One Simple Trick Could Disable a City’s 4G Phone Network

Eugen Leitl eugen at leitl.org
Mon Nov 19 09:39:39 PST 2012


http://www.technologyreview.com/news/507381/one-simple-trick-could-disable-a-citys-4g-phone-network/

One Simple Trick Could Disable a City's 4G Phone Network

High-speed LTE networks could be felled by a $650 piece of gear, says a new
study.

By David Talbot on November 14, 2012

Why It Matters

LTE networks can have 10 times the bandwidth of 3G, and are eyed as the basis
for a new wave of data-rich applications worldwide. So any loss of LTE
availability could be highly disruptive.

High-speed wireless data networks are vulnerable to a simple jamming
technique that could block service across much of a city, according to
research findings provided to a federal agency last week.

The high-bandwidth mobile network technology LTE (long-term evolution) is
rapidly spreading around the world. But researchers show that just one cheap,
battery-operated transmitter aimed at tiny portions of the LTE signal could
knock out a large LTE base station serving thousands of people. "Picture a
jammer that fits in a small briefcase that takes out miles of LTE
signals--whether commercial or public safety," says Jeff Reed, director of the
wireless research group at Virginia Tech.

"This can be relatively easy to do," and it would not be easy to defend
against, Reed adds. If a hacker added an inexpensive power amplifier to his
malicious rig, he could take down an LTE network in an even larger region.

If LTE networks were to be compromised, existing 3G and 2G networks would
still operate--but those older networks are gradually being phased out.

Reed and a research assistant, Marc Lichtman, described the vulnerabilities
in a filing made last Thursday with the National Telecommunications and
Information Administration, which advises the White House on telecom and
information policy. There was no immediate reaction from the NTIA, which had
sought comments from experts on the feasibility of using LTE for emergency
responder communications.

Any radio frequency can be blocked, or "jammed," if a transmitter sends a
signal at the same frequency, with enough power. But LTE turns out to be
especially vulnerable, Reed's group says. That is because the whole LTE
signal depends on control instructions that make up less than 1 percent of
the overall signal.

Some of these instructions govern the crucial time synchronization and
frequency synchronization that underpin LTE transmissions. "Your phone is
constantly syncing with the base station" in order to effectively carry and
assemble bits of information that make up, say, a photo or a video, says
Lichtman, a graduate research assistant who cowrote the study. "If you can
disrupt that synchronization, you will not be able to send or receive data."

There are seven other such weak points, the researchers say, any one of which
could be used to jam an LTE signal with a low-power transmitter. "There are
multiple weak spots--about eight different attacks are possible. The LTE
signal is very complex, made up of many subsystems, and in each case, if you
take out one subsystem, you take out the entire base station."

All that would be required is a laptop and an inexpensive software-defined
radio unit (which can cost as little as $650). Battery power, including from
a car battery, would then be enough to jam an LTE base station. Doing so
would require technical knowledge of the complexity of the LTE standard, but
those standards--unlike military ones--are openly published. "Any
communications engineer would be able to figure this stuff out," Lichtman
says.

Lichtman offered an analogy of stopping all cars, taxis, and trucks from
operating in Manhattan by silencing the traffic signaling system. "Imagine
blocking all traffic lights so nobody can see if they are red and green, and
see what happens to the traffic. Cars hit each other and nobody gets
through," he says.

All of the latest smartphones and major carriers are heavily promoting a
transition to LTE networks. Around the world, nearly 500 million people have
access to the signals from more than 100 LTE operators in 94 countries. The
technology can be 10 times faster at delivering data, such as video, than 3G
networks. Reed's group did not identify whether anything could be done to fix
the newly identified problem. "You have to put the problems out on the table
first. Although we've identified the problem, we don't necessarily have
solutions," he says. "It's virtually impossible to bring in mitigation
strategies that are also backward-compatible and cover it all."

But LTE is also being proposed as the basis for next-generation
communications systems for emergency response--a proposal called FirstNet,
conceived after police and fire communications glitches added to the death
toll after the September 11 terrorist attacks. In his brief to the NTIA, Reed
said it was conceivable that terrorists could compromise an LTE network to
confuse the response to an attack.

No jamming of LTE networks is known to have happened as a result of the
vulnerabilities, Reed says. Qualcomm, which sells LTE chipsets and is one of
the companies that developed the LTE standard, declined yesterday to comment
on the matter. Ericsson, the Swedish telecom that supplies much of the
world's LTE infrastructure, including to Verizon in the United States, did
not respond to requests for comment yesterday.

The impact of any LTE vulnerabilities could be enormous. By Ericsson's
estimate, half the world's population will have LTE coverage by 2017. And
many consumer devices--including medical monitors, cameras, and even
vehicles--may adopt LTE technology for a new wave of applications (see
"Verizon Envisions 4G Wireless in Just About Anything").

Digital cellular communications were engineered to address another security
concern. "Back in the old days, our students used to listen in on cell-phone
conversations for entertainment. It was extremely easy to do. And that was
actually one of the key motivators behind digital cellular systems," Reed
says. "LTE does a good job of covering those aspects. But unconventional
security aspects, such as preventing signal jamming, have been largely
overlooked."
