Location Privacy in LTE: A Case Study on Exploiting the Cellular Signaling Plane's Timing Advance

Roth, John D.; Tummala, Murali; McEachen, John; Scrofani, James

doi:10.24251/hicss.2017.761

Cited by 8 publications

(4 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, radio link a ackers can use fake base stations either to check whether UEs are present in a given location or to obtain precise coordinates of the UE [92,106,133,163]. Similarly, adversaries with access to core network can misuse signaling protocols (e.g., SS7 [55,56] and Diameter [80,145]) or exploit vulnerabilities in the signaling plane [149] for obtaining location information. IP-based a ack vectors from the IMS domain (e.g., over VoLTE) also yields similar results [100].…”

Section: Impactsmentioning

confidence: 99%

Threat modeling framework for mobile communication systems

Rao¹,

Holtmanns²,

Aura³

2020

Preprint

View full text Add to dashboard Cite

Due to the complex nature of mobile communication systems, most of the security e orts in its domain are isolated and sca ered across underlying technologies. is has resulted in an obscure view of the overall security. In this work, we a empt to x this problem by proposing a domain-speci c threat modeling framework. By gleaning from a diverse and large body of security literature, we systematically organize the a acks on mobile communications into various tactics and techniques. Our framework is designed to model adversarial behavior in terms of its a ack phases and to be used as a common taxonomy matrix. We also provide concrete examples of using the framework for modeling the a acks individually and comparing them with similar ones. CCS CONCEPTS•Security and privacy → Security requirements; Mobile and wireless security; •Networks → Mobile networks;

show abstract

Section: Impactsmentioning

confidence: 99%

Threat modeling framework for mobile communication systems

Rao¹,

Holtmanns²,

Aura³

2020

Preprint

View full text Add to dashboard Cite

show abstract

“…These limitations notwithstanding, the tighter timing requirements in LTE provide a level of accuracy up to 78.125 m [12], which bring the TA back under consideration as a viable method for cellular localization. Unfortunately, the security architecture of LTE does not afford for the confidentiality of the TA and other signaling plane information critical for the protection of user privacy as it is not encrypted [7], [13]. As this information is sent in the clear, it provides the vehicle for location exploitation in LTE.…”

Section: Location-based Exploitation In Cellular Networkmentioning

confidence: 99%

“…The TA has been previously considered formally as a location privacy preserving mechanism (LPPM) [13], [14] with both a user anonymization component (the cell-radio network temporary identifier (C-RNTI) [9]) and an information obscurity component (the discretization of distance via the TA [15]). The obscurity component of the LPPM is described with the model…”

Section: Location-based Exploitation In Cellular Networkmentioning

confidence: 99%

“…Further, the introduction of a extra-network sensor facilitates a higher level of accuracy through introduction of a new node and the flexibility to mitigate the dilution of accuracy of potentially poor network infrastructure geometry (which LBS is typically beholden to) [22]. These effects come at no cost of bandwidth to the network due to its passive nature, which simultaneously act as a force multiplier for network operators [22] and a latent signaling plane vulnerability making attribution and detection of unauthorized positioning difficult [13].…”

Section: Cellular Synchronization Assisted Refinementmentioning

confidence: 99%

See 1 more Smart Citation

Quantifying Location Privacy in Urban Next-Generation Cellular Networks

Roth

Tummala

McEachen

et al. 2018

Proceedings of the 51st Hawaii International Conference on System Sciences

Self Cite

View full text Add to dashboard Cite

With urbanization and cellular subscribership rising sharply, cellular use in urban locales has become a normative behavior for the majority of the world's population. As the research community pushes the limits of what is possible in the next generation cellular arena, it is prudent to simultaneously hold in tension the responsibility to provide appropriate protections to the ultimate end users of such technology. To this end, this research illustrates a location-based attack in modern cellular networks. This attack leverages control information sent over the radio access network without the benefit of encryption. We show how this attack is particularly potent in urban localization where it is important to infer location in three dimensions. We quantify the efficacy of such an attack, and therefore the associated location privacy, through simulation both in a generic cellular environment and in an environment modeled after downtown Honolulu. Our results show that accuracy on the order of 15 meters is possible.

show abstract