Proceedings 2018 Network and Distributed System Security Symposium 2018
DOI: 10.14722/ndss.2018.23313
|View full text |Cite
|
Sign up to set email alerts
|

LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE

Abstract: In this paper, we investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders. For exposing vulnerabilities, we propose a modelbased testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model. Using LTEInspector, we have uncovered 10 new atta… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
2
1

Citation Types

0
93
0

Year Published

2019
2019
2022
2022

Publication Types

Select...
5
2
1

Relationship

0
8

Authors

Journals

citations
Cited by 155 publications
(108 citation statements)
references
References 37 publications
0
93
0
Order By: Relevance
“…An overview of various attack vectors against the LTE air interface is given in [6], estimating potential jammer to signal power ratios. Hussain et al propose LTEInspector [7], which combines a symbolic model checker with a cryptographic protocol verifier. It is applied to analyze several different attacks, most of which are validated using a testbed set-up.…”
Section: Related Workmentioning
confidence: 99%
“…An overview of various attack vectors against the LTE air interface is given in [6], estimating potential jammer to signal power ratios. Hussain et al propose LTEInspector [7], which combines a symbolic model checker with a cryptographic protocol verifier. It is applied to analyze several different attacks, most of which are validated using a testbed set-up.…”
Section: Related Workmentioning
confidence: 99%
“…In general, protocol exploits like the ones disclosed in [7], [10], [16] are, as of Release 15, Version 1.0.0, still possible in 5G.…”
Section: A Pre-authentication Message Exploitsmentioning
confidence: 99%
“…Threat Impact on 5G IMSI catching Privacy threat, location leaks, SS7 leaks, etc. [6], [7], [10], [27] Potential for IMSI/SUPI catching in some protocol edge cases, such as when an operator does not implement optional security features or when an unauthenticated emergency call is maliciously triggered. Attach/ Tracking Area Update (TAU) request DoS [6], [7], [10] DoS of 5G mobile devices exploiting pre-authentication messages with rogue base station broadcasting a valid Mobile Country and Network Code (MCC-MNC) combination for network with no public key provisioned in the USIM.…”
Section: Lte Protocol Exploitmentioning
confidence: 99%
See 1 more Smart Citation
“…4G/LTE mobile communication was considered to be notably more secure than its precursors, GSM and UMTS. However, with the wide availability of open source tools for various experimentations, an increasing number of security and privacy vulnerabilities existing in LTE [12][13][14][15][16][17] can precisely locate an LTE device by using an LTE rogue station [17]. Jover exploited the unencrypted and noneintegrity protected LTE protocols, e.g., Attach Reject and TAU Reject messages, and uncovered the vulnerabilities of denying service to an LTE device and downgrading it to the more insecure GSM network [14].…”
Section: Related Workmentioning
confidence: 99%