Cisco Blogs

Protecting against the latest LTE network attacks


July 6, 2018

Recently, researchers have uncovered new attacks against the Long-Term Evolution (LTE) network protocol. LTE, a type of 4G network, is a mobile communications standard used by billions of devices around the world.

Security researchers from Ruhr-Universität Bochum and New York University Abu Dhabi discovered three new attacks against LTE technology. The first two are passive attacks — identity mapping and website fingerprinting. These allow the attacker to listen in on not only the destinations that are visited from the target’s mobile device, but also on what data is passing over the network. The third is an active domain name system (DNS) redirect attack, referred to as “aLTEr” by the research team. It allows the attacker to perform man-in-the-middle attacks to intercept communications and redirect the victim to malicious websites using DNS spoofing.

How does the attack work?

This attack exploits a design flaw in LTE: the data link layer (layer 2) of the LTE network is encrypted with AES-CTR, but it is not integrity-protected. An attacker can therefore modify bits inside an encrypted data packet, and the packet later decrypts to a related plaintext. In practice, the attacker poses as a cell tower to the victim while pretending to be a subscriber to the real network.

These types of attacks are not limited to LTE networks. 5G networks may also be vulnerable in the future if carriers do not implement the optional authenticated encryption feature.
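The property described above can be seen in a few lines of Go. This is an added example, not code from the original post or from the researchers. It shows that a ciphertext encrypted with AES-CTR alone decrypts to a related plaintext after modification in transit, while the same modification is rejected under authenticated encryption (AES-GCM). The key, IV, payload and addresses are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample values; real keys and nonces must be random and never reused.
var (
	key     = []byte("0123456789abcdef") // 16 bytes selects AES-128
	iv      = make([]byte, aes.BlockSize) // all-zero counter block; iv[:12] doubles as the GCM nonce
	payload = []byte("dst=192.0.2.10")
)

// ctrXOR applies the AES-CTR keystream; encrypting and decrypting are the same operation.
func ctrXOR(in []byte) []byte {
	block, _ := aes.NewCipher(key) // cannot fail for a 16-byte key
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// tamper rewrites the bytes at off from known to want by XORing the ciphertext; no key is used.
func tamper(ct []byte, off int, known, want string) []byte {
	out := append([]byte(nil), ct...)
	for i := 0; i < len(known); i++ {
		out[off+i] ^= known[i] ^ want[i]
	}
	return out
}

// ctrAfterTamper is what a CTR-only receiver decrypts after modification in transit.
func ctrAfterTamper() string {
	return string(ctrXOR(tamper(ctrXOR(payload), 12, "10", "99")))
}

// gcmAfterTamper is the error an AES-GCM receiver returns for the same modification.
func gcmAfterTamper() error {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	ct := aead.Seal(nil, iv[:12], payload, nil)
	_, err := aead.Open(nil, iv[:12], tamper(ct, 12, "10", "99"), nil)
	return err
}

func main() {
	fmt.Println(ctrAfterTamper(), "|", gcmAfterTamper())
}
```

The CTR-only receiver has no way to tell the altered payload from the original, whereas the GCM receiver fails the tag check and discards the message.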

How can you protect against these types of attacks?

The best way to protect against DNS spoofing attacks is to encrypt DNS queries, and only use trusted DNS resolvers. We’ve partnered with Apple to deliver the deepest level of visibility and control, including DNS encryption, for enterprise-owned iOS devices with the Cisco Security Connector application.

The Cisco Security Connector app protects users from connecting to malicious destinations in the first place. It uses security intelligence to classify the requested domain, and then determines whether the request should be allowed (for safe destinations) or blocked (for malicious destinations). Users and mobile devices are protected regardless of location, whether on cellular networks such as LTE, corporate networks, or public Wi-Fi. The Cisco Security Connector encrypts DNS queries and sends them to Cisco Umbrella for resolution. Encryption prevents DNS hijacking, while Umbrella’s industry-leading intelligence blocks connections to malicious destinations, so you can protect your users anywhere they go.

Visit www.cisco.com/go/csc to learn more and start a free trial of Umbrella to get protected today.


6 Comments

  1. Hi Casey, Given that the aLTEr attack is dangerous, but difficult to perform in real-world scenarios, are there any security-focused groups doing research on real-world implementations of the attack?

    • Hi Vincent, thanks for your comment. Please refer to https://alter-attack.net/ for more information on the attack, including real-world implementations. The researchers will be presenting their work at the 2019 IEEE Symposium on Security & Privacy.

  2. Why not run all traffic through a personal vpn? I run one from home just for a bit of added protection.

    • Hi Jason, thanks for your comment. Unlike a personal VPN, the Cisco Security Connector extends the capabilities of Cisco Umbrella and Clarity (AMP for Endpoints) to supervised iOS devices. The Cisco Security Connector offers protection and control anywhere you go, including off of the VPN or away from home. A personal VPN will protect from man-in-the-middle attacks (DNS, HTTP or otherwise), but most personal VPNs don’t offer additional security or visibility capabilities besides the transport encryption.

  3. Interesting. Sounds like a great added layer of security, especially with the identified risk on LTE. Does it matter if devices are BYOD and/or if they have other security applications on them?

    • Hi Sara, thanks for your comment. To use the Cisco Security Connector app, the devices must be enterprise-owned and in supervised mode. The app is designed to run alongside other security applications without issue.