
aLTEr: A new LTE vulnerability that allows hackers to hijack your browsing session, spy on your browsing activity and steal login credentials

Sources: XDA Developers, Ars Technica, breaking_lte_on_layer_two.pdf

 

Quote

Breaking LTE on Layer Two

 

ABSTRACT

 

Long Term Evolution (LTE) is the latest mobile communication standard and has a pivotal role in our information society: LTE combines performance goals with modern security mechanisms and serves casual use cases as well as critical infrastructure and public safety communications. Both scenarios are demanding towards a resilient and secure specification and implementation of LTE, as outages and open attack vectors potentially lead to severe risks. Previous work on LTE protocol security identified crucial attack vectors for both the physical (layer one) and network (layer three) layers. Data link layer (layer two) protocols, however, remain a blind spot in existing LTE security research.

 

In this paper, we present a comprehensive layer two security analysis and identify three attack vectors. These attacks impair the confidentiality and/or privacy of LTE communication. More specifically, we first present a passive identity mapping attack that matches volatile radio identities to longer lasting network identities, enabling us to identify users within a cell and serving as a stepping stone for follow-up attacks. Second, we demonstrate how a passive attacker can abuse the resource allocation as a side channel to perform website fingerprinting that enables the attacker to learn the websites a user accessed. Finally, we present the ALTER attack that exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload. As a proof-of-concept demonstration, we show how an active attacker can redirect DNS requests and then perform a DNS spoofing attack. As a result, the user is redirected to a malicious website. Our experimental analysis demonstrates the real-world applicability of all three attacks and emphasizes the threat of open attack vectors on LTE layer two protocols.

Looks like a typical man-in-the-middle attack, but instead of a Wi-Fi network, it's on a 4G LTE network. For whatever reason, we can't just take a break from security vulnerabilities, and this one can lead to spying, phishing, and even malware infections. Looking at you, NSA! xD

 

Quote

 aLTEr is an attack written by David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper which abuses the second layer of LTE, known as the data link layer.

 

What is aLTEr?

aLTEr is an attack which abuses the second layer of LTE, known as the data link layer. It can allow an attacker to hijack your browsing session and also redirect your network requests via DNS spoofing. Is it dangerous? Yes, but it also requires about $4,000 worth of equipment to operate. What’s more, it only works within a 1-mile radius of the attacker. You can check out the video below of how it was abused on a commercial LTE network to redirect Hotmail to a website that looks like Hotmail but is not Hotmail.

What is the data link layer of LTE?

The data link layer in this particular attack is what the researchers abused. This layer protects data through encryption, organizes how users access resources on the network, and helps to correct transmission errors. It’s on top of the physical channel which maintains continuous transmission of data between client and cell tower.

 

How does aLTEr work?

aLTEr works by abusing an inherent design flaw of LTE, meaning that no, it cannot be patched. 


aLTEr works by creating a cell tower which masquerades as the user it’s attempting to attack. This fake cell tower then takes the requests from the user and forwards them to the real cell tower, but not before modifying some key points of the data. Layers above the data link layer are protected via a mutual connection with the cell tower, but those below it are not. A user can then modify the DNS server requests that are sent to the cell tower, even if they are encrypted. This is because if you know the original DNS server, you can change what one it requests by decrypting the packet and re-encrypting it with a new DNS server to target. This is all in between the user and the cell tower, so neither end should be aware of what is happening.


But what does this mean? Well, you can create your own DNS server which points a web address to another IP. For example, XDA-Developers’ IP address is 209.58.128.90. All a DNS server does is request that IP, so what if a DNS server lied and gave you another IP address? In a non-malicious sense, it could forward you to 64.233.177.94 instead, for example, which is Google’s website in Ireland. There’s a lot of control you can gain over a user by changing the DNS server.

But considering the fact that the equipment requires $4000, it's not something a run-of-the-mill hacker can afford. But rich people, especially governments like the NSA or any intelligence agency, can afford it. What's more terrifying is that the hack can work within the one mile range, so any person can be affected, and there is no patch for the hack; the only way to fix it is by implementing 5G. Just like how WPA3 solves the security shortcomings of WPA2 but requires a new compatible wireless AP and devices (phone, laptop, tablet, etc.) to get fixed.

Quote

Holz and Rupprecht said the 5G specification that’s slated to replace LTE has the ability to mitigate the weaknesses by using what’s known as user plane integrity protection. That protection, however, is optional and requires that an operator use specific equipment. The researchers are suggesting that the 5G specification be revised to make integrity assurance mandatory.

 

“Based on our findings,” the researchers wrote, “we urgently demand the implementation of effective countermeasures in the upcoming 5G specification to assure the security and privacy of future mobile communication.”

The researchers also point out that the only way to protect yourself from an aLTEr attack is to watch your URL bar to see whether you're viewing a secure website or not. So far Google Chrome's shaming campaign works.


 

GSMA sent an email to Ars Technica saying:

Quote

Although LTE user traffic is encrypted over the radio interface and cannot be eavesdropped, it is not integrity protected. The research has shown that this lack of integrity protection can be exploited in certain circumstances using sophisticated radio equipment to modify user traffic. For example, when a user attempts to connect to a website that does not enforce the use of the HTTPS security protocol, the researchers have shown that it can be possible to re-direct users to a fake website.

 

Although the researchers have shown traffic modification to be feasible in a laboratory environment, there are a number of technical challenges to make it practical outside a laboratory. Mobile operators have fraud detection functions that can detect and react to certain attack scenarios, while several mobile applications and services use enforced HTTPS, which prevents traffic modification.

 

The GSMA does not believe that the specific technique demonstrated by the researchers has been used to target users in the past, nor is it likely to be used in the near future. However, as a result of this new research, the GSMA is working with the industry to investigate how to include the protection of the integrity of traffic and information (user plane integrity) in LTE. The 5G standards already include support for user plane integrity protection, and the GSMA is supporting the industry to ensure that it is fully deployed as 5G technology rolls out.

Unfortunately, there's no commercially available 5G network at the moment, nor has any OEM released any phone, laptop, or IoT device that supports 5G; those are expected as early as the middle of 2019.

 

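The counter-mode weakness the thread keeps coming back to, as an added Go example (not code from the paper, XDA Developers or Ars Technica): the 32-byte packet layout, the fixed demo keys and the RFC 5737 documentation addresses are all constructed assumptions. AES-CTR stands in for the LTE user-plane cipher, and the HMAC tag stands in for the user plane integrity protection the GSMA statement says LTE lacks and 5G makes available.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net"
)

// Constructed sample "user-plane packet" (not LTE's real PDCP/IP layout):
// 16 bytes of filler, the 4-byte IPv4 address of the DNS resolver, the query name.
const dstOff = 16

func buildPacket(resolver string) []byte {
	pkt := make([]byte, 32)
	copy(pkt, "EXAMPLE-DNS-QRY:") // stands in for UDP/DNS header fields
	copy(pkt[dstOff:], net.ParseIP(resolver).To4())
	copy(pkt[dstOff+4:], "example.com.") // 12 bytes, fills the packet exactly
	return pkt
}

func resolverOf(pkt []byte) string { return net.IP(pkt[dstOff : dstOff+4]).String() }

// ctrXOR applies AES-128-CTR. CTR is a stream cipher: one call both encrypts and
// decrypts, and flipping a ciphertext bit flips the matching plaintext bit.
func ctrXOR(key, nonce, data []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes in this example
	out := make([]byte, len(data))
	cipher.NewCTR(block, nonce).XORKeyStream(out, data)
	return out
}

// redirect models the on-path change the paper describes: knowing the original
// resolver address, XOR (old ^ new) into the ciphertext bytes that carry it. No key needed.
func redirect(ct []byte, oldResolver, newResolver string) []byte {
	oldIP, newIP := net.ParseIP(oldResolver).To4(), net.ParseIP(newResolver).To4()
	out := append([]byte(nil), ct...)
	for i := range oldIP {
		out[dstOff+i] ^= oldIP[i] ^ newIP[i]
	}
	return out
}

// seal adds what LTE's user plane lacks: an integrity tag (encrypt-then-MAC, separate key).
func seal(encKey, macKey, nonce, pt []byte) (ct, tag []byte) {
	ct = ctrXOR(encKey, nonce, pt)
	m := hmac.New(sha256.New, macKey)
	m.Write(nonce)
	m.Write(ct)
	return ct, m.Sum(nil)
}

// open checks the tag before decrypting, so a modified ciphertext is dropped.
func open(encKey, macKey, nonce, ct, tag []byte) ([]byte, error) {
	m := hmac.New(sha256.New, macKey)
	m.Write(nonce)
	m.Write(ct)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, fmt.Errorf("integrity check failed: packet modified in transit")
	}
	return ctrXOR(encKey, nonce, ct), nil
}

func main() {
	// Fixed demo keys/nonce and RFC 5737 documentation addresses, all constructed.
	encKey, macKey, nonce := []byte("0123456789abcdef"), []byte("demo-integrity-key"), make([]byte, aes.BlockSize)
	pt := buildPacket("192.0.2.53")
	tampered := redirect(ctrXOR(encKey, nonce, pt), "192.0.2.53", "198.51.100.7")
	fmt.Println("CTR only, receiver resolves via:", resolverOf(ctrXOR(encKey, nonce, tampered)))
	ct, tag := seal(encKey, macKey, nonce, pt)
	_, err := open(encKey, macKey, nonce, redirect(ct, "192.0.2.53", "198.51.100.7"), tag)
	fmt.Println("with integrity tag:", err)
}
```

The first print shows the receiver resolving via the attacker-chosen address even though the key was never touched; the second shows the identical modification rejected before decryption once a tag is checked.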

1 minute ago, captain_to_fire said:

bet UK's GCHQ does something similar

Oh I have no doubts they do, but NSA so much worse, so so so much worse. 


"flaw"? more like, "feature"

This should come as no surprise, given that we know the phone companies responsible for setting the specification are themselves compromised by intelligence agencies worldwide.

 

It's not like anyone uses 4G as we're all on 5G according to sales reps.


This isn't exactly that far fetched as you've been able to spoof cell towers for a long time now, this just seems like a logical next step to me. Really it's effectively taking a standard 802.11 MITM/DNS poisoning/rogue AP attack and making a cellular version.


4 hours ago, 2FA said:

This isn't exactly that far fetched as you've been able to spoof cell towers for a long time now, this just seems like a logical next step to me. Really it's effectively taking a standard 802.11 MITM/DNS poisoning/rogue AP attack and making a cellular version.

Usually a VPN can protect a device from SSL stripping, an example of MITM. I don't think it will work with aLTEr. But yes, it's an improvement over earlier cell tower spoofing where you need to be near the attack victim. With this one though, it will work within a mile (1.609 kilometers) radius, which is already big; the hacker doesn't have to appear like a creep inside a van.


Besides 4G, smartphones have 3G implemented as well. Would it be possible to mitigate this MITM weakness in Chrome (or some other browser) or from within the OS by reloading pages without SSL over 3G?

 

The idea is that pages where SSL has been stripped by a compromised 4G network, the device would simply reload the page over the 3G network instead.


A VPN should stop this kind of attack, shouldn't it? Your connection should be encrypted to the VPN server and your phone would use the VPN's DNS. I'm pretty sure some VPN apps also lock down internet access if your connection drops, which I would imagine would happen if your phone connects to the attacker's equipment.


1 hour ago, captain_to_fire said:

Usually a VPN can protect a device from SSL stripping, an example of MITM. I don't think it will work with aLTEr. But yes, it's an improvement over earlier cell tower spoofing where you need to be near the attack victim. With this one though, it will work within a mile (1,609 kilometers) radius, which is already big; the hacker doesn't have to appear like a creep inside a van.

1. I think you meant meters there, not kM.

2. Distance is dependent upon the hardware used for the cell site and resultant power levels. It's just that in this exact case with their equipment, it was roughly a 1 mile radius.


15 minutes ago, 2FA said:

think you meant meters there, not kM

That depends on if he uses a comma or a period for decimal point. His use of KM might be correct.


Is this bad? Yes. Is it surprising? Not really, especially since it's a DNS spoofing attack and people are dumb enough to click through errors with web certificates. I feel like man-in-the-middle attacks are the biggest, most exploitable part of security and have been for a while, which is why you should use a VPN and triple-check the encryption on websites. Also, stripping the encryption from a website seems like it has gotten easier and easier lately.


1 hour ago, gabrielcarvfer said:

There are cheaper SDR (Software Defined Radio) solutions that can be used with srsLTE, including LimeSDR, that costs US$ 300.

But does it have the same coverage as the one in OP up to one mile? 


8 minutes ago, captain_to_fire said:

But does it have the same coverage as the one in OP up to one mile? 

An in-line amplifier will solve the range problem. Though I strongly suspect radio frequency and power are not the only hurdles needed to gain access to an LTE network.


3 hours ago, Drak3 said:

That depends on if he uses a comma or a period for decimal point. His use of KM might be correct.

Ahh, yes you are right.


Oh dear... does this only work if user is using LTE/4G? Or can I switch it to 3G only and the attack no longer work?


3 minutes ago, sof006 said:

Oh dear... does this only work if user is using LTE/4G? Or can I switch it to 3G only and the attack no longer work?

I think a similar hack is already in existence since the days of 3G (HSPA+ for GSM, EVDO Rev. A for CDMA). It cannot be patched and the only solution is switching to a 5G network which just like WPA3, overcomes the security holes of LTE and with added protections when data is in transit. 

 

5 hours ago, Amazonsucks said:

Sounds like Stingrays do work with 4G then. And that video doesn't have EVERYTHING one needs to know about 5G?

-snip-

You cited a British fake news tabloid called "Daily Mail". Also, the author from the Global Research seems to be misleading the reader. I've read the actual report from US NTP and the findings are:

  • low incidences of brain and heart tumors in male rats but not female rats
  • effects on humans are still inconclusive

https://linustechtips.com/main/profile/277318-captain_to_fire/?status=191072&type=status

Quote

Interesting, while both CDMA and GSM radiation was found to cause brain and heart cancer in Sprague Dawley rats, until this very day, whether it causes cancer to humans or not is inconclusive. [Primary source: US NIH National Toxicology Reports]

 

While it's now clear that we shouldn't ignore this research, we also shouldn't be paranoid. I can think of some reasons as to why non-ionizing GSM/CDMA radiation gave those rats cancer but is inconclusive for humans:

  • We human beings have a higher tolerance to radiation, whether it's ionizing or non-ionizing. Every day, cells multiply and die, and those dead ones are constantly replaced; during cell division, errors occur and such errors are worsened by external factors such as radiation, and yet people sunbathe all the time and get x-rays at least once a year and nothing happens. Mammals have their fair share of defenses against cancer at the cellular level. Proto-oncogenes (e.g. myc, sis, bcl-1, etc.) are the ones responsible for normal cell division and tumor suppressor genes (e.g. p53, BRCA1, etc.) put the brakes on cell division. They are basically each other's checks and balances, and any imbalance to both can result in diseases including cancer [Note: a single genetic mutation is not enough to cause cancer; even if someone inherits a predisposition, there's a high chance they'll never have cancer for the rest of their lives]. It is possible that cellphone radiation may be able to give rats cancer but not enough to cause genetic mutation in humans.
  • I can see that double-blind human studies would be deemed unethical by so many people, and for the most part it can be; that's why health authorities are limited to observation of simple or clustered random samples.
  • Since human studies could be deemed unethical, how about in the future scientists try studying the effects of cellphone radiation on human cell lines in vitro? Those can be obtained easily and can actually be bought. I'd like to see future researchers add isotope labelling so that they can monitor the changes the cell undergoes once exposed to non-ionizing radiation and determine the pathways that could lead to cancer, so that proper treatments can be made.
  • Assuming that cellphone radiation is indeed carcinogenic like UV and X-rays, how are they going to study demographics? Due to environment, culture and history, a lot of people may inherit a predisposition to certain diseases, and that includes cancer. Do people with an inherited BRCA1 mutation have an increased risk while using their phone?
  • Assuming that it can cause cancer in humans, which is more carcinogenic: the sub-1GHz spectrum or above 1GHz? At the moment my wireless carrier uses 700 and 1800 MHz LTE and 800, 1900, 2100 MHz GSM.

There's more to the story than meets the eye.


1 hour ago, gabrielcarvfer said:

In telecom you don't really have powerful transmissions (0.1~100mW), except when transmitting to space/AM/FM/TV long range transmissions, while microwave ovens output a lot of power (~700W).

The irony being that nearly every kitchen in America possesses an excellent/absurdly powerful 2.4 GHz jamming device.


6 minutes ago, gabrielcarvfer said:

Yup, but it's reasonably shielded.

Bypass the safety, point in the general direction of the nearest cafe. 5 minutes on High should do nicely.


4 hours ago, gabrielcarvfer said:

In telecom you don't really have powerful transmissions (0.1~100mW), except when transmitting to space/AM/FM/TV long range transmissions, while microwave ovens output a lot of power (~700W).

It's hyperbole. However, microwaving yourself with a microwave is going to cause acute burns and tissue damage. Chronic exposure to RF in the frequencies that 5G uses is going to take longer at the power levels you'll get exposed to, but remember that 5G will use mini cell sites on lamp posts etc., which are exponentially closer to people. And you should know how being exponentially closer to an RF source works.

 

https://en.m.wikipedia.org/wiki/Inverse-square_law


Except that some of the millimeter waves that are within the 5G spectrum are readily absorbed by water, of which the human body contains a lot. They will need to put mini cells in close proximity to people specifically because atmospheric moisture and the water in foliage will be absorbing a lot of energy and reducing signal levels to below useful power levels. The mini cell sites still need enough power to be as effective as old fashioned longer wavelength transmitters, which would usually be further away.

 

The health effects have been and are currently being studied, and it appears that the masses are behind the curve on this one like they were with the whole blue light hazard issue caused by LED lighting and monitors. Now just about every screen has an eye saver, low blue light mode thanks to people waking up to the fact that rhodopsin mediated photo reversal and the role of intrinsically photosensitive retinal ganglion cells in entraining the circadian rhythm are actually real issues. It took a few years for the masses to catch on.

 

The dangers of 5G are likely to be a similar case.


They have provisions for up to 80GHz in the 5G specifications, but they will roll it out at lower frequencies. Tissue heating isn't the real problem either. No one is claiming that you'll suffer acute burns from 5G transmitters. It's the long term effects of exposure to a huge frequency range that has never been used like this before that has people concerned with things like immune system dysregulation, neurological problems, cataracts, and the other stuff in the articles I linked to.

 

And saying "well 5G transmitters will be closer but they use lower power" has two huge problems:

 

Because of the inverse square law, the radiation at the receiver (a person's body) could easily be the same or higher, since it's not only a function of power output from the transmitter, but it's exponentially higher the closer the receiver is.

 

Secondly, the W/cm^2 of one frequency vs another is not an apples to apples comparison because of how different frequencies of RF affect biological functions. They are also biologically active WITHOUT heating.
