Security gaps in LTE mobile standard discovered
User data transmitted via LTE is encrypted but not checked for integrity. “An attacker can change the encrypted data stream and ensure that the messages are redirected to their own server without the user noticing,” explains David Rupprecht, one of the members of the team. Because the encryption is a stream cipher without an authentication tag, flipping a bit in the ciphertext flips the same bit in the decrypted packet, so the attacker can rewrite fields such as the destination address of a request without knowing the key. The attacker must be near the victim’s cell phone. They can interpose themselves in the communication between the mobile phone and the base station, alter the messages and redirect the user to a wrong web page. On this website the attacker can then perform any actions, for example retrieve entered passwords.
Web pages and apps that use the HTTPS security protocol in a correct configuration, however, offer reliable protection against this redirection: the browser issues a certificate warning if the site it has been redirected to cannot present a valid certificate for the expected domain. What cannot be prevented is an attacker observing certain activities on the mobile phone, such as who the user is and which websites they visit.
The Bochum researchers showed that they were able to deduce which website the user had visited solely from the traffic pattern, i.e. the amount of user data that the mobile phone sends and receives within a certain period of time. For this, the attacker does not need to actively interpose in the communication between the mobile phone and the base station; passively recording the metadata of the connection (timing, direction and size of the encrypted packets) is sufficient.
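What "deducing the website from the traffic pattern" means in practice, as an added example that is not part of the article and not the researchers' tooling: a passive observer bins the downlink byte volume of the encrypted link per time interval and matches the resulting profile against profiles recorded beforehand for candidate sites. The reference profiles, the capture, the bin width and the site names are all constructed numbers for illustration, not measurements from the study; the matching is a plain nearest-profile comparison where a real fingerprinting attack would use many traces per site and a trained classifier.

```python
# Constructed example: identifying a visited site from packet metadata alone.
# Direction, size and timing are visible to a passive listener even though the
# payload is encrypted. All numbers below are made up, not measurements from the paper.
BIN_WIDTH = 0.5   # seconds per bin (assumption)
BINS = 5

# Reference profiles: downlink bytes per 0.5 s interval, recorded beforehand by the
# attacker loading each candidate site on an equivalent connection (constructed).
FINGERPRINTS = {
    "news-site": [1200, 8400, 3100, 600, 200],   # front-loaded page load
    "webmail":   [900, 2100, 2300, 2200, 2000],  # steady background polling
    "video":     [400, 6000, 6200, 6100, 6300],  # sustained stream
}

# Constructed passive capture of the victim's link: (time in s, direction, bytes).
CAPTURE = [
    (0.05, "up", 80), (0.10, "down", 1200),
    (0.55, "down", 1400), (0.60, "down", 1400), (0.70, "down", 1400),
    (0.80, "down", 1400), (0.90, "down", 1400), (0.95, "down", 1400),
    (1.10, "down", 1400), (1.30, "down", 1400), (1.40, "down", 300),
    (1.60, "down", 600), (2.10, "down", 200), (2.20, "up", 60),
]


def profile(capture, bins=BINS, width=BIN_WIDTH):
    """Downlink bytes per time bin. The only input is metadata, never payload."""
    counts = [0] * bins
    for t, direction, size in capture:
        idx = int(t // width)
        if direction == "down" and idx < bins:
            counts[idx] += size
    return counts


def distance(observed, reference):
    # Manhattan distance, scaled by the reference volume so that a capture from a
    # slightly busier link still lands near the right profile.
    return sum(abs(x - y) for x, y in zip(observed, reference)) / max(1, sum(reference))


def identify(capture, fingerprints=FINGERPRINTS):
    """Return the nearest reference profile and its distance to the capture."""
    observed = profile(capture)
    best = min(fingerprints, key=lambda name: distance(observed, fingerprints[name]))
    return best, distance(observed, fingerprints[best])


if __name__ == "__main__":
    print(profile(CAPTURE))   # [1200, 8400, 3100, 600, 200]
    print(identify(CAPTURE))  # ('news-site', 0.0)
```

Uplink packets are ignored on purpose: on a page load the uplink is small and noisy, while the downlink volume over time is what distinguishes the sites in this constructed set. Padding or mixing traffic is what defeats this kind of matching; encryption alone does not.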
The attacks described can be carried out with freely available commercial equipment costing around 4,000 euros. For their experiments the researchers used a PC and two software-defined radios, which can transmit and receive LTE signals. One device masquerades as the mobile network towards the victim’s phone, the other masquerades as the victim’s phone towards the real mobile network. Relaying between the two, the system can alter specific data while forwarding most of it unchanged. Depending on the equipment, the attacker may be several hundred metres away from the victim’s cell phone when carrying out the attack.
Security gap remains in the 5G standard
“From the LTE documentation it is clear that integrity protection was deliberately dispensed with, which would prevent the attacks,” says IT security researcher Thorsten Holz, one of the discoverers of the security gaps. The reason: the integrity check would append an additional four bytes, a message authentication code, to every user-data packet. “Data transmission is expensive for network operators and integrity protection was considered unnecessary,” Holz continued.
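The manipulation described in the first part of the article, and what the four extra bytes discussed here would change, as an added example that is not part of the article or of the researchers' tooling. It uses only the Python 3 standard library; the stream cipher and the tag are constructed stand-ins (HMAC-SHA256 run in counter mode, and a truncated HMAC) for LTE's AES-based EEA2 encryption and EIA2 integrity algorithms, chosen because they share the property the attack relies on: ciphertext is plaintext XOR keystream. The keys, the packet counter, the addresses and the DNS query bytes are constructed, and the attacker is assumed to know the full plaintext of the victim's IPv4 header (its own address and the operator's resolver are predictable).

```python
import hashlib
import hmac
import socket
import struct

# Constructed stand-in for LTE's EEA2 (AES in counter mode): keystream blocks from
# HMAC-SHA256 over (packet counter, block index). Like AES-CTR, ciphertext is
# plaintext XOR keystream, so flipping a ciphertext bit flips the same plaintext bit.
def keystream(key: bytes, count: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">II", count, block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, count: int, data: bytes) -> bytes:
    return xor(data, keystream(key, count, len(data)))

decrypt = encrypt  # same keystream, same XOR

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; pass the header with the checksum field zeroed."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 + UDP/53 packet carrying a DNS query from the phone to its resolver."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, 0x4000, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]
    udp = struct.pack(">HHHH", 40000, 53, 8 + len(payload), 0)  # UDP checksum 0: unused (legal in IPv4)
    return hdr + udp + payload

def alter_destination(ciphertext: bytes, known_header: bytes, new_dst: str) -> bytes:
    """Attacker side, no key needed. Assumption: the 20-byte IPv4 header plaintext is known.
    XOR the difference between the known header and the wanted header into the ciphertext;
    the IP checksum is patched the same way so the victim's IP stack accepts the packet."""
    wanted = known_header[:10] + b"\x00\x00" + known_header[12:16] + socket.inet_aton(new_dst)
    wanted = wanted[:10] + struct.pack(">H", ipv4_checksum(wanted)) + wanted[12:]
    mask = xor(known_header, wanted) + bytes(len(ciphertext) - 20)  # UDP and DNS bytes untouched
    return xor(ciphertext, mask)

# What the four extra bytes buy: a 32-bit tag over counter and ciphertext, checked before
# decryption. Stand-in: truncated HMAC-SHA256 in place of 3GPP's AES-CMAC (EIA2).
def protect(key_enc: bytes, key_int: bytes, count: int, data: bytes) -> bytes:
    ct = encrypt(key_enc, count, data)
    tag = hmac.new(key_int, struct.pack(">I", count) + ct, hashlib.sha256).digest()[:4]
    return ct + tag

def unprotect(key_enc: bytes, key_int: bytes, count: int, msg: bytes):
    ct, tag = msg[:-4], msg[-4:]
    expected = hmac.new(key_int, struct.pack(">I", count) + ct, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(tag, expected):
        return None  # integrity failure: the PDU is dropped, nothing reaches the IP stack
    return decrypt(key_enc, count, ct)

KEY_ENC = bytes(range(16))       # constructed keys and packet counter
KEY_INT = bytes(range(16, 32))
COUNT = 7
# Constructed DNS query: id 0xabcd, RD set, one question: example.com A IN
QUERY = bytes.fromhex("abcd01000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"

def run_without_integrity():
    """Encryption only, as on the LTE user plane. Returns (destination the victim's stack
    sees, whether its IP checksum verifies, whether the DNS payload survived unchanged)."""
    pkt = build_packet("10.0.0.2", "10.0.0.53", QUERY)
    altered = alter_destination(encrypt(KEY_ENC, COUNT, pkt), pkt[:20], "192.0.2.1")
    seen = decrypt(KEY_ENC, COUNT, altered)
    hdr = seen[:20]
    checksum_ok = ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == struct.unpack(">H", hdr[10:12])[0]
    return socket.inet_ntoa(hdr[16:20]), checksum_ok, seen[20:] == pkt[20:]

def run_with_integrity():
    """Same manipulation against a tagged PDU. Returns (genuine PDU accepted,
    result for the altered PDU, which is None when the tag check fails)."""
    pkt = build_packet("10.0.0.2", "10.0.0.53", QUERY)
    msg = protect(KEY_ENC, KEY_INT, COUNT, pkt)
    altered = alter_destination(msg[:-4], pkt[:20], "192.0.2.1") + msg[-4:]
    return unprotect(KEY_ENC, KEY_INT, COUNT, msg) == pkt, unprotect(KEY_ENC, KEY_INT, COUNT, altered)

if __name__ == "__main__":
    print(run_without_integrity())  # ('192.0.2.1', True, True)
    print(run_with_integrity())     # (True, None)
```

The first run shows why encryption alone is not enough: the altered packet decrypts to a well-formed IPv4 datagram with a valid checksum and the original DNS question, now addressed to the attacker's resolver. The second run shows the cost side of the trade-off the article describes: four bytes per packet, and the same manipulation is rejected before the packet reaches the IP stack.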
According to the research team, integrity protection for user data is not mandatory in the upcoming 5G mobile phone standard either: devices would have to be configured correctly by the manufacturer for the protection to take effect, they say.