'Ghost Telephonist' Link Hijack Exploitations in 4G LTE CS Fallback

Black Hat USA 2017

Presented by: Lin Huang, Jun Li, Haoqi Shan, Qing Yang, Yuwei Zheng
Date: Thursday July 27, 2017
Time: 09:45 - 10:35
Location: Mandalay Bay GH

In this presentation, one vulnerability in CSFB (Circuit Switched Fallback) in 4G LTE network is introduced. In the CSFB procedure, we found the authentication step is missing. The result is that an attacker can hijack the victim's communication. We named this attack as 'Ghost Telephonist.' Several exploitations can be made based on this vulnerability. When the call or SMS is not encrypted, or weakly encrypted, the attacker can get the content of the victim's call and SMS. The attacker can also initiate a call/SMS by impersonating the victim. Furthermore, Telephonist Attack can obtain the victim's phone number and then use the phone number to make advanced attack, e.g. breaking Internet online accounts. The victim will not sense being attacked since no 4G or 2G fake base station is used and no cell re-selection. These attacks can randomly choose victims or target a given victim. We verified these attacks with our own phones in operators' network in a small controllable scale. The experiments proved the vulnerability really exists. Finally, the countermeasures are proposed and now we are collaborating with operators and terminal manufactures to fix this vulnerability.

Haoqi Shan

Haoqi Shan is currently a wireless/hardware security researcher in UnicornTeam of 360 Radio Security Research Dept. He focuses on Wi-Fi penetration, GSM system, embedded device hacking, building hacking tools, etc. He made serial presentations about Femto cell hacking, RFID hacking and LTE devices hacking on Defcon, Cansecwest, Syscan360 and HITB, etc.

Jun Li

Jun Li is a security researcher at UnicornTeam in the Radio Security Research Department of 360 Technology. He is interested in hardware security, connected car security, wireless security. He presented his research about wireless hacking and car hacking at DEFCON, HITB, CanSecWest, Syscan360, etc.

Yuwei Zheng

Yuwei Zheng is a senior security researcher concentrated in embedded systems over 10 years. He reversed blackberry BBM, PIN, BIS push mail protocol, and decrypted the network stream successfully in 2011. He successfully implemented a MITM attack for Blackberry BES based on a modified ECMQV protocol of RIM. He focuses on the security issues of embedded hardware and IOT systems. He was the speaker of DEFCON 23, HITB 2016.

Lin Huang

Lin Huang is a wireless security researcher and SDR technology expert. Her interests include security issues in wireless communication, especially the cellular network security, and also other problems in ADS-B, GPS, Bluetooth, Wifi, and automotive electronics etc. She was a speaker at DEFCON, HITB, POC etc. security conferences. She is the 3GPP SA3 delegate of Qihoo 360.

Qing Yang

Qing Yang is the founder of UnicornTeam & Radio Security Research Department in 360 Technology. He has rich experiences in information security area. He presented at Black Hat, DefCon, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats