'Ghost Telephonist' Link Hijack Exploitations in 4G LTE CS Fallback

Presented at Black Hat USA 2017, July 27, 2017, 9:45 a.m. (50 minutes)

In this presentation, one vulnerability in CSFB (Circuit Switched Fallback) in 4G LTE network is introduced. In the CSFB procedure, we found the authentication step is missing. The result is that an attacker can hijack the victim's communication. We named this attack as 'Ghost Telephonist.' Several exploitations can be made based on this vulnerability. When the call or SMS is not encrypted, or weakly encrypted, the attacker can get the content of the victim's call and SMS. The attacker can also initiate a call/SMS by impersonating the victim. Furthermore, Telephonist Attack can obtain the victim's phone number and then use the phone number to make advanced attack, e.g. breaking Internet online accounts. The victim will not sense being attacked since no 4G or 2G fake base station is used and no cell re-selection. These attacks can randomly choose victims or target a given victim. We verified these attacks with our own phones in operators' network in a small controllable scale. The experiments proved the vulnerability really exists. Finally, the countermeasures are proposed and now we are collaborating with operators and terminal manufactures to fix this vulnerability.

Presenters:

• Yuwei Zheng - Senior Researcher, UnicornTeam, 360 Technology
  Yuwei Zheng is a senior security researcher concentrated in embedded systems over 10 years. He reversed blackberry BBM, PIN, BIS push mail protocol, and decrypted the network stream successfully in 2011. He successfully implemented a MITM attack for Blackberry BES based on a modified ECMQV protocol of RIM. He focuses on the security issues of embedded hardware and IOT systems. He was the speaker of DEFCON 23, HITB 2016.
• Lin Huang - Senior Researcher, UnicornTeam, 360 Technology
  Lin Huang is a wireless security researcher and SDR technology expert. Her interests include security issues in wireless communication, especially the cellular network security, and also other problems in ADS-B, GPS, Bluetooth, Wifi, and automotive electronics etc. She was a speaker at DEFCON, HITB, POC etc. security conferences. She is the 3GPP SA3 delegate of Qihoo 360.
• Jun Li - Researcher, UnicornTeam, 360 Technology
  Jun Li is a senior security researcher from Radio Security Research Dept. of 360 Technology. He is interested in hardware security, connected car security, wireless security. He presented his research about wireless hacking and car hacking at DEFCON, HITB, CanSecWest, Syscan360, etc.
• Haoqi Shan - Researcher, UnicornTeam, 360 Technology
  Haoqi Shan is currently a wireless/hardware security researcher in UnicornTeam of 360 Radio Security Research Dept. He focuses on Wi-Fi penetration, GSM system, embedded device hacking, building hacking tools, etc. He made serial presentations about Femto cell hacking, RFID hacking and LTE devices hacking on Defcon, Cansecwest, Syscan360 and HITB, etc.
• Qing Yang - Founder, UnicornTeam, 360 Technology
  Qing Yang is the founder of UnicornTeam & Radio Security Research Department in 360 Technology. He has rich experiences in information security area. He presented at Black Hat, DefCon, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Links:

• https://www.blackhat.com/us-17/briefings/schedule/#ghost-telephonist-link-hijack-exploitations-in-4g-lte-cs-fallback-6405
• https://www.youtube.com/watch?v=9hkc-gDPl-0
• https://www.blackhat.com/docs/us-17/thursday/us-17-Yuwei-Ghost-Telephonist-Link-Hijack-Exploitations-In-4G-LTE-CS-Fallback.pdf

Similar Presentations:

• Black Hat Europe 2019 / Side Channel Attacks in 4G and 5G Cellular Networks
• DEF CON 25 (2017) / 'Ghost Telephonist' Impersonates You Through LTE CSFB
• Black Hat USA 2018 / LTE Network Automation Under Threat