Breaking LTE on Layer Two – DNS Over TLS Response

Recent disclosure of a paper describing an attack (aLTEr) against LTE networks titled “Breaking LTE on Layer Two” is surprisingly drawing a lot of attention to DNS security over mobile networks. The fact is, this paper refers to a combination of multiple “vulnerabilities” within the implementation of LTE networks. It describes how it’s possible to corrupt mobile network traffic, by targeting, as an example, DNS packets. But beware- any unencrypted protocol is at risk. In the end, this alarming paper highlights the well known fact that since the inception of DNS, DNS traffic between a client and its DNS resolver is unsecured. The reason is that related traffic is neither authenticated nor encrypted, leaving the integrity of the transaction at risk.

Overview of the DNS redirection attack: A malicious relay is deployed as a Man in the Middle between the UE (User Equipment) and the commercial network, which alters the destination IP address of a DNS request to redirect messages to a malicious DNS server. Eventually, the UE connects to the malicious HTTP server.

Image source: Breaking LTE Layer Two publication

As a result, many telecommunication network operators are expressing concerns about DNS security, and are now asking for the rapid deployment of DNS security mechanisms. This concern is a good thing, however. Being aware that deploying DNS over TLS or an equivalent protocol will take time. DNS clients (mostly operating systems) are not yet compatible, hence deployment considerations are numerous. For instance, very few operating systems natively support this protocol, and those which do provide very limited support. More importantly, other alternatives are still on the table since DNS over TLS may significantly impact DNS performance and DNS scaling. Switching the underlying transport protocol from UDP to TCP brings new limitations and challenges (increase in consumed bandwidth, limited number of TCP concurrent sessions, etc.). These potential issues could possibly be addressed by deploying DNS over DTLS or QUIC, for instance.

For now, some actors are pushing for DNS over TLS. Google is announcing DNS over TLS support within the next Android version, Pistachio. This might push for a massive deployment of this protocol, but only if network operators agree on deploying the necessary network infrastructure instead of waiting for other alternatives such as DNS over DTLS or QUIC, which remain drafts at the IETF (see here and here).

For additional information regarding Breaking LTE on Layer Two, see here, ‘alter attack’ website and a video demo here. Also, for earlier work discussing security issues with LTE please see here.

Take action and protect your network.
Download the DNS security best practices white paper to learn how.