Ruxcon: Hacker Wanqiao Zhang of Chinese security house Qihoo 360 has blown holes in 4G LTE networks by detailing how an attacker can intercept and make calls, send text messages and even force phones offline.
The team tested their work against Frequency Division Duplexing (FDD) LTE networks, which are more popular than Time Division Duplexing (TDD) LTE and are used in Britain, the US, and Australia. The competing TDD-LTE design is more common in Asian countries and in regions where population densities are higher.
Zhang uses Ravishankar Borgaonkar and Altaf Shaik's IMSI catcher together with a femtocell to pull off the over-the-air meddling. A series of radio resource control (RRC) protocol messages, addressed using the international mobile subscriber identity (IMSI) numbers captured by the IMSI catcher, can be used to trigger a denial of service, place calls and send texts, or intercept communications.
Zhang modified code from the alpha-grade open-source OpenLTE project to track network availability updates in the area, which is critical to successfully pulling off the attacks.
She says phone manufacturers should ignore base station redirection commands and instead use automatic searches to find the best available base station. This would prevent attackers from forcing LTE devices to connect to malicious stations.