Multiple security holes found in 4G LTE standard
Security holes have been found in 4G LTE that make it possible for attackers to send users to malicious websites and to map their browsing behavior. The attacks work over a maximum distance of 2 kilometers and require a few thousand euros' worth of equipment.
One of the attacks, called aLTEr, involves intercepting 4G traffic and substituting the attacker's DNS server, after which the target is sent, for example, to a phishing website. This is possible because part of the mutual authentication between network and smartphone is not properly encrypted. The data packets are intercepted and the DNS address in the request is changed to that of a malicious DNS server, which in turn sends the target to, for example, a phishing website.
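The weakness the report describes as "not properly encrypted" is, in the researchers' published paper, user-plane data that is encrypted with a counter-mode stream cipher but carries no integrity protection, so an attacker who knows what value sits at a given offset can flip ciphertext bits to change it without the key. The example below is added here and is not the researchers' code: it uses a toy SHA-256 keystream as a stand-in for the LTE cipher, a constructed IPv4-style packet layout, constructed addresses, and an HMAC as a stand-in for the integrity algorithm (the "security parameter" the researchers want made mandatory). It shows both halves of the story: the destination address decrypts to the rogue resolver after tampering, and a MAC over the ciphertext detects the same tampering.

```python
import hashlib
import hmac
import os

# Toy counter-mode stream cipher standing in for the LTE user-plane cipher
# (real LTE uses AES-CTR, SNOW 3G or ZUC): keystream = H(key || nonce || ctr).
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return xor(data, keystream(key, nonce, len(data)))

decrypt = encrypt  # stream cipher: the same XOR in both directions

# Constructed packet layout: 20-byte IPv4-style header with the destination
# address (the phone's DNS resolver) at offset 16, followed by a DNS query.
DST_OFFSET = 16
LEGIT_DNS = bytes([10, 0, 0, 53])       # constructed operator resolver
ROGUE_DNS = bytes([198, 51, 100, 53])   # constructed, RFC 5737 documentation range

def build_packet(dst_ip: bytes, payload: bytes) -> bytes:
    header = bytearray(20)
    header[0] = 0x45                      # version 4, IHL 5
    header[12:16] = bytes([10, 0, 0, 2])  # constructed source address
    header[DST_OFFSET:DST_OFFSET + 4] = dst_ip
    return bytes(header) + payload

def flip_destination(ciphertext: bytes, old_ip: bytes, new_ip: bytes) -> bytes:
    """Malleability of an unauthenticated stream cipher: XOR the ciphertext
    bytes at the destination field with (old ^ new) and they decrypt to new.
    No key is needed, only the original value at that offset."""
    mask = xor(old_ip, new_ip)
    ct = bytearray(ciphertext)
    for i, m in enumerate(mask):
        ct[DST_OFFSET + i] ^= m
    return bytes(ct)

def integrity_tag(ikey: bytes, ciphertext: bytes) -> bytes:
    # The missing protection: a MAC over the ciphertext (HMAC as a stand-in
    # for the LTE integrity algorithm).
    return hmac.new(ikey, ciphertext, hashlib.sha256).digest()

def verify(ikey: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(ikey, ciphertext), tag)

def demo() -> dict:
    ckey, ikey, nonce = os.urandom(32), os.urandom(32), os.urandom(8)
    pkt = build_packet(LEGIT_DNS, b"\x12\x34\x01\x00 constructed dns query")
    ct = encrypt(ckey, nonce, pkt)
    tag = integrity_tag(ikey, ct)
    tampered = flip_destination(ct, LEGIT_DNS, ROGUE_DNS)
    return {
        "untampered_dst": decrypt(ckey, nonce, ct)[DST_OFFSET:DST_OFFSET + 4],
        "tampered_dst": decrypt(ckey, nonce, tampered)[DST_OFFSET:DST_OFFSET + 4],
        "untampered_verifies": verify(ikey, ct, tag),
        "tampered_verifies": verify(ikey, tampered, tag),
    }

if __name__ == "__main__":
    print(demo())
```

The point for defenders is the last two dictionary entries: confidentiality alone says nothing about whether the packet arrived as sent, and a receiver that checks a tag over the ciphertext rejects the modified packet before the rogue resolver address is ever used. Real packets also carry an IP header checksum, which this simplified layout omits.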
Browsing history mapping is possible in the form of a passive attack: a sniffer eavesdrops on a connection and, from the size of the packets and the frequency with which they are sent, determines which website or domain is involved. According to the researchers, this is done by fingerprinting the data streams of popular websites and comparing those fingerprints with the data packets going to the target. In test setups, the researchers reportedly achieved a success rate of around 89 percent with this method.
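To make concrete what such a fingerprint leaks even through encryption, here is an added example that is not the researchers' code or data: a few constructed per-site traces of signed packet sizes (positive downlink, negative uplink), a fingerprint built as a normalised histogram of direction and size bucket, cosine-similarity matching, and a simple constant-size padding transform to see how much of the signal it removes. The trace values, site names and bucket size are all assumptions for illustration.

```python
import math
from collections import Counter

# Constructed traces: packet sizes in bytes observed while loading each site.
# Positive = downlink, negative = uplink. Not real measurements.
TRACES = {
    "site-a": [-120, 1400, 1400, 1400, -80, 600, 1400, -80, 900],
    "site-b": [-150, 300, 300, -60, 300, 300, 300, -60, 200, 250],
    "site-c": [-100, 1400, 1400, -90, 1400, 1400, 1400, 1400, -90, 1400, 1400],
}

# A constructed observation of the target loading site-a, with small size jitter.
OBSERVED = [-110, 1400, 1350, 1400, -90, 650, 1400, -70, 950]

def fingerprint(trace, bucket=100):
    """Histogram over (direction, size bucket), scaled to a unit vector."""
    counts = Counter(("up" if s < 0 else "down", abs(s) // bucket) for s in trace)
    norm = math.sqrt(sum(c * c for c in counts.values()))
    return {k: c / norm for k, c in counts.items()}

def similarity(fp_a, fp_b):
    """Cosine similarity of two unit-length fingerprints."""
    return sum(v * fp_b.get(k, 0.0) for k, v in fp_a.items())

def classify(observed, traces):
    """Return (best match, margin over the runner-up) for an observed trace."""
    fp = fingerprint(observed)
    scores = sorted(((similarity(fp, fingerprint(t)), name) for name, t in traces.items()),
                    reverse=True)
    return scores[0][1], scores[0][0] - scores[1][0]

def pad_trace(trace, size=1400):
    """Defensive transform: pad every packet to a constant length, keeping direction."""
    return [size if s >= 0 else -size for s in trace]

def padded_classify(observed, traces):
    return classify(pad_trace(observed), {n: pad_trace(t) for n, t in traces.items()})

if __name__ == "__main__":
    print("raw:   ", classify(OBSERVED, TRACES))
    print("padded:", padded_classify(OBSERVED, TRACES))
```

On the constructed data the raw traces match site-a with a comfortable margin over the runner-up, and padding every packet to one length collapses that margin to almost nothing. It does not make the match wrong, though, because the number of packets in each direction still differs between sites: size padding alone hides packet lengths, not packet counts or timing, which is why the frequency of packets is part of the fingerprint the researchers describe.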
The attacks require a software-defined radio so that the attacker can impersonate the network operator. Such a device costs about 4000 dollars, according to Ars Technica. That means the attack, although feasible, requires a lot of money, knowledge and commitment, which in turn makes it more likely that it would only be used against specific targets, such as politicians and journalists.
The researchers, who come from Ruhr University in Bochum and NYU Abu Dhabi, have already reported their findings to the GSM Association, which in turn informed network providers and the 3GPP. The latter is the body responsible for drawing up, among other things, the 5G specification. The researchers want the security parameter that would prevent these attacks to be mandatory in 5G; in the current 5G specification it is still optional. In a response, the 3GPP states that it takes the active attack in which the DNS server is spoofed very seriously, but that it cannot report anything concrete at such short notice. It also points out that DNS spoofing can take place anywhere in the chain between user and DNS server and that only end-to-end security can prevent that.
The researchers have made a video of the proof of concept. The full research report can also be downloaded.