Presentation is loading. Please wait.

Presentation is loading. Please wait.

Muhammad Taqi Raza, Fatima Muhammad Anwar and Songwu Lu

Published by가은 공 Modified over 6 years ago

Similar presentations

Presentation on theme: "Muhammad Taqi Raza, Fatima Muhammad Anwar and Songwu Lu"— Presentation transcript:

1 Exposing LTE Security Weaknesses at Protocol Inter-Layer, and Inter-Radio Interactions
Muhammad Taqi Raza, Fatima Muhammad Anwar and Songwu Lu University of California – Los Angeles

2 Ubiquitous Cellular Services
4.8 billion unique mobile subscribers Supports voice and multimedia services

3 Cellular Network Architectures
3G Network: Packet Switch + Circuit Switch 3G Base Station Mobile Switching Center Gateways Gateways Mobility Management Entity Internet Services Device 4G Base Station 4G Network: Packet Switch

4 Cellular Control Plane
Layered protocol stack NAS Non Access Startum RRC Radio Resource Control PDCP Packet Data Convergence Protocol RLC Radio Link Control MAC Medium Access Control Physical Device side LTE protocols

5 Cellular Control Plane
Oblivious interactions between protocols Device Powers On Attach Request NAS NAS RRC Complete Attach Request RRC-Complete (Attach Request) RRC RRC S1-AP RRC Procedure Device PDCP Core network Base station

6 Cellular Control Plane
Radio technologies interaction Location update procedure Mobility Management Entity 4G Base Station Device Device Sessions 3G Base Station Mobile Switching Center

7 Are the interaction between LTE protocols and cellular radio technologies secure ?

8 Weak Authentication: Non-Authentic Messages are Accepted
Findings Overview Weak Authentication: Non-Authentic Messages are Accepted Why? Network executes the message (even the message integrity check fails) when device is transitioning from idle to connected state. Attack Detach the victim from the network

9 Findings Overview Weak Security Association: Security Handshake is Skipped on Inter-Radio Communication Why? Security context mismatches between device and the target radio technology during inter-radio switch. Attack Rendering device to be unreachable from the network

10 Lack of Access Control/Non-Authorization
Findings Overview Lack of Access Control/Non-Authorization Why? Device does not have authorization process Attack Draining victims’ battery

11 Weak Authentication: Non-Authentic Messages are Accepted
Exploiting oblivious protocol interactions Power off IMSI =2 Which device ? What to send ? Attacker device Power off NAS msg Which device ? What to do ? Victim device Power off RRC Conn Request Gateways Mobility Management Entity RRC Conn Setup Power off IMSI =2 Release Resources RRC Conn Comp + Detach (power off) Attacker Device IMSI = 1 Tear down connection 4G Base Station LTE Core Network Why: LTE standard allows the MME to process Detach Request message with power off condition even if the device MAC fails Challenge: How to find the victim device identity (IMSI) ? Victim Device IMSI = 2

12 Finding Victim Device Identity
Use femtocell as a side channel. Gateways Mobility Management Entity 4G Base Station (Macrocell) Victim Device LTE Core Network Femtocell

13 Finding Victim Device Identity
Use femtocell as a side channel. Identity Resp Msg Gateways Mobility Management Entity 4G Base Station (Macrocell) Victim Device LTE Core Network Femtocell Identity Req Msg Victim IMSI: Identity response message contains IMSI in plain text!

14 Weak Authentication: Non-Authentic Messages are Accepted
Detaching multiple devices through broadcast message Victim devices are in sleep mode (not sending / receiving voice or data packets) Victim # 1 4G Base Station Attacker Base Station (prototype) Paging with IMSI Paging with IMSI Victim # n Paging with “IMSI” is abnormal procedure, used for error recovery in the network Paging is a broadcast message

15 Weak Authentication: Non-Authentic Messages are Accepted
Detaching multiple devices through broadcast message Locally Deregister Re-initiate Attach procedure Re-initiate Attach procedure Victim # 1 4G Base Station Leads to Attach signaling storm Locally Deregister Victim # n

16 Weak Security Association: Security Handshake is Skipped on Inter-Radio Communication
Exploiting radio technologies interaction Mobility Management Entity 4G Base Station LAU Old security context Victim Device Issue: LAU message is executed believing old security context is valid 3G Base Station Mobile Switching Center Attacker Device

17 Weak Security Association: Security Handshake is Skipped on Inter-Radio Communication
Registering wrong victim device location Mobility Management Entity 4G Base Station LAU Old security context Victim Device LAU 3G Base Station Mobile Switching Center Attacker Device

18 Lack of Access Control/Non-Authorization
Device takes action on its broadcast paging message Gateways Mobility Management Entity Idle Connected Paging Packet Establishes connection 4G Base Station (Macrocell) Device LTE Core Network

19 Lack of Access Control/Non-Authorization
Keeping the device in always connected mode Gateways Mobility Management Entity Connected Idle Establishes connection 4G Base Station (Macrocell) Device LTE Core Network Attacker Base Station (prototype) Paging Silently draining victim battery

