Researchers Create Attacks That Compromise LTE Data Communication

Newly devised attacks on the Long Term Evolution (LTE) high-speed wireless standard break the confidentiality and privacy of communication, a team of researchers claim. 

In a newly published paper (PDF), researchers from Ruhr-University Bochum and New York University Abu Dhabi present a set of attacks against LTE’s data link layer (layer two) protocols, which could be used to identify mobile users within a cell, learn what websites the user visits, and even modify the message payload. 

A stealthy attacker, the researchers say, could perform an identity mapping attack and map the user’s temporary network identity (TMSI) to the temporary radio identity (RNTI). Both pieces of information are initially unknown to the attacker, but both are contained in the radio packets.

“More specifically, we demonstrate how an attacker can precisely localize and identify a user within the cell, distinguish multiple transmission streams, and use this information as a stepping stone for subsequent attacks,” the researchers note. 

Using common paging techniques, the researchers were also able to identify and localize specific users for a pre-known TMSI within the cell. This, however, requires the use of an active interface, meaning that the attack becomes detectable. 

The researchers also demonstrate that, even for encrypted transmissions, plaintext information up to the Packet Data Convergence Protocol (PDCP) can be accessed, thus de-anonymizing connections otherwise considered secure due to encryption.

Targeting Tor with their website fingerprinting attack, the researchers revealed that information leaks in the metadata of a connection could be used to distinguish between different websites. They also demonstrated how website fingerprinting can be mapped to LTE layer two attacks.

Although they achieved a high success rate with such an attack, the researchers explain that the experiments were performed on a closed LTE network completely under their control and on a small set of websites.  

In addition to these passive attacks, the researchers devised an active attack on LTE’s layer two protocols. Called ALTER, it “exploits the missing integrity protection of LTE user data to perform a chosen-ciphertext attack,” affects all LTE devices and has implications up to the application layer, the research paper reads. 

For this attack scenario, the researchers used a malicious relay within the vicinity of the user, which intercepts DNS requests from the mobile device and uses a manipulation mask to change the original IP address to that of the malicious DNS server. 

The request is then forwarded to the commercial network, which sends it to the malicious server, and an additional manipulation in the downlink path ensures that the source IP address matches the target, thus rendering the attack undetected. 
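
The effect of missing integrity protection described above, as an added example that is not from the paper or the original article: with a stream-style cipher, a party that knows part of the plaintext can shift it with an XOR mask without knowing the key, while a receiver that verifies a MAC rejects the modified packet. The SHA-256 keystream, the HMAC tag, the packet layout, the keys and the addresses are constructed stand-ins, not LTE's algorithms or formats.

```python
import hashlib
import hmac
import ipaddress

def keystream(key: bytes, count: int, length: int) -> bytes:
    """Toy counter-mode keystream (assumption: stands in for the LTE cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + count.to_bytes(4, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crypt(key: bytes, count: int, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream (same operation both ways)."""
    return xor(data, keystream(key, count, len(data)))

def tag(mac_key: bytes, count: int, ciphertext: bytes) -> bytes:
    """Truncated HMAC over counter and ciphertext (hypothetical integrity tag)."""
    msg = count.to_bytes(4, "big") + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:4]

def receive(key, mac_key, count, ciphertext, mac=None):
    """Return the plaintext; if a MAC is supplied, verify it first and
    return None when verification fails."""
    if mac is not None and not hmac.compare_digest(mac, tag(mac_key, count, ciphertext)):
        return None
    return crypt(key, count, ciphertext)

def demo():
    key, mac_key, count = b"constructed-enc-key", b"constructed-mac-key", 7
    resolver = ipaddress.IPv4Address("192.0.2.53").packed    # intended DNS server
    other = ipaddress.IPv4Address("198.51.100.66").packed    # address set by the relay
    packet = b"DST=" + resolver + b";query=example.org"      # constructed layout
    ciphertext = crypt(key, count, packet)
    mac = tag(mac_key, count, ciphertext)
    # Manipulation mask: zero everywhere except the 4 address bytes.
    mask = bytes(4) + xor(resolver, other) + bytes(len(packet) - 8)
    tampered = xor(ciphertext, mask)
    unprotected = receive(key, mac_key, count, tampered)      # decrypts "cleanly"
    protected = receive(key, mac_key, count, tampered, mac)   # rejected
    intact = receive(key, mac_key, count, ciphertext, mac)    # accepted
    return packet, unprotected, protected, intact

if __name__ == "__main__":
    for name, value in zip(("sent", "no integrity", "tampered+MAC", "intact+MAC"), demo()):
        print(f"{name:>13}: {value!r}")
```

Without the tag, the receiver has no signal that the destination field changed, because every other byte still decrypts to the original content.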

The attack, however, poses several challenges, such as luring the user into connecting to the malicious relay and maintaining a stable radio connection, and identifying the DNS requests and responses among the transmitted packets. Packet manipulation is another issue an attacker would face. 

After testing the ALTER attack in a real-world setup, the researchers determined it is a feasible attack scenario. By forwarding all messages between the user device and the network, the malicious relay remains undetectable. The attack, the researchers claim, is possible despite the LTE Authentication and Key Agreement (AKA) being formally proven secure.

“While lots of research effort in LTE security focuses on the physical and network layers, the data link layer has remained unexplored until now. […] Based on our findings, we urgently demand the implementation of effective countermeasures in the upcoming 5G specification to assure the security and privacy of future mobile communication,” the paper concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
