Long-Term Evolution (LTE) was introduced in order to improve upon current mobile data network protocols. LTE combines performance goals with security and is used by both the general consumer and enterprise alike. As such, it requires a high level of resilience against attacks due to the potentially private nature of the data being transmitted. aLTEr is an attack written by David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper which abuses the second layer of LTE, known as the data link layer.
What is aLTEr?
aLTEr is an attack which abuses the second layer of LTE, known as the data link layer. It can allow an attacker to hijack your browsing session and also redirect your network requests via DNS spoofing. Is it dangerous? Yes, but it also requires about $4,000 worth of equipment to operate. What’s more, it only works within a 1-mile radius of the attacker. You can check out the video below of how it was abused on a commercial LTE network to redirect Hotmail to a website that looks like Hotmail but is not Hotmail.
What is the data link layer of LTE?
The data link layer in this particular attack is what the researchers abused. This layer protects data through encryption, organizes how users access resources on the network, and helps to correct transmission errors. It’s on top of the physical channel which maintains continuous transmission of data between client and cell tower.
How does aLTEr work?
aLTEr works by abusing an inherent design flaw of LTE, meaning that no, it cannot be patched. Observe the image below.
aLTEr works by creating a cell tower which masquerades as the user it’s attempting to attack. This fake cell tower then takes the requests from the user and forwards them to the real cell tower, but not before modifying some key points of the data. Layers above the data link layer are protected via a mutual connection with the cell tower, but those below it are not. A user can then modify the DNS server requests that are sent to the cell tower, even if they are encrypted. This is because if you know the original DNS server, you can change what one it requests by decrypting the packet and re-encrypting it with a new DNS server to target. This is all in between the user and the cell tower, so neither end should be aware of what is happening.
But what does this mean? Well, you can create your own DNS server which points a web address to another IP. For example, XDA-Developers’ IP address is 184.108.40.206. All a DNS server does is request that IP, so what if a DNS server lied and gave you another IP address? In a non-malicious sense, it could forward you to 220.127.116.11 instead, for example, which is Google’s website in Ireland. There’s a lot of control you can gain over a user by changing the DNS server.
How practical is aLTEr and am I safe?
Well, there’s good news and bad news. The good news is as mentioned – this requires around $4,000 worth of hardware to do. Not something that people usually have lying around. This was tested in a very controlled environment, so there’s no telling how it will work in real life. What’s more, it would need to be a very targeted attack. The researchers estimate you would need to be within a mile radius of the target for it to work.
However, this attack is very practical. In theory, there’s nothing stopping somebody investing a lot of money and time into implementing this attack in your locality. What’s more, this cannot be patched as it would require overhauling the entire LTE protocol. The GSM Association and the 3rd Generation Partnership Project have both been notified, along with many other telephone companies that may benefit to be told about it.
So how can you protect yourself? The easiest way to do it is through the use of HTTPS. Always keep a lookout for that “Secure” text beside your address bar.
Left: Good / Right: Bad
Some of this is simple, but often users have a tendency to ignore the “Not secure” warning that our browsers give us. Never trust a website that Chrome says isn’t secure, as it’s very likely that it’s trying to steal your data by either spoofing a real website or by lying to you. Sometimes having an expired certificate will still lead to your web browser saying that the site isn’t secure, but it still shouldn’t be trusted.
ArsTechnica contacted the GSM Association and received this statement.
Although LTE user traffic is encrypted over the radio interface and cannot be eavesdropped, it is not integrity protected. The research has shown that this lack of integrity protection can be exploited in certain circumstances using sophisticated radio equipment to modify user traffic. For example, when a user attempts to connect to a website that does not enforce the use of the HTTPS security protocol, the researchers have shown that it can be possible to re-direct users to a fake website.
Although the researchers have shown traffic modification to be feasible in a laboratory environment, there are a number of technical challenges to make it practical outside a laboratory. Mobile operators have fraud detection functions that can detect and react to certain attack scenarios, while several mobile applications and services use enforced HTTPS, which prevents traffic modification.
The GSMA does not believe that the specific technique demonstrated by the researchers has been used to target users in the past, nor is it likely to be used in the near future. However, as a result of this new research, the GSMA is working with the industry to investigate how to include the protection of the integrity of traffic and information (user plane integrity) in LTE. The 5G standards already include support for user plane integrity protection, and the GSMA is supporting the industry to ensure that it is fully deployed as 5G technology rolls out.
Officials with the 3rd Generation Partnership Project did not respond to a request for comment by ArsTechnica.
The researchers also discovered a number of passive exploits, including one that could identify with 89% +/- accuracy of what website a user was visiting based on what encrypted data was downloaded.
It’s also worth noting that while it’s technically possible that 5G will mitigate the issues, it will require specific hardware to be used in cell towers. You can check out the official website for aLTEr below.
Source: aLTEr Attack
Rojenx is a leading concept artist who work appears in games and publications
Check out his personal gallery here