According to a study carried out by security experts from Horst Görtz Institute at Ruhr-Universität Bochum, security weaknesses in the LTE mobile telephony standard have largely helped cyber attackers to identify user behavior on the internet and thus carry out scams and fraud activities.
All devices using 4G/LTE technology like mobile phones, tablets, as well as certain household devices connected to the network are susceptible to this security flaw. The weaknesses are also present in the upcoming mobile telephony standard 5G, the standardization of which is currently pending. However, this problem can be resolved with the aid of other security mechanisms in browsers or apps. These findings were published by David Rupprecht, Katharina Kohls, Prof Dr. Thorsten Holz and Prof Dr. Christina Pöpper.
Rerouting Users to Wrong Websites
According to the study, the payload transmitted via LTE is encrypted, but its integrity is not verified. An attacker can alter the encrypted data stream and reroute the messages to his own server without alerting the user. In order to do so, the attacker has to be in the vicinity of the mobile phone he targets. Using special equipment, he cab intercept the communication between the phone and the base station and reroute the user to a fake website by altering the messages. On that website, the attacker can then perform any actions he chooses, including monitoring the passwords as they are entered.
Websites and apps that deploy the HTTPS security protocol in the correct configuration provide adequate protection against rerouting. They alert the user whenever he is about to be rerouted to a fake page. However, it is not possible to prevent an attacker from monitoring certain information and activities performed on the mobile phone, for example the identity of the user and the websites he views.
The researchers from Bochum have demonstrated that the traffic pattern alone - i.e. the payload volume sent by a phone within a specific period of time - gives an indication of the websites viewed by the user. In order to access this information, the attacker does not have to actively intercept the communication between mobile phone and base station; rather, simple passive recording of the transmitted metadata does the trick.
Off-the-shelf Equipment Sufficient to Carry out Attacks
The attacks described in the study can be carried out using commercially available equipment that can be purchased at a price of approximately 4,000 euros. In their experiments, the researchers utilized a PC and two so-called software-defined radios that enable the sending and receiving of LTE signals. One of the devices pretends to be the phone on a mobile phone network; the other pretends to be the real mobile phone network. Thus, the system is capable of altering specific data, while transmitting the bulk of the data unchanged. Depending on the equipment, the attacker can keep a distance of several hundred meters from the targeted phone during the attack.
The LTE documentations have shown that an integrity protection that would prevent attacks has been deliberately omitted. The reason for this is that in order to implement the security measure, an additional four bytes would have to be attached to each payload. Data transmission would become more expensive for the network operators, and the so-called integrity protection was deemed expendable. In the upcoming 5G mobile telephony standard, general integrity protection has not been provided for at present. Developers would have to configure the devices correctly for protection to become effective. The researchers are advocating closing the security gap in the new mobile telephony standard by default.
The team is going to present the security gap at the IEEE Symposium on Security and Privacy that will be taking place in San Francisco in May 2019. The study was conducted under the umbrella of the BERCOM project, short for "Blueprint for a pan-European system platform for resilient critical infrastructures".
