Newly published research shows how attacks against the mobile communication standard LTE can be carried out. The researchers identified three attack vectors on LTE's layer two (the link layer) that put the confidentiality and privacy of LTE communication at stake: in two of them a passive attacker collects meta-information about the user's traffic, and in the third an active attacker modifies that traffic.
What is LTE? LTE is commonly marketed as 4G LTE and Advanced 4G, but the LTE specified in the 3GPP Release 8 and 9 document series does not meet the technical criteria of a true 4G wireless service; that bar is only reached by LTE Advanced.
Who are the researchers who made the discovery? The team consists of three researchers from Ruhr-University Bochum, Germany, and one researcher from New York University.
Three Types of Attacks Endangering LTE Revealed
The team first presented a passive identity mapping attack that matches volatile radio identities to longer-lasting network identities: in LTE terms, the short-lived radio network temporary identifier (RNTI) assigned to a radio connection is linked to the temporary mobile subscriber identity (TMSI). This enabled them to identify users within a cell and served as a building block for the follow-up attacks, the report reveals.
The second attack shows how a passive attacker can abuse the radio resource allocation as a side channel: the amount of data scheduled to a user over time forms a traffic pattern that can be matched against patterns recorded for known websites, a technique called website fingerprinting, through which the attacker learns which websites the user has visited.
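To illustrate the side channel, here is an added Go example written for this page; it is not the researchers' code, and the nearest-neighbour matching it uses is an assumption rather than the method from their paper. The per-slot allocation traces for the three known sites and the observed trace are constructed numbers, and the site names are placeholders. The point it makes is that the byte volume scheduled to the user per time slot, which an eavesdropper can observe without breaking any encryption, is enough to tell the sites apart.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed downlink allocation traces: bytes scheduled to the user in each
// time slot while a site loads. The numbers are made up for this example,
// not measurements from the paper, and the site names are placeholders.
var knownSites = map[string][]float64{
	"news.example":  {1400, 2800, 2800, 1200, 300, 0, 4200, 4200, 900},
	"shop.example":  {600, 600, 5600, 5600, 5600, 2100, 0, 0, 300},
	"forum.example": {1400, 0, 0, 1400, 1400, 0, 0, 1400, 0},
}

// distance is the Euclidean distance between two traces. Slots present in
// only the longer trace count in full as unmatched data.
func distance(a, b []float64) float64 {
	if len(a) < len(b) {
		a, b = b, a
	}
	sum := 0.0
	for i := range a {
		v := a[i]
		if i < len(b) {
			v -= b[i]
		}
		sum += v * v
	}
	return math.Sqrt(sum)
}

// Fingerprint picks the known site whose allocation trace is closest to the
// observed one (nearest neighbour) and returns its name and the distance.
func Fingerprint(observed []float64) (string, float64) {
	best, bestDist := "", math.Inf(1)
	for site, trace := range knownSites {
		if d := distance(observed, trace); d < bestDist {
			best, bestDist = site, d
		}
	}
	return best, bestDist
}

func main() {
	// Constructed observation: the shop trace with some scheduling jitter.
	observed := []float64{650, 550, 5500, 5700, 5600, 2000, 100, 0, 250}
	site, d := Fingerprint(observed)
	fmt.Printf("closest known site: %s (distance %.0f)\n", site, d)
}
```

A real fingerprinting setup needs many recorded traces per site and a more robust distance than this, but the scheduling data it relies on is exactly the allocation information the attack in the paper reads from the air interface.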
The third attack, which the researchers call aLTEr, exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) without integrity protection. In counter mode the ciphertext is the plaintext XORed with a keystream, so flipping a bit of the ciphertext flips the same bit of the decrypted plaintext, and with no integrity check the receiver cannot tell. This allowed the researchers to modify the message payload without knowing the key.
In a nutshell: the identity mapping attack lets a passive attacker collect meta-information about a user's traffic and tie it to that user; website fingerprinting, also passive, reveals the websites the user visits; and aLTEr lets an active attacker modify messages in transit.
In addition, the researchers demonstrated in a proof of concept how an active attacker can redirect DNS requests and then perform a DNS spoofing attack, so that the user ends up on a malicious website. Their “experimental analysis demonstrates the real-world applicability of all three attacks and emphasizes the threat of open attack vectors on LTE layer two protocols“.
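To make the aLTEr mechanism and the DNS redirection concrete, here is an added Go example written for this page; it is not code from the researchers. It encrypts a constructed packet whose destination address sits at the IPv4 header offset, flips the ciphertext bits so that the address decrypts to an attacker-chosen DNS server, and then applies the same flip to a ciphertext produced with an authenticated mode (AES-GCM) to show that integrity protection rejects it. The key, IV, nonce, addresses and packet bytes are all constructed; the example handles only the address field and does not reproduce the LTE PDCP frame format or the IP checksum adjustment a real redirection would need.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"net"
)

// dstOffset is where the destination address sits in an IPv4 header.
// The rest of the constructed packet is placeholder bytes, not a real LTE PDU.
const dstOffset = 16

// samplePacket builds a constructed 32-byte packet: a 20-byte IPv4-style
// header followed by a dummy 12-byte DNS payload.
func samplePacket(dst net.IP) []byte {
	pkt := make([]byte, 32)
	pkt[0] = 0x45 // version 4, header length 5 words
	copy(pkt[12:16], net.IPv4(10, 0, 0, 7).To4()) // placeholder source address
	copy(pkt[dstOffset:dstOffset+4], dst.To4())
	copy(pkt[20:], []byte("dns-query!!!"))
	return pkt
}

// ctrXOR encrypts or decrypts with AES-CTR; both directions are the same XOR.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// alter rewrites the destination address inside the ciphertext without the
// key: under a keystream XOR, c ^ (old ^ new) decrypts to new instead of old.
func alter(ct []byte, oldIP, newIP net.IP) []byte {
	mod := append([]byte(nil), ct...)
	o, n := oldIP.To4(), newIP.To4()
	for i := 0; i < 4; i++ {
		mod[dstOffset+i] ^= o[i] ^ n[i]
	}
	return mod
}

// RedirectedDst returns the destination address the victim's stack sees after
// decrypting the altered CTR ciphertext.
func RedirectedDst(key, iv []byte, realDNS, attackerDNS net.IP) string {
	ct := ctrXOR(key, iv, samplePacket(realDNS))
	pt := ctrXOR(key, iv, alter(ct, realDNS, attackerDNS))
	return net.IP(pt[dstOffset : dstOffset+4]).String()
}

// GCMRejectsAlteration applies the same bit flip to an AES-GCM ciphertext and
// reports whether authenticated decryption fails, as it should.
func GCMRejectsAlteration(key, nonce []byte, realDNS, attackerDNS net.IP) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	ct := gcm.Seal(nil, nonce, samplePacket(realDNS), nil)
	_, err = gcm.Open(nil, nonce, alter(ct, realDNS, attackerDNS), nil)
	return err != nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	iv := []byte("counter-block-00")  // constructed 16-byte CTR IV
	nonce := []byte("gcm-nonce-12")   // constructed 12-byte GCM nonce
	dns := net.IPv4(192, 0, 2, 53)    // operator's DNS server (documentation range)
	evil := net.IPv4(198, 51, 100, 66) // attacker's DNS server (documentation range)
	fmt.Println("CTR: altered packet decrypts to dst", RedirectedDst(key, iv, dns, evil))
	fmt.Println("GCM: altered packet rejected:", GCMRejectsAlteration(key, nonce, dns, evil))
}
```

The attacker never learns the key or the keystream; it is enough to know the original plaintext at the bytes being changed, which for a destination address in the operator's network is a fixed, guessable value. Adding a MAC or switching to an authenticated mode is what closes the hole, which is why the optional integrity protection for user data matters.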
Are these attacks a real threat to users?
Not at present, for most users. The attacks require specialized, costly radio equipment and custom software that are usually out of reach for average malicious actors, as the researchers themselves point out:
To conduct such attacks, the attacker depends on specialized hardware (so called software-defined radios) and a customized implementation of the LTE protocol stack. In addition, a controlled environment helps to be successful within an acceptable amount of time. In particular, the use of a shielding box helps to maintain a stable and noise-free connection to the attack setup. Especially the latter cannot be maintained in a real-world situation and more engineering effort is required for real-world attacks.
The attacks described in the researchers’ paper are all carried out in an experimental setup in a lab that depends on special hardware and a controlled environment. “These requirements are, at the moment, hard to meet in real LTE networks. However, with some engineering effort, our attacks can also be performed in the wild,” the researchers concluded.
The team says they contacted institutions such as the GSM Association (GSMA), the 3rd Generation Partnership Project (3GPP) and network operators to alert them to the issue. They also warned that the same issue could occur in the forthcoming 5G standard, at least in its current form: although 5G adds security features such as integrity protection for user data, these features are currently optional.
Last year, a serious cryptographic flaw was revealed at the Black Hat conference in Las Vegas. The vulnerability affected modern, high-speed cell networks and could allow low-cost phone surveillance and location tracking. It turned out that 3G and 4G devices deployed worldwide were vulnerable to so-called IMSI catchers, also known as Stingray devices. The flaw lay in the authentication and key agreement (AKA) protocol through which a device establishes a secure connection to the network.