Exploiting Missing Integrity Protection in LTE Networks

The aLTEr attack enables an adversray to manipulate encrypted transmissions in the LTE network to redirect a victim to a fraudulent website. Furthermore, we analyze the enforcement of integrity protection in deployed LTE networks and demonstrate how a false core network configuration of this allows an adversary to impersonate users.

LTE combines performance goals with modern security mechanisms and serves casual use cases and public safety communications. However, the strong dependence on LTE leads to a significant impact for any open attack vector. In particular, the authenticity of communication partners and the data integrity must be assured all time, as otherwise an attacker can modify data or impersonate a victim to undermine one of LTE’s most important security goals. In this talk, we present two attacks exploiting missing integrity protection in LTE networks; both attacks lead to far-reaching risks for providers and users.

First, we provide insights about the aLTEr attack, which exploits the specification flaw of missing integrity protection for user data. User data in LTE is encrypted in counter mode (AES-CTR), but not integrity protected, which allows modifying the message payload. As a proof-of-concept, we demonstrate how an active attacker can redirect DNS requests to perform a DNS spoofing attack. As a result, the user is redirected to a malicious website, where the attacker can steal, e.g., the user credentials.

The second part is about missing integrity protection of control plane data due to a false network configuration. Deployed LTE networks select the applied security algorithm from a selection of supported algorithms. By actively testing the selection procedure in 12 commercial networks of five countries, we identify a total of four networks with insecure configurations. The implications of the false configuration are severe, as they allow a worldwide user impersonation attack. Following a successful impersonation attack, the adversary can commit fraud using the victim’s identity.

About the Speaker

David Rupprecht received his B.Eng. in Computer Science and Telecommunications from the University of Applied Sciences for Telecommunications Leipzig, Germany, in 2012. He continued his studies with a focus on IT Security, Networks, and Systems and received his master’s degree 2015 from the Ruhr-University Bochum, Germany. Since 2015, David Rupprecht is a doctoral student at the Information Security Group of the Horst Görtz Institute for IT Security, Bochum. His research interests include mobile network security with a focus on access networks. His work explores implementation as well as specifications flaws in current and future mobile networks. In his daily work, he makes use of software-defined radios for the implementation of attacks and countermeasures.