LTE wireless connections used by billions aren’t as secure as we thought

(credit: BAZ Antennen)

The Long Term Evolution mobile device standard used by billions of people was designed to fix many of the security shortcomings in the predecessor standard known as Global System for Mobile communications. Mutual authentication between end users and base stations and the use of proven encryption schemes were two of the major overhauls. Now, researchers are publicly identifying weaknesses in LTE that allow attackers to send nearby users to malicious websites and fingerprint the sites they visit.

The attacks work because of weaknesses built into the LTE standard itself. The most crucial weakness is a form of encryption that doesn’t protect the integrity of the data. The lack of data authentication makes it possible for an attacker to surreptitiously manipulate the IP addresses within an encrypted packet. Dubbed aLTEr, the researchers’ attack causes mobile devices to use a malicious domain name system server that, in turn, redirects the user to a malicious server masquerading as Hotmail. The other two weaknesses involve the way LTE maps users across a cellular network and leaks sensitive information about the data passing between base stations and end users.

Well-known attack vectors

The attacks, which are described in a paper published Thursday, require about $ 4,000 worth of equipment that must be within about one mile of the targeted user. Because the weaknesses are the result of design decisions made when the LTE specification was under development, there is no way to patch them now. End users, however, can protect themselves against aLTEr by only visiting websites that use HTTP Strict Transport Security and DNS Security Extensions.

Read 8 remaining paragraphs | Comments

Biz & IT – Ars Technica