The researchers found two passive attacks against LTE networks: an identity mapping attack and a method to perform website fingerprinting. The third attack, which the team calls “aLTEr”, is an active attack that lets an attacker intercept and tamper with communications.
The researchers point out that LTE’s layer-two user data is encrypted but not integrity-protected. An attacker who knows, or can guess, part of the plaintext can therefore flip bits in the ciphertext so that the legitimate receiver decrypts a predictably altered packet; the attacker never recovers the key and never decrypts anything. As the researchers said in their paper:
"The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext."
In the aLTEr attack this bit flipping is done from a relay: the attacker’s equipment poses as a legitimate cell tower toward the victim’s device while posing as the victim’s device toward the real network, so all traffic between the two passes through the attacker, who can intercept it and alter selected packets on the way.
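The malleability described above, as an added example that is not from the researchers’ paper or tooling: a packet is encrypted with AES-CTR from Go’s standard library, a relay that does not hold the key XORs a few ciphertext bytes with (known value XOR wanted value), and the receiving side decrypts a packet whose IPv4 destination address has been rewritten while the rest is intact. The key, nonce, addresses and “DNS query” bytes are constructed for the demo; the destination-address offset (bytes 16 to 19) is the real IPv4 header layout, which is what tells the attacker which ciphertext bytes to touch. A second function applies the same flips to an AES-GCM ciphertext, an authenticated mode, and the tamper is rejected, which is the kind of integrity protection the quoted passage says LTE user data lacks.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"net"
)

// Offset of the destination address inside a 20-byte IPv4 header. This is the
// real header layout; it is what lets the attacker flip the right ciphertext bytes.
const dstIPOffset = 16

// Constructed demo material (not taken from the paper).
var (
	key              = []byte("0123456789abcdef0123456789abcdef") // 32-byte AES key, demo only
	nonce            = []byte("counter-nonce-16")                 // 16-byte CTR counter block, demo only
	victimResolver   = net.IPv4(8, 8, 8, 8)                       // resolver the victim's device really asks
	attackerResolver = net.IPv4(198, 51, 100, 7)                  // resolver the relay wants the query sent to
	dnsQuery         = []byte("constructed DNS query bytes")      // stands in for a UDP/DNS payload
)

// buildPacket returns a minimal IPv4 header (no checksum) followed by payload.
func buildPacket(src, dst net.IP, payload []byte) []byte {
	hdr := make([]byte, 20)
	hdr[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(hdr[2:], uint16(20+len(payload)))
	hdr[8] = 64 // TTL
	hdr[9] = 17 // protocol: UDP
	copy(hdr[12:16], src.To4())
	copy(hdr[16:20], dst.To4())
	return append(hdr, payload...)
}

// ctrXOR encrypts or decrypts with AES-CTR; both directions are the same
// keystream XOR, which is exactly why the mode is malleable.
func ctrXOR(key, nonce, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out
}

// rewriteDst is the relay's step. Without the key it XORs the ciphertext bytes
// covering the destination address with (knownDst XOR wantedDst). Since
// C = P XOR K, the result is (P XOR known XOR wanted) XOR K, which the
// legitimate receiver decrypts to the packet with the destination replaced.
func rewriteDst(ct []byte, knownDst, wantedDst net.IP) []byte {
	out := append([]byte(nil), ct...)
	k, w := knownDst.To4(), wantedDst.To4()
	for i := 0; i < 4; i++ {
		out[dstIPOffset+i] ^= k[i] ^ w[i]
	}
	return out
}

// MalleateCTR runs the whole exchange against AES-CTR: device encrypts, relay
// flips bits, network decrypts. It returns the destination the network sees
// and the decrypted payload (which should be untouched).
func MalleateCTR() (net.IP, []byte) {
	pt := buildPacket(net.IPv4(10, 0, 0, 2), victimResolver, dnsQuery)
	ct := ctrXOR(key, nonce, pt)
	tampered := rewriteDst(ct, victimResolver, attackerResolver)
	dec := ctrXOR(key, nonce, tampered)
	return net.IP(dec[dstIPOffset : dstIPOffset+4]), dec[20:]
}

// TamperGCM applies the same bit flips to an AES-GCM ciphertext. GCM appends
// an authentication tag, so Open returns an error and the tamper is detected.
func TamperGCM() error {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	gnonce := nonce[:gcm.NonceSize()]
	pt := buildPacket(net.IPv4(10, 0, 0, 2), victimResolver, dnsQuery)
	ct := gcm.Seal(nil, gnonce, pt, nil)
	tampered := rewriteDst(ct, victimResolver, attackerResolver)
	_, err = gcm.Open(nil, gnonce, tampered, nil)
	return err
}

func main() {
	dst, payload := MalleateCTR()
	fmt.Printf("CTR: network decrypts destination %s, payload %q\n", dst, payload)
	fmt.Println("GCM: open after tamper ->", TamperGCM())
}
```

The relay never sees the key or the plaintext; it only needs to know what the original field contained, which for a destination address of a well-known resolver it can guess. The GCM variant fails on `Open` because the tag no longer matches, so an integrity check, not a stronger cipher, is what closes this class of attack.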