A team of from Ruhr-Universität Bochum and New York University Abu Dhabi has discovered some security issues in the LTE mobile device standard that could be exploited by persistent attackers (i.e. intelligence agencies, well-funded groups) to spy on users’ cellular networks, eavesdrop communications, hijack their data traffic.
LTE mobile telephony standard is currently used by billions of people worldwide, compared to other standards it includes many security improvements.
The experts devised surveillance techniques that allowed them to identify people within a phone tower radio cell, spy on their traffic, and redirect them to rogue websites by tampering with DNS lookups.
The researchers demonstrated three attack scenarios that target the data link layer of Long-Term Evolution networks, also known as LTE or 4G.
“Our security analysis of the mobile communication standard LTE ( Long-Term Evolution, also know as 4G) on the data link layer (so-called layer two) has uncovered three novel attack vectors that enable different attacks against the protocol.” reads the analysis published by the experts.
“On the one hand, we introduce two passive attacks that demonstrate an identity mapping attack and a method to perform website fingerprinting. On the other hand, we present an active cryptographic attack called aLTEr attack that allows an attacker to redirect network connections by performing DNS spoofing due to a specification flaw in the LTE standard.”
This data link layer lies on top of the physical channel, that maintains the wireless transmission of information between the users and the network. Layer two define the way multiple users can access the resources of the network, helps to correct transmission errors, and implement data protection through encryption.
Researchers distinguished between passive and active attack techniques, the former include identification and website snooping techniques, the latter is the webpage redirection attack.
The identification and website snooping techniques could allow attackers to spy on users by listening to what’s going out over the airwaves from phones, whereas the webpage redirection attack could be conducted by an attacker that sets up a malicious cell tower to tamper with transmissions.
The experts dubbed the DNS spoofing attack “aLTEr” and described it with this statement.
“The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext,” reads the research paper published by the experts.
“the adversary sends signals to the network or to the device by using a specific device that is capable of simulating the legitimate network or user device. In our case, the adversary does both and intercepts all transmissions between Bob and the network. Thus, Bob perceives the adversary as his usual network provider and connects to the simulation device. Towards the real network, the adversary acts like she was Bob.”
The experts conducted the attacks in a controlled environment and highlighted that the requirements are, at the moment, hard to meet in real LTE networks, anyway persistent attackers can replicate them in the wild.
The researchers used a shielding box to stabilize the radio layer and prevent inference during the tests.
The team set up two servers, a DNS server and an HTTP server, to shows how an attacker can hijack connections (see PoC attack video).
The experts published a paper with all the technical details of the aLTEr attack and a video PoC of the attack:
The researchers also described countermeasures to adopt in order to mitigate the attacks. The researchers already shared findings of their study with telco institutions, including the GSM Association (GSMA) and the 3rd Generation Partnership Project (3GPP), and telephone companies.
According to the experts, forthcoming 5G networks may also be vulnerable to these attack techniques because the 5G standard supports authenticated encryption.
“The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets,” the experts said.
“However, the current 5G specification does not require this security feature as mandatory, but leaves it as an optional configuration parameter.”
The researchers will share full details about their researcher during the 2019 IEEE Symposium on Security and Privacy.
(Security Affairs – aLTEr, hacking)