Researchers have found few mobile security loopholes in the data transmission of LTE networks aka 4G networks. Experts say that the vulnerability identified recently is found to affect almost all mobile phones and tablets connected to 4G networks. And the weakness could also spread to the upcoming mobile telephony standard 5G.
Mobile security researchers from Horst Gortz Institute at Ruhr University Bochum, Germany have found that the data payload transmitted via LTE lacks integrity even though it is encrypted. The experts say that a well-versed attack can alter the encrypted data stream and reroute the messages to their own servers or other websites running with malicious intent.
“All he/she has to do is to stay in the vicinity of the mobile phone and by using special equipment intercept the communication between the phone and the base station and reroute the traffic to fake websites”, said David Rupprecht, the professor assisting in the research.
In general, websites which have HTTPS security protocol configured in the correct mode alert a user when they redirect them to a webpage or a fake webpage. This is possible if the website which is being used by a visitor has adequate protection against rerouting.
However, when a user is utilizing a mobile phone to visit websites, attackers can still monitor their activities by just simply recording the transmitted metadata without actively intercepting the communication between mobile phone and base station.
Even in the upcoming 5G telephony standard, the integrity protection feature is missing as of now. And developers need to struggle hard to configure their devices correctly for protection to become effective.
Thus, researchers from Bochum want the security gap to be closed by default by the developers in the upcoming new telephony standard.
A representation of it will be made at the IEEE Symposium on security and privacy that will be taking place in San Francisco in May next year.
Note- The study was conducted under the Bercom project- Blueprint for a Pan-European System platform for resilient critical infrastructure.