ITEM: Security researchers have discovered Layer 2 security vulnerabilities in LTE that could enable hackers to determine what websites users visit and even redirect them to scam websites.
The bad news: the flaws are practically unfixable. The good news: exploiting them is really, really hard.
More good news: 5G has built-in protections for this kind of attack. More potentially bad news: those protections are optional.
Researchers at the Horst Görtz Institute at Ruhr-Universität Bochum say they have successfully carried out three types of attack – two passive, one active – on LTE networks by exploiting the fact that while LTE user-data payloads are encrypted, their integrity is not verified, so a modified packet is not detected by the receiver, Phys.org reports:
“An attacker can alter the encrypted data stream and reroute the messages to his own server without alerting the user,” explains [researcher] David Rupprecht. In order to do so, the attacker has to be in the vicinity of the mobile phone he targets. Using special equipment, he intercepts the communication between the phone and the base station and reroutes the user to a fake website by altering the messages. On that website, the attacker can then perform any actions he chooses, including monitoring the passwords as they are entered.
The researchers have published details here. They also provided the information to both the GSMA and 3GPP before going public with their findings.
The research team says that the best countermeasure would be to update the LTE specs, but it’s also the most infeasible because it means “the implementation of all devices must be changed”, which is logistically and financially as close to impossible as makes no odds. Other countermeasures include “using correct parameters for HTTPS (especially HTTP Strict Transport Security (HSTS))” and “using VPN tunnel with integrity protection and end point authentication”.
On the bright side – as has been the case with most cellular network security vulnerabilities in the past – it takes a lot of time, effort and engineering to pull off such an attack, which means that bad guys would be likely to direct such an attack against specific targets (such as politicians or journalists, for example) rather than randomly trying to trick lots of mobile users into accessing a spam site.
According to Ars Technica, the GSMA said in an email that it doesn’t believe anyone has successfully pulled off such a hack on a live LTE network:
However, as a result of this new research, the GSMA is working with the industry to investigate how to include the protection of the integrity of traffic and information (user plane integrity) in LTE. The 5G standards already include support for user plane integrity protection, and the GSMA is supporting the industry to ensure that it is fully deployed as 5G technology rolls out.
That last sentence is key, because while 5G does include integrity assurance features that would prevent this kind of attack, the researchers point out in their FAQ that it’s also an optional configuration parameter. The researchers highly recommend that the 3GPP make implementation mandatory.
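To make the difference between "encrypted" and "encrypted and integrity protected" concrete, here is an added, self-contained example (not code from the researchers or from any 3GPP implementation). It uses stdlib stand-ins: an HMAC-derived counter-mode keystream in place of the real LTE/5G ciphering algorithm, and a truncated HMAC in place of the 3GPP MAC-I tag; the key names CK/IK, the COUNT value and the payload are constructed. Without the tag, a single ciphertext bit changed in transit silently becomes a changed plaintext; with the tag, the receiver discards the PDU.

```python
import hashlib
import hmac
import os

MAC_LEN = 4  # the 3GPP MAC-I is 32 bits; this stand-in truncates an HMAC to match

def keystream(key: bytes, count: int, length: int) -> bytes:
    """Counter-mode keystream keyed by (key, PDCP COUNT): a stand-in for EEA2/NEA2."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, count.to_bytes(4, "big") + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mac_i(ik: bytes, count: int, ct: bytes) -> bytes:
    """Integrity tag over COUNT and ciphertext: a stand-in for the 3GPP MAC-I."""
    return hmac.new(ik, count.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:MAC_LEN]

def protect(ck: bytes, ik: bytes, count: int, payload: bytes, integrity: bool) -> bytes:
    """Cipher the payload; append a MAC-I only when user-plane integrity is enabled."""
    ct = xor_bytes(payload, keystream(ck, count, len(payload)))
    return ct + mac_i(ik, count, ct) if integrity else ct

def receive(ck: bytes, ik: bytes, count: int, pdu: bytes, integrity: bool):
    """Receiver side: return the plaintext, or None when the MAC-I check fails."""
    ct = pdu
    if integrity:
        ct, tag = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
        if not hmac.compare_digest(tag, mac_i(ik, count, ct)):
            return None  # modified in transit: the PDU is discarded
    return xor_bytes(ct, keystream(ck, count, len(ct)))

def flip_bit(pdu: bytes, index: int) -> bytes:  # one ciphertext bit altered on the path
    out = bytearray(pdu)
    out[index] ^= 0x01
    return bytes(out)

def demo() -> dict:
    ck, ik = os.urandom(16), os.urandom(16)  # CK/IK stand-ins, fresh per run
    payload, count = b"GET / HTTP/1.1", 7    # constructed user-plane payload
    out = {}
    for integrity in (False, True):
        pdu = protect(ck, ik, count, payload, integrity)
        out[("intact", integrity)] = receive(ck, ik, count, pdu, integrity)
        out[("tampered", integrity)] = receive(ck, ik, count, flip_bit(pdu, 0), integrity)
    return out
```

The `integrity=False` branch is the LTE situation the researchers describe; the `integrity=True` branch is what 5G's user plane integrity protection provides when an operator actually enables it.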
That is slightly mind-blowing, given how much we hear these days about how the next generation of networks and cloud-based digital services should be secure by design rather than as an afterthought. It seems strange that “secure by design” should itself be optional.