One Simple Trick Could Disable a City’s 4G Phone Network
High-speed wireless data networks are vulnerable to a simple jamming technique that could block service across much of a city, according to research findings provided to a federal agency last week.
The high-bandwidth mobile network technology LTE (long-term evolution) is rapidly spreading around the world. But researchers show that just one cheap, battery-operated transmitter aimed at tiny portions of the LTE signal could knock out a large LTE base station serving thousands of people. “Picture a jammer that fits in a small briefcase that takes out miles of LTE signals—whether commercial or public safety,” says Jeff Reed, director of the wireless research group at Virginia Tech.
“This can be relatively easy to do,” and it would not be easy to defend against, Reed adds. If a hacker added an inexpensive power amplifier to his malicious rig, he could take down an LTE network in an even larger region.
If LTE networks were to be compromised, existing 3G and 2G networks would still operate—but those older networks are gradually being phased out.
Reed and a research assistant, Marc Lichtman, described the vulnerabilities in a filing made last Thursday with the National Telecommunications and Information Administration, which advises the White House on telecom and information policy. There was no immediate reaction from the NTIA, which had sought comments from experts on the feasibility of using LTE for emergency responder communications.
Any radio frequency can be blocked, or “jammed,” if a transmitter sends a signal at the same frequency, with enough power. But LTE turns out to be especially vulnerable, Reed’s group says. That is because the whole LTE signal depends on control instructions that make up less than 1 percent of the overall signal.
Some of these instructions govern the crucial time synchronization and frequency synchronization that underpin LTE transmissions. “Your phone is constantly syncing with the base station” in order to effectively carry and assemble bits of information that make up, say, a photo or a video, says Lichtman, a graduate research assistant who cowrote the study. “If you can disrupt that synchronization, you will not be able to send or receive data.”
There are seven other such weak points, the researchers say, any one of which could be used to jam an LTE signal with a low-power transmitter. “There are multiple weak spots—about eight different attacks are possible. The LTE signal is very complex, made up of many subsystems, and in each case, if you take out one subsystem, you take out the entire base station.”
All that would be required is a laptop and an inexpensive software-defined radio unit (which can cost as little as $650). Battery power, including from a car battery, would then be enough to jam an LTE base station. Doing so would require technical knowledge of the complexity of the LTE standard, but those standards—unlike military ones—are openly published. “Any communications engineer would be able to figure this stuff out,” Lichtman says.
Lichtman offered an analogy of stopping all cars, taxis, and trucks from operating in Manhattan by silencing the traffic signaling system. “Imagine blocking all traffic lights so nobody can see if they are red and green, and see what happens to the traffic. Cars hit each other and nobody gets through,” he says.
All of the latest smartphones and major carriers are heavily promoting a transition to LTE networks. Around the world, nearly 500 million people have access to the signals from more than 100 LTE operators in 94 countries. The technology can be 10 times faster at delivering data, such as video, than 3G networks. Reed’s group did not identify whether anything could be done to fix the newly identified problem. “You have to put the problems out on the table first. Although we’ve identified the problem, we don’t necessarily have solutions,” he says. “It’s virtually impossible to bring in mitigation strategies that are also backward-compatible and cover it all.”
But LTE is also being proposed as the basis for next-generation communications systems for emergency response—a proposal called FirstNet, conceived after police and fire communications glitches added to the death toll after the September 11 terrorist attacks. In his brief to the NTIA, Reed said it was conceivable that terrorists could compromise an LTE network to confuse the response to an attack.
No jamming of LTE networks is known to have happened as a result of the vulnerabilities, Reed says. Qualcomm, which sells LTE chipsets and is one of the companies that developed the LTE standard, declined yesterday to comment on the matter. Ericsson, the Swedish telecom that supplies much of the world’s LTE infrastructure, including to Verizon in the United States, did not respond to requests for comment yesterday.
The impact of any LTE vulnerabilities could be enormous. By Ericsson’s estimate, half the world’s population will have LTE coverage by 2017. And many consumer devices—including medical monitors, cameras, and even vehicles—may adopt LTE technology for a new wave of applications (see “Verizon Envisions 4G Wireless in Just About Anything”).
Digital cellular communications were engineered to address another security concern. “Back in the old days, our students used to listen in on cell-phone conversations for entertainment. It was extremely easy to do. And that was actually one of the key motivators behind digital cellular systems,” Reed says. “LTE does a good job of covering those aspects. But unconventional security aspects, such as preventing signal jamming, have been largely overlooked.”