If you are one of the privacy-minded readers on our forums, you probably steer clear of open WiFi hotspots while you're out and about. If you're one of the lucky few who owns a select Nexus or Pixel device supported by Google's WiFi Assistant, then maybe you aren't so worried about using an unsecured network. The rest of us rely heavily on our carrier's 4G network to route financial, educational, or otherwise private data over the Internet. Unfortunately, it appears that a 4G LTE connection might not be as secure as we were previously led to believe. Wanqiao Zhang, a Chinese network security researcher from Qihoo 360, presented the LTE vulnerability at DEFCON 24 in August of this year.

Source: Wanqiao Zhang

In the research paper, the team describes a method of forcing a targeted smartphone off its LTE network and onto an unsecured, attacker-controlled one. The attack involves first collecting the LTE device's IMSI (the subscriber identity a phone will hand over when a base station asks for it) and then tricking the device into attaching to a fake LTE network. Once the victim is on the rogue network, the attacker can perform a variety of malicious acts: denial of service, redirection of calls and texts, or, at worst, sniffing all voice and data traffic. Her team's demo specifically targeted the FDD-LTE networks currently operating in Britain, the United States, and Australia. However, Zhang says this type of attack is possible on any LTE network in the world, including the TDD-LTE networks more commonly found in many Asian countries.

Sadly, the 3GPP, the standards body that defines the LTE protocols, acknowledged the possibility of exactly this kind of man-in-the-middle attack all the way back in 2006. Only this May did the 3GPP propose a potential fix: the phone should refuse one-way authentication (where the phone proves itself to the network but the network never proves itself to the phone) and should drop any request from a base station to downgrade or disable encryption. Together these measures would stop a rogue base station or femtocell from unilaterally hijacking your phone and stripping its security.
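To make the attack flow and the two proposed countermeasures concrete, here is a simulated phone-side (UE) policy. It is an added example written for this article, not code from Zhang's team, 3GPP, or any baseband: the message formats are stripped down, HMAC-SHA256 stands in for the real MILENAGE f1 function, AUTN is simplified to SQN || AMF || MAC, and the subscriber key K is a constructed value. The rogue base station scenario models what an attacker who does not know K can actually send: a challenge with no proof of its own identity, followed by a request for the null ciphering algorithm.

```python
"""
Simulated UE-side enforcement of the two countermeasures described above:
refuse one-way authentication and refuse ciphering/integrity downgrade.
Constructed example: HMAC-SHA256 stands in for MILENAGE f1, AUTN is
simplified to SQN || AMF || MAC, and K is a made-up key.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed 128-bit subscriber key. In reality K lives only on the USIM
# and in the operator's HSS/AuC, which is exactly what a rogue eNodeB lacks.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
AMF = b"\x80\x00"


def f1_mac(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """Stand-in for MILENAGE f1: the network's proof that it knows K."""
    return hmac.new(k, rand + sqn + amf, hashlib.sha256).digest()[:8]


def build_autn(k: bytes, rand: bytes, sqn: bytes, amf: bytes = AMF) -> bytes:
    """Simplified AUTN = SQN(6) || AMF(2) || MAC(8); the anonymity key is omitted."""
    return sqn + amf + f1_mac(k, rand, sqn, amf)


@dataclass
class AuthenticationRequest:
    rand: bytes
    autn: Optional[bytes]  # None models a network that never proves itself


@dataclass
class SecurityModeCommand:
    ciphering: str  # LTE algorithm names; EEA0 is the null cipher
    integrity: str  # EIA0 is null integrity


class UE:
    """User equipment that insists on mutual authentication and real ciphering."""

    def __init__(self, k: bytes, last_sqn: bytes,
                 allowed_ciphers=("EEA1", "EEA2", "EEA3"),
                 allowed_integrity=("EIA1", "EIA2", "EIA3")):
        self.k = k
        self.last_sqn = last_sqn  # highest SQN accepted so far (replay check)
        self.allowed_ciphers = allowed_ciphers
        self.allowed_integrity = allowed_integrity
        self.authenticated = False

    def handle_auth_request(self, req: AuthenticationRequest) -> str:
        # Countermeasure 1: a challenge without AUTN is one-way authentication
        # (the UE would prove itself while the network proves nothing).
        if req.autn is None or len(req.autn) != 16:
            return "REJECT: one-way authentication, network did not prove itself"
        sqn, amf, mac = req.autn[:6], req.autn[6:8], req.autn[8:]
        if not hmac.compare_digest(mac, f1_mac(self.k, req.rand, sqn, amf)):
            return "REJECT: MAC failure, network does not know K"
        if int.from_bytes(sqn, "big") <= int.from_bytes(self.last_sqn, "big"):
            return "REJECT: SQN not fresh, replayed challenge"
        self.last_sqn = sqn
        self.authenticated = True
        return "ACCEPT"

    def handle_security_mode(self, cmd: SecurityModeCommand) -> str:
        if not self.authenticated:
            return "REJECT: security mode command before authentication"
        # Countermeasure 2: refuse any downgrade to null ciphering or integrity.
        if cmd.ciphering not in self.allowed_ciphers:
            return f"REJECT: ciphering downgrade to {cmd.ciphering} refused"
        if cmd.integrity not in self.allowed_integrity:
            return f"REJECT: integrity downgrade to {cmd.integrity} refused"
        return f"ACCEPT: {cmd.ciphering}/{cmd.integrity}"


def legitimate_network(ue: UE) -> Tuple[str, str]:
    """Home network: knows K, issues a fresh SQN, asks for AES-based algorithms."""
    rand = os.urandom(16)
    # Shortcut: a real HSS tracks SQN itself rather than reading it from the UE.
    sqn = (int.from_bytes(ue.last_sqn, "big") + 1).to_bytes(6, "big")
    auth = ue.handle_auth_request(AuthenticationRequest(rand, build_autn(K, rand, sqn)))
    smc = ue.handle_security_mode(SecurityModeCommand("EEA2", "EIA2"))
    return auth, smc


def rogue_base_station(ue: UE) -> Tuple[str, str]:
    """Fake eNodeB: has no K, so it skips AUTN and then asks for null ciphering."""
    rand = os.urandom(16)
    auth = ue.handle_auth_request(AuthenticationRequest(rand, None))
    smc = ue.handle_security_mode(SecurityModeCommand("EEA0", "EIA0"))
    return auth, smc


if __name__ == "__main__":
    for scenario in (legitimate_network, rogue_base_station):
        print(scenario.__name__, scenario(UE(K, b"\x00" * 6)))
```

The point of the simulation is the asymmetry: a rogue base station can always collect the IMSI and get a phone to attach, but without K it can neither produce a valid AUTN nor survive a phone that refuses EEA0/EIA0. A phone that accepts either, which is what the current standard allows, hands the attacker everything the article lists.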

This vulnerability did not receive much attention until security researchers published a paper on it last year (PDF). Shortly after that paper appeared, the ACLU obtained documents describing the government's Stingray devices as having identical capabilities. Exactly how Stingray cell-site simulators operate is still not public, but people have started to draw parallels between that technology and the newly researched LTE vulnerability.

For those who want to keep their data private, a VPN that uses OpenVPN over TLS will keep your IP traffic confidential even if the cellular link underneath has been downgraded to no encryption at all. Stay away from PPTP (its MS-CHAPv2 authentication has long been broken), L2TP without IPsec, and plain SOCKS proxies, which are not VPNs and encrypt nothing. Keep the limits in mind, too: a VPN protects data sessions only, so native voice calls, SMS, and your IMSI and location are still exposed to a rogue base station. It's been over 10 years since the 3GPP was made aware of this issue and they have yet to ship updated LTE protocols that close it. With readily available hardware now able to pull off these attacks, it's up to you to keep your data private.
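An OpenVPN client profile with the settings that advice implies, added here as an example (it is not from the article, from OpenVPN's own documentation, or from any provider). The host name, port, and file names are placeholders, and `data-ciphers` requires OpenVPN 2.5 or later (on 2.4 use `cipher AES-256-GCM` instead).

```conf
client
dev tun
proto udp
# placeholder server; replace with your provider's endpoint
remote vpn.example.net 1194
nobind
persist-key
persist-tun

# Certificates: the server must present a certificate that chains to our CA
# and is marked for server use, so a rogue endpoint cannot impersonate it.
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verify-x509-name vpn.example.net name

# Control channel: modern TLS only, and wrap the handshake with a pre-shared
# key so unauthenticated peers are dropped before any TLS work is done.
tls-version-min 1.2
tls-crypt ta.key

# Data channel: authenticated encryption only.
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

# Send all traffic through the tunnel; without this, only the VPN's own
# subnet is protected and everything else still rides the carrier link.
redirect-gateway def1
```

The directives that matter against a rogue base station are `remote-cert-tls server` and `verify-x509-name`, which stop an attacker who controls the network path from standing up their own OpenVPN server in front of you, and `redirect-gateway`, which ensures nothing bypasses the tunnel.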

Source: The Register