Breaking LTE on Layer Two

Rupprecht, David; Kohls, Katharina; Holz, Thorsten; Pöpper, Christina

doi:10.1109/sp.2019.00006

Cited by 136 publications

(124 citation statements)

References 33 publications

Supporting

Mentioning

106

Contrasting

Order By: Relevance

“…In contrast, our ToRPEDO exploits the protocol standard's vulnerability of choosing fixed paging frames for a subscriber which makes all the network operators vulnerable to this attack. Rupprecht et al [31] and Jover et al [32] demonstrated that an adversary can identify victim UE's short-lived, lower-layer identifier (C-RNTI) when given the UE's TMSI and thus track the victim's UE. ToRPEDO, on the contrary, recovers the UE's PFI (and TMSI as a side effect) which enables tracking victim's UE irrespective of short-lived C-RNTIs or TMSIs.…”

Section: Related Workmentioning

confidence: 99%

Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information

Hussain

Echeverria

Chowdhury

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

112

View full text Add to dashboard Cite

The cellular paging (broadcast) protocol strives to balance between a cellular device's energy consumption and quality-of-service by allowing the device to only periodically poll for pending services in its idle, low-power state. For a given cellular device and serving network, the exact time periods when the device polls for services (called the paging occasion) are fixed by design in the 4G/5G cellular protocol. In this paper, we show that the fixed nature of paging occasions can be exploited by an adversary in the vicinity of a victim to associate the victim's softidentity (e.g., phone number, Twitter handle) with its paging occasion, with only a modest cost, through an attack dubbed ToRPEDO. Consequently, ToRPEDO can enable an adversary to verify a victim's coarse-grained location information, inject fabricated paging messages, and mount denial-of-service attacks. We also demonstrate that, in 4G and 5G, it is plausible for an adversary to retrieve a victim device's persistent identity (i.e., IMSI) with a brute-force IMSI-Cracking attack while using ToRPEDO as an attack sub-step. Our further investigation on 4G paging protocol deployments also identified an implementation oversight of several network providers which enables the adversary to launch an attack, named PIERCER, for associating a victim's phone number with its IMSI; subsequently allowing targeted user location tracking. All of our attacks have been validated and evaluated in the wild using commodity hardware and software. We finally discuss potential countermeasures against the presented attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information

Hussain

Echeverria

Chowdhury

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

112

View full text Add to dashboard Cite

show abstract

“…In LTE, this task is facilitated by the lack of Media Access Control (MAC) and Radio Link Control (RLC) encryption. Thus, subscribers may be de-anonymized [2] or User Equipment (UE) locations can be tracked [3]. In case of stationary UEs, e.g.…”

Section: A Jammer Propertiesmentioning

confidence: 99%

Towards Resilient 5G: Lessons Learned from Experimental Evaluations of LTE Uplink Jamming

Girke

Kurtz

Dorsch

et al. 2019

2019 IEEE International Conference on Communications Workshops (ICC Workshops)

View full text Add to dashboard Cite

Energy, water, health, transportation and emergency services act as backbones for our society. Aiming at high degrees of efficiency, these systems are increasingly automated, depending on communication systems. However, this makes these Critical Infrastructures prone to cyber attacks, resulting in data leaks, reduced performance or even total system failure. Beyond a survey of existing vulnerabilities, we provide an experimental evaluation of targeted uplink jamming against Long Term Evolution (LTE)'s air interface. Primarily, our implementations of smart attacks on the LTE Physical Uplink Control Channel (PUCCH), the Physical Uplink Shared Channel (PUSCH) as well as on the radio access procedure are outlined and tested. In exploiting the unencrypted resource assignment process, these attacks are able to target and jam specific UE resources, effectively denying uplink access. Evaluation results reveal the criticality of such attacks, severely destabilizing Critical Infrastructures, while minimizing attacker exposure. Finally we derive possible mitigations and recommendations for 5G stakeholders, which serve to improve the robustness of mission critical communications and enable the design of resilient next generation mobile networks.

show abstract

“…The existence of LTE protocol vulnerabilities has been known for some time, although these have not been publicly discussed until recently. The openness of the standard, the large community of researchers, and the broad availability of SDRs, software libraries and open-source implementations of both the eNodeB and the UE protocol stacks have enabled a number of excellent LTE security analyses [5], [9], [10], [28], [29]. Despite the stronger cryptographic algorithms and mutual authentication, UEs and base stations exchange a substantial amount of pre-authentication messages that can be exploited to launch denial of service (DoS) attacks [6], [14], [30], catch IMSIs [31] or downgrade the connection to an insecure GSM link [7], [10].…”

Section: A Lte Protocol Exploitsmentioning

confidence: 99%

“…Nevertheless, a series of vulnerabilities inherent to the LTE protocol still exist and have been identified by researchers over the last few years. For example, a substantial number of pre-authentication messages are sent in the clear, which can be exploited to launch Denial of Service (DoS) attacks and obtain location information of mobile subscribers [5]- [7].…”

Section: Introductionmentioning

confidence: 99%

“…LTE opensource software libraries running on personal computers and using commercial off-the-shelf software-defined radio (SDR) peripherals did not reach a sufficient level of maturity until recent years. Once they became available, a wave of excellent security research in the area of LTE mobile communications emerged and identified numerous protocol vulnerabilities [5], [7]- [10].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Security and Protocol Exploit Analysis of the 5G Specifications

Jover

Marojevic

2019

IEEE Access

View full text Add to dashboard Cite

The Third Generation Partnership Project (3GPP) released its first 5G security specifications in March 2018. This paper reviews the proposed security architecture, its main requirements and procedures, and evaluates them in the context of known and new protocol exploits. Although security has been improved from previous generations, our analysis identifies unrealistic 5G system assumptions and protocol edge cases that can render 5G communication systems vulnerable to adversarial attacks. For example, null encryption and null authentication are still supported and can be used in valid system configurations. With no clear proposal to tackle pre-authentication messages, mobile devices continue to implicitly trust any serving network, which may or may not enforce a number of optional security features, or which may not be legitimate. Moreover, several critical security and key management functions are left outside of the scope of the specifications. The comparison with known 4G Long-Term Evolution (LTE) protocol exploits reveals that the 5G security specifications, as of Release 15, Version 1.0.0, do not fully address the user privacy and network availability challenges.

show abstract

Breaking LTE on Layer Two

Cited by 136 publications

References 33 publications

Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information

Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information

Towards Resilient 5G: Lessons Learned from Experimental Evaluations of LTE Uplink Jamming

Security and Protocol Exploit Analysis of the 5G Specifications

Contact Info

Product

Resources

About