Multiple security holes found in 4G LTE standard




Security holes have been found in 4G LTE that make it possible for attackers to send users to malicious websites and to map their browsing behavior. The attacks work at a maximum distance of 2 kilometers and require a few thousand euros of equipment.

One of the attacks, called aLTEr, involves intercepting 4G traffic and replacing the DNS server with the attacker's, after which the target is sent to a phishing website, for example. This is possible because part of the mutual authentication between network and smartphone is not properly encrypted. The data packets are intercepted and the DNS server address in the request is changed to that of a malicious DNS server, which redirects the target to, for example, a phishing website.

Mapping the browsing history is possible in the form of a passive attack. A sniffer can listen to a connection and determine which website or domain is involved on the basis of the size of the packets and the frequency with which they are sent. According to the researchers, this is done by making fingerprints of the data streams of popular websites and comparing them with the data packets that go to the target. In test setups, the researchers reportedly achieved a success rate of around 89 percent with this method.

For the attacks, a so-called software-defined radio is needed so that the attacker can pretend to be the network operator. According to Ars Technica, such a device costs around 4,000 dollars. This means that the attack, although possible, requires a lot of money, knowledge and commitment. That in turn makes it more likely that the attack would only be used on special targets, such as politicians and journalists.

The researchers, who come from the Ruhr University in Bochum and the NYU Abu Dhabi, have already reported their findings to the GSM Association, which in turn informed network providers and the 3GPP. The latter is the body responsible for drawing up the 5G specification, for example. The researchers want the security parameter that would prevent these attacks to be turned on in 5G. In the current 5G specification, it is still optional. In a reaction, the 3GPP states that it takes the active attack in which the DNS server is spoofed very seriously, but that it cannot report anything concrete at such short notice. It also notes that DNS spoofing can take place anywhere in the chain between the user and the DNS server and that only end-to-end security can counteract this.
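Why the optional integrity protection matters, shown as an added example that is not code from the researchers or from the original article. It assumes a counter-mode style cipher with no integrity check on user data; the SHA-256 keystream, the HMAC tag, the packet layout and all function names are constructed stand-ins, and the addresses come from documentation ranges.

```python
import hashlib
import hmac
import ipaddress

def keystream(key, nonce, n):
    # Toy counter-mode keystream built from SHA-256 (assumption: stands in for the real cipher).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, nonce, data):
    # Counter mode: encryption and decryption are the same XOR with the keystream.
    return xor(data, keystream(key, nonce, len(data)))

def make_tag(mac_key, nonce, ciphertext):
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def receive(key, mac_key, nonce, ciphertext, tag=None):
    # With a tag (integrity protection on), modified ciphertext is rejected before use.
    if tag is not None and not hmac.compare_digest(tag, make_tag(mac_key, nonce, ciphertext)):
        raise ValueError("integrity check failed")
    return encrypt(key, nonce, ciphertext)

def demo():
    # Constructed sample values; addresses come from documentation ranges.
    key, mac_key, nonce = b"k" * 16, b"m" * 16, b"\x00" * 8
    resolver = ipaddress.IPv4Address("192.0.2.53").packed
    other = ipaddress.IPv4Address("198.51.100.7").packed
    packet = resolver + b"query example.org"   # 4-byte destination + payload
    ciphertext = encrypt(key, nonce, packet)
    tag = make_tag(mac_key, nonce, ciphertext)
    # A change made in transit without the key: XOR in (old address XOR new address).
    mask = xor(resolver, other) + bytes(len(packet) - 4)
    modified = xor(ciphertext, mask)
    accepted = receive(key, mac_key, nonce, modified)            # integrity off
    try:
        receive(key, mac_key, nonce, modified, tag)              # integrity on
        detected = False
    except ValueError:
        detected = True
    return str(ipaddress.IPv4Address(accepted[:4])), accepted[4:], detected

if __name__ == "__main__":
    print(demo())
```

Without the tag the receiver decrypts the altered packet cleanly and sees a different destination with the payload intact; with the tag the same packet is rejected.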

The researchers made a video of the proof of concept. The complete research report can also be downloaded.

