Boffins have demonstrated how intelligence agencies and well-resourced hackers can potentially spy on people – by studying and meddling with mobile data flying over the airwaves.
The computer scientists have described in detail novel surveillance techniques that allowed them to identify people within a phone tower's radio cell, determine which websites they visited from their handsets, and redirect them to malicious webpages by tampering with DNS lookups.
However, the team cautioned that their work so far is experimental, and difficult to perform in real-world scenarios.
The three attacks – explained on a dedicated website – all target the data link layer of LTE, aka Long-Term Evolution, aka 4G, networks.
The identification and website snooping techniques are passive, in that a spy just listens to what's going out over the airwaves from phones, whereas the webpage redirection attack is an active operation – an agent needs to set up a malicious cell tower to tamper with transmissions. As such, the academics dubbed their DNS spoofing attack "aLTEr." The website spying works by identifying, to a particular level of certainty, sites by their patterns of traffic over the air.
The spying methods may not be restricted to 4G, we're told. Forthcoming 5G networks may also be vulnerable because they rely on the same underlying – and potentially exploitable – technologies.
Countermeasures need to be applied, as the researchers – David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper – explained:
The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets. However, the current 5G specification does not require this security feature as mandatory, but leaves it as optional configuration parameter.
The shortcomings can be exploited by determined and well-funded miscreants to snoop on persons of special interest, for example, politicians, journalists, and human rights activists.
However, the attacks have thus far only been demonstrated using a customized rig in a lab environment – which isn't to say the issue is purely theoretical. "With some engineering effort, our attacks can also be performed in the wild," said the researchers, who are computer scientists from Ruhr-Universität in Bochum, Germany, and New York University's Abu Dhabi campus in the UAE.
Researchers put together a video, and uploaded it to YouTube on Thursday, of how an aLTEr attack can be carried out:
A paper with all the technical details about the aLTEr attack can be found here [PDF]. Full details due to be presented during the 2019 IEEE Symposium on Security and Privacy next May.
The group informed relevant institutions such as the GSM Association (GSMA), the 3rd Generation Partnership Project (3GPP), and telephone companies as part of a responsible disclosure process before going public with their work.
Previous work on LTE protocol security identified attack vectors in both the physical (layer one) and network (layer three) layers. The latest findings explore issues in the data link layer (layer two) protocols, previously a blind spot in LTE security research, according to the boffins.
News of the so-called aLTEr attacks comes days after another team of eggheads unveiled further security concerns about Diameter [PDF], an authentication, authorization, and accounting protocol which is in the process of replacing RADIUS in 4G and 5G networks.
The flaw has concerned infosec experts. "4G is now looking like it has a serious security problem," said Professor Alan Woodward, a computer scientist at the University of Surrey in England.
Thorsten Holz, one the researchers, told El Reg: "I definitely agree that LTE [4G] has security problems. Fixing this attack is hard given that it is a protocol-level problem in the standard. 5G will hopefully fix it." ®