The Long Term Evolution mobile device standard used by billions of people was designed to fix many of the security shortcomings in the predecessor standard known as Global System for Mobile communications. Mutual authentication between end users and base stations and the use of proven encryption schemes were two of the major overhauls. Now, researchers are publicly identifying weaknesses in LTE that allow attackers to send nearby users to malicious websites and fingerprint the sites they visit.
The attacks work because of weaknesses built into the LTE standard itself. The most crucial weakness is a form of encryption that doesn’t protect the integrity of the data. The lack of data authentication makes it possible for an attacker to surreptitiously manipulate the IP addresses within an encrypted packet. Dubbed aLTEr, the researchers’ attack causes mobile devices to use a malicious domain name system server that, in turn, redirects the user to a malicious server masquerading as Hotmail. The other two weaknesses involve the way LTE maps users across a cellular network and leaks sensitive information about the data passing between base stations and end users.
The attacks, which are described in a paper published Thursday, require about $4,000 worth of equipment that must be within about one mile of the targeted user. Because the weaknesses are the result of design decisions made when the LTE specification was under development, there is no way to patch them now. End users, however, can protect themselves against aLTEr by only visiting websites that use HTTP Strict Transport Security and DNS Security Extensions.
In an email, researchers Thorsten Holz and David Rupprecht of the Ruhr-Universität Bochum wrote:
The two significant contributions are that we show that LTE suffers from several attack vectors and demonstrate that LTE is vulnerable in practice. Most importantly, the aLTEr attack enables an adversary to redirect network connections and thus perform several kinds of attacks. Note that the underlying attack vectors are well-known and such attacks were demonstrated in other kinds of protocols in the past. We are the first to demonstrate that LTE, despite a lot of security improvements compared to GSM, also suffers from such attacks. We hope that our research will influence the security-related decisions in 5G such that future mobile communication protocols are not vulnerable to such attacks. Note that an attacker that wants to perform our attacks still needs to be in the proximity of the victim and she required special equipment (although this is easily available for an attacker). We think that, in particular, people that are of special interest (politician, journalists, ambassadors, upper management, …) should care about such attacks (see for example the attacks against politicians uncovered via the Snowden leaks). The main consequences of our attacks are that an attacker can use them to redirect network traffic, determine the visited website, or use this attack as a stepping stone for further attacks.
