Data security researchers have shown that 4G LTE, a generation of wireless technology used by billions, is vulnerable to a straightforward (if slightly expensive) attack.
The attack, aLTEr, was discovered by David Rupprecht, Katharina Kohls, Thorsten Holz and Christina Pöpper from Ruhr-Universität Bochum and New York University Abu Dhabi.
It takes advantage of LTE’s data link layer, which lies on top of the physical channel between user and network. In terms of function, the layer organizes multi-user network resource access, corrects transmission errors and encrypts data.
While layers above the data link layer use mutual authentication to prevent connections to a fake network, the layers below are unprotected, making it possible for an attacker to manipulate web addresses without the user ever knowing.
For instance, the attacker could make it seem that a user was heading to Hotmail (an example seen in the video below) but actually send them to a spoofed version that nabs their login credentials.
Additionally, the issue cannot be patched short of overhauling the entire LTE protocol.
Fortunately, though, the attack requires approximately $4,000 USD of specialized (but easily accessible) equipment to create a fake cell tower that can pretend to be the legitimate network or user device. In the image shown in the header above, the device does both, intercepting all transmissions between the user and the network.
To the user, the fake tower is their usual network provider. To the real network, the attacker is their user. This allows for the modification of encrypted packets being sent both ways, exploiting the fact that the integrity of the user’s data is not protected.
Beyond the $4,000 investment, an attacker also has to be within a one-mile radius, which makes the attack most likely to happen to individuals of specific interest, like politicians or journalists.
To guard against the attacks, the simplest thing end users can do is to make sure they only visit websites that use HTTPS. Look out for the green ‘Secure’ notification beside your web address bar, rather than the red ‘Not secure’ — though this may change in the future.
In response to ArsTechnica, the GSM Association, a global organization that represents nearly 800 mobile operators and over 300 hardware and software companies, stated that it is aware of the weakness and doesn’t believe it has been used in the past.
It noted, however, that it’s working with industry on how it might be possible to include higher levels of protection regarding this issue into LTE, while the 5G standards already include support for further protections.