Easy 4G/LTE IMSI Catchers for Non-Programmers

Mjølsnes, Stig Frode; Olimid, Ruxandra F.

doi:10.1007/978-3-319-65127-9_19

Cited by 41 publications

(26 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The LTE network architecture is roughly divided into the access part called the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and the core part called the Evolved Packet Core (EPC). The E-UTRAN [24] and EPC are themselves divided into several network components, each playing an important role in the complete LTE network architecture. Figure 1 illustrates the LTE architecture.…”

Section: Lte Architecturementioning

confidence: 99%

“…Examples include IMSI catchers, active devices that masquerade genuine base stations with the purpose of stealing the permanent identity of subscribers. This makes LTE vulnerable to location attacks such as testing the presence or absence of a subscriber in an area [33,17,24,25]. Another example is the one we address in this paper: privacy exposure of subscribers by paging messages.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Experimental Analysis of Subscribers’ Privacy Exposure by LTE Paging

Sørseth

Zhou

Mjølsnes

et al. 2019

Wireless Pers Commun

Self Cite

View full text Add to dashboard Cite

Over the last years, considerable attention has been given to the privacy of individuals in wireless environments. Although significantly improved over the previous generations of mobile networks, LTE still exposes vulnerabilities that attackers can exploit. This might be the case of paging messages, wake-up notifications that target specific subscribers, and that are broadcasted in clear over the radio interface. If they are not properly implemented, paging messages can expose the identity of subscribers and furthermore provide information about their location. It is therefore important that mobile network operators comply with the recommendations and implement the appropriate mechanisms to mitigate attacks. In this paper, we verify by experiment that paging messages can be captured and decoded by using minimal technical skills and publicly available tools. Moreover, we present a general experimental method to test privacy exposure by LTE paging messages, and we conduct a case study on three different LTE mobile operators.

show abstract

Section: Lte Architecturementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Experimental Analysis of Subscribers’ Privacy Exposure by LTE Paging

Sørseth

Zhou

Mjølsnes

et al. 2019

Wireless Pers Commun

Self Cite

View full text Add to dashboard Cite

show abstract

“…• Active Radio: An attacker with this capability has full control over radio transmissions and is therefore able to put arbitrary messages on the radio channel. This enables an attacker to setup a own base station or a fully controllable phone stack using an SDR [9], [29], [30], [31], [32], [33].…”

Section: Attacksmentioning

confidence: 99%

“…V-D1 Session Key Retrieval via SS7 [56], [66] U ? V-D1 Privacy AKA Protocol Linkability Attack [7], [82] U V-A1 IMSI Paging Attack [7] U V-A1 Location Leak by SIP Message [83] U VII-A1 Location/Tracking Area not Allowed (Downgrade) [4], [6], [84] U V-A1 Measurement Reports Localization [4], [10] U V-A1 OTA SIM Card Update Key Reconstruction [85] U V-C1c Unauthenticated IMEI Request [8], [64], [66], [67], [68], [69] U V-A1 Unauthenticated IMSI Request (IMSI Catcher) [8], [9], [64], [65], [66],…”

Section: H Defensesmentioning

confidence: 99%

“…However, over the last years, a large body of literature has revealed numerous security and privacy issues in mobile networks. There is a broad set of attacks [4], [5], [6], [7], [8], [9] that affect the users' privacy and data secrecy, the mobile network operators' revenue, and the availability of the infrastructure. Various countermeasures against these attacks have been proposed, some of which have become security features of new mobile generations.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On Security Research Towards Future Mobile Network Generations

Rupprecht

Dabrowski

Holz

et al. 2018

IEEE Commun. Surv. Tutorials

View full text Add to dashboard Cite

Over the last decades, numerous security and privacy issues in all three active mobile network generations have been revealed that threaten users as well as network providers. In view of the newest generation (5G) currently under development, we now have the unique opportunity to identify research directions for the next generation based on existing security and privacy issues as well as already proposed defenses. This paper aims to unify security knowledge on mobile phone networks into a comprehensive overview and to derive pressing open research questions. To achieve this systematically, we develop a methodology that categorizes known attacks by their aim, proposed defenses, underlying causes, and root causes. Further, we assess the impact and the efficacy of each attack and defense. We then apply this methodology to existing literature on attacks and defenses in all three network generations. By doing so, we identify ten causes and four root causes for attacks.Mapping the attacks to proposed defenses and suggestions for the 5G specification enables us to uncover open research questions and challenges for the development of next-generation mobile networks. The problems of unsecured pre-authentication traffic and jamming attacks exist across all three mobile generations. They should be addressed in the future, in particular to wipe out the class of downgrade attacks and, thereby, strengthen the users' privacy. Further advances are needed in the areas of inter-operator protocols as well as secure baseband implementations. Additionally, mitigations against denial-of-service attacks by smart protocol design represent an open research question.

show abstract