Analyzing and enhancing the resilience of LTE/LTE-A systems to RF spoofing

Labib, Mina; Marojevic, Vuk; Reed, Jeffrey H.

doi:10.1109/cscn.2015.7390464

Cited by 31 publications

(16 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The openness of the standard, the large community of researchers, and the broad availability of SDRs, software libraries and open-source implementations of both the eNodeB and the UE protocol stacks have enabled a number of excellent LTE security analyses [5], [9], [10], [28], [29]. Despite the stronger cryptographic algorithms and mutual authentication, UEs and base stations exchange a substantial amount of pre-authentication messages that can be exploited to launch denial of service (DoS) attacks [6], [14], [30], catch IMSIs [31] or downgrade the connection to an insecure GSM link [7], [10]. Researchers also found new privacy and location leaks in LTE [16].…”

Section: A Lte Protocol Exploitsmentioning

confidence: 99%

Security and Protocol Exploit Analysis of the 5G Specifications

Jover

Marojevic

2019

IEEE Access

Self Cite

View full text Add to dashboard Cite

The Third Generation Partnership Project (3GPP) released its first 5G security specifications in March 2018. This paper reviews the proposed security architecture, its main requirements and procedures, and evaluates them in the context of known and new protocol exploits. Although security has been improved from previous generations, our analysis identifies unrealistic 5G system assumptions and protocol edge cases that can render 5G communication systems vulnerable to adversarial attacks. For example, null encryption and null authentication are still supported and can be used in valid system configurations. With no clear proposal to tackle pre-authentication messages, mobile devices continue to implicitly trust any serving network, which may or may not enforce a number of optional security features, or which may not be legitimate. Moreover, several critical security and key management functions are left outside of the scope of the specifications. The comparison with known 4G Long-Term Evolution (LTE) protocol exploits reveals that the 5G security specifications, as of Release 15, Version 1.0.0, do not fully address the user privacy and network availability challenges.

show abstract

Section: A Lte Protocol Exploitsmentioning

confidence: 99%

Security and Protocol Exploit Analysis of the 5G Specifications

Jover

Marojevic

2019

IEEE Access

Self Cite

View full text Add to dashboard Cite

show abstract

“…After that, the UE selects a suitable BS based on the received SSs, and then begins to establish a wireless connection with the BS [1]. If a FBS transmits a spoofing SS during the CS stage with sufficiently high power (referred to as the SS spoofing attack [2]), the UE may be attracted by and attempt to camp on the FBS rather than any legitimate BS (LBS) [3], [4]. Currently, the widelyused authentication method for the UE to distinguish the FBS from the LBSs is based on encryption.…”

Section: Introductionmentioning

confidence: 99%

Identifying the Fake Base Station: A Location Based Approach

Huang

Wang

2018

IEEE Commun. Lett.

View full text Add to dashboard Cite

Fake base station (FBS) attack is a great security challenge to wireless user equipment (UE). During the cell selection stage, the UE receives multiple synchronization signals (SSs) from multiple nearby base stations (BSs), and then synchronizes itself with the strongest SS. A FBS also can transmit a SS with sufficient power to confuse the UE, which makes the UE connect to the FBS, and may lead to the leakage of private information. In this letter, countermeasure to the FBS attack by utilizing the location information is investigated. Two location awareness based FBS-resistance schemes are proposed by checking the received signal strength according to the position of the UE and a legitimate BS map. The successful cheating rate (SCR) definded as the probability that the UE will connect to the FBS is investigated. Numeric results show that with the two proposed schemes, the SCR can be greatly reduced especially when the transmit power of the FBS is large. Beyond that, a cooperation aided method is further proposed to improve the performance, and we show that the cooperation aided method can further suppress the SCR when the signal strength from the FBS is similar to that from the legitimate BS.

show abstract

“…As a result of code jamming, some SNs can receive AI more easily and have more chances to transmit the message, which is again jammed by the code jammers using the same code. Code jamming looks like RF spoofing where the jammers transmit a fake signal that masquerades as an actual signal [18]. The code jamming hence increases the failure probability in sending the information messages and intends to mislead the adequate allocation of radio resources.…”

Section: Introductionmentioning

confidence: 99%

Random Access Performance of Distributed Sensors Attacked by Unknown Jammers

Jeong

Wui

Kim

2017

Sensors

View full text Add to dashboard Cite

In this paper, we model and investigate the random access (RA) performance of sensor nodes (SN) in a wireless sensor network (WSN). In the WSN, a central head sensor (HS) collects the information from distributed SNs, and jammers disturb the information transmission primarily by generating interference. In this paper, two jamming attacks are considered: power and code jamming. Power jammers (if they are friendly jammers) generate noises and, as a result, degrade the quality of the signal from SNs. Power jamming is equally harmful to all the SNs that are accessing HS and simply induces denial of service (DoS) without any need to hack HS or SNs. On the other hand, code jammers mimic legitimate SNs by sending fake signals and thus need to know certain system parameters that are used by the legitimate SNs. As a result of code jamming, HS falsely allocates radio resources to SNs. The code jamming hence increases the failure probability in sending the information messages, as well as misleads the usage of radio resources. In this paper, we present the probabilities of successful preamble transmission with power ramping according to the jammer types and provide the resulting throughput and delay of information transmission by SNs, respectively. The effect of two jamming attacks on the RA performances is compared with numerical investigation. The results show that, compared to RA without jammers, power and code jamming degrade the throughput by up to 30.3% and 40.5%, respectively, while the delay performance by up to 40.1% and 65.6%, respectively.

show abstract

Analyzing and enhancing the resilience of LTE/LTE-A systems to RF spoofing

Cited by 31 publications

References 10 publications

Security and Protocol Exploit Analysis of the 5G Specifications

Security and Protocol Exploit Analysis of the 5G Specifications

Identifying the Fake Base Station: A Location Based Approach

Random Access Performance of Distributed Sensors Attacked by Unknown Jammers

Contact Info

Product

Resources

About