Security gaps identified in LTE mobile telephony standard

June 28, 2018, Ruhr-Universitaet-Bochum
David Rupprecht, Thorsten Holz and Katharina Kohls (from left) use software-defined radios in order to test attacks on the LTE network under lab conditions. Credit: RUB, Marquard

By abusing security weaknesses in the LTE mobile telephony standard, attackers are able to identify which web pages a user visits and to reroute him to a scam website. This is the result of a study carried out by security experts from Horst Görtz Institute at Ruhr-Universität Bochum. All devices using LTE, also referred to as 4G, are affected—i.e. almost all mobile phones and tablets, as well as certain household devices connected to the network. The weaknesses are impossible to close; and they are also still present in the upcoming mobile telephony standard 5G, the standardization of which is currently pending. Still, the problem may be stemmed with the aid of other security mechanisms in browsers or apps.

The findings have been published by David Rupprecht, Katharina Kohls, Prof Dr. Thorsten Holz and Prof Dr. Christina Pöpper on the

Rerouting users to wrong websites

The payload transmitted via LTE is encrypted, but its integrity is not verified. "An attacker can alter the encrypted data stream and reroute the messages to his own server without alerting the user," explains David Rupprecht. To do so, the attacker has to be in the vicinity of the mobile phone he targets. Using special equipment, he intercepts the communication between the phone and the base station and reroutes the user to a fake website by altering the messages. On that website, the attacker can then perform any actions he chooses, including monitoring passwords as they are entered.

"Websites and apps that deploy the HTTPS security protocol in the correct configuration provide adequate protection against rerouting," says Rupprecht. They alert the user whenever he is about to be rerouted to a fake page. However, it is not possible to prevent an attacker from monitoring certain information and activities performed on the mobile phone, for example the identity of the user and the websites he views.

The researchers from Bochum have demonstrated that the traffic pattern alone—i.e. the payload volume sent by a phone within a specific period of time—gives an indication of the websites viewed by the user. To access this information, the attacker does not have to actively intercept the communication between mobile phone and base station; simple passive recording of the transmitted metadata is enough.

Off-the-shelf equipment sufficient to carry out attacks

The attacks described above can be carried out using commercially available equipment costing approximately 4,000 euros. In their experiments, the researchers used a PC and two so-called software-defined radios that can send and receive LTE signals. One of the devices pretends to the phone to be a base station; the other pretends to the real network to be the phone. The system is thus able to alter specific data while relaying the bulk of the traffic unchanged. Depending on the equipment, the attacker can stay several hundred meters away from the targeted phone during the attack.

"The LTE documentation has shown that an integrity protection that would prevent attacks has been deliberately omitted," says Thorsten Holz. The reason: in order to implement the security measure, an additional four bytes would have to be attached to each payload. "Data transmission would have become expensive for the network operators, and so integrity protection was deemed expendable," continues Holz.
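The missing integrity check is the crux of the rerouting attack described above. The following added example (not code from the Bochum team or from the paper) uses a toy SHA-256-based XOR stream cipher and a 4-byte HMAC tag, both assumptions standing in for LTE's real ciphering and a 32-bit MAC, to show why confidentiality-only encryption lets a relay change a predictable field without the key, and how a tag of the size the text mentions rejects the altered packet.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from SHA-256 (assumed stand-in for LTE's
    AES/SNOW/ZUC-based ciphers; the malleability shown below is a property
    of any XOR stream cipher, not of this particular construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def malleate(ct: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """What a relay can do without the key: where the plaintext at `offset`
    is predictable (e.g. a header field), XORing known^wanted into the
    ciphertext turns that field into `wanted` after decryption."""
    out = bytearray(ct)
    for i, (k, w) in enumerate(zip(known, wanted)):
        out[offset + i] ^= k ^ w
    return bytes(out)

def mac_tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    """4-byte integrity tag over the ciphertext (assumed stand-in for a
    32-bit MAC; a real deployment would use a separate integrity key)."""
    return hmac.new(key, nonce + ct, hashlib.sha256).digest()[:4]

def tag_ok(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bool:
    """Receiver-side check: reject any packet whose tag does not match."""
    return hmac.compare_digest(mac_tag(key, nonce, ct), tag)

def demo() -> tuple:
    key, nonce = b"k" * 32, b"n" * 8               # constructed sample values
    # constructed packet: 4-byte destination field followed by a body
    dest, body = bytes([10, 0, 0, 1]), b"GET /login"
    ct = xor_crypt(key, nonce, dest + body)
    tag = mac_tag(key, nonce, ct)
    # relay swaps the destination to 10.0.0.99; the body is untouched
    ct2 = malleate(ct, 0, dest, bytes([10, 0, 0, 99]))
    pt2 = xor_crypt(key, nonce, ct2)               # decrypts cleanly ...
    return pt2, tag_ok(key, nonce, ct2, tag)       # ... but the tag fails
```

Without the tag the receiver has no way to tell `pt2` from a genuine packet; with it, the altered ciphertext is dropped before the rerouted destination is ever acted on.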

In the upcoming 5G mobile telephony standard, general integrity protection is likewise not provided for at present. Developers would have to configure the devices correctly for the protection to become effective. The researchers are advocating closing the security gap in the new mobile telephony standard by default.

The team is going to present the gap at the IEEE Symposium on Security and Privacy that will be taking place in San Francisco in May 2019. The study was conducted under the umbrella of the Bercom project, short for "Blueprint for a pan-European system platform for resilient critical infrastructures".


More information: David Rupprecht, Katharina Kohls, Thorsten Holz, Christina Pöpper: Breaking LTE on layer two, 2018, Advance Online Publication,
