The attack is a combination of multiple "vulnerabilities":

1. the data link layer is not protected, so an attacker can perform a relay attack (forward the encrypted radio packets between the phone and the actual cell tower).

2. from watching the encrypted traffic patterns, it is possible to guess which websites the user is surfing by comparing the traffic fingerprints.

3. the packets are not integrity-protected, so it's possible to change bits of data, if you can guess which packet you have and how it's constructed. This is used to manipulate DNS requests to redirect traffic.

I'm not sure about the significance of #1 and #2. A passive attacker <i>might</i> be able to obtain the same information simply by monitoring the physical layer traffic patterns emitted by the phone. Additionally, mobile operators are typically monitoring their frequencies for abuse, so an active attack might not stay under the radar for long.

Regarding #3, this is a complicated way to achieve what you can do with a fake WiFi hotspot, and gives you control over unencrypted communications, which hopefully is only a very small subset of today's traffic thanks to omnipresent HTTPS.
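A worked illustration of point #3 above, added here as an example and not taken from the comment, the LTE specifications or the attack's authors: a packet encrypted under an XOR keystream with no integrity check is malleable, so a relay attacker who knows the packet layout and the original destination can flip the destination address bits in the ciphertext without knowing the key. Assumptions in this code: the keystream is a SHA-256 counter-mode stand-in for a real stream cipher such as AES-CTR; the IPv4/UDP DNS request, the key and the nonce are constructed sample data; the UDP checksum is left at zero (allowed in IPv4) to keep the demo short; 198.51.0.0/16 is a hypothetical attacker-controlled range; and the "fixed" variant uses an HMAC tag as a generic stand-in for integrity protection. The example also covers one edge case the comment glosses over: bit flipping cannot add a delta to an IP header checksum the attacker cannot read, so the new address is chosen to keep the one's complement sum unchanged.

```python
"""Ciphertext malleability of an XOR keystream without integrity protection.
Added example with constructed data; not the LTE stack or the attack authors' code."""
import hashlib
import hmac
import socket
import struct

KEY = bytes(range(16))            # constructed sample key shared by phone and network
MAC_KEY = hashlib.sha256(b"mac" + KEY).digest()  # separate key for the integrity variant
NONCE = b"\x00" * 8               # constructed per-packet nonce (counter/bearer/direction)
DST_OFF = 16                      # offset of the destination address in the IPv4 header
ATTACKER_HI_WORD = 0xC633         # 198.51.x.x: hypothetical attacker-controlled /16
# Constructed DNS query for example.com, type A (header + question section).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")


def keystream(key, nonce, length):
    """SHA-256 in counter mode as a stand-in keystream; any XOR keystream is malleable."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor_crypt(key, nonce, data):
    """Encryption and decryption are the same XOR operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def fold16(s):
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def ip_checksum(hdr):
    """One's complement checksum; over a header with its checksum field set it returns 0."""
    return (~fold16(sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr)))) & 0xFFFF


def build_dns_request(src, dst, payload):
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload  # UDP csum 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + udp


def same_checksum_address(original_dst, attacker_hi_word):
    """Pick an address in the attacker's /16 whose 16-bit one's complement contribution
    equals the original's, so the (encrypted, unreadable) IP checksum stays valid."""
    hi, lo = struct.unpack("!HH", socket.inet_aton(original_dst))
    lo_new = (hi + lo - attacker_hi_word) % 0xFFFF  # arithmetic mod 2^16 - 1
    return socket.inet_ntoa(struct.pack("!HH", attacker_hi_word, lo_new))


def flip_destination(ciphertext, old_dst, new_dst):
    """Attacker step on the relayed ciphertext: XOR in (old XOR new) at the address offset."""
    delta = bytes(a ^ b for a, b in zip(socket.inet_aton(old_dst), socket.inet_aton(new_dst)))
    ct = bytearray(ciphertext)
    for i, d in enumerate(delta):
        ct[DST_OFF + i] ^= d
    return bytes(ct)


def decrypt_and_parse(ciphertext):
    """Network side: decrypt and read the IP header as the network would."""
    pkt = xor_crypt(KEY, NONCE, ciphertext)
    hdr = pkt[:20]
    return {"dst": socket.inet_ntoa(hdr[16:20]),
            "checksum_ok": ip_checksum(hdr) == 0,
            "dns": pkt[28:]}


def run_attack():
    """No integrity protection: the flipped packet decrypts to a valid request to the attacker."""
    victim_pkt = build_dns_request("10.0.0.2", "8.8.8.8", DNS_QUERY)
    ciphertext = xor_crypt(KEY, NONCE, victim_pkt)
    new_dst = same_checksum_address("8.8.8.8", ATTACKER_HI_WORD)
    return decrypt_and_parse(flip_destination(ciphertext, "8.8.8.8", new_dst))


def encrypt_with_mac(pkt):
    ct = xor_crypt(KEY, NONCE, pkt)
    return ct + hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()[:8]


def verify_and_decrypt(blob):
    ct, tag = blob[:-8], blob[-8:]
    expected = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None                 # integrity failure: drop the packet
    return xor_crypt(KEY, NONCE, ct)


def run_attack_with_mac():
    """With an integrity tag the same bit flip is detected and the packet is discarded."""
    blob = encrypt_with_mac(build_dns_request("10.0.0.2", "8.8.8.8", DNS_QUERY))
    new_dst = same_checksum_address("8.8.8.8", ATTACKER_HI_WORD)
    return verify_and_decrypt(flip_destination(blob, "8.8.8.8", new_dst))


if __name__ == "__main__":
    print(run_attack())            # dst becomes 198.51.73.220, checksum still valid
    print(run_attack_with_mac())   # None
```

The DNS payload is untouched, so the resolver at the redirected address receives a well-formed query and can answer with any IP it likes; the checksum trick only works because IPv4 lets the attacker choose an address with the same one's complement sum, which is why guessing "how the packet is constructed" matters as much as the missing integrity check.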
This is nothing compared to the disasters that are mobile “core” networks. Those are where the real problem is (allows real time location tracking, call/text/data spoofing & interception, denial of service, etc) and the telcos don’t give a shit.
I really like the trend of offering a human-readable explanation of attacks, complete with illustrations. It's so much easier to present the danger to upper management if they can do some self-research.
Nice technical work but given the pre-requisites nothing to lose sleep over (yet). As a rule: if you are on a mobile network consider your activities to be public.