If your mobile carrier offers LTE, also known as the 4G network, you need to beware as your network communication can be hijacked remotely.
A team of researchers has discovered some critical weaknesses in the ubiquitous LTE mobile device standard that could allow sophisticated hackers to spy on users’ cellular networks, modify the contents of their communications, and even can re-route them to malicious or phishing websites.
LTE, or Long Term Evolution, is the latest mobile telephony standard used by billions of people designed to bring many security improvements over the predecessor standard known as Global System for Mobile (GSM) communications.
However, multiple security flaws have been discovered over the past few years, allowing attackers to intercept user’s communications, spy on user phone calls and text messages, send fake emergency alerts, spoof location of the device and knock devices entirely offline.
4G LTE Network Vulnerabilities
Now, security researchers from Ruhr-Universität Bochum and New York University Abu Dhabi have developed three novel attacks against LTE technology that allowed them to map users’ identity, fingerprint the websites they visit and redirect them to malicious websites by tampering with DNS lookups.
All three attacks, explained by researchers on a dedicated website, abuse the data link layer, also known as Layer Two, of the ubiquitous LTE network.
The data link layer lies on top of the physical channel, which maintains the wireless communication between the users and the network. It is responsible for organizing how multiple users access resources on the network, helping to correct transmission errors, and protecting data through encryption.
Out of three, identity mapping and website fingerprinting developed by the researchers are passive attacks, in which a spy listens to what data is passing between base stations and end users over the airwaves from the target’s phone.
However, the third, DNS spoofing attack, dubbed “aLTEr” by the team, is an active attack, which allows an attacker to perform man-in-the-middle attacks to intercept communications and redirect the victim to a malicious website using DNS spoofing attacks.
What is aLTEr Attack?
Since the data link layer of the LTE network is encrypted with AES-CTR but not integrity-protected, an attacker can modify the bits even within an encrypted data packet, which later decrypts to a related plaintext.
“The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext,” the researchers said in their paper.
In aLTEr attack, an attacker pretends to be a real cell tower to the victim, while at the same time also pretending to be the victim to the real network, and then intercepts the communications between the victim and the real network.
As a proof-of-concept demonstration, the team showed how an active attacker could redirect DNS (domain name system) requests and then perform a DNS spoofing attack, causing the victim mobile device to use a malicious DNS server that eventually redirects the victim to a malicious site masquerading as Hotmail.
The researcher performed the aLTEr attack within a commercial network and commercial phone within their lab environment. To prevent unintended inference with the real network, the team used a shielding box to stabilize the radio layer.
Also, they set up two servers, their DNS server, and an HTTP server, to simulate how an attacker can redirect network connections. You can see the video demonstration to watch the aLTEr attack in action.
The attack is dangerous, but it is difficult to perform in real-world scenarios. It also requires equipment (USRP), about $4,000 worth, to operate—something similar to IMSI catchers, Stingray, or DRTbox—and usually works within a 1-mile radius of the attacker.
However, for an intelligence agency or well-resourced, skilled attacker, abusing the attack is not trivial.