Abstract
Despite security shields that protect user communication with both the radio access network and the core infrastructure, 4G LTE is still susceptible to a number of security threats. The vulnerabilities mainly stem from inter-layer communication within the LTE protocol stack and from inter-radio interaction with the legacy access technologies (2G/3G). We categorize the uncovered vulnerabilities along three dimensions, i.e., authentication, security association and service availability, and verify these vulnerabilities in operational LTE networks. In order to assess the practical impact of these security threats, we convert them into active attacks in which an adversary can (a) kick the victim device out of the network, (b) hijack the victim's location, and (c) silently drain the victim's battery power. Moreover, we show that the attacker does not need to communicate with the victim device or reside on the device to launch these attacks (i.e., no Trojan or malware is required). We further propose remedies for the identified attacks.
Notes
1. Such interaction can occur within, and across, the device and network elements.
2. The communication between UE and eNodeB is performed by RRC.
3. The communication between UE and MME is performed by NAS.
4. The Cell Radio Network Temporary Identifier (C-RNTI) identifies the UE over the air.
5. S1AP facilitates control-plane traffic between eNodeB and MME.
6. See Sect. 5.3.3 (RRC connection establishment procedure) and Sect. 5.3.4 (Initial security activation) of the LTE RRC specification [20]. Note that the initial NAS message (such as Service Request) is sent piggybacked on the RRCConnectionSetupComplete message, which the eNodeB forwards to the MME; the SecurityModeCommand message is sent only thereafter.
7. A paging message is a control beacon sent from the LTE network to a device when packet-switched (PS) data or a circuit-switched (CS) call is pending at the LTE core network. Paging messages are sent when the device is in RRC Idle state.
8. The tracking area is a logical area within which a user can move around without updating the MME. In an operational network, one tracking area spans a number of eNodeBs.
9. Because femtocells are part of the operator network, operators take both hardware and software security measures to secure them. Therefore, as shown in Fig. 3 (right), we only broke a small part of the femtocell cover, just enough to access the debugging pins (JP1, JP2, JP5, JP6, PL2, etc.). We used the screen command to dump the femtocell memory image, then uncompressed it, reversed the kernel image, and looked for user information in the /etc/passwd file. We then applied a brute-force technique, which decoded the password string within 7 days.
10. MNC uniquely identifies a mobile network operator.
11. Service Request establishes the UE connection with the MME when uplink/downlink data is to be sent/received while the device is in idle state.
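As an added illustration of the ordering in note 6 (this code is not part of the paper), the following Python snippet audits a constructed RRC/NAS message trace and reports which messages, including the NAS message piggybacked on RRCConnectionSetupComplete, were exchanged before AS security activation. The trace line format and message names used here are assumptions for this example, not a real capture format.

```python
"""Audit a constructed RRC/NAS trace: which messages precede AS security activation?"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample trace (not a real capture). Assumed line format:
# "<ms> <layer> <dir> <message>[(nas=<piggybacked NAS message>)]"
TRACE = """\
0 RRC UL RRCConnectionRequest
3 RRC DL RRCConnectionSetup
7 RRC UL RRCConnectionSetupComplete(nas=ServiceRequest)
42 RRC DL SecurityModeCommand
45 RRC UL SecurityModeComplete
48 RRC DL RRCConnectionReconfiguration
"""

LINE = re.compile(r"^(\d+)\s+(RRC|NAS)\s+(UL|DL)\s+(\S+)$")
PIGGYBACK = re.compile(r"^(\w+)\(nas=(\w+)\)$")


@dataclass
class Msg:
    t_ms: int
    layer: str
    direction: str
    name: str
    nas: Optional[str]   # NAS message carried inside this RRC message, if any
    as_secured: bool     # True once AS integrity protection covers the message


def parse_trace(text: str) -> List[Msg]:
    """Parse lines in order and tag each with the AS security state at that point."""
    msgs, secured = [], False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the audit
        t_ms, layer, direction, name = m.groups()
        nas = None
        pm = PIGGYBACK.match(name)
        if pm:
            name, nas = pm.groups()
        # SecurityModeCommand is the first AS message carrying a MAC-I, so AS
        # integrity protection counts as active from that message onwards.
        secured = secured or name == "SecurityModeCommand"
        msgs.append(Msg(int(t_ms), layer, direction, name, nas, secured))
    return msgs


def unprotected_messages(msgs: List[Msg]) -> List[str]:
    """Names of messages sent before AS security activation ("RRC+NAS" if piggybacked)."""
    return [m.name if m.nas is None else f"{m.name}+{m.nas}" for m in msgs if not m.as_secured]


def nas_before_as_security(msgs: List[Msg]) -> List[str]:
    """NAS messages that rode inside RRC messages before AS security was active."""
    return [m.nas for m in msgs if m.nas and not m.as_secured]
```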
References
1. 3GPP Specification series. http://www.3gpp.org/dynareport/36-series.htm/
2. Tera Term - A Terminal Emulator. http://ttssh2.sourceforge.jp/index.html.en
3. Shaik, A., Borgaonkar, R., Asokan, N., Niemi, V., Seifert, J.-P.: Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In: NDSS (2016)
4. Jover, R.P.: Security attacks against the availability of LTE mobility networks: overview and research directions. In: IEEE WPMC (2013)
5. Jover, R.P.: LTE security, protocol exploits and location tracking experimentation with low-cost software radio. arXiv preprint arXiv:1607.05171 (2016)
6. The Security Vulnerabilities of LTE: Opportunity and Risks for Operators. http://forums.juniper.net/t5/Industry-Solutions-and-Trends/The-Security-Vulnerabilities-of-LTE-Opportunity-and-Risks-for/ba-p/214477/
7. Tu, G.-H., Li, Y., Peng, C., Li, C.-Y., Wang, H., Lu, S.: Control-plane protocol interactions in cellular networks. In: ACM SIGCOMM (2014)
8. Huang, J., Qian, F., Guo, Y., Zhou, Y., Xu, Q., Mao, Z.M., Sen, S., Spatscheck, O.: An in-depth study of LTE: effect of network protocol and application behavior on performance. In: ACM SIGCOMM Computer Communication Review (2013)
9. LTE protocol layer stack. http://www.tutorialspoint.com/lte/lte_protocol_stack_layers.htm/
10. Ahmadi, S.: LTE-Advanced: A Practical Systems Approach to Understanding 3GPP LTE Releases 10 and 11 Radio Access Technologies, 1st edn. Academic Press, Waltham (2013)
11. Sesia, S., Baker, M., Toufik, I.: LTE - The UMTS Long Term Evolution: From Theory to Practice, 2nd edn. Wiley, Hoboken (2011)
12. Qualcomm: QxDM Professional - QUALCOMM eXtensible Diagnostic Monitor. http://www.qualcomm.com/media/documents/tags/qxdm
13. MobileInsight. http://mobileinsight.net/
14. AT Commands List. http://www.lte.com.tr/uploads/pdfe/1.pdf
15. QPST Service Programming. http://forum.xda-developers.com/showthread.php?t=1180211
16. OpenEPC - open source LTE implementation. http://www.openepc.net/
17. OpenAirInterface. http://www.openairinterface.org/
18. OpenLTE. http://openlte.sourceforge.net/
19. 3GPP. TS 24.301: Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3 (June 2013)
20. 3GPP. TS 36.331: Radio Resource Control (RRC) (2012)
21. MME Pool Overlap. http://lteuniversity.com/get_trained/expert_opinion1/b/johnmckeague/archive/2012/03/06/mme-pool-overlap.aspx
22. Borgaonkar, R., Udar, S.: Understanding IMSI privacy. Talk at Black Hat (2014)
23. Ginzboorg, P., Niemi, V.: Privacy of the long-term identities in cellular networks. In: Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, pp. 167-175. ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering) (2016)
24. Strobel, D.: IMSI catcher. Chair for Communication Security, Ruhr-Universität Bochum, p. 14 (2007)
25. 3GPP. TS 36.304: User Equipment procedures in idle mode (2013)
26. Securing the Mobile Network. http://www.us.aviatnetworks.com/media/files/Securing_the_Mobile_Network.pdf/
27. 3GPP. TS 24.008: Core Network Protocols (2012)
28. 3GPP. TS 33.401: 3GPP SAE; Security architecture (September 2013)
29. 3GPP. TS 23.401: GPRS Enhancements for E-UTRAN Access (2011)
30. 3GPP. TS 23.012: Location management procedures (2011)
31. UE Emulation Mode. https://wiki.phantomnet.org/wiki/phantomnet/oepc-protected/openepc-tutorial/
32. LTE Cat-0 Power Saving Mode: What it Could Mean for Cellular IoT. http://www.eleven-x.com/2015/04/29/lte-cat-0s-power-saving-mode-what-it-could-mean-for-cellular-iot/
33. 3GPP. TS 36.413: E-UTRAN S1 Application Protocol (S1AP) (2014)
34. Monsoon Power Monitor Tool. https://www.msoon.com/LabEquipment/PowerMonitor/
35. Traynor, P., McDaniel, P., La Porta, T.: On attack causality in internet-connected cellular networks. In: USENIX Security (2007)
36. Qian, Z., Mao, Z.: Off-path TCP sequence number inference attack - how firewall middleboxes reduce security. In: IEEE Security & Privacy (2012)
37. Enck, W., Traynor, P., McDaniel, P., La Porta, T.: Exploiting open functionality in SMS-capable cellular networks. In: ACM CCS (2005)
38. Racic, R., Ma, D., Chen, H.: Exploiting MMS vulnerabilities to stealthily exhaust mobile phone's battery. In: SecureComm (2006)
39. Barrera, D., Kayacik, H.G., van Oorschot, P.C., Somayaji, A.: A methodology for empirical analysis of permission-based security models and its application to Android. In: ACM CCS (2010)
40. Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In: ACM MobiSys (2011)
41. Marforio, C., Ritzdorf, H., Francillon, A., Capkun, S.: Analysis of the communication between colluding applications on modern smartphones. In: ACM ACSAC (2012)
42. Potharaju, R., Newell, A., Nita-Rotaru, C., Zhang, X.: Plagiarizing smartphone applications: attack strategies and defense techniques. In: ACM ESSoS (2012)
43. Schlegel, R., Zhang, K., Zhou, X., Intwala, M., Kapadia, A., Wang, X.: Soundcomber: a stealthy and context-aware sound trojan for smartphones. In: NDSS (2011)
Acknowledgement
We thank anonymous reviewers for their excellent feedback that has helped to improve the paper. This work is also supported in part by NSF grants (CNS-1422835 and 1528122).
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Raza, M.T., Anwar, F.M., Lu, S. (2018). Exposing LTE Security Weaknesses at Protocol Inter-layer, and Inter-radio Interactions. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_16
DOI: https://doi.org/10.1007/978-3-319-78813-5_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78812-8
Online ISBN: 978-3-319-78813-5
eBook Packages: Computer Science (R0)