I was reading this morning a new paper on the topic of LTE IMSI catchers: https://arxiv.org/pdf/1702.04434.pdf

Mjølsnes, Stig F., and Ruxandra F. Olimid. “Easy 4G/LTE IMSI Catchers for Non-Programmers.” arXiv preprint arXiv:1702.04434 (2017).

Although this is old news, it is exciting to see that the recent discovery and implementation of LTE IMSI catchers by the team of Prof. Seifert at TU Berlin (Oct 2015 – https://arxiv.org/pdf/1510.07563.pdf) has sparked interest in this area. The paper also mentions the DoS threats that were introduced by the same team in [1]. I have done some work on implementing LTE IMSI catchers and the DoS exploits myself in the past as well ([2] and [3]).

I was giving a talk on this topic last week at UC Irvine, trying to encourage graduate students to focus their PhD research in this area as there is still a lot of work to be done. We need the talented minds of graduate researchers to come up with new threats and, more importantly, solutions to these threats.

Back to this new paper, it is a great overview of IMSI catchers and it is great that the authors implemented the IMSI catcher using an alternative tool (Open Air Interface). I found it interesting, though, that they state that implementing an IMSI catcher on openLTE requires source code modification, such that it is not a viable option for “non-programmers”.

Although the claim of their implementation being for non-programmers is obviously correct, their LTE IMSI catcher uses very similar software and the same computing equipment as the ones in [1,2,3]. I would argue that adding 3 lines of code to openLTE is something a non-programmer could do as well. This is what the authors of [1] did. The only modification required to openLTE (as I have explicitly stated at every talk I have given) is mostly to add an fprintf statement where openLTE parses the AttachRequest message or the TAU/Location Area Update message, although one can do slightly fancier things.

Anyhow, maybe I am too optimistic and expecting a non-programmer to add an fprintf statement in openLTE is perhaps asking too much 🙂

Regardless, this new paper is great and very interesting and an excellent reference on this topic. I am wondering if they will be presenting their work at a conference soon?

I look forward to more and more research in this area.

[1] Shaik, Altaf, et al. “Practical attacks against privacy and availability in 4G/LTE mobile communication systems.” arXiv preprint arXiv:1510.07563 (2015).

[2] Jover, Roger Piqueras. “LTE security and protocol exploits.” ShmooCon (2016).

[3] Jover, Roger Piqueras. “LTE security, protocol exploits and location tracking experimentation with low-cost software radio.” arXiv preprint arXiv:1607.05171 (2016).

Authentication in mobile networks is executed leveraging a symmetric key system. For each mobile subscriber, there is a secret key that is known only by the mobile device and the network operator. Actually, it is not the device itself holding the key, but the SIM card. On the network side, in the case of LTE, the secret key is stored in the Home Subscriber Server (HSS).

Based on this pre-shared secret key, a mobile device and the network can mutually authenticate each other. Though, this is not necessarily the case. For some reason someone must have thought, when designing 2G-GSM, that having the end point authenticate the mobile network was not a requirement… too bad that not having mutual authentication opens the door to all types of rogue base station MitM attacks. Bad things also happen when this pre-shared “secret” key is sent from the SIM card manufacturer to the mobile operator in the clear on a bunch of DVDs and someone manages to steal them.

After years of security research in mobile networks, identifying, implementing and testing protocol exploits, I started thinking that perhaps it would be a good idea to transition the security architecture of mobile networks towards a PKI-based system. This is why I really enjoy reading research papers with PKI proposals for mobile networks, which is a rather rare topic in the research community. Thanks to Google Scholar, a very interesting paper showed up on my radar: Chandrasekaran, Varun, and Lakshminarayanan Subramanian. “A Decentralized PKI In A Mobile Ecosystem.”

PKI would increase the complexity of each cryptographic operation, but it is not like the device and the network authenticate each other constantly. Definitely, a lot of research would have to be done to validate whether it would be possible.

With a PKI-based authentication architecture in mobile networks, so many cool things could potentially be done. For example, it is very well understood that, regardless of mutual authentication and strong encryption, a mobile device engages in a substantial exchange of unprotected messages with *any* LTE base station (malicious or not) that advertises itself with the right broadcast information (and this broadcast information is transmitted in the clear in the SIB broadcast messages). And this is the source of a series of protocol exploits and attacks. Perhaps, by means of PKI, broadcast messages could be “signed” by the operator in a way that mobile devices could verify their freshness (to avoid replay attacks) and verify that the base station is legitimate. This would allow mobile devices to verify the legitimacy of a base station before starting to engage in RACH procedures, RRC connection establishments, NAS attach exchanges, etc.
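The signed-broadcast idea sketched above, as an added example written for this post (it is not code from the paper or from any 3GPP specification). It assumes a hypothetical scheme where the operator signs (cell id, timestamp, SIB payload) with an Ed25519 key, the UE has the operator's public key provisioned (e.g. on the SIM) and a loosely synchronised clock, and a 10-second freshness window; the SIB payload and key are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// MaxAgeSeconds is the assumed freshness window (hypothetical value).
const MaxAgeSeconds int64 = 10

// SignedBroadcast is a hypothetical signed SIB: identity, time and payload bound by one signature.
type SignedBroadcast struct {
	CellID    uint32
	Timestamp int64  // Unix seconds claimed by the base station
	Payload   []byte // SIB contents, treated as opaque bytes here
	Sig       []byte // Ed25519 signature over signingInput(...)
}

var (
	ErrStale        = errors.New("broadcast outside freshness window (replay?)")
	ErrBadSignature = errors.New("broadcast signature does not verify (rogue cell?)")
)

// NewOperatorKey generates the operator's signing key pair. In practice this would be a
// long-lived key distributed through the operator's PKI, not generated per run.
func NewOperatorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signingInput binds cell identity, timestamp and payload so none can be swapped in isolation.
func signingInput(cellID uint32, ts int64, payload []byte) []byte {
	buf := make([]byte, 12, 12+len(payload))
	binary.BigEndian.PutUint32(buf[0:4], cellID)
	binary.BigEndian.PutUint64(buf[4:12], uint64(ts))
	return append(buf, payload...)
}

// SignBroadcast is what an operator-controlled eNodeB would do once per SIB period.
func SignBroadcast(priv ed25519.PrivateKey, cellID uint32, ts int64, payload []byte) SignedBroadcast {
	return SignedBroadcast{CellID: cellID, Timestamp: ts, Payload: payload,
		Sig: ed25519.Sign(priv, signingInput(cellID, ts, payload))}
}

// VerifyBroadcast is the UE-side check before RACH/RRC/NAS: the cheap freshness test
// first (replayed copies are dropped without a signature check), then the signature.
func VerifyBroadcast(pub ed25519.PublicKey, b SignedBroadcast, now int64) error {
	age := now - b.Timestamp
	if age < 0 {
		age = -age
	}
	if age > MaxAgeSeconds {
		return ErrStale
	}
	if !ed25519.Verify(pub, signingInput(b.CellID, b.Timestamp, b.Payload), b.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv := NewOperatorKey()
	sib := []byte("SIB1 PLMN=00101 TAC=0001") // constructed sample payload
	b := SignBroadcast(priv, 0x00A1B2C3, 1700000000, sib)
	fmt.Println("fresh, genuine cell:   ", VerifyBroadcast(pub, b, 1700000002))
	fmt.Println("same SIB replayed later:", VerifyBroadcast(pub, b, 1700003600))
	_, rogueKey := NewOperatorKey() // a base station without the operator's key
	forged := SignBroadcast(rogueKey, 0x00A1B2C3, 1700000002, sib)
	fmt.Println("rogue cell's signature: ", VerifyBroadcast(pub, forged, 1700000002))
}
```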

Anyhow, very interesting paper on cool things that could be done applying PKI to mobile networks. Worth reading it.


Mobile cellular communications are a fascinating world. Although there are impressive advances in technology in the research world (both academic and industrial research), the technological progress and advance of such networks is driven by the standards community (i.e. 3GPP).

This is an approach that has worked since the inception of GSM and has delivered the impressive technology current smartphones use to connect to the Internet, stream the latest “cute dog doing something cute” video and watch the goals by Celta against Madrid in yesterday’s game (hooray for Celta!). In parallel, this model provides enough time for both equipment manufacturers and network operators to get a good return on the investment of billions of dollars of network equipment.

Nowadays, though, we are experiencing two technology trends that are challenging the status quo in wireless and mobile technology. For the first time ever, standards are late to cope with the demand (and obscene amounts of potential revenue and services) in two key technological trends:

  • IoT: There is a massive demand for wireless connectivity for embedded M2M devices. For many applications, such as smart city, agriculture, smart grid, etc., some of the requirements are to have very cheap devices (the “target” used in the industry is $1 per chip) with very low battery consumption (again, the “target” from the industry is 10 years, though I think that is a bit optimistic). The demand is here, but the standards have not delivered. And, in this huge gap one can find two exciting trends: the money-making/raising machine of Sigfox and the LoRa/LoRaWAN community. Two new technologies fueling new services, new applications and exciting new ventures. Meanwhile, the 3GPP community is playing catch up with LTE Cat-M and NB-IoT. (This document provides a bit of an overview. LoRa is much slower, but for the aforementioned applications one does not need much speed, and latency is not a major deal breaker either.)
  • Connected cars, self-driving cars, etc.: Similar scenario. Although self-driving car technology is still just in its inception, there are already several use cases that require connectivity between vehicles and from vehicles to the “road”. 5G mobile networks aim at sub-10ms latency and large capacity for connectivity to 1000x more devices, yet at this point no one really knows what 5G will be (other than the really exciting transition to mmWave and application of massive arrays and beamforming). In parallel, an alternative technology, Dedicated Short Range Communications, seems to be gaining momentum.

In both cases, once the mobile industry and the standards catch up and finally deploy 5G and LTE Cat-M/NB-IoT, all these alternative technologies might simply fade away. But, as of now, the folks at Sigfox, the startups deploying smart-city applications running on LoRa, etc. are making a lot of money and the status quo is not getting (yet) any piece of the cake.

Exciting times!

(Yes, after months? maybe years? I decided to get back to being somehow active on my blog… Most likely I’ll just be posting about security and wireless/mobile interesting stuff)

I was reading this morning a very cool paper from a team at MITRE implementing a jamming mitigation engine leveraging beamforming. The idea is to generate a null in reception at the direction from which the jamming signal is coming from.

Link to the paper: http://ieeexplore.ieee.org/abstract/document/7795331/

It is very interesting that this type of jamming mitigation is becoming popular. It is an area with a lot of potential, especially in the context of 5G, communication at mmWaves and massive arrays of antennas.

My former team and I worked on a very similar idea in the past. We implemented a beamforming-based mitigation for radio jamming against LTE (details in this paper) and there are a bunch of patents already public about that technology: beamforming at the eNodeB and beamforming at the UE. In the case of the UE, we also used beamforming to increase the capacity and throughput of the system… a bit of a utopian idea that, actually, now makes much more sense with carrier frequencies in the mmWave range and above and massive arrays of antennas in the context of 5G. I strongly recommend reading Prof. Rappaport’s work in this area for more details.

Anyhow, the paper is VERY interesting and presents some exciting directions in this area.


Today Apple will give more details on its new wearable device. Here is where you can follow the presentation live:

Enjoy!

Ps. I always post links to the live blogs and streams for Apple events because once it resulted in 30k hits on my blog in a day. It’s been way less ever since, but I still do it as an experiment…

Apple finally unveiled its new products, in the first presentation in a while that introduced more than one new product. I could spend lines and lines talking about the new iPhone 6 and iPhone 6 Plus and about the new Apple Watch, but other people have already done that. You might want to check out these:

Every time Apple releases new products I post the links to some live blogs in my blog. It used to be because I was very active on my blog, talking about new products and stuff and whatnot. Then I realized that it would bring a ton of visits to my blog. In 2012, with the release of the iPhone 5, I got 25k visits in one day. So now I always post links to the live blogs to see if I get the same result… even though I am way less active on my blog now. It worked very well until Apple started broadcasting the events over streaming. Or maybe that was not the reason. Anyhow, posting links to the live blogs gets me now about 100 hits, which is not much more than the daily average. Why am I explaining this? No idea.

As a result of the decline in hits when posting links to live blogs of Apple events, and in an effort to investigate how Google’s crawling and indexing works, I am going to include in this post the following sentences just for fun and experimentation: Instructions to root the iPhone 6. How to root an iPhone 6. iPhone 6 for free. iPhone 7 design leaked. Where to buy an iPhone 8. Water proof iPad.

You never know, maybe now I get tons of hits from people trying to root the iPhone 6 or people who want to find out where to buy an iPhone 8. For the latter I would ask Marty McFly. By the way, this reminds me of that Chaplin movie where you can see a lady using what looks like a cellphone in some footage from early last century. I had a post about it a long time ago.

Anyhow, the main reason why I started writing this post was to highlight the fact that Barcelona was, once again (recall the special mention, with video included, of the launch of Barcelona’s Apple store during the presentation of the iPhone 5), featured in an Apple presentation. In yesterday’s case, with a “mention” of the cool W Hotel in Barcelona.


Looking forward to what Apple will release on September 9th? Experts argue that a new iPhone will be unveiled. And perhaps also the highly anticipated iWatch. Follow live the event from either of these live blogs:

Also, Apple will be broadcasting the event via streaming. You can access it here: Apple live video

Enjoy!


I recently was contacted by someone with questions regarding a document I wrote (LTE PHY fundamentals) a few years ago as part of a class at Columbia University and that is hosted on my website. The confusion was regarding Doppler shift and the time separation of the reference signals in LTE.

Quoting the message:

I was trying to tell you that 500 km/h does not mean a Doppler shift that you wrote in your document. If the carrier frequency is low and the receiver is moving through the transmitter, Doppler shift will be zero, cos(90).

Please read the LTE documentation carefully: Universal Mobile Telecommunications System (UMTS); LTE; Requirements for Evolved UTRA (E-UTRA) and Evolved UTRAN (E-UTRAN). In chapter 7.3, it is clearly written that this speed can be from 15 to 120 in the best case with a Doppler shift, not 500 as you wrote and even calculated the Doppler shift.

After responding to the question, I thought that it would be a good idea to write a quick post here and reference it from my website to clarify this topic if other people had the same questions.

The 3GPP standards do account for mobility of up to 500 km/h. Checking ETSI TR 125 913 V9.0.0 (Universal Mobile Telecommunications System (UMTS); LTE; Requirements for Evolved UTRA (E-UTRA) and Evolved UTRAN) one can read:

The E-UTRAN shall support mobility across the cellular network and should be optimized for low mobile speed from 0 to 15 km/h. Higher mobile speed between 15 and 120 km/h should be supported with high performance. Mobility across the cellular network shall be maintained at speeds from 120 km/h to 350 km/h (or even up to 500 km/h depending on the frequency band). Voice and other real-time services supported in the CS domain in R6 shall be supported by EUTRAN via the PS domain with at least equal quality as supported by UTRAN (e.g. in terms of guaranteed bit rate) over the whole of the speed range. The impact of intra E-UTRA handovers on quality (e.g. interruption time) shall be less than or equal to that provided by CS domain handovers in GERAN.

The mobile speed above 250 km/h represents special case, such as high speed train environment. In such case a special scenario applies for issues such as mobility solutions and channel models. For the physical layer parametrization EUTRAN should be able to maintain the connection up to 350 km/h, or even up to 500 km/h depending on the frequency band.

Regarding this topic, Samsung did some very interesting experiments on the high speed case inside a plane flying at 750 km/h. Also, a recent paper was presented at a Sigcomm workshop whose TPC I was part of. It presented high speed measurements of LTE (check the paper titled “Performance of LTE in a High-velocity Environment: A Measurement Study”).

As for the Doppler shift, the Doppler equation does contain a cos(alpha), but alpha will only be 90 degrees when a mobile is right under the cell tower. In general, in mobile communications, one does not consider the special case of alpha=90 (see below for more details). Anyhow, the way system specifications are designed is for the worst case scenario. In the case of LTE, the maximum possible Doppler shift is for the highest carrier frequency (~2 GHz at the time I wrote the document), V=500 km/h and alpha=0 (cos(0)=1). That’s why the separation of the pilot tones in the LTE/OFDMA lattice is 0.5 ms (the derivation of the value 0.5 ms is in my document). Essentially, the Doppler shift defines the coherence time, which is the duration of time for which the channel does not change “substantially” or, more mathematically defined, the delay for which its autocorrelation is “higher” than a certain value (there are different ways to define coherence time depending on how “strict” one wants to be). Pilot tones or reference signals are used to sample the channel to perform equalization and other tricks. The Doppler shift defines the maximum sampling period that will allow the channel to be sampled correctly. If the channel can change as fast as every 0.5 ms, one needs to have at least one sample every 0.5 ms. Therefore, the reference signals are separated every 0.5 ms, tackling this way the worst case scenario for the coherence time.

Generally, in wireless communications for terrestrial applications, one usually does not even consider alpha because the heights of the towers (10 to 50 m or so) are much smaller than the distances between the mobile devices and the towers (up to 35 km for the biggest supported cells), so the value of alpha is always very small. However, in radar applications they do consider alpha because planes are flying at high altitudes.
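The worst-case Doppler budget from the two paragraphs above, worked through as an added example (my own code for this post, not taken from the LTE PHY document or the standard). It assumes the coherence-time definition T_c = 1/(2 f_d) (stricter definitions, e.g. 0.423/f_d, give shorter values) and the 2 GHz carrier, 500 km/h and 50 m / 35 km geometry quoted above; it also runs the 750 km/h plane case to show where the 0.5 ms spacing stops being enough.

```go
package main

import (
	"fmt"
	"math"
)

const speedOfLight = 299792458.0 // m/s

// KmhToMs converts a speed in km/h to m/s.
func KmhToMs(v float64) float64 { return v * 1000 / 3600 }

// DopplerShift returns f_d = v * f_c * cos(alpha) / c in Hz, alpha being the angle
// between the direction of motion and the line of sight to the tower.
func DopplerShift(speedMS, fcHz, alphaRad float64) float64 {
	return speedMS * fcHz * math.Cos(alphaRad) / speedOfLight
}

// CoherenceTime returns T_c = 1/(2 f_d) in seconds (assumed definition, see lead-in).
func CoherenceTime(fdHz float64) float64 { return 1 / (2 * fdHz) }

// ApproachAngle returns alpha for a ground mobile heading straight at a tower of
// height h at horizontal distance d: atan(h/d), i.e. 90 degrees right under the tower.
func ApproachAngle(towerHeightM, groundDistanceM float64) float64 {
	return math.Atan2(towerHeightM, groundDistanceM)
}

// PilotSpacingOK reports whether reference signals every spacingS seconds sample the
// channel at least once per coherence time in the worst case (alpha = 0, cos = 1).
func PilotSpacingOK(spacingS, speedKmh, fcHz float64) bool {
	fd := DopplerShift(KmhToMs(speedKmh), fcHz, 0)
	return spacingS <= CoherenceTime(fd)
}

func main() {
	const spacing = 0.5e-3 // LTE reference-signal separation in time, seconds
	const fc = 2e9         // highest carrier considered, Hz
	for _, v := range []float64{120, 350, 500, 750} {
		fd := DopplerShift(KmhToMs(v), fc, 0)
		fmt.Printf("%4.0f km/h @ 2 GHz: f_d = %6.1f Hz, T_c = %.3f ms, 0.5 ms pilots enough: %v\n",
			v, fd, CoherenceTime(fd)*1e3, PilotSpacingOK(spacing, v, fc))
	}
	// Geometry: even the largest cell (35 km) with a 50 m tower gives cos(alpha) ~ 1,
	// so ignoring alpha loses nothing; only right under the tower does it matter.
	a := ApproachAngle(50, 35000)
	fmt.Printf("alpha at 35 km from a 50 m tower: %.4f deg, cos = %.6f\n", a*180/math.Pi, math.Cos(a))
	fmt.Printf("f_d right under the tower (alpha = 90 deg): %.2e Hz\n",
		DopplerShift(KmhToMs(500), fc, math.Pi/2))
}
```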

Anyways, the best way to read about these concepts and have them explained much better than what I did here is to check Rappaport’s book.


I am quite busy lately and neglecting my blog too much; it is time to catch up a bit. Although work is one of the main things keeping me busy, going back to playing soccer regularly, running quite often and a few other things are keeping me busy… plus it is summer and in summer I would rather spend my free time away from my computer.

Anyhow, to catch up, just a few thoughts on a few things.

I have been gathering some old stuff from when I was an undergrad. I will try to post more source code and other projects on my personal website soon.

Happy summer everyone! And for those of you in the southern hemisphere, happy winter! Oh, and could you please share a video of the toilet flushing and spinning the other way?

First of all, the reason why I have been missing in action for a couple of months on my blog has been that I have been rather busy (but “good” busy) with work. Lots of exciting things happened recently, including reaching two of my main milestones for this year. I am still busy, but I will try to be back here every now and then to share stuff that I find interesting.

Having said that, if you know me well, you know that these days I am doing crazy schedules and working many hours so I can also watch as many World Cup games as possible. I will not reach my great achievements from the World Cups of 2010 and 2006, when I saw every single game of each tournament (yes, you read it right, every single one), but I am doing a decent job. By the way, if you happen to have a lot of free time (I had just finished my undergrad in 2006 and I was on a lazy + learning German + travel hiatus, and I was a grad student in 2010), I challenge you to watch every single game of a World Cup. It’s an amazing experience. But not easy. As an example, I saw the Portugal-France semifinal in a ferry with poor satellite reception going from Athens to Paros. And I saw the final in some random restaurant in the less populated side of Siros.

Anyhow, I just wanted to share some thoughts about the World Cup so far:

  • Spain: I knew we were in bad shape and there were 0 chances we would win. But still, what Spain did was lame. The way they surrendered after the Netherlands’ second goal was very sad. I guess Spain always sucks in World Cups and we just had the last 6 years as an exception. The exception that confirms the rule. I was back home in Barcelona for the games against the Netherlands and Chile, so it hurt even more.
  • USA: I like this team a lot, and I am not saying it because the US is my second (actually, now officially permanent) home. I like how they play, very talented young players. And I really like this Dempsey guy. Back in my grad student years, my Spanish friends and I always played in the intramurals against the US kids. Playing futsal 5on5 we always kicked ass… but when it was 11on11, those guys had so much stamina and energy that we always lost! And I see that in the World Cup too. It’s very interesting how over the last few World Cups the US has scored a large number of goals towards the end of the game, when the rival is tired (a game every 3 days ain’t easy!). Having said that, sometimes one sees that the US does not have that much experience in soccer. For example, no team has used a “polo-type neck” for the jersey since the early 90s. They need a jersey redesign asap! Also, they did not win against Portugal for 2 reasons: 1) that guy whose dad is the former national coach had a terrible game and made an awesome pass to CR96 Ronaldo, and 2) the US has to master the ancient skill of wasting time.
  • Argentina: Playing bad, but with a stellar Messi. I hope they win the World Cup just so there are no more counter arguments (i.e. he never won a World Cup, unlike Maradona and Pele). The world needs to finally agree that Messi is, BY FAR, the greatest player of all times.
  • Germany: My favorite team (aside from Spain) for the last few World Cups. Playing very good. Although I really want Messi to win a World Cup, I hope for a Germany-Brazil final.
  • Ghana: Such a good team. The way they play is just amazing, and although I always cheer for Germany, I was quite annoyed when Klose scored the 2-2. However, kudos for Klose, top scorer of a World Cup tied with Ronaldo (the good one).

I want to write more, but I’ll leave it here for now. Back to work now! I have been here since 7 today. It will be a long day. But it’s all good, fun stuff at work. Projects going great. And, in parallel, a really fun World Cup. What else can one wish for?


About me:

Born in Barcelona, moved to Los Angeles at age 24, ended in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.
About me: http://www.ee.columbia.edu/~roger/
