What is a renegotiation (downgrade) attack against LTE, and how is it mitigated?
A rogue base station forces a user to downgrade to GSM or UMTS, where significant cryptographic weaknesses exist. Mitigations: ensure an LTE connection (a "use LTE only" option), and use a rogue-base-station detector.
* Downgrade: the rogue cell forces fallback to breakable GSM A5/1. *
The threat:
- A rogue base station can push a phone to downgrade to GSM or UMTS
- Those older standards have significant cryptographic weaknesses (e.g., GSM's broken A5/1, one-sided authentication)
- The illustration: phone asks "Can I use LTE with AES?" — rogue BS replies "No. Use GSM using A5/1."
Why this works: phones support multiple generations for backward compatibility and will fall back when told the better option isn't available. The attacker exploits that fallback to drag the victim onto a weaker, breakable network.
Mitigations:
- Ensure an LTE connection — most current mobile devices don't let a user force staying on LTE, but a "use LTE only" option addresses this
- Use a rogue base station detector
Connection to GSM security: the downgrade attack is why GSM's weaknesses still matter in an LTE world — an attacker doesn't break LTE, they trick you out of it. The defense is refusing to fall back.
Go deeper:
Detecting IMSI-catchers and other mobile network attacks (CCC Camp, 2015) — the rogue base station that performs the downgrade, and the tell-tale signs (forced fallback, missing LTE) that betray it.
Stingray phone tracker (Wikipedia) — the commercial IMSI catcher's documented "force a downgrade to an older, less secure protocol" capability — this attack as a real product feature.