As I predicted in an article I wrote last year, the increasing maturity of the open-source implementations of the LTE stack is fueling more and more exciting work in LTE security. I saw two presentations at Black Hat in this area that will most likely make it to the mainstream media.

Ravishankar Borgaonkar and his colleagues at TU Berlin keep producing exciting work in this area and presented some fresh work on new techniques to track devices in mobile networks. Considering that the team under Prof. Jean-Pierre Seifert is responsible for some of the coolest papers I've read in the last 6 years, I was really looking forward to this one.

By impersonating a target's IMSI toward the real network, one can collect the authentication challenges (RAND/AUTN pairs) that the network issues for that subscriber, and by tracking and analyzing the AKA sequence number carried in AUTN, those pairs can be replayed later to tell whether the victim's device is in range: only the victim's SIM accepts the MAC in AUTN, while everybody else's rejects it. Fun stuff and yet another issue in mobile networks that has been carried over from generation to generation and is likely going to impact 5G networks as well. It could be worse, I guess. LTE networks could, for example, add a plain-text identifier, unique per device, to each packet at the PHY layer. Oh, wait, that actually happens and allows tracking devices as well.
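To make the mechanism concrete, here is an added toy model of the AKA challenge/response that is not part of the original post or the authors' work. It uses HMAC-SHA256 stand-ins for the f1/f2/f5 functions rather than real MILENAGE, keys, IMSIs and sequence numbers are constructed values, and the UE's sequence-number check is simplified to "strictly newer than what I have seen". What it shows is the distinguisher the attack relies on: a RAND/AUTN pair harvested for the victim's IMSI is accepted by the victim's SIM (fresh the first time, a sync failure on replay) and rejected with a MAC failure by every other SIM.

```python
import hashlib
import hmac
import os

# Toy keyed functions standing in for the AKA f1/f2/f5 algorithms.
# These are NOT MILENAGE; they only reproduce the protocol structure.
def _prf(k: bytes, tag: bytes, data: bytes, n: int) -> bytes:
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def f1(k, rand, sqn, amf):   # MAC-A, authenticates the network to the SIM
    return _prf(k, b"f1", rand + sqn + amf, 8)

def f2(k, rand):             # RES, the SIM's answer to the challenge
    return _prf(k, b"f2", rand, 8)

def f5(k, rand):             # AK, the anonymity key that conceals SQN
    return _prf(k, b"f5", rand, 6)

AMF = b"\x80\x00"            # authentication management field (constant here)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class HomeNetwork:
    """Holds (K, SQN) per IMSI and issues challenges; SQN advances per challenge."""
    def __init__(self, subscribers):
        self.subs = dict(subscribers)            # imsi -> (K, SQN)

    def challenge(self, imsi):
        k, sqn = self.subs[imsi]
        rand = os.urandom(16)
        sqn_b = sqn.to_bytes(6, "big")
        # AUTN = (SQN xor AK) || AMF || MAC-A
        autn = xor(sqn_b, f5(k, rand)) + AMF + f1(k, rand, sqn_b, AMF)
        self.subs[imsi] = (k, sqn + 1)
        return rand, autn

class UE:
    """A phone/SIM with its long-term key K and highest accepted SQN."""
    def __init__(self, imsi, k):
        self.imsi, self.k, self.sqn_ms = imsi, k, 0

    def respond(self, rand, autn):
        conc, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn_b = xor(conc, f5(self.k, rand))      # unmask SQN with AK
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn_b, amf)):
            return "MAC_FAILURE"                 # not my network's challenge
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:                   # simplified freshness check
            return "SYNC_FAILURE"                # valid MAC, stale SQN
        self.sqn_ms = sqn
        return "RES:" + f2(self.k, rand).hex()

def harvest_challenge(network, victim_imsi):
    """Attacker attaches with the victim's IMSI and records the challenge
    instead of answering it (hypothetical helper for the attacker side)."""
    return network.challenge(victim_imsi)

def identify_victim(rand, autn, ues):
    """Replay one harvested pair to every UE in range from a fake cell;
    return the IMSIs whose SIM accepted the MAC (RES or sync failure)."""
    return [ue.imsi for ue in ues if ue.respond(rand, autn) != "MAC_FAILURE"]

if __name__ == "__main__":
    K_VICTIM, K_OTHER = bytes(16), bytes(range(16))          # constructed keys
    hn = HomeNetwork({"imsi-victim": (K_VICTIM, 10), "imsi-other": (K_OTHER, 10)})
    victim, other = UE("imsi-victim", K_VICTIM), UE("imsi-other", K_OTHER)
    rand, autn = harvest_challenge(hn, "imsi-victim")
    print(identify_victim(rand, autn, [victim, other]))     # ['imsi-victim']
    print(victim.respond(rand, autn))                        # SYNC_FAILURE on replay
```

Note that the harvested pair never needs the attacker to know K: the network has already done the work of binding RAND/AUTN to the victim's key, and the replay only checks who can verify it.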

Very interesting presentation on exploiting CS fallback for voice traffic. Even though a device is properly authenticated and its traffic protected on LTE, in CS fallback mode calls are delivered over a legacy circuit-switched network, often GSM. By sniffing the paging channel and replying with spoofed paging response messages, the authors are able to intercept phone calls.

This is a very cool exploit that I was already familiar with. Actually, I am looking forward to seeing the video of the presentation or reading the authors' paper on this. Based on just the slides, this looks very similar to, and reminds me a lot of, a really cool paper: Let Me Answer That For You: Exploiting Broadcast Information in Cellular Networks. By the way, this paper is by the team under, guess who, Jean-Pierre Seifert. I told you these guys do cool work!


As I said last year, more and more exciting research in LTE security and exploits. I wish I could say the same about myself, but having a full-time job (a really good one that I love, through which I am now involved in the security of many other wireless technologies as well as corporate network security, data mining and machine learning and other fun stuff), going to a ton of rock concerts (follow me @rgoestotheshows), playing soccer twice a week, never missing an FC Barcelona game (the greatest soccer team in the world) and, especially, being about to become a dad for the first time, keep me VERY busy.

When I find some time, I work on the paper on my radio adventures at the Mobile World Congress scanning 802.11, BLE & Bluetooth, LTE and cloning my badge. I promised myself I would have it ready before next year's Mobile World Congress 🙂 I am also starting to work on a new project/collaboration testing a whole new bunch of LTE protocol exploits. Some really FUN stuff. This time I have a team with me and we are actually aiming to submit papers to conferences, so things should be happening on this project soon. Stay tuned. Same bat-channel.

PS. Please, Neymar, do not go to PSG!