4G Hacked

Hacked: 4G

Following on from the Ticketmaster hack, the latest hacked news brings us something not only significantly more technical, but fortunately (for now) less achievable. However, less achievable doesn’t mean unachievable. The technology in question is ubiquitous – millions of us use it every day. It’s just there, running all the time on our mobile phones. 4G – what most people simply call “the Internet” on their mobile phones – has had some quite serious flaws identified.

Now, at this time you shouldn’t start panicking. To replicate the hacks requires specialised equipment. Most articles you may come across will also say you need “specialist knowledge”, however that is never true. If you have the kit to do it – from there on, it’s a simple case of following instructions. Take “script kiddies” for example. Many of them don’t understand the programming behind many of the attacks they use. They download a specialist operating system with the tools built in, then follow the many guides that can be found online.

Every communication across the internet – whether it’s an e-mail, a web-page request, or an internet-based direct messaging system (even sending photos using MMS on your phone) – follows a schema known as the “OSI Model”. The model is split into 7 layers, each of which has a specific function. Each layer communicates with the layer above or below, depending on what is happening with the message (packet). The layers that you mostly interact with are layers 4 – 7, aka the “Host Layers”. These involve the applications you interact with, and the protocols they use. Layers 1 – 3 are the “Media Layers”. These involve things like physical wires and fibre-optics, and how those communicate with one another.

Now that the boring Computer Science lecture is over, let’s learn about what’s been broken and how it has been hacked. The reason for briefly explaining the OSI Model is to let you understand that this hack doesn’t involve applications or malware on your phone. It can’t be fixed with a software update to your device. It is something that is broken in the Media Layers – the parts that happen behind the scenes. The attacks occur on Layer 2 – the Data Link layer. This is the interface layer between the Physical (wires and fibre) and Network (communication) layers. As your mobile device operates wirelessly, no wires have to be interfered with, which is also what makes this much more unsettling.

Wireless attacks are often undetectable – they are simply “sniffing the air” and hoovering up your communications (passive attack). One of the three vulnerabilities is passive. The other (active) attacks are detectable. Two of these have been discovered.

Passive Attack – Website Fingerprinting

The passive attack is quite convoluted and involves a decent amount of legwork by the attacker. The attacker uses some specialist receiving equipment to “sniff” traffic to and from the network. The attacker first needs to build a “fingerprint” database, listing the expected traffic to and from the most popular websites. By sniffing the data to and from your device, the attacker can then compare your traffic to the fingerprint database and work out what sites you are visiting, with a certain degree of probability. In reality, all this attack tells the attacker is what kind of things you might be looking at.
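To make the comparison step concrete, here is an added example (not from the original post) that models a fingerprint match on encrypted traffic and shows how padding, a general traffic-analysis countermeasure, removes the signal. The site labels, record sizes and helper names are all constructed for illustration and do not model real LTE framing.

```python
# Added illustration: toy traffic fingerprinting and a padding countermeasure.
# Every trace below is constructed sample data (encrypted record sizes in bytes).
from math import sqrt

EDGES = (0, 300, 600, 900, 1200, 1500)  # size-histogram bucket edges, bytes

def features(trace):
    """Histogram of record sizes: visible to an observer despite encryption."""
    hist = [0] * (len(EDGES) - 1)
    for size in trace:
        for i in range(len(hist)):
            if EDGES[i] < size <= EDGES[i + 1]:
                hist[i] += 1
                break
    return hist

def distance(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def closest_site(trace, database):
    """Return (best_site, margin); margin = second-best minus best distance."""
    f = features(trace)
    ranked = sorted((distance(f, features(ref)), site)
                    for site, ref in database.items())
    return ranked[0][1], ranked[1][0] - ranked[0][0]

def pad(trace, record=1500, length=12):
    """Countermeasure: pad every record to one size and the trace to one length."""
    return [record] * max(length, len(trace))

# Constructed fingerprint database (hypothetical site labels).
DATABASE = {
    "news":   [1400, 1400, 1350, 1200, 1450, 300, 1400, 1380],
    "search": [200, 250, 180, 700, 220, 150],
    "video":  [1500] * 10 + [100],
}
OBSERVED = [210, 240, 190, 650, 230, 160, 120]  # constructed visit to "search"

def demo():
    plain = closest_site(OBSERVED, DATABASE)
    padded_db = {site: pad(ref) for site, ref in DATABASE.items()}
    padded = closest_site(pad(OBSERVED), padded_db)
    return plain, padded

if __name__ == "__main__":
    plain, padded = demo()
    print("unpadded: best match %s, margin %.2f" % plain)
    print("padded:   best match %s, margin %.2f" % padded)
```

A margin of zero on the padded traces means every site looks identical to the observer, at the cost of extra bandwidth.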

Active attack 1 – aLTEr Redirection

When your mobile connects to a 4G network, it “authenticates” whilst connecting. This encrypts (most of) the data to and from the mobile network, which is why the passive attack is relatively innocuous. However, this attack would allow the attacker to see and hear everything. The attacker sets up a “spoof” network access point. As long as this is placed between your device and the nearest network tower, it can work. The attacker presents themselves as your mobile provider, retrieves your authentication key – then passes this to the network tower. The network responds to the attacker, and forwards the key to your phone. The other name for this type of attack is “Man in the Middle”. Now that the attacker has your encryption keys for the session, all data passed through their device will list everything your phone is doing – calls, messages, web pages you are visiting, and applications you are using. You have been fully hacked.

This attack can technically be detected by the mobile provider, unless the attacker spoofs certain key elements other than your authentication data. For an attacker at this level, it is quite likely they will know what to change, and what to change it to.

Active attack 2 – DNS Spoofing

This is a rehash of an old trick. DNS is like the phonebook of the internet. We’re used to using addresses like twoup.it (Fully Qualified Domain Name, or FQDN). Underneath it all – from Layer 3 and below – IP addresses are used. DNS converts the easy-to-remember names we use, and provides the IP address required. An old trick was to change the DNS server being used on a PC (or Mac) to point to a server under the attacker’s control. This allowed the attacker to change the IP address presented for any FQDN requested. The page you would be sent to would likely have been cloned from the original, but modified to do something malicious. The site you were visiting wouldn’t have been hacked – you just wouldn’t be seeing the real page.

There is a vulnerability in LTE which allows this old-time trick to be used. Ultimately, this allows the attacker to control what your device does, or does not see. It can also be used to install malware onto your device, making it much easier for the attacker to do what they wish with your phone.

Summary

To initiate these attacks, specialist hardware is required. It’s not cheap, but it is available to purchase legally. Ultimately, the network providers need to get any LTE fixes installed on their core equipment ASAP. Until then, everything is vulnerable. On a scale of 1 to 10, I’d rate this an 8 for difficulty – and 3 for practicality. There are far easier ways to gain control of a device, though this attack exposes far more devices to be hacked.