20 Lack of Access Control/Non-Authorization
Keeping the device in always connected mode Gateways Mobility Management Entity Connected Idle Establishes connection 4G Base Station (Macrocell) Device LTE Core Network Attacker Base Station (prototype) Paging Attacker can silently drain the battery of a number of victims’ devices

21 Methodology Vulnerabilities are validated in operational LTE networks
Logs were gathered by changing device non-volatile memory Attacks were gathered in control prototype environment

22 Suggested Remedies Detach attack prevention
Network should consult its database to resolve device radio and core-network identities Location update hijack attack prevention The device should re-authenticate whenever it switches its radio technology Battery drain attack prevention The device should keep a mapping between paging request and gaining network resource

23 Conclusion Found new vulnerabilities in standardized LTE protocol operations We propose that no message is executed without integrity protection The broadcast messages must also be integrity protected

24 Conclusion Found new vulnerabilities in standardized LTE protocol operations We propose that no message is executed without integrity protection The broadcast messages must also be integrity protected

Download ppt "Muhammad Taqi Raza, Fatima Muhammad Anwar and Songwu Lu"

Similar presentations

Doc.: IEEE 802.21-xxx Submission May 10-14, 2004 Alan Carlton, Interdigital CommunicationsSlide 1 Defining Layer 2.5 Alan Carlton Interdigital Communications.

Doc.: IEEE xxx Submission May 10-14, 2004 Alan Carlton, Interdigital CommunicationsSlide 1 Defining Layer 2.5 Alan Carlton Interdigital Communications.
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
Layer 3 Messaging and Call Procedures

Layer 3 Messaging and Call Procedures
General Packet Radio Service An Overview Ashish Bansal.

General Packet Radio Service An Overview Ashish Bansal.
Signaling Measurements on the Packet Domain of 3G-UMTS Core Network G. Stephanopoulos (National Technical University of Athens, Greece) G. Tselikis (4Plus.

Signaling Measurements on the Packet Domain of 3G-UMTS Core Network G. Stephanopoulos (National Technical University of Athens, Greece) G. Tselikis (4Plus.
GSM Protocol Stack Shrish Mammattva Bajpai. What is Protocol Stack ? A protocol stack (sometimes communications stack) is a particular software implementation.

GSM Protocol Stack Shrish Mammattva Bajpai. What is Protocol Stack ? A protocol stack (sometimes communications stack) is a particular software implementation.
LTE Call Flow and MS Attached Procedures

LTE Call Flow and MS Attached Procedures
LTE Signaling Flow.

LTE Signaling Flow.
Control-Plane Protocol Interactions in Cellular Networks

Control-Plane Protocol Interactions in Cellular Networks
On Attack Causality in Internet- Connected Cellular Networks Presented by EunYoung Jeong.

On Attack Causality in Internet- Connected Cellular Networks Presented by EunYoung Jeong.
Wireless Application Protocol and i-Mode By Sridevi Madduri Swetha Kucherlapati Sharrmila Jeyachandran.

Wireless Application Protocol and i-Mode By Sridevi Madduri Swetha Kucherlapati Sharrmila Jeyachandran.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
802.11 Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.
Lecture 1 Overview: roadmap 1.1 What is computer network? the Internet? 1.2 Network edge  end systems, access networks, links 1.3 Network core  network.

Lecture 1 Overview: roadmap 1.1 What is computer network? the Internet? 1.2 Network edge  end systems, access networks, links 1.3 Network core  network.
Packet Data Over Cellular Networks: The CDPD Approach Svet Naydenov CS 556.

Packet Data Over Cellular Networks: The CDPD Approach Svet Naydenov CS 556.
정보보호 및 알고리즘 2007601028 조호성. Contents 정보보호 및 알고리즘 2.

정보보호 및 알고리즘 조호성. Contents 정보보호 및 알고리즘 2.
“Securing IP Multimedia Subsystem (IMS) infrastructures …,” M. Tsagkaropoulos UNIVERSITY OF PATRAS Department of Electrical & Computer Engineering Wireless.

“Securing IP Multimedia Subsystem (IMS) infrastructures …,” M. Tsagkaropoulos UNIVERSITY OF PATRAS Department of Electrical & Computer Engineering Wireless.
Internet Addresses. Universal Identifiers Universal Communication Service - Communication system which allows any host to communicate with any other host.

Internet Addresses. Universal Identifiers Universal Communication Service - Communication system which allows any host to communicate with any other host.
CELLULAR DATA NETWORKS Mr. Husnain Sherazi Lecture 5.

CELLULAR DATA NETWORKS Mr. Husnain Sherazi Lecture 5.
Support for CSFB Tony Lee David Wang David Wang June/15/2009 VIA Telecom grants.

Support for CSFB Tony Lee David Wang David Wang June/15/2009 VIA Telecom grants.

Similar presentations

Ads by Google