aLTEr: POC Exploit of LTE Layer Two
Long Term Evolution (LTE) is the latest mobile telephony standard designed to bring many security improvements over the predecessor standard known as the Global System for Mobile (GSM).
In a new research paper, security researchers from Ruhr-Universität Bochum and New York University Abu Dhabi outline attacks that could allow sophisticated hackers to spy on users’ cellular networks, modify the contents of their communications, and even reroute them to malicious or phishing websites.
According to the researchers, vulnerabilities have been documented in LTE’s physical layer (layer one) and the network layer (layer three), but not in the data link layer (layer two). In their research, the team performed a security analysis of LTE on layer two and analyzed these protocols for potential vulnerabilities. The team introduces two passive attacks and one active attack that could impair the confidentiality and privacy of LTE communication. The attacks work because of weaknesses built into the LTE standard itself. According to the researchers, the most crucial weakness is a form of encryption that doesn’t protect the integrity of the data. The lack of data authentication makes it possible for an attacker to manipulate the IP addresses within an encrypted packet.
The three attacks are:
- Passive: The two passive attacks are identity mapping and website fingerprinting, in which an attacker listens over the air to the data passing between the target’s phone and the base station.
- Active: “aLTEr” is a man-in-the-middle (MITM) attack in which the attacker intercepts communications and uses DNS spoofing to redirect the victim to a malicious website.
Based on frightening, hyperbolic headlines like “aLTEr: Attack every smartphone via LTE” and “LTE wireless connections used by billions aren’t as secure as we thought”, enterprise mobile professionals are concerned about the active threat, aLTEr (which builds on the passive capabilities). What follows is a brief description of the aLTEr attack, and then a description of how zIPS (powered by the most effective and complete mobile machine learning engine in the world, z9) can provide protection.
According to the research, in an aLTEr attack, an attacker would:
- Pretend to be a real cell tower to the victim.
- Pretend to be the victim to the real network.
- Intercept the communications between the victim and the real network.
- Redirect the victim to a malicious website.
aLTEr uses the lack of integrity checks in LTE’s lower layers to modify the contents of a data packet. Since that is relatively easy to do with DNS packets, which direct traffic to website addresses, an attacker can steer requests to malicious DNS servers and thus take the user to a website of their choice.
The researchers showed how an adversary could actively manipulate the encrypted payload and control specific parts of the message. They explained how an attacker could use a malicious LTE relay to manipulate the IP addresses within an encrypted packet, thereby redirecting a packet to a malicious DNS server in the uplink direction, while maintaining a stable and transparent connection at all times. In their POC, the researchers redirected the test user to a malicious server masquerading as Hotmail. While not part of the demonstration, Zimperium experience shows that fake sites can be used to phish credentials or deliver additional exploits.
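The cryptographic weakness behind aLTEr, as an added illustration that is not code from the paper or from Zimperium: LTE user-plane encryption is a keystream XORed with the data and carries no integrity tag, so flipping a ciphertext bit flips the same plaintext bit. The stand-in keystream, key, packet layout and IP addresses below are constructed for the demo; the last two functions show the mitigation, an integrity tag that makes the receiver reject the altered packet.

```python
import hashlib
import hmac
import socket
import struct

KEY = bytes(range(16))  # constructed demo key, not a real LTE key
DST_IP_OFFSET = 16      # destination address is bytes 16..19 of an IPv4 header

def keystream(key, count, length):
    """Stand-in keystream (HMAC-SHA256 in counter mode). LTE's EEA ciphers are
    likewise keystreams XORed with the data, so the malleability is the same."""
    blocks = (hmac.new(key, struct.pack(">II", count, i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, count, data):  # decryption is the same XOR operation
    return xor(data, keystream(key, count, len(data)))

def dns_query_packet(src_ip, dst_ip):
    """Constructed, simplified IPv4/UDP wrapper around a DNS header (checksums
    left zero: the demo is about the cipher, not about IP parsing)."""
    payload = bytes.fromhex("123401000001000000000000")  # DNS header only
    udp = struct.pack(">HHHH", 53000, 53, 8 + len(payload), 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp + payload

def flip_dst_ip(ciphertext, known_ip, new_ip):
    """The weakness: with no integrity check, XORing (known_ip XOR new_ip) into
    the ciphertext at a known offset rewrites the address the receiver decrypts."""
    delta = xor(socket.inet_aton(known_ip), socket.inet_aton(new_ip))
    ct = bytearray(ciphertext)
    for i, d in enumerate(delta):
        ct[DST_IP_OFFSET + i] ^= d
    return bytes(ct)

def integrity_tag(key, count, ciphertext):
    """The mitigation: a MAC (here HMAC-SHA256) over the counter and ciphertext."""
    return hmac.new(key, struct.pack(">I", count) + ciphertext, hashlib.sha256).digest()

def receive(key, count, ciphertext, tag=None):
    """Destination IP as the receiver decrypts it, or None if the tag does not verify."""
    if tag is not None and not hmac.compare_digest(integrity_tag(key, count, ciphertext), tag):
        return None
    pkt = encrypt(key, count, ciphertext)
    return socket.inet_ntoa(pkt[DST_IP_OFFSET:DST_IP_OFFSET + 4])
```

Calling `receive` on a flipped ciphertext without a tag yields the substituted address, while the same call with the sender's tag returns None, which is the check the current LTE user plane lacks.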
These attacks aren’t trivial. An attacker would need software-defined radios that run a customized implementation of the LTE specification. Attackers would also have to devise ways to make the connection stable, filter out radio interference, and evade fraud detection software implemented by many network operators. An attacker would also be required to know in advance where a target is located and have a malicious base station operating within a mile of the location. Finally, sniffing hardware isn’t cheap; Ars Technica places the cost at roughly $4,000. Whoever uses the attacks will likely be either a committed thief or a surveillance agency.
A Practical Note
aLTEr appears to be possible, and Zimperium endorses any improvements in the LTE standard to address the vulnerabilities. Having said that, it should be noted that there are more efficient ways for attackers to accomplish the same objectives. While the research is important to thwart future attacks, the current attacks (e.g., rogue access points, whether cellular or WiFi) are much more cost- and time-effective. Hackers will continue using the most efficient approaches until they are prevented. The researchers themselves state: “These requirements are, at the moment, hard to meet in real LTE networks.”
For its part, the GSM Association has stated, “Although the researchers have shown traffic modification to be feasible in a laboratory environment, there are a number of technical challenges to make it practical outside a laboratory… The GSMA does not believe that the specific technique demonstrated by the researchers has been used to target users in the past, nor is it likely to be used in the near future.”
How Zimperium Will Help Combat aLTEr
Zimperium zIPS, powered by z9, has many advantages, one of which is Zimperium’s full “Kill Chain” detection, wherein z9 detects attacks on the device at multiple steps, without any updates or signatures. In the aLTEr case, z9 can detect phishing and exploit attempts from the malicious site, and then prevent them via customer-defined policy enforcement. z9 also has additional network detection capabilities, currently focused on local WiFi networks, which can be extended to cellular networks if aLTEr-like attacks ever become commercial realities.