Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Researchers Create Attacks That Compromise LTE Data Communication

Newly devised attacks on the Long Term Evolution (LTE) high-speed wireless standard break the confidentiality and privacy of communication, a team of researchers claim. 

Newly devised attacks on the Long Term Evolution (LTE) high-speed wireless standard break the confidentiality and privacy of communication, a team of researchers claim. 

In a newly published paper (PDF), researchers from Ruhr-University Bochum and New York University Abu Dhabi present a set of attacks against LTE’s data link layer (layer two) protocols, which could be used to identify mobile users within a cell, learn what websites the user visits, and even modify the message payload. 

A stealthy attacker, the researchers say, could perform an identity mapping attack and map the user’s temporary network identity (TMSI) to the temporary radio identity (RNTI). Both pieces of information are previously unknown to the attacker but are both contained in the radio packets. 

“More specifically, we demonstrate how an attacker can precisely localize and identify a user within the cell, distinguish multiple transmission streams, and use this information as a stepping stone for subsequent attacks,” the researchers note. 

Using common paging techniques, the researchers were also able to identify and localize specific users for a pre-known TMSI within the cell. This, however, requires the use of an active interface, meaning that the attack becomes detectable. 

The researchers also demonstrate that, even for encrypted transmissions, plaintext information up to the Packet Data Convergence Protocol (PDCP) can be accessed, thus de-anonymizing connections otherwise considered secure due to encryption.

Targeting TOR with their website fingerprinting attack, the researchers revealed that information leaks in the metadata of a connection could be used to distinguish between different websites. They also demonstrated how website fingerprinting can be mapped to LTE layer two attacks. 

Although they achieved a high success rate with such an attack, the researchers explain that the experiments were performed on a closed LTE network completely under their control and on a small set of websites.  

In addition to these passive attacks, the researchers devised an active attack on LTE’s layer two protocols. Called ALTER, it “exploits the missing integrity protection of LTE user data to perform a chosen-ciphertext attack,” affects all LTE devices and has implications up to the application layer, the research paper reads. 

For this attack scenario, the researchers used a malicious relay within the vicinity of the user, which intercepts DNS requests from the mobile device and uses a manipulation mask to change the original IP address to that of the malicious DNS server. 

The request is then forwarded to the commercial network, which sends it to the malicious server, and an additional manipulation in the downlink path ensures that the source IP address matches the target, thus rendering the attack undetected. 

The attack, however, poses several challenges, such as luring the user into connecting to the malicious relay and maintaining a stable radio connection, and identifying the DNS requests and responses among the transmitted packets. Packet manipulation is another issue an attacker would face. 

After testing the ALTER attack in a real-world setup, the researchers determined it is a feasible assault scenario. By forwarding all messages between the user device and the network, the malicious relay remains undetectable. The attack, the researchers claim, is possible despite the LTE Authentication and Key Agreement (AKA) being formally proven secure.

“While lots of research effort in LTE security focuses on the physical and network layers, the data link layer has remained unexplored until now. […] Based on our findings, we urgently demand the implementation of effective countermeasures in the upcoming 5G specification to assure the security and privacy of future mobile communication,” the paper concludes.

Related: Researchers Devise New Attacks Against 4G LTE Mobile Networks

Related: Mobile Ecosystem Vulnerable Despite Security Improvements: DHS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.