Breaking LTE on Layer Two

Speaker/Bio

Jonathan Chamberlain (CAS '12/ENG '19) is an admitted PhD student in Computer Engineering studying under Prof. Starobinski in the NISLab, having previously received a MS degree in Systems Engineering in May 2019. His current research relates to Game Theoretic modeling of customer and provider interactions in cloud computing systems. His other interests include Network Systems and Security, and the use of Blockchain in securing records. In between undergraduate and graduate studies, Jonathan worked for Epic Systems Corporation and Hewlett Packard Enterprise in maintaining software deployments for hospitals and public health departments, where he dealt with overly cavalier attitudes with regard to PHI/PII by customer IT teams on an almost daily basis.

Abstract

Long Term Evolution (LTE) is the latest mobile communication standard and has a pivotal role in our information society: LTE combines performance goals with modern security mechanisms and serves casual use cases as well as critical infrastructure and public safety communications. Both scenarios are demanding towards a resilient and secure specification and implementation of LTE, as outages and open attack vectors potentially lead to severe risks. Previous work on LTE protocol security identified crucial attack vectors for both the physical (layer one) and network (layer three) layers. Data link layer (layer two) protocols, however, remain a blind spot in existing LTE security research. In this paper, [the authors] present a comprehensive layer two security analysis and identify three attack vectors. These attacks impair the confidentiality and/or privacy of LTE communication. More specifically, [the authors] first present a passive identity mapping attack that matches volatile radio identities to longer lasting network identities, enabling us to identify users within a cell and serving as a stepping stone for follow-up attacks. Second, [the authors] demonstrate how a passive attacker can abuse the resource allocation as a side channel to perform website fingerprinting that enables the attacker to learn the websites a user accessed. Finally, [the authors] present the ALTER attack that exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload. As a proof-of-concept demonstration, [the authors] show how an active attacker can redirect DNS requests and then perform a DNS spoofing attack. As a result, the user is redirected to a malicious website. Our experimental analysis demonstrates the real-world applicability of all three attacks and emphasizes the threat of open attack vectors on LTE layer two protocols.
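The property the ALTER attack rests on, AES-CTR ciphertext that is malleable because nothing authenticates it, shown beside the integrity-protected alternative that rejects the same edit. This is an added Go example using only the standard library, not code from the paper; the key, IV, nonce and the packet-field string are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// ctrXOR applies AES-CTR: encrypt and decrypt are the same keystream XOR, with no authentication.
func ctrXOR(key, iv, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(out, data)
	return out
}

// flipBytes XORs (have ^ want) into ct at offset, so CTR decryption of `have` there yields `want`; no key needed.
func flipBytes(ct []byte, offset int, have, want []byte) []byte {
	mod := append([]byte(nil), ct...)
	for i := range have {
		mod[offset+i] ^= have[i] ^ want[i]
	}
	return mod
}

// gcmRejects is the mitigation: the same edit breaks the AES-GCM tag, so Open returns an error.
func gcmRejects(key, nonce, msg []byte, offset int, have, want []byte) bool {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	ct := aead.Seal(nil, nonce, msg, nil)
	_, err = aead.Open(nil, nonce, flipBytes(ct, offset, have, want), nil)
	return err != nil
}

func main() {
	key, iv, nonce := []byte("0123456789abcdef"), []byte("fedcba9876543210"), []byte("123456789012") // constructed
	msg, have, want := []byte("dst=192.0.2.10"), []byte("192.0.2.10"), []byte("192.0.2.99")          // constructed
	tampered := ctrXOR(key, iv, flipBytes(ctrXOR(key, iv, msg), 4, have, want))
	fmt.Printf("CTR yields %q; GCM rejects: %v\n", tampered, gcmRejects(key, nonce, msg, 4, have, want))
}
```

The unauthenticated CTR path decrypts the edited ciphertext to the attacker-chosen field, while the AEAD path fails closed; the difference is exactly the missing integrity protection the abstract names.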

Reference