Protocol underpinning 4G communications found vulnerable to three new attack vectors.

The security of Long-Term Evolution (LTE), the high-speed wireless communication standard commonly referred to as ‘4G’, has once again been thrown into question, after a team of university researchers discovered a clutch of weaknesses that could allow malicious websites to spy on a user’s online activity.

Previous work on LTE protocol security has identified crucial attack vectors for both the physical (layer one) and network (layer three) layers.

Now, a team of researchers from Ruhr-Universität Bochum in Germany and New York University Abu Dhabi has come forward with a new report that picks holes in the standard’s data link layer (layer two).

As outlined in the white paper and accompanying website, three attack vectors have been discovered that impair the confidentiality and privacy of LTE communications.

Passive snooping

The first two flaws leave users open to so-called ‘passive attacks’, whereby a malicious third party could eavesdrop on transmissions in order to map a user’s identity.

Although the data link layer protects transmissions through encryption, the researchers said an adversary with a sniffing device could ascertain which sites a user is visiting by analyzing certain meta-information and matching this with each site’s unique ‘fingerprint’.

“We conducted a website fingerprinting attack in our lab setup of an LTE network and tested different devices on a selection of the 50 most popular websites on the internet,” the researchers said.

“Our results indicate that such attacks, in fact, are possible: we achieve an average success rate of about 89% ± 10.”

Active interception

Even more worrying was the idea that identity mapping techniques could be used as a stepping stone for an ‘active’ attack – dubbed ‘aLTEr’ – in which an adversary could simulate both the legitimate network and a target device in order to intercept transmissions.

While LTE uses mutual authentication on the layers above the data link layer to stop a user’s device from connecting to a fake network, the layers below are unprotected, so an attacker positioned between the device and the network can forward the higher-layer messages between the two while remaining in the path.

“For the user data redirection attack, we exploit that the user data is not integrity protected,” the researchers explained. “Thus an attacker can modify the content of a packet if she knows the original plain text, even [if] the packet is encrypted.”

In a proof-of-concept demonstration, the researchers showed how an active assailant can redirect DNS requests and then perform a DNS spoofing attack. As a result, the user is redirected to a malicious website.
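The quoted point is the textbook malleability of a stream cipher: confidentiality alone does not stop a known-plaintext field from being changed in transit, and only an integrity tag lets the receiver notice. The following is an added illustration, not code from the paper or from any LTE implementation. It assumes a constructed SHA-256 counter-mode keystream as a stand-in for LTE’s real encryption algorithms, constructed keys and packet contents, and a truncated HMAC as a stand-in for a user-plane integrity algorithm; the function and variable names are the example’s own.

```python
import hashlib
import hmac

# Constructed stand-in for a stream cipher keystream. LTE's real algorithms
# (AES-CTR, SNOW 3G, ZUC) differ in detail, but they share the property shown
# here: ciphertext = plaintext XOR keystream.
def keystream(key: bytes, counter: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        msg = key + counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(msg).digest()
        block += 1
    return out[:length]

def encrypt(key: bytes, counter: int, plaintext: bytes) -> bytes:
    ks = keystream(key, counter, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

# XOR is its own inverse, so decryption is the same operation.
decrypt = encrypt

def malleate(ciphertext: bytes, known: bytes, desired: bytes) -> bytes:
    """Demonstrates the weakness: with no key at all, XORing the difference
    between the known plaintext and a desired plaintext into the ciphertext
    makes the receiver decrypt to the desired bytes, because the keystream
    it applies is unchanged."""
    assert len(known) == len(desired) == len(ciphertext)
    return bytes(c ^ a ^ b for c, a, b in zip(ciphertext, known, desired))

def integrity_tag(ikey: bytes, counter: int, ciphertext: bytes) -> bytes:
    # Stand-in for a user-plane integrity algorithm: a MAC over the counter
    # and the ciphertext, truncated to 32 bits (constructed choice).
    return hmac.new(ikey, counter.to_bytes(4, "big") + ciphertext,
                    hashlib.sha256).digest()[:4]

def receive_protected(key: bytes, ikey: bytes, counter: int,
                      ciphertext: bytes, tag: bytes):
    """Receiver with integrity protection enabled: verify before decrypting.
    Returns None when the packet was altered in transit."""
    expected = integrity_tag(ikey, counter, ciphertext)
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(key, counter, ciphertext)

def demo():
    ckey = b"constructed-confidentiality-key"   # constructed sample key
    ikey = b"constructed-integrity-key"         # constructed sample key
    counter = 7
    # Constructed packet: a known 4-byte destination field plus payload.
    original = b"DST=" + bytes([10, 0, 0, 1]) + b" payload"
    ct = encrypt(ckey, counter, original)
    # A relay that knows the original field substitutes a different one.
    desired = b"DST=" + bytes([192, 168, 7, 7]) + b" payload"
    tampered = malleate(ct, original, desired)
    # Receiver without integrity protection decrypts the altered bytes
    # and cannot tell anything happened.
    without_integrity = decrypt(ckey, counter, tampered)
    # Receiver with integrity protection rejects the altered packet.
    tag = integrity_tag(ikey, counter, ct)
    with_integrity = receive_protected(ckey, ikey, counter, tampered, tag)
    return without_integrity, with_integrity

if __name__ == "__main__":
    unprotected, protected = demo()
    print("no integrity check decrypts to:", unprotected)
    print("integrity check result:", protected)
```

The first result shows the modified destination field decrypting cleanly, which is the property the paper exploits; the second shows the same packet being dropped once a tag covers the ciphertext, which is why the authors argue that integrity protection on the user plane must be mandatory rather than optional.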

Roll on 5G?

While the researchers noted that the attack vector requirements are currently “hard to meet in real LTE networks”, they demonstrated that it would be possible for attacks to be performed in the wild.

What’s more, as device manufacturers and telcos around the world prepare for the rollout of 5G, the report’s authors said the latest high-speed communication standard may not be immune to aLTEr-based attacks.

“5G specifies user plane integrity protection as optional,” they said. “However, for a successful protection against aLTEr, the network needs to be configured correctly and the [user’s equipment] must support it.

“We argue that only mandatory integrity protection in 5G is a sustainable countermeasure.”

The researchers will present their full findings at the 2019 IEEE Symposium on Security & Privacy, which takes place in San Francisco next year.

A pre-print version of their paper is available here.