• United States

Protecting iOS against the aLTEr attacks

Jul 10, 20185 mins
MobileMobile SecurityNetwork Security

The new aLTEr attack can be used against nearly all LTE connected endpoints by intercepting traffic and redirecting it to malicious websites. This article summarizes how the attack works, and suggests ways to protect yourself from it – including a specific approach for Apple iOS devices.

mobile security / unlocked data connections
Credit: Thinkstock

Researchers from Ruhr-Universität Bochum & New York University Abu Dhabi have uncovered a new attack against devices using the Long-Term Evolution (LTE) network protocol. LTE, which is a form of 4G, is a mobile communications standard used by billions of devices and the largest cellular providers around the world.

In other words, the attack can be used against you.

The research team has named the attack “aLTEr” and it allows the attacker to intercept communications using a man-in-the-middle technique and redirect the victim to malicious websites using DNS spoofing.

Note: According to their FAQ question: “Is there a logo for the attacks“, the answer is: “Maybe. There are no stickers, t-shirts, songs, …“. You gotta love their sense of humor since no attack is truly relevant without its own logo! ☻

The aLTEr attack

This attack works by taking advantage of a design flaw within the LTE network — the data link layer (aka: layer-2) of the LTE network is encrypted with AES-CTR but it is not integrity-protected, which is why an attacker can modify the payload.

As a result, the attacker is performing a classic man-in-the-middle where they are posing as a cell tower to the victim, while pretending to be the real subscriber to the real network. The traffic from the victim is sent to the attacker where it is modified and forwarded into the real network.

alter mitmattack Aaron Woland

Figure 1 the aLTEr MiTM attack

These types of attacks are not only limited to LTE networks. 5G networks may also be vulnerable to these attacks in future – if they don’t institute integrity protection.

Protecting against these types of attacks?

DNS is foundational to how the internet works; before any app connects to its service, before any web browser connects to the web site, before any email is sent: a DNS lookup is performed. Traditional DNS is designed to be very quick, not secure.

DNS spoofing attacks can be prevented by adding security to DNS itself, leveraging encryption and intelligent policies for name resolution. One example of this is implementing RFC 7858 or RFC 8310. These RFC’s reference the use of DNS over Transport Layer Security (TLS) and DNS over Datagram TLS (DTLS).

DNS over TLS or DTLS will protect devices from the aLTEr attack, by providing encryption of the DNS traffic that includes integrity-protection. There have been articles on Google Android’s O release (aka: Oreo) enabling DNS over TLS out of the box, by default. This helps when the DNS servers the device is connecting to are leveraging DNS over TLS; but naturally, the DNS servers do get assigned by the network the device is connected to.  Cloudflare’s DNS service does over DNS over HTTPS already, but not many clients are able to leverage it just yet.

Since this is my blog, I guess I’m entitled to share my opinion. From the testing results that I have seen, DNS over TLS has a bit too much overhead and is lacking the performance required by DNS. This is why DNS over DTLS makes more a little more sense to me. We saw this with “SSL VPN” (which is a misnomer, it’s actually a TLS VPN), and time sensitive traffic for voice over IP. Moving the VPN to DTLS instead of TLS increased the performance and made VoIP with VPN truly achievable.

Another possible solution would be to leverage DNS over HTTPS, which does interest a lot of people, especially those who may have malicious intentions, where the DNS requests from the app itself (most likely a Tor client or a browser) would be sent directly to a DNS server, leveraging an HTTPS communication. This is mostly theoretical at this juncture, as not many services enable DNS over HTTPS.  Google DNS does enable this communication type, as does Cloudflare’s DNS service. However, not many (if any) clients or apps are built to leverage the service yet. Additionally, since HTTPS is leveraging TLS this would add the overhead of the TLS session, also.

DNSCrypt and the Cisco Security Connector for iOS

There is another, older option, which has successfully been implemented for quite some time already, known as DNSCrypt. Cisco Umbrella (the solution formerly known as OpenDNS) has been using DNSCrypt to secure DNS for many years.

Along these lines, Apple and Cisco have partnered to deliver the deepest level of visibility and control for enterprise-owned iOS devices with the Cisco Security Connector (CSC) for iOS. [Disclamer: the author is a principal engineer for Cisco.]

CSC for iOS protects users from connecting to malicious sites, leveraging DNS as a control plane. The protections occur whether on the corporate network, on public Wi-Fi, or on cellular network. CSC encrypts the DNS queries and sends them to Cisco’s Umbrella service for resolution, which protects your user population from connecting to nefarious web sites and prevents the DNS spoofing attacks.


Aaron Woland, CCIE No. 20113, is a Principal Engineer at Cisco Systems, Inc., and works with Cisco’s Largest Customers all over the world. His primary job responsibilities include Secure Access and Identity deployments with ISE, solution enhancements, standards development, and futures. Aaron joined Cisco in 2005 and is currently a member of numerous security advisory boards, and standards body working groups.

Prior to joining Cisco, Aaron spent 12 years as a Consultant and Technical Trainer. His areas of expertise include network and host security architecture and implementation, regulatory compliance, as well as route-switch and wireless. Aaron is the author of Cisco ISE for BYOD and Secure Unified Access book (Cisco Press), and many published white papers and design guides. Aaron is a member of the Hall of Fame for Distinguished Speakers at Cisco Live, and is a security columnist for Network World where he blogs on all things related to Identity. His other certifications include: GHIC, GSEC, Certified Ethical Hacker, MCSE, VCP, CCSP, CCNP, CCDP and many other industry certifications.

The opinions expressed in this blog are those of Aaron Woland and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies, including Cisco Systems.