Experimental Analysis of Subscribers’ Privacy Exposure by LTE Paging

Sørseth, Christian; Zhou, Shelley; Mjølsnes, Stig Frode; Olimid, Ruxandra F.

doi:10.1007/s11277-019-06585-7

Cited by 3 publications

(2 citation statements)

References 11 publications

(25 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These enable us to derive the master's UAP. 2 To find the UAP of a device, we need to (i) first identify which 6-bits of the master clock were used to whiten a frame header and de-whiten it, and (ii) infer what UAP value produces a HEC value that matches the HEC in the de-whitened header. We illustrate this logic in Fig.…”

Section: Re-identifying Bluetooth Devicesmentioning

confidence: 99%

“…In recent years, however, the privacy attack surface has expanded significantly with the pervasiveness of mobile and sensing devices, open mobile platforms (running untrusted code), diverse wireless connectivity options, and the availability of SDR platforms. For instance, faulty implementations of paging messages in LTE networks allow attackers to collect IMSIs through passive sniffing [2]. This questions the effectiveness of SUCI, given that it is possible to downgrade a terminal's connectivity from 5G to 3G via jamming, and subsequently use one of the many SDR-based IMSI catching tools [3] to reveal a target's identity.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Even Black Cats Cannot Stay Hidden in the Dark: Full-band De-anonymization of Bluetooth Classic Devices

Cominelli

Gringoli

Patras

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Bluetooth Classic (BT) remains the de facto connectivity technology in car stereo systems, wireless headsets, laptops, and a plethora of wearables, especially for applications that require high data rates, such as audio streaming, voice calling, tethering, etc. Unlike in Bluetooth Low Energy (BLE), where address randomization is a feature available to manufactures, BT addresses are not randomized because they are largely believed to be immune to tracking attacks. We analyze the design of BT and devise a robust de-anonymization technique that hinges on the apparently benign information leaking from frame encoding, to infer a piconet's clock, hopping sequence, and ultimately the Upper Address Part (UAP) of the master device's physical address, which are never exchanged in clear. Used together with the Lower Address Part (LAP), which is present in all frames transmitted, this enables tracking of the piconet master, thereby debunking the privacy guarantees of BT. We validate this attack by developing the first Software-defined Radio (SDR) based sniffer that allows full BT spectrum analysis (79 MHz) and implements the proposed de-anonymization technique. We study the feasibility of privacy attacks with multiple testbeds, considering different numbers of devices, traffic regimes, and communication ranges. We demonstrate that it is possible to track BT devices up to 85 meters from the sniffer, and achieve more than 80% device identification accuracy within less than 1 second of sniffing and 100% detection within less than 4 seconds. Lastly, we study the identified privacy attack in the wild, capturing BT traffic at a road junction over 5 days, demonstrating that our system can re-identify hundreds of users and infer their commuting patterns.

show abstract

Section: Re-identifying Bluetooth Devicesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%