1
Exposing LTE Security Weaknesses at Protocol Inter-Layer, and Inter-Radio Interactions
Muhammad Taqi Raza, Fatima Muhammad Anwar and Songwu Lu University of California – Los Angeles
2
Ubiquitous Cellular Services
4.8 billion unique mobile subscribers
Supports voice and multimedia services
3
Cellular Network Architectures
3G network: packet switched + circuit switched (3G base station, Mobile Switching Center, gateways)
4G network: packet switched only (4G base station, Mobility Management Entity, gateways)
[Diagram: device, 3G and 4G base stations, core-network elements, Internet services]
4
Cellular Control Plane
Layered protocol stack (device-side LTE protocols):
- NAS: Non-Access Stratum
- RRC: Radio Resource Control
- PDCP: Packet Data Convergence Protocol
- RLC: Radio Link Control
- MAC: Medium Access Control
- Physical
5
Cellular Control Plane
Oblivious interactions between protocols
[Diagram: the device powers on; its NAS Attach Request is carried inside the RRC Complete message (RRC-Complete (Attach Request)) to the base station, which forwards it to the core network over S1-AP. Device stack: NAS, RRC, PDCP; base station: RRC procedure, S1-AP; core network: NAS]
6
Cellular Control Plane
Radio technologies interaction: location update procedure
[Diagram: a device with active sessions moves between the 4G base station / Mobility Management Entity and the 3G base station / Mobile Switching Center]
7
Are the interactions between LTE protocols and cellular radio technologies secure?
8
Weak Authentication: Non-Authentic Messages are Accepted
Findings overview
Why? The network executes the message (even when the message integrity check fails) while the device is transitioning from idle to connected state.
Attack: detach the victim from the network.
9
Weak Security Association: Security Handshake is Skipped on Inter-Radio Communication
Findings overview
Why? The security context mismatches between the device and the target radio technology during an inter-radio switch.
Attack: rendering the device unreachable from the network.
10
Lack of Access Control/Non-Authorization
Findings overview
Why? The device does not have an authorization process.
Attack: draining the victim's battery.
11
Weak Authentication: Non-Authentic Messages are Accepted
Exploiting oblivious protocol interactions
[Diagram: attacker device (IMSI = 1) and victim device (IMSI = 2) served by a 4G base station and the LTE core network (gateways, Mobility Management Entity). The attacker device sends RRC Conn Request, receives RRC Conn Setup, and sends RRC Conn Comp + Detach (power off) carrying IMSI = 2; the core network releases resources and tears down the victim's connection. Callouts: Which device? What to send? What to do?]
Why: the LTE standard allows the MME to process a Detach Request message with the power-off condition even if the device MAC fails.
Challenge: how to find the victim device identity (IMSI)?
12
Finding Victim Device Identity
Use a femtocell as a side channel.
[Diagram: victim device, femtocell, 4G base station (macrocell), LTE core network (gateways, Mobility Management Entity)]
13
Finding Victim Device Identity
Use a femtocell as a side channel.
[Diagram: the femtocell sends an Identity Request message to the victim device, which replies with an Identity Response message]
Victim IMSI: the Identity Response message contains the IMSI in plain text!
14
Weak Authentication: Non-Authentic Messages are Accepted
Detaching multiple devices through a broadcast message
Victim devices are in sleep mode (not sending or receiving voice or data packets).
[Diagram: attacker base station (prototype) alongside the 4G base station; "Paging with IMSI" reaches victim #1 through victim #n]
Paging with IMSI is an abnormal procedure, used for error recovery in the network.
Paging is a broadcast message.
15
Weak Authentication: Non-Authentic Messages are Accepted
Detaching multiple devices through a broadcast message
[Diagram: victim #1 through victim #n each locally deregister and re-initiate the Attach procedure with the 4G base station]
Leads to an Attach signaling storm.
16
Weak Security Association: Security Handshake is Skipped on Inter-Radio Communication
Exploiting radio technologies interaction
[Diagram: victim device, 4G base station, Mobility Management Entity, 3G base station, Mobile Switching Center, attacker device; the LAU carries the old security context]
Issue: the LAU message is executed believing the old security context is valid.
17
Weak Security Association: Security Handshake is Skipped on Inter-Radio Communication
Registering a wrong victim device location
[Diagram: the victim device's LAU (old security context) and the attacker device's LAU both reach the 3G base station / Mobile Switching Center, alongside the 4G base station / Mobility Management Entity]
18
Lack of Access Control/Non-Authorization
The device takes action on its broadcast paging message
[Diagram: a paging packet from the 4G base station (macrocell) moves the device from idle to connected; the device establishes a connection with the LTE core network (gateways, Mobility Management Entity)]
19
Lack of Access Control/Non-Authorization
Keeping the device in always-connected mode
[Diagram: an attacker base station (prototype) sends paging; the device moves from idle to connected and establishes a connection with the 4G base station (macrocell) and the LTE core network (gateways, Mobility Management Entity)]
Silently draining the victim's battery.
20
Lack of Access Control/Non-Authorization
Keeping the device in always-connected mode
[Diagram: an attacker base station (prototype) sends paging; the device moves from idle to connected and establishes a connection with the 4G base station (macrocell) and the LTE core network (gateways, Mobility Management Entity)]
An attacker can silently drain the battery of a number of victims' devices.
21
Methodology
Vulnerabilities are validated in operational LTE networks.
Logs were gathered by changing the device's non-volatile memory.
Attacks were carried out in a controlled prototype environment.
22
Suggested Remedies
Detach attack prevention: the network should consult its database to resolve device radio and core-network identities.
Location update hijack attack prevention: the device should re-authenticate whenever it switches its radio technology.
Battery drain attack prevention: the device should keep a mapping between paging requests and gaining network resources.
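As an added example (not the authors' code and not any 3GPP implementation), a simplified Python model of MME-side Detach Request handling for the detach weakness above: the weak path executes a power-off Detach whose NAS-MAC fails, as the talk describes, while the strict path applies the detach remedy and the proposal that no message is executed without integrity protection. The message layout, the HMAC stand-in for the NAS integrity algorithm, the key names and the sample IMSIs are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class DetachRequest:
    imsi: str          # identity claimed in the message
    power_off: bool    # "switch off" detach type
    nas_mac: bytes     # NAS-MAC over the message body


def nas_body(req: DetachRequest) -> bytes:
    return f"DETACH|{req.imsi}|{int(req.power_off)}".encode()


def compute_mac(k_nas_int: bytes, req: DetachRequest) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 4 bytes stands in for the EIA
    # integrity algorithm (the real NAS-MAC is also 32 bits).
    return hmac.new(k_nas_int, nas_body(req), hashlib.sha256).digest()[:4]


@dataclass
class MME:
    nas_keys: dict       # IMSI -> K_NASint held in the MME's own security contexts
    attached: set = field(default_factory=set)
    strict: bool = True  # False reproduces the weak behaviour the talk describes

    def integrity_ok(self, req: DetachRequest) -> bool:
        key = self.nas_keys.get(req.imsi)
        if key is None:
            return False
        return hmac.compare_digest(compute_mac(key, req), req.nas_mac)

    def handle_detach(self, req: DetachRequest) -> str:
        # Remedy: resolve the device from the MME database, not from the message alone.
        if req.imsi not in self.attached:
            return "ignored: no such attached device"
        if not self.integrity_ok(req):
            if self.strict or not req.power_off:
                return "rejected: NAS integrity check failed"
            # Weak path: a power-off Detach is executed despite the MAC failure.
        self.attached.discard(req.imsi)
        return "detached"


def demo(strict: bool) -> tuple:
    # Constructed scenario: one attached device whose key only the MME and device hold.
    victim_key = b"constructed-victim-key"
    mme = MME(nas_keys={"IMSI-2": victim_key}, attached={"IMSI-2"}, strict=strict)
    genuine = DetachRequest("IMSI-2", True, b"")
    genuine.nas_mac = compute_mac(victim_key, genuine)
    unauth = DetachRequest("IMSI-2", True, b"\x00\x00\x00\x00")  # MAC does not verify
    return mme.handle_detach(unauth), mme.handle_detach(genuine)
```

With `strict=False` the unauthenticated power-off Detach succeeds and the device's later genuine Detach finds nothing to detach; with `strict=True` only the integrity-protected message is executed.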
23
Conclusion
Found new vulnerabilities in standardized LTE protocol operations.
We propose that no message is executed without integrity protection.
Broadcast messages must also be integrity protected.