Breaking LTE on Layer Two

David Rupprecht, Katharina Kohls, Thorsten Holz, Christina Popper

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Long Term Evolution (LTE) is the latest mobile communication standard and has a pivotal role in our information society: LTE combines performance goals with modern security mechanisms and serves casual use cases as well as critical infrastructure and public safety communications. Both scenarios are demanding towards a resilient and secure specification and implementation of LTE, as outages and open attack vectors potentially lead to severe risks. Previous work on LTE protocol security identified crucial attack vectors for both the physical (layer one) and network (layer three) layers. Data link layer (layer two) protocols, however, remain a blind spot in existing LTE security research. In this paper, we present a comprehensive layer two security analysis and identify three attack vectors. These attacks impair the confidentiality and/or privacy of LTE communication. More specifically, we first present a passive identity mapping attack that matches volatile radio identities to longer lasting network identities, enabling us to identify users within a cell and serving as a stepping stone for follow-up attacks. Second, we demonstrate how a passive attacker can abuse the resource allocation as a side channel to perform website fingerprinting that enables the attacker to learn the websites a user accessed. Finally, we present the A LTE R attack that exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload. As a proof-of-concept demonstration, we show how an active attacker can redirect DNS requests and then perform a DNS spoofing attack. As a result, the user is redirected to a malicious website. Our experimental analysis demonstrates the real-world applicability of all three attacks and emphasizes the threat of open attack vectors on LTE layer two protocols.

Original languageEnglish (US)
Title of host publicationProceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages1121-1136
Number of pages16
ISBN (Electronic)9781538666609
DOIs
StatePublished - May 2019
Event40th IEEE Symposium on Security and Privacy, SP 2019 - San Francisco, United States
Duration: May 19 2019May 23 2019

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
Volume2019-May
ISSN (Print)1081-6011

Conference

Conference40th IEEE Symposium on Security and Privacy, SP 2019
Country/TerritoryUnited States
CitySan Francisco
Period5/19/195/23/19

Keywords

  • Attack
  • DNS-Redirection
  • Identity-Mapping
  • LTE
  • Mobile-Security
  • Website-Fingerprinting

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Breaking LTE on Layer Two'. Together they form a unique fingerprint.

Cite this