LTE Mobile Standard Weakness Allows DNS Spoofing, Website Fingerprinting

The Long-Term Evolution (LTE) mobile communications standard, also known as 4G, has much better security than its predecessor, GSM, but is far from perfect. A team of researchers has demonstrated new techniques that allow hackers to launch both passive and active attacks against users’ internet traffic when connected over LTE.

The team, made up of three researchers from Ruhr-University Bochum and one from New York University Abu Dhabi, has developed three attacks that work despite the traffic encryption by LTE: One that can identify users connected to a network cell, one that can determine which websites users are visiting and one that allows spoofing DNS responses and redirecting users to malicious websites.

The researchers have demonstrated the attacks in a controlled laboratory setting and noted that implementing them on a commercial network would require specialized equipment and a high engineering effort.

That’s because attackers would need to gain a man-in-the-middle position by setting up a rogue LTE relay in close proximity to the victim so they can intercept, analyze and manipulate traffic. They would also have to deal with the background noise and uncontrolled dynamics of mobile networks in the real world.

That said, adversaries with sufficient resources and technical skill could launch such attacks against high-interest targets such as politicians, journalists or company executives.

The LTE standard uses mutual authentication, meaning that the network equipment and connecting devices verify each other’s identities before negotiating a key that is then used to encrypt communications. None of the attacks described by the researchers actually break that encryption.

Instead, the passive attacks work by making determinations about users’ traffic based on metadata—when and how often data is transmitted, the size of the packets, etc.—while the active DNS spoofing attack works because the LTE specification doesn’t use integrity verification for encrypted user data.

The researchers recorded traffic patterns that act as “fingerprints” for the internet’s 50 most popular websites and then showed that they can match them to LTE traffic metadata to determine which of those websites users accessed, with around 90 percent accuracy.

For the DNS spoofing attack, which the researchers have dubbed aLTEr, they set up a rogue network relay that manipulated parts of users’ encrypted DNS requests and redirected them to a server under their control.

“In the case of DNS packets, we know the destination address of the original DNS server,” the researchers said on a website dedicated to the attacks. “For the redirection, the attacker adds a specific offset, thus the DNS request is redirected to a DNS server under the adversary’s control.”

This means that whenever an attacked mobile device wants to find out the IP address of a legitimate website, the rogue DNS server can respond with an address pointing to a web server controlled by attackers. That server can then serve a rogue copy of the website the user wanted to access. For their demonstration, the researchers directed a mobile browser trying to access hotmail.com to a phishing page.
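The passage above, together with the researchers’ quote about adding a “specific offset”, describes the textbook malleability of counter-mode encryption without an integrity check: flipping a ciphertext bit flips the same plaintext bit, so anyone who knows the original value of a field can change it without knowing the key. The example below is an added illustration and is not code from the article or from the researchers; it uses a toy SHA-256 counter-mode keystream (an assumption standing in for the real AES-CTR, which has the same XOR structure), a constructed packet layout with a 4-byte destination address followed by a payload, and constructed RFC 5737 documentation addresses. It shows that a modified ciphertext decrypts to a different destination when there is no integrity protection, and that an encrypt-then-MAC tag (the kind of check the article says the LTE specification lacks) rejects the same modification.

```python
import hashlib
import hmac
import ipaddress
import struct

# Toy stream cipher: SHA-256 in counter mode produces the keystream.
# This is an assumption standing in for AES-CTR; the malleability property
# is identical because ciphertext = plaintext XOR keystream in both cases.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Nonce must be unique per packet in real use; fixed here for determinism.
    return xor_bytes(data, keystream(key, nonce, len(data)))


stream_decrypt = stream_encrypt  # XOR is its own inverse


# Constructed packet layout: 4-byte IPv4 destination address, then payload.
def build_packet(dst_ip: str, payload: bytes) -> bytes:
    return ipaddress.IPv4Address(dst_ip).packed + payload


def packet_destination(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(packet[:4]))


# Encrypt-then-MAC: the integrity check the article says LTE user data lacks.
def mac_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def decrypt_checked(enc_key: bytes, mac_key: bytes, nonce: bytes,
                    ciphertext: bytes, tag: bytes) -> bytes:
    if not hmac.compare_digest(mac_tag(mac_key, nonce, ciphertext), tag):
        raise ValueError("integrity check failed: ciphertext was modified in transit")
    return stream_decrypt(enc_key, nonce, ciphertext)


def xor_offset_in_transit(ciphertext: bytes, known_dst: str, chosen_dst: str) -> bytes:
    """Models the malleability: without the key, XOR the encrypted address
    bytes with (known_dst XOR chosen_dst). Because the keystream is unchanged,
    the same offset lands on the plaintext after decryption."""
    offset = xor_bytes(ipaddress.IPv4Address(known_dst).packed,
                       ipaddress.IPv4Address(chosen_dst).packed)
    return xor_bytes(ciphertext[:4], offset) + ciphertext[4:]


def demo() -> dict:
    enc_key = b"\x11" * 32          # constructed keys and nonce
    mac_key = b"\x22" * 32
    nonce = b"\x00" * 8
    packet = build_packet("192.0.2.53", b"DNS query: example.com")  # constructed
    ct = stream_encrypt(enc_key, nonce, packet)
    tag = mac_tag(mac_key, nonce, ct)

    tampered = xor_offset_in_transit(ct, "192.0.2.53", "198.51.100.53")
    result = {
        "original_dst": packet_destination(stream_decrypt(enc_key, nonce, ct)),
        # Without integrity protection the modified packet decrypts cleanly
        # to a different destination and an untouched payload.
        "tampered_dst_no_integrity": packet_destination(stream_decrypt(enc_key, nonce, tampered)),
        "payload_intact": stream_decrypt(enc_key, nonce, tampered)[4:] == packet[4:],
    }
    # With a MAC over the ciphertext the same modification is rejected.
    try:
        decrypt_checked(enc_key, mac_key, nonce, tampered, tag)
        result["tampered_accepted_with_integrity"] = True
    except ValueError:
        result["tampered_accepted_with_integrity"] = False
    result["untampered_accepted_with_integrity"] = (
        packet_destination(decrypt_checked(enc_key, mac_key, nonce, ct, tag)) == "192.0.2.53"
    )
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that confidentiality and integrity are separate properties: a MAC (or an AEAD mode such as AES-GCM) binds the ciphertext so that any bit flip, including one that leaves the payload untouched, fails verification before decryption is attempted.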

Fixing the aLTEr attack by adding integrity verification to the LTE specification at this point is almost impossible because existing infrastructure devices in mobile networks would need to be changed as well, which would be extremely costly.

However, websites that use HTTPS together with an HSTS (HTTP Strict Transport Security) policy are protected against DNS spoofing in general. That’s because HSTS policies create special records inside browsers that tell them they should always access those websites over HTTPS.

Short of hacking a certificate authority, attackers cannot obtain legitimate SSL certificates for websites they don’t own so they can’t spoof HTTPS websites. If those sites use HSTS as well, attackers can’t direct users to non-HTTPS versions either because browsers will refuse to connect.
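The two paragraphs above describe the browser-side record that HSTS creates: once a site has sent a Strict-Transport-Security header over a valid HTTPS connection, the browser upgrades later plain http:// requests for that host (and, with includeSubDomains, its subdomains) on its own, so a spoofed DNS answer cannot send the user to a plaintext page. The following is an added example, not code from the article or from any browser; it models a minimal HSTS policy store (header parsing per RFC 6797, expiry, subdomain matching, and the rule that the header is only honoured over HTTPS), with a constructed `demo()` showing which URLs get upgraded.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Minimal model of a browser's HSTS policy store (added example)."""

    def __init__(self, now=time.time):
        self._policies = {}   # host -> (expiry_timestamp, include_subdomains)
        self._now = now       # injectable clock so tests are deterministic

    def record_header(self, host: str, header_value: str, over_https: bool) -> bool:
        """Store the policy carried by a Strict-Transport-Security header.

        RFC 6797 requires the header to be ignored on plain HTTP (an attacker
        could otherwise plant or clear policies); returns True if stored."""
        if not over_https:
            return False
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        max_age = directives.get("max-age")
        if max_age is None or not max_age.isdigit():
            return False
        host = host.lower()
        if int(max_age) == 0:
            # max-age=0 tells the browser to forget the policy.
            self._policies.pop(host, None)
            return True
        self._policies[host] = (self._now() + int(max_age), "includesubdomains" in directives)
        return True

    def is_protected(self, host: str) -> bool:
        """True if host itself, or a parent with includeSubDomains, has a live policy."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if expiry <= self._now():
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Upgrade http:// to https:// when an HSTS policy covers the host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_protected(parts.hostname or ""):
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):          # RFC 6797: port 80 becomes 443
            netloc = netloc[:-3]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> dict:
    # Constructed clock and hosts; example.com and example.net are reserved names.
    clock = [1_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    stored_over_https = store.record_header(
        "example.com", "max-age=31536000; includeSubDomains", over_https=True)
    stored_over_http = store.record_header(
        "example.net", "max-age=31536000", over_https=False)
    result = {
        "stored_over_https": stored_over_https,
        "stored_over_http": stored_over_http,
        "host_upgraded": store.rewrite_url("http://example.com/login"),
        "subdomain_upgraded": store.rewrite_url("http://mail.example.com:80/inbox?x=1"),
        "unrelated_untouched": store.rewrite_url("http://example.net/"),
    }
    clock[0] += 31536001                      # advance past max-age
    result["expired_untouched"] = store.rewrite_url("http://example.com/login")
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Real browsers also ship a preload list so that the first visit is protected as well; this model, like a browser without preload, protects a host only after one successful HTTPS visit has delivered the header.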

“In our test setup, we conducted the attacks with minimal distance between the victim’s phone and our LTE relay,” the researchers said. “This is not possible in a realistic scenario, where the attacker needs to deploy the LTE relay without revealing herself. We can assume that our attacks are comparable to so-called IMSI catchers / Stingrays that are successful in ranges of up to approximately 2km.”

The researchers shared their paper with the GSMA, a trade body that represents mobile network operators, in advance of making it public. The GSMA also shared the findings with the 3rd Generation Partnership Project (3GPP), the body that defines the LTE and 5G standards.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
