
Exposing LTE Security Weaknesses at Protocol Inter-layer, and Inter-radio Interactions

  • Conference paper

Abstract

Despite security shields that protect user communication with both the radio access network and the core infrastructure, 4G LTE is still susceptible to a number of security threats. The vulnerabilities mainly arise from the inter-layer communication among its protocols and from its inter-radio interaction with the legacy access technologies (2G/3G). We categorize the uncovered vulnerabilities along three dimensions, i.e., authentication, security association and service availability, and verify these vulnerabilities in operational LTE networks. To assess the practical impact of these security threats, we convert them into active attacks, in which an adversary can (a) kick the victim device out of the network, (b) hijack the victim’s location, and (c) silently drain the victim’s battery power. Moreover, we show that the attacker does not need to communicate with the victim device or reside on the device to launch these attacks (i.e., no Trojan or malware is required). We further propose remedies for the identified attacks.


Notes

  1. Such interaction can occur within, and across, the device and network elements.

  2. The communication between UE and eNodeB is performed by RRC.

  3. The communication between UE and MME is performed by NAS.

  4. The Cell Radio Network Temporary Identifier (C-RNTI) identifies the UE over the air.

  5. S1AP facilitates control-plane traffic between eNodeB and MME.

  6. Section 5.3.3 (RRC connection establishment procedure) and Sect. 5.3.4 (Initial security activation) in the LTE RRC specification [20]. Note that the initial NAS message (such as Service Request) is sent piggybacked on the RRCConnectionSetupComplete message, which the eNodeB forwards to the MME. The SecurityModeCommand message is sent only thereafter.

  7. A paging message is a control beacon sent from the LTE network to a device when packet-switched (PS) data or a circuit-switched (CS) call is pending at the LTE core network. Paging messages are sent when the device is in RRC Idle state.

  8. The tracking area is a logical concept: an area within which a user can move around without updating the MME. In an operational network, one tracking area spans a number of eNodeBs.

  9. Because femtocells are part of the operator network, operators take both hardware and software security measures to secure them. Therefore, as shown in Fig. 3 (right), we only broke a small part of the femtocell cover, just to access the debugging pins (JP1, JP2, JP5, JP6, PL2, etc.). We used the screen command to dump the femtocell memory image, uncompressed it, reversed the kernel image, and looked for user information in the /etc/passwd file. We then applied a brute-force technique to decode the password string within 7 days.

  10. The MNC uniquely identifies a mobile network operator.

  11. A Service Request establishes the UE connection with the MME when uplink/downlink data is to be sent/received while the device is in idle state.

References

  1. 3GPP Specification series. http://www.3gpp.org/dynareport/36-series.htm/

  2. Tera Term - A Terminal Emulator. http://ttssh2.sourceforge.jp/index.html.en

  3. Shaik, A., Borgaonkar, R., Asokan, N., Niemi, V., Seifert, J.-P.: Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In: NDSS (2016)

  4. Jover, R.P.: Security attacks against the availability of LTE mobility networks: overview and research directions. In: IEEE WPMC (2013)

  5. Jover, R.P.: LTE security, protocol exploits and location tracking experimentation with low-cost software radio. arXiv preprint arXiv:1607.05171 (2016)

  6. The Security Vulnerabilities of LTE: Opportunity and Risks for Operators. http://forums.juniper.net/t5/Industry-Solutions-and-Trends/The-Security-Vulnerabilities-of-LTE-Opportunity-and-Risks-for/ba-p/214477/

  7. Tu, G.-H., Li, Y., Peng, C., Li, C.-Y., Wang, H., Lu, S.: Control-plane protocol interactions in cellular networks. In: ACM SIGCOMM (2014)

  8. Huang, J., Qian, F., Guo, Y., Zhou, Y., Xu, Q., Mao, Z.M., Sen, S., Spatscheck, O.: An in-depth study of LTE: effect of network protocol and application behavior on performance. In: ACM SIGCOMM Computer Communication Review (2013)

  9. LTE protocol layer stack. http://www.tutorialspoint.com/lte/lte_protocol_stack_layers.htm/

  10. Ahmadi, S.: LTE-Advanced: A Practical Systems Approach to Understanding 3GPP LTE Releases 10 and 11 Radio Access Technologies, 1st edn. Academic Press, Waltham (2013)

  11. Sesia, S., Baker, M., Toufik, I.: LTE - The UMTS Long Term Evolution: From Theory to Practice, 2nd edn. Wiley, Hoboken (2011)

