[HN Gopher] LTESniffer: An open-source LTE downlink/uplink eaves...
       ___________________________________________________________________
        
       LTESniffer: An open-source LTE downlink/uplink eavesdropper [pdf]
        
       Author : stacktrust
       Score  : 90 points
       Date   : 2023-04-25 19:47 UTC (3 hours ago)
        
 (HTM) web link (syssec.kaist.ac.kr)
 (TXT) w3m dump (syssec.kaist.ac.kr)
        
       | MuffinFlavored wrote:
       | How illegal is this from an FCC or cell phone carrier
       | perspective?
       | 
       | I would have guessed LTE traffic was "HTTPS" levels of encrypted?
        
         | xen2xen1 wrote:
         | No, IIRC it isn't anywhere near real encryption.
        
           | nicce wrote:
           | Hmm...
           | 
            | LTE stands for 4G and they use 128-EEA2 (AES-CTR) or 128-EIA2
            | (AES-CMAC), which are kinda the same as TLS 1.2 and TLS 1.3,
            | where the latter supports ChaCha additionally.
           | 
           | GCM on TLS gives greater performance and the integrity can be
           | confirmed earlier, but there are no serious security problems
           | on algorithm side.
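The two algorithms named in the comment above are the LTE confidentiality and integrity primitives from 3GPP TS 33.401 Annex B: 128-EEA2 is AES-128 in CTR mode with a counter block built from COUNT, BEARER and DIRECTION, and 128-EIA2 is AES-CMAC over that same header prefix plus the message, truncated to a 32-bit MAC-I. The program below is an added example written for this page, not code from LTESniffer or the paper; it uses Go's standard-library AES-CTR and a small RFC 4493 CMAC, and the key, COUNT/BEARER/DIRECTION values and the "RRC PDU" bytes are constructed inputs, not spec test vectors.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"encoding/hex"
	"fmt"
)

// header3GPP builds the block both algorithms start from (TS 33.401 Annex B):
// COUNT (32 bits) || BEARER (5 bits) || DIRECTION (1 bit) || 26 zero bits || 64 zero bits.
// EEA2 uses all 16 bytes as the initial CTR counter; EIA2 prefixes the first 8 to the message.
func header3GPP(count uint32, bearer, direction uint8) [16]byte {
	var blk [16]byte
	blk[0], blk[1], blk[2], blk[3] = byte(count>>24), byte(count>>16), byte(count>>8), byte(count)
	blk[4] = (bearer&0x1f)<<3 | (direction&1)<<2
	return blk
}

// EEA2 is 128-EEA2: AES-128-CTR. Go's CTR increments the whole 128-bit block
// big-endian, matching 3GPP's T_i = T_1 + (i-1) mod 2^128. The same call decrypts.
func EEA2(block cipher.Block, count uint32, bearer, direction uint8, data []byte) []byte {
	iv := header3GPP(count, bearer, direction)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv[:]).XORKeyStream(out, data)
	return out
}

// EIA2 is 128-EIA2: AES-CMAC over COUNT||BEARER||DIRECTION||0^26||MESSAGE, leftmost 32 bits.
func EIA2(block cipher.Block, count uint32, bearer, direction uint8, msg []byte) []byte {
	hdr := header3GPP(count, bearer, direction)
	return aesCMAC(block, append(hdr[:8:8], msg...))[:4]
}

// Verify recomputes MAC-I over received plaintext and compares in constant time.
func Verify(block cipher.Block, count uint32, bearer, direction uint8, msg, macI []byte) bool {
	return hmac.Equal(EIA2(block, count, bearer, direction, msg), macI)
}

// aesCMAC is AES-CMAC per RFC 4493; Go's standard library has no CMAC.
func aesCMAC(block cipher.Block, msg []byte) []byte {
	l := make([]byte, 16)
	block.Encrypt(l, l) // L = AES_K(0^128)
	k1, k2 := dbl(l), dbl(dbl(l))
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1 // an empty message still yields one padded block
	}
	last := make([]byte, 16)
	if len(msg) > 0 && len(msg)%16 == 0 {
		copy(last, msg[(n-1)*16:]) // complete last block: XOR with K1
		xorInto(last, k1)
	} else {
		rem := msg[(n-1)*16:] // partial last block: pad 10..0, XOR with K2
		copy(last, rem)
		last[len(rem)] = 0x80
		xorInto(last, k2)
	}
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*16:(i+1)*16])
		block.Encrypt(x, x)
	}
	xorInto(x, last)
	block.Encrypt(x, x)
	return x
}

// dbl doubles a block in GF(2^128): shift left one bit, XOR 0x87 on carry-out.
func dbl(b []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i], carry = b[i]<<1|carry, b[i]>>7
	}
	if b[0]&0x80 != 0 {
		out[15] ^= 0x87
	}
	return out
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

func main() {
	// Constructed demo inputs (not 3GPP test vectors): a fixed key and a fake RRC PDU.
	key, _ := hex.DecodeString("d3c5d592327fb11c4035c6680af8c6d1")
	block, _ := aes.NewCipher(key)
	pdu := []byte("RRCConnectionReconfiguration (constructed payload)")
	const count, bearer, dir = 0x398a59b4, 0x15, 1
	ct := EEA2(block, count, bearer, dir, pdu)
	mac := EIA2(block, count, bearer, dir, pdu)
	fmt.Printf("ciphertext %x\nMAC-I %x\n", ct, mac)
	fmt.Println("intact verifies:", Verify(block, count, bearer, dir, EEA2(block, count, bearer, dir, ct), mac))
	// CTR is malleable: flipping a ciphertext bit flips the plaintext bit; MAC-I is what catches it.
	ct[0] ^= 0x01
	fmt.Println("tampered verifies:", Verify(block, count, bearer, dir, EEA2(block, count, bearer, dir, ct), mac))
}
```

The practical point for a passive sniffer is in the key argument: the keys the UE and eNodeB use here are derived per session from KASME, which the sniffer never sees, so EEA2 output is just keystream-masked bytes to it. That is the "can only obtain encrypted packets in most cases" in the paper's quote below; what it can read is whatever is sent before security activation or outside the protected payload.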
        
         | jcrawfordor wrote:
         | Modern LTE features a fairly high level of traffic security,
         | although downgrade attacks remain a major problem. The article
         | addresses this point: "The target of LTESNIFFER is to capture
         | the wireless packets between the base station and the user. It
         | can only obtain encrypted packets in most cases because it
         | can't know the cryptographic keys of users. However, some
         | packets are transferred in plaintext by design." One of the
          | reasons you hear about cell-site simulators ("stingrays") a lot
         | less these days is that improving security standards in the
         | cellular network has made them less useful, although they are
         | still widely employed and particularly rely on forcing
         | downgrades to 3G.
         | 
         | Elsewhere, the article notes that one of the difficult things
         | about sniffing LTE is that even the parameters used for the
         | radio connection are encrypted, so some of them have to be
          | inferred and guessed. That encryption isn't really intended as
          | a security feature (we're talking about the modulation mode),
          | but comes out of the fact that LTE revisions have erred on the
         | side of caution with encrypting as much of the management
         | traffic as practical. Much of this is a result of lessons
         | learned with previous cellular protocols and protocols like
         | WiFi, where unencrypted/unauthenticated management traffic has
         | often become an attack vector.
        
         | jabbany wrote:
          | IANAL but, IIRC, any sniffing seems to be fine in general? You'd
         | only get in trouble if you transmitted anything. I don't even
         | think you need a license to just listen to stuff.
         | 
         | Also I think the paper mentions that many types of packets are
         | in fact encrypted, and only certain control packets are sent in
         | the clear. This seems to be not any more concerning than other
         | Internet related protocols which also send a lot of
         | coordination information in cleartext.
        
           | kube-system wrote:
           | If someone doesn't like what you're doing, wiretap charges
           | are legally plausible.
        
       | newsclues wrote:
       | https://github.com/SysSec-KAIST/LTESniffer
        
       | lll-o-lll wrote:
       | Sounds cool, but how many people have the 9k USD to sink on the
       | radio required? Security through price barriers.
       | 
       | Except it's not security of course; the difficulty in obtaining
       | hardware is a large reason as to why industrial control systems
       | had such abysmal security for as long as they did.
        
         | nickphx wrote:
         | It can be done for under $600 using a bladeRF..
         | https://docs.srsran.com/projects/4g/en/latest/app_notes/sour...
        
         | jrexilius wrote:
         | for passive sniffing, it looks like you can run the cheaper
         | module at only $2k, which is approachable for researchers..
         | actually fully loaded price tag is $11k or $4k as you need
         | GPSDO also.. but $4k is almost approachable I guess..
         | 
         | [edit to add] https://www.ettus.com/all-products/ub210-kit/
        
           | tonyarkles wrote:
           | Amazingly, you can probably get a reasonable GPSDO from eBay
           | for a couple hundred dollars. I was running an Ettus B210 off
           | of an eBay GPSDO and had about a 1Hz frequency offset
           | relative to an LTE tower at 1800MHz. Pretty cool!
        
       ___________________________________________________________________
       (page generated 2023-04-25 23:00 UTC)