LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE

Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, Elisa Bertino. Network and Distributed System Security Symposium.
In this paper, we investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders. […]

Key result: Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials.

Towards 5G Security Analysis against Null Security Algorithms Used in Normal Communication

An in-depth analysis of the signaling interaction and security mechanism for the attach procedure in the 5G network finds that faulty security algorithm selection could result in the acceptance of the null security algorithm on the side of the core network, and attackers can exploit this to trigger IP spoofing attacks and SUPI catching attacks on the victim UE.

A Systematic Analysis Method for 5G Non-Access Stratum Signalling Security

An improved PKI mechanism based on the existing asymmetric encryption of 5G is proposed, which introduces a new pair of asymmetric keys in the gNodeB to encrypt and sign the signalling message sent to UE.

LTE security disabled: misconfiguration in commercial networks

This work enhances the open baseband srsLTE with support for commercial networks and performs a subsequent analysis of the security configuration of commercial LTE networks, providing a proof-of-concept attack in a live network where the adversary obtains an IP address at the victim's cost.

Security and Protocol Exploit Analysis of the 5G Specifications

Comparison with known 4G long-term evolution protocol exploits reveals that the 5G security specifications, as of Release 15, Version 1.0, do not fully address the user privacy and network availability challenges.

IMP4GT: IMPersonation Attacks in 4G NeTworks

A novel cross-layer attack is introduced that exploits the existing vulnerability on layer two and extends it with an attack mechanism on layer three; the attack implies that providers can no longer rely on mutual authentication for billing, access control, and legal prosecution.

5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol

5GReasoner, a framework for property-guided formal verification of control-plane protocols spanning multiple layers of the 5G protocol stack, is proposed; it identified 11 design weaknesses resulting in attacks with both security and privacy implications.

On Key Reinstallation Attacks over 4G/5G LTE Networks: Feasibility and Negative Impact

This paper shows that several design choices on both control and data planes in the current LTE security setup are vulnerable to key reinstallation attacks, and proposes remedies to defend against such threats.

On Key Reinstallation Attacks over 4G LTE Control-Plane: Feasibility and Negative Impact

It is shown that several design choices in the current LTE security setup are vulnerable to key reinstallation attacks, and remedies to defend against such threats are proposed.

A Systematic Framework For Analyzing the Security and Privacy of Cellular Networks

An analysis of LTEInspector's findings shows that the absence of broadcast authentication enables an adversary to mount a wide plethora of security and privacy attacks; the work develops an attack-agnostic generic countermeasure that provides broadcast authentication without violating any common-sense deployment constraints.

VWAnalyzer: A Systematic Security Analysis Framework for the Voice over WiFi Protocol

This paper models five critical procedures of the VoWiFi protocol and deploys a model-based testing approach to uncover potential design flaws. It demonstrates the effectiveness of VWAnalyzer, which constructs diverse and viable scenarios based on the underspecifications and substantially reduces the number of possible scenarios.



Putting LTE Security Functions to the Test: A Framework to Evaluate Implementation Correctness

A framework is developed to analyze various LTE devices and identify several security flaws partially violating the LTE specification, which undermine the data protection objective of LTE and represent a threat to the users of mobile communication.

Defeating IMSI Catchers

This work proposes a solution that essentially replaces the IMSIs with changing pseudonyms that are only identifiable by the home network of the SIM's own network provider, and therefore mitigates both passive and active attacks.

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems

This work constitutes the first publicly reported practical attacks against LTE access network protocols and recommends that safety margins introduced into future specifications to address such trade-offs should incorporate greater agility to accommodate subsequent changes in the trade-off equilibrium.

On the Detection of Signaling DoS Attacks on 3G Wireless Networks

This paper identifies and studies a novel denial of service (DoS) attack, called a signaling attack, that exploits the unique vulnerabilities of the signaling/control plane in 3G wireless networks, and presents and evaluates an online early detection algorithm based on the statistical CUSUM method.

Security attacks against the availability of LTE mobility networks: Overview and research directions

R. Jover. 2013 16th International Symposium on Wireless Personal Multimedia Communications (WPMC), 2013.
An overview of the current threat landscape against the availability of LTE mobility networks is presented and a set of areas of focus that should be considered in mobility security in order to guarantee availability against security attacks are identified.

A Vulnerability in the UMTS and LTE Authentication and Key Agreement Protocols

A flaw in the specifications of the Authentication and Key Agreement (AKA) protocols of the Universal Mobile Telecommunications System and Long-Term Evolution (LTE) as well as the specification of the GSM Subscriber Identity Authentication protocol is reported.

On the Security of Public Key Protocols (Extended Abstract)

The goals of privacy and non-malleability are considered, each under chosen plaintext attack and two kinds of chosen ciphertext attack, and a new definition of non-malleability is proposed which the author believes is simpler than the previous one.

Trashing IMSI catchers in mobile networks

A novel authentication approach for 3G and 4G systems is proposed that does not affect intermediate entities, notably the serving network and mobile equipment, and that prevents disclosure of the subscriber's IMSI by using a dynamic pseudo-IMSI that is only identifiable by the home network for the USIM.

A man-in-the-middle attack on UMTS

A man-in-the-middle attack on the Universal Mobile Telecommunication Standard (UMTS), one of the newly emerging 3G mobile technologies, is presented, showing that an attacker can mount an impersonation attack since GSM base stations do not support integrity protection.

Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone's Battery

An attack is demonstrated, which surreptitiously drains mobile devices' battery power up to 22 times faster and therefore could render these devices useless before the end of business hours.