  12. Qualcomm: QxDM Professional - QUALCOMM eXtensible Diagnostic Monitor. http://www.qualcomm.com/media/documents/tags/qxdm

  13. MobileInsight. http://mobileinsight.net/

  14. AT Commands List. http://www.lte.com.tr/uploads/pdfe/1.pdf

  15. QPST Service Programming. http://forum.xda-developers.com/showthread.php?t=1180211

  16. OpenEPC - open source LTE implementation. http://www.openepc.net/

  17. OpenAirInterface. http://www.openairinterface.org/

  18. OpenLTE. http://openlte.sourceforge.net/

  19. 3GPP: TS 24.301: Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3 (June 2013)

  20. 3GPP: TS 36.331: Radio Resource Control (RRC) (2012)

  21. MME Pool Overlap. http://lteuniversity.com/get_trained/expert_opinion1/b/johnmckeague/archive/2012/03/06/mme-pool-overlap.aspx

  22. Borgaonkar, R., Udar, S.: Understanding IMSI privacy. Talk at Black Hat (2014)

  23. Ginzboorg, P., Niemi, V.: Privacy of the long-term identities in cellular networks. In: Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, pp. 167–175. ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering) (2016)

  24. Strobel, D.: IMSI catcher. Chair for Communication Security, Ruhr-Universität Bochum, p. 14 (2007)

  25. 3GPP: TS 36.304: User Equipment procedures in idle mode (2013)

  26. Securing the Mobile Network. http://www.us.aviatnetworks.com/media/files/Securing_the_Mobile_Network.pdf/

  27. 3GPP: TS 24.008: Core Network Protocols (2012)

  28. 3GPP: TS 33.401: 3GPP SAE; Security architecture (September 2013)

  29. 3GPP: TS 23.401: GPRS Enhancements for E-UTRAN Access (2011)

  30. 3GPP: TS 23.012: Location management procedures (2011)

  31. UE Emulation Mode. https://wiki.phantomnet.org/wiki/phantomnet/oepc-protected/openepc-tutorial/

  32. LTE Cat-0 Power Saving Mode: What it Could Mean for Cellular IoT. http://www.eleven-x.com/2015/04/29/lte-cat-0s-power-saving-mode-what-it-could-mean-for-cellular-iot/

  33. 3GPP: TS 36.413: E-UTRAN S1 Application Protocol (S1AP) (2014)

  34. Monsoon Power Monitor Tool. https://www.msoon.com/LabEquipment/PowerMonitor/

  35. Traynor, P., McDaniel, P., La Porta, T.: On attack causality in internet-connected cellular networks. In: USENIX Security (2007)

  36. Qian, Z., Mao, Z.: Off-path TCP sequence number inference attack - how firewall middleboxes reduce security. In: IEEE Security & Privacy (2012)

  37. Enck, W., Traynor, P., McDaniel, P., La Porta, T.: Exploiting open functionality in SMS-capable cellular networks. In: ACM CCS (2005)

  38. Racic, R., Ma, D., Chen, H.: Exploiting MMS vulnerabilities to stealthily exhaust mobile phone’s battery. In: SecureComm 2006 (2006)

  39. Barrera, D., Kayacik, H.G., van Oorschot, P.C., Somayaji, A.: A methodology for empirical analysis of permission-based security models and its application to Android. In: ACM CCS (2010)

  40. Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In: ACM MobiSys (2011)

  41. Marforio, C., Ritzdorf, H., Francillon, A., Capkun, S.: Analysis of the communication between colluding applications on modern smartphones. In: ACM ACSAC (2012)

  42. Potharaju, R., Newell, A., Nita-Rotaru, C., Zhang, X.: Plagiarizing smartphone applications: attack strategies and defense techniques. In: ACM ESSoS (2012)

  43. Schlegel, R., Zhang, K., Zhou, X., Intwala, M., Kapadia, A., Wang, X.: Soundcomber: a stealthy and context-aware sound trojan for smartphones. In: NDSS (2011)


Acknowledgement

We thank the anonymous reviewers for their excellent feedback, which has helped to improve the paper. This work is supported in part by NSF grants CNS-1422835 and CNS-1528122.

Author information

Correspondence to Muhammad Taqi Raza.


Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering


Cite this paper

Raza, M.T., Anwar, F.M., Lu, S. (2018). Exposing LTE Security Weaknesses at Protocol Inter-layer, and Inter-radio Interactions. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_16


  • DOI: https://doi.org/10.1007/978-3-319-78813-5_16


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78812-8

  • Online ISBN: 978-3-319-78813-5
