📢 Novel 4G/5G Attack Technique 'Man On The Side' - Adapting NSA approaches for traffic injection in mobile networks.
Don’t confuse it with 'Man In The Middle', they're not the same: a MITM sits inline and can read, modify or drop traffic, while a MOTS node only sees a copy of the traffic and injects its own packets, so it has to race the legitimate response rather than replace it. The term 'Man On The Side' (MOTS) might not be widely recognized, but it is a legitimate concept, especially within the field of network security and encrypted communications. I believe I once heard about it in 2014, relating to the Snowden leaks and secret NSA capabilities.
🔬 Recently, new research released by Fredrik Söderlund explains how a MOTS attack that abuses SCTP protocol specifics can affect 4G/5G networks. SCTP (RFC 4960) is a transport protocol that combines TCP-style reliable delivery with message boundaries, multiple streams and multi-homing; it is rarely seen outside telecom, where it carries signalling such as S1AP, NGAP and Diameter.
Here is what an attacker can do:
🔻Place a node where it sees a copy of the SCTP traffic between the Base Station and the Core Network (the same switch, a mirror port, or a compromised switch). It only needs to observe, not to sit inline.
🔻Read the fields a receiver uses to accept a DATA chunk from the captured packets: the 32-bit verification tag of the association, the current transmission sequence number (TSN), the ports and the stream numbers. None of them is secret to anyone who sees the packets.
🔻Craft a packet that carries the same verification tag and the next expected TSN and deliver it before the genuine reply arrives. The victim accepts the forged chunk; when the real one arrives with a TSN it has already received, SCTP discards it as a duplicate retransmission.
🔻What happens next depends on how the victim's signalling layer processes the forged message: the attacker can make it act on manipulated data as if it came from the real peer.
🕵️ Sounds hard to achieve? Probably, but not for nation-state intelligence services. The interesting part here is that in the new research this technique was applied to the SCTP signalling of 4G/5G scenarios, NGAP (gNB to AMF over N2) or S1AP (eNB to MME over S1), demonstrating how it can lead to Denial of Service and Data Redirection.
🗺️ Mapping this to the MITRE FiGHT framework, I’d say it falls under ‘Transmitted Data Manipulation’ Techniques (FGT1565.002).
Prevention and Detection:
🔹Protect the backhaul with IPsec (ESP with integrity protection), as 3GPP's security architecture specifies for the S1 and N2 interfaces. What defeats injection is origin authentication and integrity, not confidentiality alone: the SCTP CRC32c checksum and the verification tag can be computed by anyone who observes the traffic.
🔹Even better, keep untrusted nodes off your backhaul switches: lock down switch ports and mirror/SPAN configuration, since the attack needs only a copy of the traffic, not an inline position.
🔹Detection lies in analyzing the packets that arrive at the victim in response to its requests. One will be the rogue one from the attacker, the other the legitimate one from the genuine server, and both carry the same verification tag and the same TSN but different payloads, which is a ready-to-use signature. Legitimate retransmissions also repeat a TSN, but with identical content, so compare payloads instead of alerting on the duplicate TSN alone. It only works if by chance you monitor this part of the network 🤷♀️
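To make both halves concrete, here is an added example (my own code, not from the post or from Söderlund's research) that builds and parses SCTP DATA packets, shows what the on-the-side node copies and predicts to forge the next reply, and runs the duplicate-TSN detector over a constructed AMF-to-gNB capture. The verification tag, payloads and packet order are made up; the NGAP port (38412) and payload protocol identifier (60) are the registered values. The detector also handles the benign case from the last bullet: a retransmission with the same TSN and identical payload is not flagged.

```python
"""Constructed example: SCTP DATA parsing, a MOTS-style forged reply, and a duplicate-TSN detector."""
import struct

SCTP_DATA = 0          # DATA chunk type (RFC 4960)
NGAP_PORT = 38412      # SCTP port for NGAP (N2); S1AP uses 36412
NGAP_PPID = 60         # IANA payload protocol identifier for NGAP


def build_sctp_data(src_port, dst_port, vtag, tsn, stream_id, stream_seq, payload, ppid=NGAP_PPID):
    """Serialize one SCTP packet with a single unfragmented DATA chunk.
    The CRC32c checksum is left at 0: it is an integrity check anyone can recompute,
    not an authenticity control, so it does nothing against an injector."""
    chunk_len = 16 + len(payload)                        # header length excludes padding
    chunk = struct.pack("!BBHIHHI", SCTP_DATA, 0x03, chunk_len,   # flags 0x03 = B|E bits
                        tsn, stream_id, stream_seq, ppid) + payload
    chunk += b"\x00" * (-len(payload) % 4)               # pad chunk to a 4-byte boundary
    return struct.pack("!HHII", src_port, dst_port, vtag, 0) + chunk


def parse_sctp(pkt):
    """Return (src_port, dst_port, vtag, data_chunks); non-DATA chunks are skipped."""
    src, dst, vtag, _csum = struct.unpack_from("!HHII", pkt, 0)
    off, chunks = 12, []
    while off + 4 <= len(pkt):
        ctype, _flags, clen = struct.unpack_from("!BBH", pkt, off)
        if clen < 4 or off + clen > len(pkt):
            raise ValueError("malformed chunk length")
        if ctype == SCTP_DATA and clen >= 16:
            tsn, sid, ssn, ppid = struct.unpack_from("!IHHI", pkt, off + 4)
            chunks.append({"tsn": tsn, "stream": sid, "ssn": ssn, "ppid": ppid,
                           "payload": pkt[off + 16:off + clen]})
        off += clen + (-clen % 4)
    return src, dst, vtag, chunks


def forge_next_data(observed_pkt, fake_payload):
    """What the on-the-side node does: copy ports and verification tag from the last
    DATA packet seen in the server-to-victim direction and predict the next TSN and
    stream sequence number. Nothing in the SCTP header is secret to an observer."""
    src, dst, vtag, chunks = parse_sctp(observed_pkt)
    last = chunks[-1]
    return build_sctp_data(src, dst, vtag, (last["tsn"] + 1) & 0xFFFFFFFF,
                           last["stream"], (last["ssn"] + 1) & 0xFFFF, fake_payload, last["ppid"])


def detect_duplicate_tsn(packets):
    """Flag DATA chunks that reuse a TSN already seen on the same association with a
    different payload. A genuine retransmission repeats the same bytes and is not
    flagged; an injected chunk racing the real one is."""
    first_seen = {}                      # (src, dst, vtag, tsn) -> payload seen first
    alerts = []
    for pkt in packets:
        src, dst, vtag, chunks = parse_sctp(pkt)
        for c in chunks:
            key = (src, dst, vtag, c["tsn"])
            if key not in first_seen:
                first_seen[key] = c["payload"]
            elif first_seen[key] != c["payload"]:
                alerts.append({"vtag": vtag, "tsn": c["tsn"],
                               "first": first_seen[key], "second": c["payload"]})
    return alerts


def sample_capture():
    """Constructed AMF->gNB traffic as seen on a SPAN port (vtag and payloads are made up)."""
    vtag = 0xC0FFEE01
    legit = lambda tsn, ssn, data: build_sctp_data(NGAP_PORT, NGAP_PORT, vtag, tsn, 0, ssn, data)
    p1000 = legit(1000, 10, b"NGAP-DownlinkNASTransport-1")
    p1001 = legit(1001, 11, b"NGAP-DownlinkNASTransport-2")
    forged = forge_next_data(p1001, b"NGAP-UEContextRelease")        # attacker's racing packet
    p1002 = legit(1002, 12, b"NGAP-DownlinkNASTransport-3")          # genuine one, arrives second
    return [p1000, p1001, forged, p1002, p1001]                      # last one: benign retransmit


if __name__ == "__main__":
    for a in detect_duplicate_tsn(sample_capture()):
        print(f"duplicate TSN {a['tsn']} on vtag {a['vtag']:#x}: {a['first']!r} vs {a['second']!r}")
```

The detector only fires on a tap that sees both the forged and the genuine packet on their way to the victim, which is the monitoring position the last bullet asks for; a tap downstream of the victim's SCTP stack would see only the accepted one.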
#CyberSecurity #NetworkSecurity #5GSecurity #MOTS #SCTP