Abstract

The LTE standard defines a strong security mechanism and architecture for protecting 4G mobile communications. However, just as the name "Long Term Evolution" implies, LTE operators did not deploy a new, isolated global mobile communications network from the start, but have been continuously evolving their existing networks. On one hand, in order to simplify the network architecture, the LTE standard abandoned the circuit switched domain responsible for the traditional voice service, leaving only the packet switched domain. On the other hand, telecom operators will not give up voice services, which remain their main revenue. For a long time during LTE network construction, operators have needed to provide voice services by means of GSM / CDMA / UMTS networks, a mechanism called "Circuit Switched Fallback" (CSFB). Although the VoLTE voice service based on the packet switched domain has been gradually deployed in recent years, it is also necessary to introduce the SRVCC (Single Radio Voice Call Continuity) mechanism, which seamlessly maintains voice calls as mobile users move from LTE to non-LTE coverage areas. These measures increase the complexity of deploying 4G networks and may introduce vulnerabilities.

In this presentation, vulnerabilities introduced by the IRAT (Inter-Radio Access Technology) handover mechanisms in 4G LTE networks, such as CSFB and SRVCC, are revealed. These vulnerabilities allow attackers to hijack the victim's communication. We named these attacks "Ghost Telephonist". Through such attacks, attackers can impersonate the victim to make phone calls and send SMSes, as well as hijack the victim's incoming phone calls and SMSes. Furthermore, attackers can even gain access to the victim's internet accounts and online banking accounts, and even steal the victim's assets. Compared with the former presentation on this topic, this time we will introduce the more extended research results we obtained, and our effort on fixing this vulnerability together with operators and terminal manufacturers.