Toward a Truly Secure Telecom Network: Analyzing and Exploiting Vulnerable Security Configurations/Implementations in Commercial LTE/IMS Networks

IEEE Transactions on Dependable and Secure Computing (2023)

Abstract
Authentication and data protection (both integrity and confidentiality) between the network and cellular devices are two fundamental security features in LTE and IMS networks. The first is implemented via authentication and key agreement mechanisms and can be compromised by relaying authentication parameters. The second security feature builds on the first one and is activated through corresponding security setup procedures. This work intends to investigate whether these basic security procedures are securely implemented and deployed in commercial networks. We analyzed the de facto situation of these security features in three major operators in China and found several new and previously disclosed configuration and implementation flaws that do not conform to specifications. These vulnerabilities allow attackers to disable LTE and IMS data protection mechanisms. We further propose novel proof-of-concept attacks to exploit the identified vulnerabilities, including IMEI and Phone Number Catching, SMS and Call Impersonation and Interception attacks. To show the urgency of addressing these security issues and thus secure the real-world telecom networks, we successfully demonstrated these attacks in practice using open-source SDR tools as they have serious implications. For instance, the interception attacks undermine the widely-used SMS verification code security mechanism. We also discuss countermeasures to resist the proposed attacks.
Keywords
Attacks, defense, LTE and IMS networks, security, vulnerability exploits