All devices using LTE, also referred to as 4G, are affected as well as certain household devices connected to the network. The weaknesses are impossible to close. Further, they are also still present in the upcoming mobile 5G standard. However, the problem may be stemmed with the aid of other security mechanisms in browsers or apps.
The findings have been published by David Rupprecht, Katharina Kohls, Prof Dr Thorsten Holz and Prof Dr Christina Pöpper on the website https://aLTEr-Attack.net.
Rerouting users to wrong websites
The payload transmitted via LTE is encrypted, but its integrity is not verified. "An attacker can alter the encrypted data stream and reroute the messages to his own server without alerting the user," explains David Rupprecht. In order to do so, the attacker has to be in the vicinity of the mobile phone being targeted. Using special equipment, the attacker intercepts the communication between the phone and the base station and reroutes the user to a fake website by altering the messages. On that website, the attacker can then perform any actions he/she chooses, including monitoring the passwords as they are entered.