aLTEr: Hackers can spy on your 4G browsing sessions thanks to LTE flaws
Vulnerabilities have been discovered in LTE that would make it possible for an attacker to tap into 4G networks for the purposes of spying on and hijacking 4G browsing sessions.
Security researchers from Ruhr-Universität, Bochum and New York University, Abu Dhabi show how three different attacks can be launched on the second layer of LTE -- also known as the data link layer. Two passive attacks allow for identity mapping and website fingerprinting, while the active cryptographic aLTEr attack allows for DNS spoofing and network connection redirection.
The researchers, David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper, are due to share their findings at the 2019 IEEE Symposium on Security & Privacy next year, but has published a paper in the meantime. Their findings mean that all three protocol layers of LTE (physical, data link, and network) have been found to be problematic.
Current 4G networks are vulnerable, and it is thought that 5G networks could be as well. In the name of responsible disclosure, the group informed the likes of the GSM Association (GSMA), the 3rd Generation Partnership Project (3GPP), and telephone companies of its findings.
The four researchers share details of two passive attacks, but it is aLTEr that is the most concerning:
We present the ALTER attack that exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload. As a proof-of-concept demonstration, we show how an active attacker can redirect DNS requests and then perform a DNS spoofing attack. As a result, the user is redirected to a malicious website. Our experimental analysis demonstrates the real-world applicability of all three attacks and emphasizes the threat of open attack vectors on LTE layer two protocols.
In the video below, you can see how an aLTEr attack is used to redirect a victim to a fake Hotmail website:
The attack requires the use of a custom-built cell tower which would cost a few thousand dollars to make. While this puts the attack out of the reach of the casual hacker, the cost is by no means prohibitive. There are fears that there is no way to patch the vulnerability without re-writing the LTE protocol.
When contacted by Ars Technica, the GSM Association said:
Although LTE user traffic is encrypted over the radio interface and cannot be eavesdropped, it is not integrity protected. The research has shown that this lack of integrity protection can be exploited in certain circumstances using sophisticated radio equipment to modify user traffic. For example, when a user attempts to connect to a website that does not enforce the use of the HTTPS security protocol, the researchers have shown that it can be possible to re-direct users to a fake website.
Although the researchers have shown traffic modification to be feasible in a laboratory environment, there are a number of technical challenges to make it practical outside a laboratory. Mobile operators have fraud detection functions that can detect and react to certain attack scenarios, while several mobile applications and services use enforced HTTPS, which prevents traffic modification.
The GSMA does not believe that the specific technique demonstrated by the researchers has been used to target users in the past, nor is it likely to be used in the near future. However, as a result of this new research, the GSMA is working with the industry to investigate how to include the protection of the integrity of traffic and information (user plane integrity) in LTE. The 5G standards already include support for user plane integrity protection, and the GSMA is supporting the industry to ensure that it is fully deployed as 5G technology rolls out.
A detailed paper explaining the aLTEr attack can be found here.