by Antriksh Shah

Telecom security is still evolving. With voice and video services becoming more mainstream, the security of 3G / 4G networks is imperative. In the past, some major security flaws have been detected in modern high-speed cell networks. For example, a cryptographic flaw in the protocol used in 3G and 4G LTE networks could enable mobile devices to connect with the cell operator. Despite the many vulnerabilities in these networks, there hasn't been a lot of activity in terms of safeguarding them.

In an interaction with Nullcon, Altaf Shaik, principal security researcher at Kaitiaki Labs and PhD researcher in the Security in Telecommunications department at TU Berlin, talks to us about the challenges in detecting network attacks, measures end-users and developers can take to safeguard telecom networks, and more.

What are some challenges that security testers currently face in detecting attacks in 3G / 4G networks?

The most important issue hindering security research on a practical scale is the lack of access to low-level information for detailed analysis. On one side, iOS completely blocks any kind of access to cellular-level data on the phone. On the other side, Android provides limited access on both rooted and non-rooted phones. This makes it highly difficult for security testers to detect rogue base stations.

Could you tell us about the recent trending threats or incidents that have affected businesses on account of neglecting security testing of 3G / 4G networks or devices?

The VoLTE feature was introduced in 4G, is widely deployed now, and is typically used for carrying voice in IP packets. The call setup and reception are handled by Android apps rather than the normally restricted baseband radio. With the help of malicious software, attackers could embed data streams within VoLTE calls and were able to send large amounts of data to the remote end without being billed for it. Additionally, the attackers were able to block a specific phone from receiving incoming calls, thereby creating a DoS.

The SIP headers inside the VoLTE frames are not security-checked by the operators, which actually led to the above attacks.

What are some basic steps that can be taken at the developer and end-user level to minimize attacks on these networks?

Developer: The set of parameters currently monitored for IC detection is not sufficient, and certain methods are found to be inadequate. Due to the complex state-machine nature of mobile protocol stacks, developers are required to enlarge the detection criteria used.

End-user: For an end-user, 100 percent protection cannot be guaranteed by the ICD apps available in the market. When a user is more concerned about his privacy and security, it is recommended to have a rooted phone that allows ICD apps to reliably detect at least 70% of the attacks.

Altaf Shaik is conducting a training on Practical 3G / 4G security and attacks, along with Dr. Ravishankar Borgaonkar, at Nullcon Goa 2018.


Antriksh Shah

Antriksh is a Security Analyst from Goa. He is associated with the initiatives of null, The Open Security Community, and with organizing its annual flagship conference, nullcon. His areas of interest are VAPT, Web Application Security, Network Auditing & Forensics. He is very active with the Pune Cyber Crime Branch, assisting them with investigation cases.