A team of four researchers from the Ruhr-University in Bochum, Germany, and New York University Abu Dhabi in the UAE, have revealed that the ‘data link layer’ of LTE networks have at least three critical vulnerabilities that could potentially allow attackers to not only eavesdrop on targets, but also direct users to hostile websites. The flaws are said to be built into the LTE standard itself, and affect the second layer of LTE, known as the data link layer.

The research team, comprising of David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper, published the report in a research paper titled ‘Breaking LTE Layer Two’, which will be presented at the 2019 IEEE Symposium on Security & Privacy in San Francisco. In the mean time, they have already notified the GSMA and 3GPP about their findings.

What is ‘aLTEr’ and What Can it Do?

According to the researchers, two of the three attacks are passive, including an ‘identity mapping attack’ and a ‘website fingerprinting attack’. While the first one allows hackers to silently gather information about the victim(s), the second one allows the attacker to identify the websites being visited by an user on their LTE device.

The third one, meanwhile, is an active attack dubbed ‘aLTEr’ “that allows an attacker to redirect network connections by performing DNS spoofing due to a specification flaw in the LTE standard”.

Attacks Unlikely ‘In a Real-World Scenario’

Thankfully, though, none of the attacks can be employed widely by would-be hackers. That because, according to the researchers, the attacks require not only expensive and sophisticated equipment worth $4,000, but also custom software, which means they are beyond the scope of a large majority of regular hackers around the world, but not beyond state-sponsored or corporate-backed teams.

To exploit the flaw, the attacker also needs to be in physical proximity to their target(s), as it apparently only works within a 1-mile radius.

“To conduct such attacks, the attacker depends on specialized hardware (so called software-defined radios) and a customized implementation of the LTE protocol stack. In addition, a controlled environment helps to be successful within an acceptable amount of time. In particular, the use of a shielding box helps to maintain a stable and noise-free connection to the attack setup. Especially the latter cannot be maintained in a real-world situation and more engineering effort is required for real-world attacks”

Given all of the above, the researchers believe that “people of special interest such as politicians or journalists”, are most likely to be the targets of such attacks, and not general users, even though there’s reason to be cautious because it also affects next-gen standards.

The Security Flaws Also Impact 5G

What’s really alarming is that the attack can also affect 5G networks. While the 5G standard does include additional security features, they are only optional at the moment. According to the researchers, the 5G standard will need to incorporate the suggested security measures and employ stronger encryption at the data layer if its has to mitigate the vulnerability.