Introduction & Final Summary

Introduction Name = Aria Lesmana Plans for next 5 years = After graduating from UI, I want to work in an IT position that specializes in networking or programming, then continue my study to the Master/Magister Degree DoB = 5 Jan 1998 Email = arixlsmn@gmail.com Hobbies = reading comics, videogaming, swimming, running Skills = C Programming, Java Programming, Cisco Networking, Embedded/Digital System Designing

Where I come From My Country of Origin & Hometown = Bogor, West Java, Indonesia Culture of My Hometown = Popular site in my Hometown = Bogor Botanical Garden

Knowledge Learned LTE Background Knowledge & History LTEInspector LTE Attacks and Vulnerabilities from LTEInspector Findings LTE platforms (srsLTE,openLTE,OAI) What is Open Air interface (OAI)

LTE Background Knowledges LTE is a standard mobile communication developed by 3GPP that has the goal of being the next generation of mobile communication, LTE standardization began in 2004, proposed in 2004 Toronto conference by NTT Docomo, first deployed commercially in 2009 In LTE there are 2 plane data: -User Plane Data: Belongs in the application layer of OSI layer. User Plane data is intended for the user. LTE uses OFDMA (Orthogonal Frequency-Division Multiplexing Access) as multiple access technology -Control Plane Data: Control Plane Data is the data which are necessary for successful delivery of user plane data. Fulfilled by advancement in Radio Technology such as: - Multi Carrier In downlink there are 4 transport channels: Paging channel, Broadcast channel ,Downlink shared channel , and Multicast channel. - MIMO (Multiple-Input and Multiple-Output) - Application of Packet Switching on Radio Interface In Uplink there are 2 transport channels: Uplink Shared Channel and Random Access Channel.

LTE architecture UE: the cellular device equipped with a SIM card. Home Subscriber Server (HSS): The HSS stores UEs’ identities (e.g., IMSI and IMEI) and subscription data (e.g., QoS profile) E-UTRAN: network between a UE and the eNodeB, and between pairs of eNodeBs Serving Gateway (SGW): transports the user traffic between the mobile terminals and external networks and interconnects the radio access network with the EPC network. eNodeBs : facilitates the connection between the UE and the EPC. EPC: framework for providing converged voice and data on 4G LTE network. Consists of: PDN (Packet Data Network) Gateway (PGW): connects the EPC network to the external networks. Routes traffic to and from PDN. Mobility Management Entity (MME): manages attach, paging, and detach procedures of the UEs and keeps track of locations of the UEs residing in its designated tracking area. Policy and Charging Rules Function (PCRF): node responsible for real-time policy rules and charging in EPC network.

LTEInspector What is LTEInspector :Tool for testing and exposing vulnerabilities on LTE protocols Design Overview Adversary model = Dolev-Yao-style network adversary Adv+c Capabilities: - Eavesdrop the public communication channel - Drop or modify any messages in the public communication channel. - Impersonating a legitimate protocol participant and can inject messages in the public communication channel on the victim’s behalf. - Adheres to all cryptographic assumptions. Adv+c can decrypt an encrypted message only if it possesses the decryption key.

LTEInspector components: - Abstract LTE Model = model of the LTE protocol from the point of view of an UE and a MME - Adversarial model instrumentor = incorporate the presence of an adversary (Madv) - General-purpose Model Checker (MC) = takes as input Madv and a desired abstract property (φ), and checks to see whether all possible executions of Madv satisfy φ - Validating counterexamples with cryptographic protocol verifier (CPV) = check each sub-step of counterexample (π) that requires manipulating some crytographically-protected message type - Testbed experimentation = If a π is feasible, this attack is realized in a testbed.

LTE Attacks and Vulnerabilities Attacks Against Attach Procedure Attacks Against Detach Procedure Attacks Against Paging Procedure Authentication Relay Attack

LTE Platforms srsLTE OAI openLTE

Open Air Interface (OAI) Open-source software-based implementation of 3GPP LTE Release 8/9 Spanning the full protocol stack of 3GPP standard Including features from LTE-Advanced (Rel 10/11/12), LTE-Advanced-Pro (Rel 13/14), going on to 5G Rel (15/16/…) - E-UTRAN (eNB, UE) - EPC (MME, S+P-GW, HSS) Realtime RF and scalable emulation platforms Works with many SDR platforms (ExpressMIMO2, USRP, LimeSDR, …)