15 May 2020 - David Rupprecht
Integrity protection assures that an attacker cannot mess with packets in transit. While this is a standard feature for control plane data, we don't have the same protection for the user plane in 4G. When we look at attacks like aLTEr or IMP4GT, it becomes clear how severe the consequences of a user data manipulation could be. Let's have a look at both attacks.
When opening a website, a user types a domain name into the browser and then waits for the page to load. What happens in the background is a DNS request, in which the browser asks at which address it can find the requested website. Such requests belong to the user plane and as we all know by now, it doesn't have any integrity protection when it comes to 4G. Because of that, an attacker can pick up the DNS request and manipulate the response. Let's assume we want to log in to a social media platform. But instead of the accurate response, we receive something that was changed by the adversary. The bogus response points to a phishing site that looks legitimate. We enter our login credentials and nothing happens. Maybe bad Internet connection? Don't know, let's try something else... The page didn't load and that's not too much of a problem, right? But the attacker now knows our username and password. That's bad!
The impersonation attack is even worse. Now the attacker goes crazy and brings a lot of equipment including a remote server that does the heavy lifting for all the computations we are going to need. Let's not go into detail with the attack, it's very complicated and would need its own blog. You can always refer to the paper for this! What's important to know: IMP4GT allows an attacker to fully impersonate a legitimate base station, in both directions. This means it's possible to intercept and decrypt packets meant for the victim, and to manipulate and change the packets that are sent towards the network. Although this is not trivial to implement, it shows how far an attacker can get just because the user plane of 4G lacks integrity protection.
I guess we all agree that this is not the end of the world, but it's also not an acceptable state for something as important as mobile communication. So the good news is that help might be on its way. With 5G we have the opportunity to improve things and make them better.