Security News Security Flaws Disclosed in LTE (4G) Mobile Telephony Standard (Flaws also impact upcoming 5G standard)

LASER_oneXM

A team of academics published research yesterday that describes three attacks against the mobile communication standard LTE (Long-Term Evolution), also known as 4G.

Two of the three attacks are passive, meaning an attacker can watch LTE traffic and determine various details about the target, while the third is an active attack that lets the attacker manipulate data sent to the user's LTE device.

According to researchers, the passive attacks allow an attacker to collect meta-information about the user's traffic (an identity mapping attack), while the second allows the attacker to determine what websites a user might be visiting through his LTE device (a website fingerprinting attack).

aLTEr attack can redirect users to malicious websites
Researchers nicknamed the active attack aLTEr because of its intrusive capabilities, which they used in experiments to redirect users to malicious sites by altering DNS packets (DNS spoofing). Below is a demo of an aLTEr attack recorded by researchers.
...
.....
Attacks possible because of weak LTE encryption

As for the technical details of the three attacks, the three vulnerabilities exist in one of the two LTE layers called the data layer, the one that transports the user's actual data. The other layer is the control layer and that's the one that controls and keeps the user's 4G connection running.

According to researchers, the vulnerabilities exist because the data layer is not protected, so an attacker can intercept, alter, and then relay the modified packets to the actual cell tower.

They can do this because 4G data packets are not integrity-protected, meaning it's possible to change bits of data, despite the data being encrypted.

... ....
Flaws also impact upcoming 5G standard

The research team, made up of three researchers from the Ruhr-University in Bochum, Germany and a researcher from New York University, say they have notified relevant institutions such as the GSM Association (GSMA), 3rd Generation Partnership Project (3GPP), and telephone companies about the issues they discovered.


They warned the issue could also affect the upcoming version of the 5G standard in its current form. Experts said the 5G standard includes additional security features (stronger encryption at the data layer) to prevent aLTEr attacks, but these are currently optional.
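The article's point that encrypted data without integrity protection can still be changed in transit, as an added example that is not part of the original post or the researchers' code. It assumes a toy SHA-256 counter-mode keystream as a stand-in for the LTE cipher; the keys, packet layout and addresses are constructed sample values.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream (SHA-256 stand-in, not the LTE cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

decrypt = encrypt  # XOR with the same keystream is its own inverse

def flip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Key-less change a relay can make when it knows the plaintext at offset."""
    delta = xor(known, wanted)
    patched = xor(ciphertext[offset:offset + len(delta)], delta)
    return ciphertext[:offset] + patched + ciphertext[offset + len(delta):]

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: adds the integrity tag the article says is missing."""
    ct = encrypt(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # modified in transit: drop the packet
    return decrypt(enc_key, nonce, ct)

# Constructed sample values (documentation address ranges, made-up keys).
ENC_KEY, MAC_KEY, NONCE = b"k" * 16, b"m" * 16, b"\x00" * 8
PACKET = b"dst=192.0.2.153 q=example.org"
OLD, NEW = b"192.0.2.153", b"203.0.113.5"

def demo():
    ct = encrypt(ENC_KEY, NONCE, PACKET)
    unprotected = decrypt(ENC_KEY, NONCE, flip(ct, 4, OLD, NEW))
    sealed_ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, PACKET)
    tampered = flip(sealed_ct, 4, OLD, NEW)
    protected = open_sealed(ENC_KEY, MAC_KEY, NONCE, tampered, tag)
    return unprotected, protected
```

`demo()` returns the silently altered plaintext for the unprotected packet and `None` for the sealed one, which is the difference integrity protection at the data layer makes.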
 

Hi Brothers

With all the vulnerabilities left and right, it feels impossible to stay on top of security, especially when you can't update (hardware-wise) to the newest tech all the time (or even some)

It's just hilarious how fast hardware becomes obsolete, in terms of security especially

Buy a new CPU here, new router there, new phone etc. etc.
 
509322

> With all the vulnerabilities left and right, it feels impossible to stay on top of security, especially when you can't update (hardware-wise) to the newest tech all the time (or even some).

Chasing new technology constantly for the "latest and greatest" is foolhardy.

For optimal high-security, you should either disable or otherwise not use as much of what makes the system\device vulnerable as is practical. That security practice is never behind the 8 Ball.
 
ForgottenSeer 58943

> With all the vulnerabilities left and right, it feels impossible to stay on top of security, especially when you can't update (hardware-wise) to the newest tech all the time (or even some)
>
> It's just hilarious how fast hardware becomes obsolete, in terms of security especially
>
> Buy a new CPU here, new router there, new phone etc. etc.

This is the result of security being secondary (or even farther down) during design and engineering phase of products/services/standards.

The NSA/CIA/FBI work tirelessly to reduce security. They even 'weaken' encryption for export. (pathetic) They've already been caught attempting to circumvent security improvements in new upcoming standards. They've been busted attempting to influence RSA. There are endless stories of their efforts to weaken security/safety/privacy in the modern age. So if you really want to blame someone, blame these creatures. I recall recently the NSA was booted from one standards conference for constant attempts to sabotage it.

Industry leaders need to push security/privacy to the forefront, and need to stop pandering to the intelligence slugs. If they don't, we'll be talking about this in another decade and it will have gotten much worse by then.
 
509322

> This is the result of security being secondary (or even farther down) during design and engineering phase of products/services/standards.
>
> The NSA/CIA/FBI work tirelessly to reduce security. They even 'weaken' encryption for export. (pathetic) They've already been caught attempting to circumvent security improvements in new upcoming standards. They've been busted attempting to influence RSA. There are endless stories of their efforts to weaken security/safety/privacy in the modern age. So if you really want to blame someone, blame these creatures. I recall recently the NSA was booted from one standards conference for constant attempts to sabotage it.
>
> Industry leaders need to push security/privacy to the forefront, and need to stop pandering to the intelligence slugs. If they don't, we'll be talking about this in another decade and it will have gotten much worse by then.

Nobody wants to pay the prices needed for publishers to provide extremely high security with good usability. Publishers can do it, but no one is willing to pay. For a home user, think $100 per month instead of $5. In other words, the demand is very low-end when you consider that the vast majority of consumers will not pay a cent for a 3rd-party security soft - let alone security hardware.

Security barely manages to get lip-service; it is not a high-demand commodity. The costs are the reason there are no IT security minimum standards and software liability has never been made a substantive matter of law the world over.

Until people are willing to pay, and pay high prices at that, things will not change.
 
ForgottenSeer 58943

Most consumers are idiots. I watch them line up at Microcenter with arms full of IoT and zero understanding of what they are doing but since it is the latest thing, they want it. I listen to stories from friends/family about how cool it is to have 12 Google Dots or Alexa units in their home, even the bathroom.

Then when 'stuff' happens they always come to me, worried. But then fall asleep when I tell them what they need to do. One of my relatives said his ads started showing stuff he talked about ONLY to his doctor. I explained how/why this happens, he wandered off to get another beer then started talking about his wife's butt instead of the subject I was discussing.

It's all a mess and it's going to be an absolute tragedy sooner, rather than later. Just wait for IT failures to start killing people in higher quantities. Then the IT/IoT will be to blame, not the idiots demanding it all be free/cheap and easy.
 
