LTE Flaw Lets Attackers To Redirect Browsers And Snoop Into Users’ Browsing Activity

LTE (Long-Term Evolution), also known as the 4G network, not only offers Internet at higher speeds with security but also brings many security improvements over the predecessor standard known as GSM (Global System for Mobile) communications. LTE is used by millions of people across the globe.

However, researchers have now uncovered three exploits in the ‘data link layer’ of LTE network that allows hackers to control Internet traffic and redirect regular users to malicious or phishing websites and spy on their online activity without their knowledge to find out which sites they visit through their LTE device. The vulnerabilities are said to be built into the LTE standard itself, and affect the second layer of LTE, known as the data link layer.

The research team, made up of three researchers from the Ruhr-University in Bochum, Germany and a researcher from New York University Abu Dhabi in the UAE, have found two of the three attacks are passive, against LTE networks: an identity mapping attack and a method to perform website fingerprinting. The first one allows hackers to silently collect information about the victim(s), while the second one allows the attacker to identify the websites being visited by the user on their LTE device.

The third type of attack, called “aLTEr” by the team, is an active attack, “that allows an attacker to redirect network connections by performing DNS spoofing due to a specification flaw in the LTE standard”.

According to the researchers, the data link layer is not integrity-protected, which makes for an easy victim of the vector to cover its tracks while making a false cell tower.

“The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext.”

This bogus cell tower can take requests from the trusting user and pass on those requests to a real network. However, before forwarding these requests, the attackers behind it make changes to the bits of the encrypted packet. The attackers then redirect users to malicious websites by decrypting and re-encrypting the packet with a new DNS server.

While the attack is dangerous, it is difficult to perform in real-world scenarios, as it requires expensive and sophisticated equipment worth $4,000, say the researchers. However, the hackers who are state-sponsored or corporate-backed may find it easy to execute such attacks.

To exploit the flaw, the attacker needs to be within a 1-mile radius of the physical target.

“To conduct such attacks, the attacker depends on specialized hardware (so called software-defined radios) and a customized implementation of the LTE protocol stack. In addition, a controlled environment helps to be successful within an acceptable amount of time. In particular, the use of a shielding box helps to maintain a stable and noise-free connection to the attack setup. Especially the latter cannot be maintained in a real-world situation and more engineering effort is required for real-world attacks.

Such attacks are not restricted only to 4G, as these can also affect the upcoming 5G networks. Although 5G supports authenticated encryption, they are presently only optional.

“The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets,” the researchers said. “However, the current 5G specification does not require this security feature as mandatory, but leaves it as an optional configuration parameter.”

In order to avoid any further breach, it is recommended that users browse secure websites (HTTPS) and avoid any unsecured websites.

Meanwhile, the researchers have notified relevant institutions such as the GSM Association (GSMA), 3rd Generation Partnership Project (3GPP), and telephone companies about their findings.

The researchers have published their findings in a research paper titled ‘Breaking LTE Layer Two’, which they will be presenting at the 2019 IEEE Symposium on Security & Privacy that will be held in May 2019 in San Francisco.