Lost traffic encryption: Fingerprinting LTE/4G traffic on layer two

Katharina Kohls, David Rupprecht, Thorsten Holz, Christina Poepper

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Long Term Evolution (LTE) provides the communication infrastructure for both professional and private use cases and has become an integral part of our everyday life. Even though LTE/4G overcomes many security issues of previous standards, recent work demonstrates several attack vectors on the physical and network layers of the LTE stack. We do, however, have only limited insights into the security and privacy aspects of the second layer. In this work, we investigate the impact of fingerprinting attacks on encrypted LTE/4G layer-two traffic. Traffic fingerprinting enables an adversary to exploit the metadata side-channel of transmissions - with severe consequences for the user's privacy. In multiple lab and commercial network experiments, we demonstrate the feasibility of passive and active fingerprinting attacks. First, passive website fingerprinting allows the attacker to learn a user's accessed website from encrypted transmissions. While being a well-known attack in other contexts, we provide an extensive performance baseline of state-of-the-art website fingerprinting attacks of encrypted LTE traffic in a lab setup and successfully repeat the experiments in a commercial network. Second, in an active identity-mapping attack, we inject watermarks and localize users within a radio cell. Our attacks succeed for the current LTE/4G specification and exploit features that also persist in the upcoming 5G standard.

Original languageEnglish (US)
Title of host publicationWiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks
PublisherAssociation for Computing Machinery, Inc
Pages249-260
Number of pages12
ISBN (Electronic)9781450367264
DOIs
StatePublished - May 15 2019
Event12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2019 - Miami, United States
Duration: May 15 2019May 17 2019

Publication series

NameWiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks

Conference

Conference12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2019
CountryUnited States
CityMiami
Period5/15/195/17/19

Fingerprint

Long Term Evolution (LTE)
Cryptography
Websites
Network layers
Metadata
Experiments
Specifications
Communication

Keywords

  • Identification Attack
  • LTE
  • Website Fingerprinting

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Cite this

Kohls, K., Rupprecht, D., Holz, T., & Poepper, C. (2019). Lost traffic encryption: Fingerprinting LTE/4G traffic on layer two. In WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks (pp. 249-260). (WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks). Association for Computing Machinery, Inc. https://doi.org/10.1145/3317549.3323416

Lost traffic encryption : Fingerprinting LTE/4G traffic on layer two. / Kohls, Katharina; Rupprecht, David; Holz, Thorsten; Poepper, Christina.

WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks. Association for Computing Machinery, Inc, 2019. p. 249-260 (WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Kohls, K, Rupprecht, D, Holz, T & Poepper, C 2019, Lost traffic encryption: Fingerprinting LTE/4G traffic on layer two. in WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks. WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks, Association for Computing Machinery, Inc, pp. 249-260, 12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2019, Miami, United States, 5/15/19. https://doi.org/10.1145/3317549.3323416
Kohls K, Rupprecht D, Holz T, Poepper C. Lost traffic encryption: Fingerprinting LTE/4G traffic on layer two. In WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks. Association for Computing Machinery, Inc. 2019. p. 249-260. (WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks). https://doi.org/10.1145/3317549.3323416
Kohls, Katharina ; Rupprecht, David ; Holz, Thorsten ; Poepper, Christina. / Lost traffic encryption : Fingerprinting LTE/4G traffic on layer two. WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks. Association for Computing Machinery, Inc, 2019. pp. 249-260 (WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks).
@inproceedings{f0240241b79042668101561aa8dccaa4,
title = "Lost traffic encryption: Fingerprinting LTE/4G traffic on layer two",
abstract = "Long Term Evolution (LTE) provides the communication infrastructure for both professional and private use cases and has become an integral part of our everyday life. Even though LTE/4G overcomes many security issues of previous standards, recent work demonstrates several attack vectors on the physical and network layers of the LTE stack. We do, however, have only limited insights into the security and privacy aspects of the second layer. In this work, we investigate the impact of fingerprinting attacks on encrypted LTE/4G layer-two traffic. Traffic fingerprinting enables an adversary to exploit the metadata side-channel of transmissions - with severe consequences for the user's privacy. In multiple lab and commercial network experiments, we demonstrate the feasibility of passive and active fingerprinting attacks. First, passive website fingerprinting allows the attacker to learn a user's accessed website from encrypted transmissions. While being a well-known attack in other contexts, we provide an extensive performance baseline of state-of-the-art website fingerprinting attacks of encrypted LTE traffic in a lab setup and successfully repeat the experiments in a commercial network. Second, in an active identity-mapping attack, we inject watermarks and localize users within a radio cell. Our attacks succeed for the current LTE/4G specification and exploit features that also persist in the upcoming 5G standard.",
keywords = "Identification Attack, LTE, Website Fingerprinting",
author = "Katharina Kohls and David Rupprecht and Thorsten Holz and Christina Poepper",
year = "2019",
month = "5",
day = "15",
doi = "10.1145/3317549.3323416",
language = "English (US)",
series = "WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks",
publisher = "Association for Computing Machinery, Inc",
pages = "249--260",
booktitle = "WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks",

