A group of pentest researchers has demonstrated ability to passively identify session details and perform hijacking, allowing phishing attacks.
According to the International Institute of Cyber Security, researchers have found vulnerabilities in LTE standards, which leave users vulnerable to possible attacks, such as determining user identities, determining which websites accessed a particular user and modify DNS traffic, allowing attackers to hijack a connection and redirect potential victims to phishing sites.
The vulnerabilities were discovered by pentest experts at Ruhr-Universität (Germany) and New York University (Abu Dhabi), remarking that out of the three types of possible attacks two are passive, allowing attackers to listen to traffic and try to derive information based on that data. The third is an active attack, called “ALTEr” by the investigators.
The ALTEr attack is technically complex, partly because it depends on the existence of external infrastructure: it functions as a DNS redirection, which is possible due to the inconsistent application of authentication in the LTE layers.
Obviously this requires the hacker to have a malicious DNS server in operation, as well as an identity spoofing website to collect the credentials of users who may log on to that service through their phone. These requirements to consummate the attack are added to the already extensive amount of hardware needed to successfully perform such an operation.
Researchers have only conducted these demonstrations as proof-of-concept in a controlled environment, and notice that the complexity of conducting the attacks significantly increases in real-world situations, increasing the amount of effort of engineering required.
The pentest group also noted that these attacks are closely related to the behavior of IMSI receptors, popularly known as stingrays.
In addition, the attack is potentially exploitable in 5G networks. Researchers point out that the use of authenticated encryption would prevent the attack, which can be achieved by adding user-authentication codes.