Lost traffic encryption

Fingerprinting LTE/4G traffic on layer two

Katharina Kohls, David Rupprecht, Thorsten Holz, Christina Poepper

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Long Term Evolution (LTE) provides the communication infrastructure for both professional and private use cases and has become an integral part of our everyday life. Even though LTE/4G overcomes many security issues of previous standards, recent work demonstrates several attack vectors on the physical and network layers of the LTE stack. We do, however, have only limited insights into the security and privacy aspects of the second layer. In this work, we investigate the impact of fingerprinting attacks on encrypted LTE/4G layer-two traffic. Traffic fingerprinting enables an adversary to exploit the metadata side-channel of transmissions - with severe consequences for the user's privacy. In multiple lab and commercial network experiments, we demonstrate the feasibility of passive and active fingerprinting attacks. First, passive website fingerprinting allows the attacker to learn a user's accessed website from encrypted transmissions. While being a well-known attack in other contexts, we provide an extensive performance baseline of state-of-the-art website fingerprinting attacks of encrypted LTE traffic in a lab setup and successfully repeat the experiments in a commercial network. Second, in an active identity-mapping attack, we inject watermarks and localize users within a radio cell. Our attacks succeed for the current LTE/4G specification and exploit features that also persist in the upcoming 5G standard.

    Original language: English (US)
    Title of host publication: WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks
    Publisher: Association for Computing Machinery, Inc
    Pages: 249-260
    Number of pages: 12
    ISBN (Electronic): 9781450367264
    DOIs: https://doi.org/10.1145/3317549.3323416
    State: Published - May 15 2019
    Event: 12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2019 - Miami, United States
    Duration: May 15 2019 to May 17 2019

    Publication series

    Name: WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks

    Conference

    Conference: 12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2019
    Country: United States
    City: Miami
    Period: 5/15/19 to 5/17/19

    Fingerprint

    Long Term Evolution (LTE)
    Cryptography
    Websites
    Network layers
    Metadata
    Experiments
    Specifications
    Communication

    Keywords

    • Identification Attack
    • LTE
    • Website Fingerprinting

    ASJC Scopus subject areas

    • Safety, Risk, Reliability and Quality
    • Computer Networks and Communications

    Cite this

    Kohls, K., Rupprecht, D., Holz, T., & Poepper, C. (2019). Lost traffic encryption: Fingerprinting LTE/4G traffic on layer two. In WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks (pp. 249-260). (WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks). Association for Computing Machinery, Inc. https://doi.org/10.1145/3317549.3323416
