The Long Term Evolution (LTE) mobile device standard used by billions of people was designed to fix many of the security shortcomings in the predecessor standard known as Global System for Mobile communications (GSM).
The most crucial weakness is a form of encryption that doesn’t protect the integrity of the data.
The lack of data authentication makes it possible for an attacker to surreptitiously manipulate the IP addresses within an encrypted packet.
Dubbed aLTEr, the researchers’ attack causes mobile devices to use a malicious domain name system server that, in turn, redirects the user to a malicious server masquerading as Hotmail.
The attacks, which are described in a paper published Thursday, require about $4,000 worth of equipment that must be within about one mile of the targeted user.
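The weakness described above, encryption with no integrity protection, can be shown in a short added example (not from the article or the researchers' paper). It assumes a keystream-style cipher and uses a SHA-256-based keystream as a stand-in for the real LTE cipher; the keys, addresses and packet layout are constructed for illustration. An altered address field decrypts cleanly when nothing authenticates the ciphertext, and is rejected once an encrypt-then-MAC tag is verified.

```python
import hashlib
import hmac
import ipaddress

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (SHA-256 stand-in, not LTE's real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream, no integrity protection."""
    return xor(data, keystream(key, nonce, len(data)))

def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag over the nonce and ciphertext."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def verify_and_decrypt(key, mac_key, nonce, ciphertext, received_tag):
    """Decrypt only if the tag matches; return None for modified ciphertext."""
    if not hmac.compare_digest(tag(mac_key, nonce, ciphertext), received_tag):
        return None
    return crypt(key, nonce, ciphertext)

def alter_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Keyless change of a known field: XOR the ciphertext with old ^ new."""
    delta = xor(old, new)
    end = offset + len(delta)
    return ciphertext[:offset] + xor(ciphertext[offset:end], delta) + ciphertext[end:]

def demo():
    # All values below are constructed for this example.
    key, mac_key, nonce = b"k" * 16, b"m" * 16, b"n" * 8
    resolver = ipaddress.IPv4Address("192.0.2.53").packed   # intended address
    other = ipaddress.IPv4Address("198.51.100.7").packed    # substituted address
    packet = b"HDR:" + resolver + b":query"                 # stand-in packet layout
    ct = crypt(key, nonce, packet)
    t = tag(mac_key, nonce, ct)
    tampered = alter_field(ct, 4, resolver, other)
    unauthenticated = crypt(key, nonce, tampered)            # accepted silently
    authenticated = verify_and_decrypt(key, mac_key, nonce, tampered, t)
    return packet, unauthenticated, authenticated
```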
In an email, researchers Thorsten Holz and David Rupprecht of the Ruhr-Universität Bochum wrote: