PHOENIX: Device-Centric Cellular Network Protocol Monitoring using Runtime Verification

Echeverria, Mitziu; Ahmed, Zeeshan; Wang, Bincheng; Arif, M. Fareed; Hussain, Syed Rafiul; Chowdhury, Omar

doi:10.48550/arxiv.2101.00328

Cited by 2 publications

(3 citation statements)

References 28 publications

(80 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, to UEs, the behavior and location of the cell are legitimate. As proposed in [11], a signature based anomaly detector with a signature: "if Identity Request, then attack", is successful in the detection of our attack. However, because Identity Requests are also sent during a legitimate protocol flow, such a solution will inherently report false positives during legitimate identification procedures.…”

Section: Overshadowing With Identity Requestmentioning

confidence: 94%

LTrack: Stealthy Tracking of Mobile Phones in LTE

Kotuliak,

Erni,

Leu

et al. 2021

Preprint

View full text Add to dashboard Cite

We introduce LTrack, a new tracking attack on LTE that allows an attacker to stealthily extract user devices' (UEs) permanent identifiers (IMSI) and locations. To remain stealthy, the localization of UEs in LTrack is fully passive. It relies on our new uplink/downlink sniffer implementation, which records both times of arrivals of LTE messages and contents of Timing Advance commands, based on which LTrack calculates UE locations. LTrack is the first to show the feasibility of passive UE's localization through an implementation on a software-defined radio.Passive localization attacks reveal information about a UE's locations but can at best link these locations to a UE's pseudonymous temporary identifier (TMSI), making tracking in dense areas challenging. LTrack overcomes this challenge by introducing and implementing a new type of IMSI Catcher named IMSI Extractor. It extracts a UE's permanent identifier (IMSI) and binds it to its current TMSI. Instead of relying on fake base stations like existing IMSI Catchers (which are detectable due to their output power), IMSI Extractor relies on our uplink/downlink sniffer enhanced with surgical message overshadowing. This makes our IMSI Extractor the stealthiest IMSI Catcher to date.We evaluate LTrack through a series of experiments and show that in line-of-sight conditions, the attacker can estimate the location of a phone with less than 6m error in 90% of the cases. In addition, we successfully test our IMSI Extractor against a set of 17 modern smartphones connected to an industry-grade LTE testbed.

show abstract

Section: Overshadowing With Identity Requestmentioning

confidence: 94%

LTrack: Stealthy Tracking of Mobile Phones in LTE

Kotuliak,

Erni,

Leu

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…On a higher layer, separating a legitimate rejection from a bogus one could be possible by identifying the absence of a message authentication code. In [5], Echeverria et al tried to identify an attach, service or authentication reject attack originating from a fake base station, but other than the presence of the reject message, they could not identify any characteristic that would clearly separate the attack from a legitimate rejection.…”

Section: Detectionmentioning

confidence: 99%

“…In these works, the authors detect fake base stations due to their unusual broadcast configuration, location, or other indicators. In [5], the authors do not use lower layer indicators to detect the presence of a fake base station, but rather rely on the protocol trace of the interaction with the fake base station. Fake Base Station Attack Impact.…”

Section: Related Workmentioning

confidence: 99%

AdaptOver: Adaptive Overshadowing Attacks in Cellular Networks

Erni,

Kotuliak,

Leu

et al. 2021

Preprint

View full text Add to dashboard Cite

We introduce AdaptOver, a new LTE signal overshadowing attack that allows an adversary to reactively and adaptively overshadow any downlink message between the network and the user equipment (UE). We demonstrate the impact of AdaptOver by using it to launch targeted Denial-of-Service (DoS) attacks on UEs.We implement AdaptOver using a commercially available software-defined radio. Our experiments demonstrate that our DoS attacks cause persistent connection loss lasting more than 12 hours for a wide range of smartphones. DoS attacks based on AdaptOver are stealthier than attacks that relied on the use of fake base stations, and more persistent than existing overshadowing attacks, which caused connection loss of only up to 9 minutes. Given that AdaptOver can reactively overshadow any downlink message, its use is not limited to DoS attacks -it can be used for a wide range of other attacks, e.g., to extract the IMSI from a UE in a stealthier manner than traditional IMSI catchers. We consider AdaptOver to be an essential building block for many attacks against real-world LTE networks. In particular, any fake base station attack that makes use of spoofed downlink messages can be ported to the presented attack method, causing a much more reliable, persistent, and stealthy effect.

show abstract

PHOENIX: Device-Centric Cellular Network Protocol Monitoring using Runtime Verification

Cited by 2 publications

References 28 publications

LTrack: Stealthy Tracking of Mobile Phones in LTE

LTrack: Stealthy Tracking of Mobile Phones in LTE

AdaptOver: Adaptive Overshadowing Attacks in Cellular Networks

Contact Info

Product

Resources

About