Using an IMSI-catcher and a Femtocell

The security researcher Wanqiao Zhang of Qihoo 360 has published a research about a vulnerability in LTE networks.

The attacks work through a series of messages sent between malicious base stations and targeted phones.

It results in attackers gaining a man-in-the-middle position from where they can listen to calls or read SMS, or force phones back to 2G GSM networks where only voice and basic data services are available.

LTE networks allow users to be handed over to underused base stations in the event of natural disasters to ensure connectivity and three of this fail-over emergency features can be abused for specific attacks: global roaming features allow IMSI capture, battery energy saving for denial of service, and load balancing for redirection.

Using an IMSI-catcher and a femtocell, Zhang perform the attacks sending a series of radio resource control protocol messages using the international mobile subscriber identity (IMSI) numbers captured using the IMSI-catcher: she gain the permission to place calls and send text, intercept communications and make a denial of service.

Here the slides of speech: