Researchers have found vulnerabilities in the LTE standard itself that expose users to attacks including identifying which users are present in a radio cell, determining which websites a given user accessed, and altering DNS traffic—giving attackers the ability to hijack a connection and misdirect victims to phishing sites.
The vulnerabilities were discovered by David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper of Ruhr-Universität Bochum and New York University Abu Dhabi, who collectively published their findings on this website. Of the three attack types described above, two are passive attacks, in which the attacker only listens to traffic and tries to derive information from it. The third is an active attack, which the researchers call "aLTEr."
The aLTEr attack is technically complex to pull off, partly because it relies heavily on outside infrastructure: it works as a DNS redirect, which is possible because authentication is applied inconsistently across the LTE protocol layers. According to the researchers:
LTE uses mutual authentication on the layers above the data link layer to prevent Bob's phone from connecting to a fake network. However, the layers below are unprotected and an attacker can forward high-layer messages. Bob's phone still assumes that he is connected to the original network. For the user data redirection attack, we exploit that the user data is not integrity protected. Thus an attacker can modify the content of a packet if she knows the original plain text, even if the packet is encrypted. In the case of DNS packets, we know the destination address of the original DNS server. For the redirection, the attacker adds a specific offset, so that the DNS request is redirected to a DNS server under the adversary's control.
This also requires the attacker to operate a malicious DNS server, as well as a phishing website to harvest the credentials of a user who would plausibly log in to that service from their phone.
These requirements for aLTEr come on top of the extensive hardware needed to pull off any of these attacks. Because they are radio attacks, remote exploitation is not possible: the attacker needs a software-defined radio and antenna to receive and transmit signals within relatively close range (up to 2 km) of the target.
The researchers have only conducted these proof-of-concept demonstrations in a controlled environment, and they note that carrying out the attacks in real-world situations is significantly more complex and requires correspondingly more engineering effort.
The researchers also note that these attacks are closely related to the behavior of IMSI catchers—commonly known as Stingrays, after a widely sold model from defense contractor Harris Corporation—though aLTEr actively sends data rather than trying to identify and localize a given target.
Additionally, the aLTEr attack is potentially exploitable on 5G networks. The researchers note that using "authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets," and that the 5G specification includes this functionality only as an option rather than requiring it.
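To show why the missing integrity protection in the quote above matters and why the fix the researchers name works, here is an added toy model (not the researchers' code and not LTE's real ciphering, which it replaces with a stand-in HMAC-based stream cipher): a known destination address in a stream-cipher-encrypted packet can be changed by XORing in an offset without the key, and the same modification is rejected once a message authentication code covers the packet. Keys, nonce, addresses and the packet layout are all constructed for the demo.

```python
import hashlib
import hmac
import struct
# Constructed demo keys and nonce. The keystream below stands in for LTE's user-plane
# cipher (it is NOT EEA2/AES-CTR); all that matters is that it is a stream cipher.
KEY, MAC_KEY, NONCE = b"k" * 32, b"m" * 32, b"n" * 8
ORIGINAL_DNS, ROGUE_DNS = "198.51.100.53", "203.0.113.7"  # documentation-range IPs

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def ctr_crypt(data: bytes) -> bytes:  # encryption and decryption are the same XOR
    return bytes(a ^ b for a, b in zip(data, keystream(KEY, NONCE, len(data))))

def build_packet(dst_ip: str, payload: bytes) -> bytes:
    # Toy "IP packet": 4-byte destination address followed by the payload.
    return bytes(int(o) for o in dst_ip.split(".")) + payload

def dst_ip_of(packet: bytes) -> str:
    return ".".join(str(b) for b in packet[:4])

def flip_destination(ciphertext: bytes, known_dst: str, new_dst: str) -> bytes:
    # The quote's "offset": XOR the plaintext address difference into the ciphertext; no key needed.
    delta = bytes(a ^ b for a, b in zip(build_packet(known_dst, b""), build_packet(new_dst, b"")))
    return bytes(c ^ d for c, d in zip(ciphertext, delta)) + ciphertext[4:]

def mac(ct: bytes) -> bytes:
    return hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()[:8]

def encrypt_protected(packet: bytes) -> bytes:
    ct = ctr_crypt(packet)
    return ct + mac(ct)  # encrypt-then-MAC: the tag binds the ciphertext

def decrypt_protected(blob: bytes):
    ct, tag = blob[:-8], blob[-8:]
    if not hmac.compare_digest(tag, mac(ct)):
        return None  # integrity check failed: the receiver drops the packet
    return ctr_crypt(ct)

def demo():
    packet = build_packet(ORIGINAL_DNS, b"DNS query: example.com")  # constructed
    tampered = flip_destination(ctr_crypt(packet), ORIGINAL_DNS, ROGUE_DNS)
    unprotected = dst_ip_of(ctr_crypt(tampered))  # decrypts cleanly to the rogue address
    # With a MAC on the packet, the same modification fails the integrity check.
    tampered = flip_destination(encrypt_protected(packet), ORIGINAL_DNS, ROGUE_DNS)
    return unprotected, decrypt_protected(tampered)  # ('203.0.113.7', None)
```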
The big takeaways for tech leaders:
- Vulnerabilities in the LTE standard have been discovered that let attackers uncover user identities, determine which websites are accessed, and alter DNS traffic.
- The aLTEr attack is potentially exploitable on 5G networks, though an optional security feature of the 5G specification would mitigate this risk if enabled.