A Weakness in 4G Lets Attackers Trap Internet Users with Fake Websites

in #writing, 6 years ago

Because data integrity is not protected, it is possible to spoof a mobile operator's DNS server and replace the websites a user requests with hostile versions.


If you think you are safe when you browse over 4G, think again. This mobile telecom standard is certainly more secure than its predecessors, but it is not free of flaws, as a group of researchers from Ruhr-Universität Bochum and New York University has just shown. In a scientific paper, they explain that they found an attack vector that makes it possible to spoof the operator's DNS server and lead Internet users to fake sites.

Dubbed "aLTEr", the attack relies on a fake base station that intercepts the traffic between the user and the operator's real base station. Some will say this is impossible because connections to base stations are authenticated. That is true, but not at the second layer of the LTE network stack. Called the "data link layer", this layer organizes the transfer of raw data between the various pieces of equipment. In other words, the fake base station acts as a simple relay and sees only encrypted flows. However, the researchers manage to modify the contents of these flows to carry out the DNS spoofing, as you can see in this YouTube video.

How do they do it? By analyzing the size of the messages passing through, the researchers first identify those that correspond to DNS requests. Knowing the IP address of the operator's DNS server, they then manage (through a cryptographic sleight of hand) to replace this address with another one, directly in the encrypted message. Since the request now arrives at the attacker's DNS server, the user is redirected to a hostile site. And it's done.


Even though 4G data is encrypted, this attack is possible because its integrity is only protected by a simple detection code (checksum), which is easy to bypass. Users cannot protect themselves. The researchers indicate two countermeasures: modify the LTE standard to integrate encryption with authentication (which is almost unfeasible), or force sites to use HSTS (HTTP Strict Transport Security), which prevents the hostile redirection. 5G, for its part, has an integrity protection measure, but it is optional for operators.
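To make the integrity gap and the first countermeasure concrete, here is an added Python example (not from the original post or the researchers' paper): a relay holding no key changes a known field inside a stream-encrypted message, and encryption with authentication rejects the altered message. The SHA-256 counter keystream is a toy stand-in for the real cipher, and the packet layout, addresses, keys and function names are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (stand-in cipher)."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return xor(data, keystream(key, nonce, len(data)))

def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    """Return the plaintext, or None if the ciphertext was altered."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypt(enc_key, nonce, ct)

def relay_rewrite(ct: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Keyless change: XOR (known ^ wanted) into the field at `offset`."""
    end = offset + len(known)
    return ct[:offset] + xor(ct[offset:end], xor(known, wanted)) + ct[end:]

# Constructed sample: 4-byte resolver address followed by a query label.
ENC_KEY, MAC_KEY, NONCE = b"E" * 16, b"M" * 16, b"N" * 8
RESOLVER = ipaddress.ip_address("192.0.2.53").packed   # documentation range
OTHER = ipaddress.ip_address("198.51.100.7").packed    # documentation range
PACKET = RESOLVER + b"query:example.org"

def demo():
    ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, PACKET)
    altered = relay_rewrite(ct, 0, RESOLVER, OTHER)
    unauthenticated = encrypt(ENC_KEY, NONCE, altered)  # receiver with no MAC
    authenticated = open_sealed(ENC_KEY, MAC_KEY, NONCE, altered, tag)
    return unauthenticated, authenticated

if __name__ == "__main__":
    plain, checked = demo()
    print(ipaddress.ip_address(plain[:4]), plain[4:], checked)
```

The receiver that only decrypts ends up with a well-formed message carrying the other address, while the receiver that checks the tag gets `None` and can drop the message.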

But you shouldn't panic either. So far this attack has only been demonstrated in a laboratory and would be rather difficult to carry out in real conditions, so it could not be deployed on a massive scale. It is a technique that could especially interest government agencies seeking to target specific people.

Finally, the researchers also revealed other, less critical flaws in LTE. They showed that, simply by listening to flows, it was possible to distinguish the users of a 4G cell and to learn which websites they visited, with an average rate of 89%.


  • Have you seen the new standard which will consolidate the security of your Wi-Fi? WPA3!

  • This is my guide to secure your PC after a fresh installation of Windows

  • And if you think that your phone or your PC has been hacked, you know where to click ;-)

  • I've made a lot of good articles with tools and advice to teach you how to protect your privacy and to make you aware of the hacker's weapons, go check them out!



Thanks for the informing post. The only hope for end users regarding this attack is that fake base station configuration is a little expensive. But some equipment is getting cheaper and cheaper every day, so these kinds of MITM attacks can be much more common in the near future. On the other hand, I guess similar attack surfaces can be more tricky and hard to implement on 5G technology.
