
Researchers Create Attacks That Compromise LTE Data Communication

Newly devised attacks on the Long Term Evolution (LTE) high-speed wireless standard break the confidentiality and privacy of communication, a team of researchers claim. 

In a newly published paper (PDF), researchers from Ruhr-University Bochum and New York University Abu Dhabi present a set of attacks against LTE’s data link layer (layer two) protocols, which could be used to identify mobile users within a cell, learn what websites the user visits, and even modify the message payload. 

A stealthy attacker, the researchers say, could perform an identity mapping attack and map the user’s temporary network identity (TMSI) to the temporary radio identity (RNTI). Neither value is known to the attacker beforehand, but both are contained in the radio packets.

“More specifically, we demonstrate how an attacker can precisely localize and identify a user within the cell, distinguish multiple transmission streams, and use this information as a stepping stone for subsequent attacks,” the researchers note. 

Using common paging techniques, the researchers were also able to identify and localize specific users for a pre-known TMSI within the cell. This, however, requires the use of an active interface, meaning that the attack becomes detectable. 

The researchers also demonstrate that, even for encrypted transmissions, plaintext information up to the Packet Data Convergence Protocol (PDCP) can be accessed, thus de-anonymizing connections otherwise considered secure due to encryption.

Targeting Tor with their website fingerprinting attack, the researchers revealed that information leaks in the metadata of a connection could be used to distinguish between different websites. They also demonstrated how website fingerprinting can be mapped to LTE layer two attacks.

Although they achieved a high success rate with such an attack, the researchers explain that the experiments were performed on a closed LTE network completely under their control and on a small set of websites.  


In addition to these passive attacks, the researchers devised an active attack on LTE’s layer two protocols. Called ALTER, it “exploits the missing integrity protection of LTE user data to perform a chosen-ciphertext attack,” affects all LTE devices and has implications up to the application layer, the research paper reads. 

For this attack scenario, the researchers used a malicious relay within the vicinity of the user, which intercepts DNS requests from the mobile device and uses a manipulation mask to change the original IP address to that of the malicious DNS server. 

The request is then forwarded to the commercial network, which sends it to the malicious server, and an additional manipulation in the downlink path ensures that the source IP address matches the target, thus rendering the attack undetected. 
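
The manipulation mask works because a stream-style cipher XORs a keystream onto the plaintext, so XORing a chosen mask onto the ciphertext flips exactly the same plaintext bits. The following added example (not from the paper or the article) uses a stand-in keystream, constructed keys, a constructed packet layout and documentation-range addresses to show the change passing unnoticed without integrity protection and being rejected once a MAC is verified.

```python
import hashlib, hmac, ipaddress

def keystream(key: bytes, count: int, n: int) -> bytes:
    # Stand-in keystream (assumption): HMAC-SHA256 in counter fashion,
    # not the cipher LTE actually uses.
    out, block = b"", 0
    while len(out) < n:
        msg = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crypt(key, count, data):
    # Encryption and decryption are the same XOR operation.
    return xor(data, keystream(key, count, len(data)))

def tag(ikey, count, ct):
    # Integrity tag over counter and ciphertext (hypothetical 4-byte MAC).
    return hmac.new(ikey, count.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:4]

def receive(key, ikey, count, ct, mac=None):
    # With a MAC, verify before decrypting; without one, accept anything.
    if mac is not None and not hmac.compare_digest(mac, tag(ikey, count, ct)):
        return None
    return crypt(key, count, ct)

def apply_mask(ct, offset, old, new):
    # mask = old XOR new; no key is needed to apply it to the ciphertext.
    mask = xor(old, new)
    end = offset + len(mask)
    return ct[:offset] + xor(ct[offset:end], mask) + ct[end:]

def demo():
    key, ikey, count = b"k" * 16, b"i" * 16, 7          # constructed values
    resolver = ipaddress.IPv4Address("192.0.2.53").packed
    other = ipaddress.IPv4Address("198.51.100.9").packed
    packet = resolver + b"query example.org"            # constructed layout
    ct = crypt(key, count, packet)
    mac = tag(ikey, count, ct)
    altered = apply_mask(ct, 0, resolver, other)
    return {
        "sent": packet,
        "no_integrity": receive(key, ikey, count, altered),
        "with_integrity": receive(key, ikey, count, altered, mac),
        "untouched": receive(key, ikey, count, ct, mac),
        "other": other,
    }
```

Without the tag, the receiver decrypts a well-formed packet whose first four bytes are the substituted address; with the tag, the altered ciphertext is dropped while the untouched one is accepted.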

The attack, however, poses several challenges, such as luring the user into connecting to the malicious relay, maintaining a stable radio connection, and identifying the DNS requests and responses among the transmitted packets. Packet manipulation is another issue an attacker would face.

After testing the ALTER attack in a real-world setup, the researchers determined it is a feasible assault scenario. By forwarding all messages between the user device and the network, the malicious relay remains undetectable. The attack, the researchers claim, is possible despite the LTE Authentication and Key Agreement (AKA) being formally proven secure.

“While lots of research effort in LTE security focuses on the physical and network layers, the data link layer has remained unexplored until now. […] Based on our findings, we urgently demand the implementation of effective countermeasures in the upcoming 5G specification to assure the security and privacy of future mobile communication,” the paper concludes.

Related: Researchers Devise New Attacks Against 4G LTE Mobile Networks

Related: Mobile Ecosystem Vulnerable Despite Security Improvements: DHS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