}

TY - GEN

T1 - Lost traffic encryption

T2 - Fingerprinting LTE/4G traffic on layer two

AU - Kohls, Katharina

AU - Rupprecht, David

AU - Holz, Thorsten

AU - Poepper, Christina

PY - 2019/5/15

Y1 - 2019/5/15

N2 - Long Term Evolution (LTE) provides the communication infrastructure for both professional and private use cases and has become an integral part of our everyday life. Even though LTE/4G overcomes many security issues of previous standards, recent work demonstrates several attack vectors on the physical and network layers of the LTE stack. We do, however, have only limited insights into the security and privacy aspects of the second layer. In this work, we investigate the impact of fingerprinting attacks on encrypted LTE/4G layer-two traffic. Traffic fingerprinting enables an adversary to exploit the metadata side-channel of transmissions - with severe consequences for the user's privacy. In multiple lab and commercial network experiments, we demonstrate the feasibility of passive and active fingerprinting attacks. First, passive website fingerprinting allows the attacker to learn a user's accessed website from encrypted transmissions. While being a well-known attack in other contexts, we provide an extensive performance baseline of state-of-the-art website fingerprinting attacks of encrypted LTE traffic in a lab setup and successfully repeat the experiments in a commercial network. Second, in an active identity-mapping attack, we inject watermarks and localize users within a radio cell. Our attacks succeed for the current LTE/4G specification and exploit features that also persist in the upcoming 5G standard.

AB - Long Term Evolution (LTE) provides the communication infrastructure for both professional and private use cases and has become an integral part of our everyday life. Even though LTE/4G overcomes many security issues of previous standards, recent work demonstrates several attack vectors on the physical and network layers of the LTE stack. We do, however, have only limited insights into the security and privacy aspects of the second layer. In this work, we investigate the impact of fingerprinting attacks on encrypted LTE/4G layer-two traffic. Traffic fingerprinting enables an adversary to exploit the metadata side-channel of transmissions - with severe consequences for the user's privacy. In multiple lab and commercial network experiments, we demonstrate the feasibility of passive and active fingerprinting attacks. First, passive website fingerprinting allows the attacker to learn a user's accessed website from encrypted transmissions. While being a well-known attack in other contexts, we provide an extensive performance baseline of state-of-the-art website fingerprinting attacks of encrypted LTE traffic in a lab setup and successfully repeat the experiments in a commercial network. Second, in an active identity-mapping attack, we inject watermarks and localize users within a radio cell. Our attacks succeed for the current LTE/4G specification and exploit features that also persist in the upcoming 5G standard.

KW - Identification Attack

KW - LTE

KW - Website Fingerprinting

UR - http://www.scopus.com/inward/record.url?scp=85066733454&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85066733454&partnerID=8YFLogxK

U2 - 10.1145/3317549.3323416

DO - 10.1145/3317549.3323416

M3 - Conference contribution

AN - SCOPUS:85066733454

T3 - WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks

SP - 249

EP - 260

BT - WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks

PB - Association for Computing Machinery, Inc

ER -