Ghost telephonist impersonates you: Vulnerability in 4G LTE CS fallback

2017 
LTE is a globally deployed standard. CSFB (Circuit Switched Fallback) is one of the major voice solutions in LTE networks. We found one vulnerability in CSFB where the authentication step is missing. This allows an attacker to impersonate a victim. We named this attack 'Ghost Telephonist'. The consequences of this attack include: (1) The attacker can impersonate the callee and obtain the content of incoming calls or SMSs. (2) The attacker can impersonate the caller and initiate a call/SMS to others. (3) The attacker can obtain the victim's phone number and then use the phone number to launch further attacks, e.g. resetting the victim's Internet account. These exploitations can randomly choose victims, or target a given victim. The victim will not detect the attacks since no fake base station is used and no cell re-selection happens. We implemented our own baseband based on OsmocomBB and verified the vulnerability with our own phones in two operators' networks. The experiments validate that the vulnerability really exists. We have already reported the vulnerability to the operators and proposed countermeasures.