New Security Threats From 4G LTE: Abuse Facebook Accounts Without Passwords
The era of all-IP cellular network has come due to the rapid deployment of 4G LTE. All cellular network services (e.g., text) have been evolved from conventional circuit-switched (CS) to packet-switched (PS). But, mobile device, carriers and mobile service providers, are not ready for it. A recent UCLA-OSU research shows that nowadays mobile users suffer from an unprecedented attack.
Los Angeles, California, November 16, 2015 (Newswire.com) - The UCLA-OSU researchers (Dr. Guan-Hua, Tu Yuanjie Li, Prof. Chunyi Peng, Dr. Chi-Yu Li) discovered several new security vulnerabilities which can be exploited to abuse millions of Facebook accounts without passwords, via few commodity 4G LTE smartphones.
The root causes span over mobile service providers (e.g., Facebook), carriers and mobile OS (e.g., Android):
Facebook users should stop adding/associating their phone numbers to their Facebook accounts until Facebook security team fix this issue (Facebook security threat #276178926).
- For Facebook, it keeps asking users to add their phone numbers to FB to secure their accounts. After users added numbers, Facebook will automatically enable Facebook Text Service (https://www.facebook.com/help/125384024209252, i.e., access FB by sending TEXT commands to 32665 (FBOOK)) . However, Facebook will not ask user to provide FB password while it receives the FB text commands from the user's phone number. As a result, Facebook users are vulnerable to the spoofed TEXT attack (i.e., malicious user fakes the sender phone number of TEXT).
- For US carriers, not all of them recognize the technical difference between 2G/3G CS-based Text service and 4G PS-based Text service (i.e., 4G standards allows users to specify the "originating address" in 4G Text service, which is forbidden in 2G/3G Text service). Thus, malicious users can send the spoofed TEXT to any recipient, including 32665 (FBOOK), from their mobile devices in a major US 4G LTE network.
- For mobile OS vendors, current Android security mechanisms are only working for 2G/3G CS-based Text services instead of 4G PS-based Text service. All phone-side security protections (e.g., warning dialog while TEXT is sent special number or send a number of TEXT in short time) can be easily bypassed. As a result, attackers can distribute the spoofing-TEXT-malware to 4G LTE mobile devices and launch a large scale phone-initiated spoofed TEXT attacks towards Facebook or other mobile service providers. Compared with the traditional spoofed TEXT attacks launched via Internet Mobile Text service providers cooperate with carriers, the phone-initiated attack is much harder to be traced back since attackers do not need to first create an account on Internet Mobile Text service providers and purchase credits to send spoofed TEXT.
The more technical details are given in their arXiv preprint, http://arxiv.org/ftp/arxiv/papers/1510/1510.08531.pdf.
By taking advantage of readily deployed mobile text service infrastructure, mobile services providers do not only offer ubiquitous services to all mobile users, but also benefits from the built-in security protections in cellular network. However, the UCLA-OSU research results show that this service model might not be working well in nowadays while underlying networking technology changes.
The UCLA-OSU team have reported those security loopholes to Facebook and US carriers, and worked with them to solve the problems. Nevertheless, before they address these issues, Facebook users should not keep adding/associating their phone numbers to their Facebook accounts.
The ultimate solutions call for the concerted efforts among carriers, mobile devices and mobile service providers. However, it may not be done in a short time.