
We recently released a pre-print of our paper analyzing the 5G security specifications. The idea of releasing the pre-print while the paper is under submission was to get it out there soon and start collecting feedback in parallel to the actual review. There are a couple of things we want to clarify in the published version. The editorial process for this paper is taking longer than anticipated, so I thought I could make a quick update as a sneak peek.

A few folks have pinged us with some questions and really good constructive feedback about the paper. Some questions were related to the two main concepts we will be clarifying in the final version.

1. The IMSI (SUPI in the context of 5G – I have been working in LTE security for many years and I am too used to saying IMSI, so I might wrongly refer to the IMSI here when I mean SUPI…) will be concealed using the public key of the home network, which does indeed imply that a SIM card only needs a single public key stored in order to conceal the SUPI into the SUCI. The SUPI will still be transmitted in the clear if no public key for the home network is provisioned or in the case of an unauthenticated emergency call. It is not clear yet whether a rogue 5G base station could trick a device into issuing such an unauthenticated call. Also, similarly to the recovery from a network outage in LTE, 5G might (should?) support a similar procedure. It is not clear yet either how the operator will indicate to a UE/USIM that it needs to rotate the secret key (maybe it has been compromised, maybe it is time to rotate it… because they plan to rotate them, right???). In that scenario, implicitly, the operator will need to require the UE to authenticate in a manner that will not allow the SUPI to be concealed. To make things more complex, key management and rotation, and what to do in these cases, is left outside of the specifications.

2. The 5G security specifications never explicitly state that a USIM will need to have a public key for every operator from every country. That is, however, an implicit requirement for the secure implementation of the protocol and to tackle the known LTE exploits (e.g. Attach Reject to DoS the device or downgrade it to GSM). Most of the protocol exploits discovered in LTE exploit one or multiple pre-authentication PHY, RRC or NAS messages before the handshake. An IMSI catcher returns an Attach Reject “I don’t know your TMSI/GUTI, send me your IMSI” message; a DoS device replies with an Attach Reject EMM Cause Code (for example) 0x03 Illegal UE and the device stops trying to connect until the timer T3245 expires (24h to 48h); a sophisticated Stingray replies with Attach Reject EMM Cause Code 0x07 EPS Services Not Allowed and downgrades the UE to GSM to man-in-the-middle the connection. Note that, in the case of IMSI/SUPI catching, 5G is *not* preventing the pre-authentication message from being exploited. In 5G, when an adversary sends an Attach Reject “I don’t know your TMSI/GUTI, send me your SUPI”, the UE replies with the SUPI, but this identifier is concealed. So the adversary catches the identifier, though she/he cannot decrypt it. All the other exploits that leverage pre-authentication messages, and any other one that has not been identified yet, could still potentially be possible in 5G unless pre-authentication messages can be cryptographically authenticated by the UE. If mobile users never roamed to other networks or countries, having the public key of the home network would suffice. But, factoring roaming into the equation, the only way a UE could possibly cryptographically authenticate PHY, RRC and NAS pre-authentication messages is if the UE had a public key for every single operator from every single country.

   Otherwise, if I am missing a public key from an operator from, say, Spain, I just need to set up my rogue 5G base station to broadcast, for example, MCC=214 MNC=07 (for Movistar) and the UE will implicitly trust every single PHY, RRC and NAS message that comes before the NAS authentication process.

   An alternative could be to have NAS messages from roaming UEs always routed back to/from the home operator in the home country. This would likely be an overload nightmare for Diameter networks and the mobile core networks. And, actually, this is probably something that could be exploited as a DDoS attack against mobile operators by having an army of fake software-radio-based UEs initiating connections from different locations claiming to be USIMs from all over the world. There might be other potential solutions to this problem, and I know of a couple of research groups in academia doing excellent work to tackle this challenge.
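To make the first point concrete, here is an added example (written for this post; it is not code from our paper or from 3GPP) of ECIES-style SUPI concealment in Go. It shows the properties that matter for the discussion above: the USIM holds only the home network's public key, every SUCI is built from a fresh ephemeral X25519 key pair so repeated registrations are unlinkable on the air interface, only the holder of the home network's private key can deconceal, and the two cases in which the SUPI still leaves the device in the clear (no key provisioned, unauthenticated emergency registration) are modelled by `IdentityToSend`. The `USIM` and `SUCI` types, the labelled-HMAC key derivation and the AES-CTR/HMAC-SHA256 combination are simplifications I assumed for illustration, not the 3GPP ECIES profile or its encoding; the sample SUPI is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// USIM models what the SIM card needs in order to conceal the SUPI: the
// identity and one public key for the home network. (Assumed type.)
type USIM struct {
	SUPI       string
	HomeNetPub *ecdh.PublicKey // nil when the operator has not provisioned one
}

// SUCI is the concealed identifier sent over the air: the UE's ephemeral
// public key, the encrypted SUPI and an integrity tag. (Assumed layout.)
type SUCI struct {
	EphPub, Cipher, Tag []byte
}

// deriveKeys expands the X25519 shared secret into an AES-128 key and an
// HMAC key. Simplified labelled-HMAC derivation, not the 3GPP X9.63 KDF.
func deriveKeys(shared []byte) (encKey, macKey []byte) {
	h := hmac.New(sha256.New, shared)
	h.Write([]byte("suci-enc"))
	encKey = h.Sum(nil)[:16]
	h = hmac.New(sha256.New, shared)
	h.Write([]byte("suci-mac"))
	return encKey, h.Sum(nil)
}

// ctrCrypt applies AES-128-CTR. A zero IV is acceptable here only because
// every SUCI uses a fresh ephemeral key pair and therefore a fresh encKey.
func ctrCrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out, nil
}

func macTag(macKey, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(nil)
}

// Conceal runs on the UE. A new ephemeral key pair per call means two SUCIs
// for the same SUPI look unrelated to anyone sniffing the air interface.
func Conceal(supi string, homePub *ecdh.PublicKey) (SUCI, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return SUCI{}, err }
	shared, err := eph.ECDH(homePub)
	if err != nil { return SUCI{}, err }
	encKey, macKey := deriveKeys(shared)
	ct, err := ctrCrypt(encKey, []byte(supi))
	if err != nil { return SUCI{}, err }
	return SUCI{EphPub: eph.PublicKey().Bytes(), Cipher: ct, Tag: macTag(macKey, ct)}, nil
}

// Deconceal runs only in the home network, the sole holder of the private
// key; a visited network forwards the SUCI without being able to read it.
func Deconceal(s SUCI, homePriv *ecdh.PrivateKey) (string, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(s.EphPub)
	if err != nil { return "", err }
	shared, err := homePriv.ECDH(ephPub)
	if err != nil { return "", err }
	encKey, macKey := deriveKeys(shared)
	if !hmac.Equal(macTag(macKey, s.Cipher), s.Tag) {
		return "", errors.New("SUCI integrity check failed (wrong key or modified in transit)")
	}
	pt, err := ctrCrypt(encKey, s.Cipher)
	if err != nil { return "", err }
	return string(pt), nil
}

// IdentityToSend captures the two cases from the post in which the SUPI still
// travels in the clear: no home-network key on the USIM, or an unauthenticated
// emergency registration. Otherwise a fresh SUCI is sent.
func IdentityToSend(u USIM, unauthEmergency bool) (kind string, payload []byte, err error) {
	if u.HomeNetPub == nil || unauthEmergency {
		return "SUPI", []byte(u.SUPI), nil
	}
	s, err := Conceal(u.SUPI, u.HomeNetPub)
	if err != nil { return "", nil, err }
	payload = append(append(append([]byte{}, s.EphPub...), s.Cipher...), s.Tag...)
	return "SUCI", payload, nil
}

func main() {
	homePriv, _ := ecdh.X25519().GenerateKey(rand.Reader) // home network key pair
	u := USIM{SUPI: "imsi-214070123456789", HomeNetPub: homePriv.PublicKey()} // constructed sample
	a, _ := Conceal(u.SUPI, u.HomeNetPub)
	b, _ := Conceal(u.SUPI, u.HomeNetPub)
	fmt.Println("same SUPI, same ciphertext?", bytes.Equal(a.Cipher, b.Cipher)) // false
	supi, err := Deconceal(a, homePriv)
	fmt.Println("home network recovers:", supi, err)
	kind, _, _ := IdentityToSend(USIM{SUPI: u.SUPI}, false)
	fmt.Println("no key provisioned -> sends", kind)
}
```

Note what this does and does not buy: the visited network, or anyone on the air interface, learns nothing from the SUCI beyond the home PLMN needed to route it, but the decision to fall back to a cleartext SUPI is taken on the UE before any authentication has happened, which is exactly the pre-authentication trust problem discussed in the second point.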

Long story short, IMSI catching is trickier in 5G, but it is still not clear whether it is fully prevented; and the requirement for a public key from all operators and countries is not an explicit requirement in the specifications but an implicit one if 5G is to tackle protocol exploits leveraging pre-authentication messages.

We will update the document on arXiv soon with these clarifications. Thank you very much again to everyone who has sent us feedback on the paper. We really appreciate it!

Ps. Good game by Barcelona last night despite having Messi out! 😀

EDIT: Just to clarify further. The public key of the home network at the USIM is intended only to conceal the SUPI. We are not trying to imply that this key is intended to apply to pre-authentication PHY/RRC/NAS messages. If this public/private key scheme were to be used to protect pre-authentication messages, though, then there would be an implicit requirement of having public keys for all operators.


Yesterday Google Scholar sent me another alert about a new paper. I must say that Google Scholar is becoming my number 1 source to stay up to date about research in mobile security.

The paper, “Formal analysis of 5G authentication”, is a pre-print released by a team from ETH Zurich, University of Lorraine and University of Dundee. Similarly to a recent paper on LTE security (LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE), the authors translate the 3GPP protocol specifications into pseudo-code that can be formally verified and analyzed. In this case, the authors analyze the recently released 5G 3GPP specifications, with special focus on the authentication protocols. To do so, the authors use Tamarin, a protocol verification tool.

I strongly recommend reading the paper. As I expected, the authors found a few weaknesses in the protocol. The 5G AKA protocol appears to fail to meet several security goals that are explicitly required by the 3GPP specifications, as well as other critical security properties. The paper highlights weaknesses in the standard and suggests improvements and refinements. Such interesting work and an excellent paper.

It is worth noting that a couple months ago I was invited to write an opinion article on 5G security and I got some criticism from 3GPP folks on it, claiming that 5G is secure and things have been improved very much. As I stated in my article (Are we there yet? The long path to securing 5G mobile communication networks), I still see a long way to go to fully secure mobile communication networks. And the new sophisticated security architecture and PKI infrastructure are very interesting, but based on the unrealistic assumption that each SIM will have a public key or certificate for all operators from all countries. I always acknowledge that it is very hard to achieve a secure mobile communications system and the only reason I work in proactively identifying security weaknesses is to keep raising awareness on this problem.

It makes me happy to see so much excellent work coming from academia in the area of mobile security. Excellent research topic for talented PhD students to work on. And it makes me even happier that, just a couple of months after being publicly released, there is security research analyzing the 5G specifications. I am myself currently involved in a research project on 5G security with a team from Virginia Tech under Prof. Jeffrey Reed and Prof. Vuk Marojevic. We are working on a new paper on 5G security that should be out sometime later this summer or early Fall. Stay tuned! For those of you who saw me speak at UC Irvine last May or at Hushcon East in NY in June, you already got a bit of a sneak peek.

Yesterday, Google Scholar sent me an alert about a paper I might be interested in. It turns out I am indeed very interested in it. This is a paper already accepted, in its new rolling-window review process, for the IEEE Security and Privacy symposium of 2019 (link for this year’s symposium): Breaking LTE on Layer 2.

There is no available pre-print yet, but there’s an abstract already:

Long Term Evolution (LTE) is the latest mobile communication standard and has a pivotal role in our information society: LTE combines performance goals with modern security mechanisms and serves casual use cases as well as critical infrastructure and public safety communications. Both scenarios are demanding towards a resilient and secure specification and implementation of LTE, as outages and open attack vectors potentially lead to severe risks. Previous work on LTE protocol security identified crucial attack vectors for both the physical (layer one) and network (layer three) layers. Data link layer (layer two) protocols, however, remain a blind spot in existing LTE security research. In this paper, we present a comprehensive layer two security analysis and identify three attack vectors. These attacks impair the confidentiality and/or privacy of LTE communication. More specifically, we first present a passive identity mapping attack that matches volatile radio identities to longer lasting network identities, enabling us to identify users within a cell and serving as a stepping stone for follow-up attacks. Second, we demonstrate how a passive attacker can abuse the resource allocation as a side channel to perform website fingerprinting that enables the attacker to learn the websites a user accessed. Finally, we present the aLTEr attack that exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload. As a proof-of-concept demonstration, we show how an active attacker can redirect DNS requests and then perform a DNS spoofing attack. As a result, the user is redirected to a malicious website. Our experimental analysis demonstrates the real-world applicability of all three attacks and emphasizes the threat of open attack vectors on LTE layer two protocols.

It is always great news to see excellent security research on LTE published that is based on open source implementations of the LTE stack. This is something I anticipated a few years ago. I am also very familiar with the work of this new paper’s authors. They have worked on some really interesting security research work on LTE and I have discussed some of their most recent papers in this blog.

This new paper is particularly exciting because it seems to build up on some of my work from a few years ago. Based on the abstract (“we first present a passive identity mapping attack that matches volatile radio identities to longer lasting network identities, enabling us to identify users within a cell and serving as a stepping stone for follow-up attacks”), it sounds like they are implementing RNTI-based user tracking and using it for what sounds like a series of new, really interesting attacks against LTE. I really look forward to reading the paper and learning more about the excellent work they did and the new protocol exploits they found.

Back in 2016 I presented at ShmooCon (slides and video) and published a paper discussing and implementing Denial of Service attacks against LTE, IMSI catchers on LTE and, relevant to this new paper, presenting and implementing in a real network for the first time a user location tracking attack leveraging the PHY layer id known as RNTI (Radio Network Temporary Identifier). For details, see slides 31 to 44 here and section V.F of my paper from 2016.

In a nutshell, the RNTI is an id derived and assigned in the RACH handshake in plain text (and thus can be easily captured with a simple LTE downlink sniffer such as AirScope from Software Radio Systems). It is included in plaintext in the header of every single PHY layer packet, which means that it is included in the plaintext of all uplink and downlink packets of a connection. As such, it can obviously be used to distinguish traffic flows from multiple users and track a given user, if one can map the RNTI to something else. As I implemented in my work a couple of years ago, mapping the RNTI to the TMSI or even the MSISDN (the phone number of the user) is trivial. Once one maps an RNTI to a TMSI, one can leverage paging messages to further expand the ability to track a user, as Kune showed in a really cool paper from a few years ago. I also recently read a paper that expands even further the ability of user tracking on LTE by using the GUTI.

A couple of years ago I also demo-ed at HackerHalted an implementation of an RNTI-based tracker running passively using a modified version of srsLTE and a USRP radio (see slides here).

The authors of “Breaking LTE on layer 2” seem to have implemented and tested the RNTI tracking techniques in their paper and used them as the stepping stone for new attacks that sound pretty cool and interesting, given what the abstract reads. Hopefully we don’t have to wait until IEEE S&P 2019 (May 2019) to learn more details on their new research. Knowing the excellent work that these authors have published in recent years, I expect a very good paper that is likely to generate a lot of conversations and discussions. The more work in this area the better, as we need people talking about this and actively working on making mobile networks more secure. Really looking forward to reading their paper!

Related published work on user tracking and, specifically, RNTI tracking:

[1] Jover, Roger Piqueras. “LTE security, protocol exploits and location tracking experimentation with low-cost software radio.” arXiv preprint arXiv:1607.05171 (2016).

[2] Jover, Roger Piqueras. “LTE security and protocol exploits.” Shmoocon 2016 (2016).

[3] Hong, Byeongdo, Sangwook Bae, and Yongdae Kim. “GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier.” In Symposium on Network and Distributed System Security (NDSS). ISOC. 2018.

[4] Kune, Denis Foo, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. “Location leaks on the GSM air interface.” ISOC NDSS (Feb 2012) (2012).

[5] Jover, Roger Piqueras. “Some key challenges in securing 5G wireless networks.” Electronic Comment Filing System, Jan(2017). [PDF]


UPDATE (06/28/2018) – The authors have released a website describing their findings and, more importantly, including a pre-print of the paper. As I had guessed, this is indeed based on my RNTI tracking techniques. The authors leverage those techniques to fingerprint web traffic and, despite it being encrypted, they can estimate who browses what websites. They test this with a bunch of top-50 Alexa sites. The other new attack, aLTEr, is very interesting. By exploiting the fact that certain layer 2 messages are encrypted but not integrity checked, they flip bits in the ciphertext in a very smart way to modify the destination IP for DNS queries, effectively redirecting any mobile device to, for example, a malicious domain when they believe they are browsing a legitimate service.
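To illustrate why encryption without integrity protection is not enough, here is an added example in Go (mine, not the authors’ code). `RelayModify` shows the textbook property aLTEr relies on: XORing a known plaintext difference into an AES-CTR ciphertext changes the decrypted bytes without knowing the key. `EncryptThenMAC` and `VerifyThenDecrypt` then show that an integrity tag (encrypt-then-MAC with HMAC-SHA256, bound to the packet counter) makes the same modification fail closed before anything is decrypted. The keys, the IV/counter layout and the packet contents are constructed for the example; it does not reproduce LTE PDCP framing or the EEA2/EIA2 key derivation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ctrXOR applies AES-128-CTR keyed by a per-packet counter, standing in for
// LTE's AES-CTR user-plane ciphering. Putting the counter in the first four IV
// bytes is a constructed layout, not the PDCP COUNT/BEARER/DIRECTION input.
func ctrXOR(key []byte, count uint32, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv, count)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// EncryptOnly / DecryptOnly model the user plane as the post describes it:
// confidentiality only, no integrity protection.
func EncryptOnly(key []byte, count uint32, pt []byte) ([]byte, error) { return ctrXOR(key, count, pt) }
func DecryptOnly(key []byte, count uint32, ct []byte) ([]byte, error) { return ctrXOR(key, count, ct) }

// RelayModify is the malleability itself: whoever can guess the plaintext at a
// given offset (a fixed header field, say) can turn it into any other value of
// the same length by XORing the difference into the ciphertext. No key needed.
func RelayModify(ct []byte, offset int, oldBytes, newBytes []byte) ([]byte, error) {
	if len(oldBytes) != len(newBytes) || offset < 0 || offset+len(oldBytes) > len(ct) {
		return nil, errors.New("old/new spans must have equal length and fit in the ciphertext")
	}
	out := append([]byte{}, ct...)
	for i := range oldBytes {
		out[offset+i] ^= oldBytes[i] ^ newBytes[i]
	}
	return out, nil
}

// tag computes HMAC-SHA256 over the packet counter and the ciphertext, so a
// modified PDU, or one replayed under another counter, no longer verifies.
func tag(macKey []byte, count uint32, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	var cb [4]byte
	binary.BigEndian.PutUint32(cb[:], count)
	m.Write(cb[:])
	m.Write(ct)
	return m.Sum(nil)
}

// EncryptThenMAC is the protected variant: ciphertext followed by the tag.
func EncryptThenMAC(encKey, macKey []byte, count uint32, pt []byte) ([]byte, error) {
	ct, err := ctrXOR(encKey, count, pt)
	if err != nil { return nil, err }
	return append(ct, tag(macKey, count, ct)...), nil
}

// VerifyThenDecrypt checks the tag in constant time before touching the ciphertext.
func VerifyThenDecrypt(encKey, macKey []byte, count uint32, pdu []byte) ([]byte, error) {
	if len(pdu) < sha256.Size { return nil, errors.New("PDU shorter than the tag") }
	ct, got := pdu[:len(pdu)-sha256.Size], pdu[len(pdu)-sha256.Size:]
	if !hmac.Equal(got, tag(macKey, count, ct)) {
		return nil, errors.New("integrity check failed: PDU modified in transit or counter mismatch")
	}
	return ctrXOR(encKey, count, ct)
}

func main() {
	encKey := []byte("0123456789abcdef") // constructed 128-bit keys, not from any LTE key hierarchy
	macKey := []byte("fedcba9876543210")
	pt := []byte("resolver=192.0.2.53 qname=example.net") // constructed packet with a known field
	old, repl := []byte("192.0.2.53"), []byte("192.0.2.66")

	ct, _ := EncryptOnly(encKey, 7, pt)
	mod, _ := RelayModify(ct, len("resolver="), old, repl)
	dec, _ := DecryptOnly(encKey, 7, mod)
	fmt.Printf("no integrity:   decrypts to %q\n", dec) // the field was silently changed

	pdu, _ := EncryptThenMAC(encKey, macKey, 7, pt)
	mod2, _ := RelayModify(pdu, len("resolver="), old, repl)
	_, err := VerifyThenDecrypt(encKey, macKey, 7, mod2)
	fmt.Println("with integrity:", err) // rejected before decryption
}
```

The point for the defender is that the decryption side cannot tell a flipped ciphertext from a genuine one unless something binds the ciphertext to a key, which is why the fix the authors advocate is integrity protection of the user plane rather than a different cipher.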

The paper seems to indicate that I did not test and implement RNTI tracking a couple of years ago, but I actually did. And I also showed a demo at HackerHalted in Atlanta back in 2016. Regardless, this new paper is excellent, and worth a read. Check out the references, as they link to some of the working documents from GSMA and 3GPP after receiving the authors’ disclosure about these protocol exploits. Interesting, though, that 3GPP and GSMA seem to only be concerned about the aLTEr exploit and not really worried about the other one (see the S3-181429 document from the 3GPP TSG SA WG3 Security Meeting #91).

(Originally posted as an article on LinkedIn)

The mobile and wireless communication industry is highly susceptible, as are most sectors in the information technology industry, to drowning in a sea of buzzwords. “5G” is a concept that has been thrown around frequently for the past 6 years or so to define a futuristic – and potentially hard to achieve – connectivity scenario in which speeds of 1Gbps are ubiquitous, sub-10ms latencies are the norm, and the network can take on 1,000 times more connected devices without any hiccups. This utopian connected world has always been promised to arrive in 2020, to coincide with the Tokyo Summer Olympics, with the first trials during the 2018 Winter Olympics.

While the buzz around 5G has spawned conferences, workshops, symposiums, industry consortiums, and tomes of scientific press, some great minds in both academia and industry have been working on actual technology which, unlike big stands at expos and conferences and flashy slide decks, will solve the 5G connectivity challenges. mmWave communications are the clear path towards being able to achieve gigabit rates ubiquitously in dense urban scenarios and, although radio signal propagation is very challenging at such high bands, massive MIMO (Multiple-Input Multiple-Output) and adaptive beamforming arrays are the promising technologies that will help close that gap.

While 5G has mostly been a buzzword attached to flashy presentations and keynotes during the last few years, this does not change the fact that there have been outstanding research and development advances in some of the key technology areas that will sustain the connectivity demands of the next decade. That is, things that will make the concept of 5G an actual reality. As a result of this excellent work, the first official release of the 3GPP standards for 5G communication systems was published in December 2017. The new proposed mobile communication system is known as New Radio (NR) and its Core Network (as opposed to the Radio Access Network) is known as 5G System (5G-S).

While the technology pillars for future 5G mobile systems were being developed, there has been a spike in excellent security research work in the general field of mobile communications, and LTE mobile networks more specifically. As I anticipated 2 years ago, open source platforms have provided the perfect tools for bright security researchers to work on outstanding research projects that have yielded the discovery of all sorts of implementation issues and communication protocol deficiencies in LTE mobile networks. In some cases, the technology press has picked up on some of the resulting scientific publications at top conferences, which has sent shockwaves throughout the mobile communications industry. Such great research has also driven security innovation and protocol improvements that are making mobile networks nothing but more secure and resilient.

For quite a few years, I have been among the advocates for piggybacking on the technology disruption of 5G to address the well-known and, in many cases, very concerning security and scalability issues in LTE mobile networks. Although the major breakthrough in 5G will be at the physical layer (PHY), we are long overdue on reconsidering the current circuit-switched architecture of core mobile networks and embracing a fully packet-switched architecture. Although the mobile core of LTE is already fully IP-based, the architecture of the network still heavily relies on circuits – known as bearers in 3GPP jargon – and complex state machines. Among many other reasons for embracing a packet-switched architecture, the goal of massive connectivity in 5G networks will never be achieved in current control plane signaling-constrained networks. This is especially true when the goal is achieving connectivity for 1,000 times more devices and the Internet of Things (IoT) is at our doorstep, waiting to enter the game. As a great point of reference for this massive challenge in mobile networks, I always like to refer my colleagues to the visionary paper by J Kim and Paul Henry.

In general, the disruption of 5G is indeed the perfect opportunity for major architectural changes in the core network, though this is a challenging goal. However, it would be a big loss if, at the very least, 5G was not used to address the minor, and narrower in scope, changes required to tackle concerning security exploits uncovered in LTE. By now, it is well understood that there are multiple ways an adversary could abuse the pre-authentication Radio Resource Control (RRC) and Non-Access Stratum (NAS) messages, both of which are neither authenticated nor encrypted. As such, LTE mobile networks and, more importantly, LTE smartphones and network equipment, are potentially vulnerable to certain privacy leaks and Denial of Service (DoS) attacks, as prototyped in the lab by several research projects over the last 5 years.

The first release of the NR and 5G-S standards (Release 15 of the 3GPP standards), with the initial specifications released in December 2017, makes a partial attempt at addressing such security issues. Interestingly, most of the security definitions were not included in the specifications until the updated documents released in March 2018. There are some ongoing efforts in protecting the International Mobile Subscriber Identifier (IMSI) using Public Key Infrastructure (PKI), likely motivated by the recent amount of press and media coverage on IMSI catchers, in addition to leveraging PKI to authenticate certain pre-authentication messages. However, it is still to be seen how certain challenges, such as how to authenticate or implement PKI with a subscriber roaming from another network – or even a foreign network – will be solved. There are also several edge cases in which null integrity and null ciphering are used, such as the initial registration procedure for emergency services (3GPP TS 24.501 V1.0.0 2018-03 – 4.4.2.1). Plus, the fact that null ciphering and null integrity are supported (3GPP TS 24.501 V1.0.0 2018-03 – Table 9.8.3.29.1) could potentially end up in insecure, unexpected protocol edge cases. Besides that, the sheer number of pre-authentication messages still exposes the protocols to potential security exploits.

I recently collaborated with a highly-renowned mobile security research team from academia (Prof. Jeffrey H. Reed and Dr. Vuk Marojevic at Wireless @ Virginia Tech) in a security analysis of the NR standards. In the past, both that team and I had been involved in research on protocol-aware jamming and the underlying vulnerability of LTE mobile networks to adversarial RF jamming. The goal of this latest security analysis was to investigate the feasibility of protocol-aware jamming in the proposed PHY layer in NR. The outcome of the study will be presented in the 1st IEEE Workshop on 5G Wireless Security coming up this May in Kansas City, but the results are already available to the public in our paper.

Although the outcome of the security analysis is not encouraging, one must acknowledge that it would have been a massive achievement to simultaneously tackle the challenge of gigabit connectivity, mmWave combined with massive MIMO and, on top of that, security and resiliency. Things at the higher protocol layers still look rather challenging as well. Despite my forays into PHY layer security and protocol-aware jamming, most of my security research work over the last 8 years has focused on protocol-level exploits on various wireless technologies, with great focus on 3GPP’s LTE as defined starting on Release 8. As one of the few researchers who has uncovered numerous protocol exploits that would result in DoS of mobile devices and privacy leaks, I was, and still am, optimistic about the role of 5G disruption in enhancing the security of mobile networks. And leveraging PKI is definitely a step in the right direction.

Nevertheless, what we have seen so far in the NR and 5G-S standards is not a complete solution yet, despite attempts to address protocol exploits. In parallel, there is also a set of new pre-authentication messages and new fields and configurations in existing messages. One must acknowledge, though, that fully securing mobile communication networks is a massive challenge that will require collaboration among academia, industry and researchers.

As a security researcher, many of my colleagues and I see the emerging landscape of 5G as a blank canvas to experiment with the potential security impact of adversarial tampering, spoofing and intercepting of these pre-authentication messages in NR and 5G-S. And it is critical that the security research community and the mobile communications industry work together in identifying such potential exploits and, more importantly, their root causes, so the security of the upcoming 5G networks can be enhanced in short order. There is still time until 2020 to enhance mobile communication networks even further.

Although we could – and perhaps should – be much closer by now, there is still a very long way to go to fully secure mobile communication networks. The same applies to reaching a flexible and truly scalable mobile architecture capable of supporting the connectivity demands of the future. However, the very active community of mobile security researchers will hopefully take us to that stage.

Equipped with an army of software radios, mostly USRP B210s, and my new toolset based on srsLTE, I continue my work on protocol-fuzzing mobile and wireless network standards with the goal of contributing to the security of the communication systems used by billions on a regular basis. In my case, time is now slightly scarcer due to my recent fatherhood. But, I continue to work and follow closely the excellent work of the few other teams in this research field, where outstanding graduate students and researchers are paving the way towards secure and reliable mobile communication networks.

This time, I cannot predict whether there will be a large number of new security exploits identified and prototyped in NR and 5G-S networks in the near future or a spike in mobile security findings in this field, mainly because there are no available test-beds or open source implementations of the Release 15 stack. But, as long as the folks behind tools such as srsLTE keep up their great work, it will not take long for the right tools to be available for applied security research on 5G mobile systems. And when that day comes, it is game on!

Roger Piqueras Jover is a Security Architect in the Office of the CTO at Bloomberg, where he is actively engaged in mobile and wireless security research. He maintains a bibliography of his previously released and published work at his personal website: http://rogerpiquerasjover.net.

I was setting up my new Windows 7 laptop today. And, as with every single Windows laptop I’ve had before, I set up a Linux VM on it. Although on my other laptop I run a paid VMware Workstation Pro license, on this particular laptop I am running the free VMware Workstation 14 Player.

I currently have two VMs set up, a custom Ubuntu one that I use mostly for development and tests and a Kali Linux one. If you are interested in radio security, you must install the kali-linux-sdr and kali-linux-wireless packages. Such a convenient way to get all your favorite tools nicely installed on your machine.

By the way, when setting up the Kali image, for some reason, the apt sources were not properly configured and I could not apt-get install kali-linux-sdr and kali-linux-wireless. A quick update of /etc/apt/sources.list fixed the issue. You can get the url to the various package repositories here (note: several of the ones listed do not actually work).

Anyhow, once all my SDR and radio tools were ready to run, I got to the main issue at hand. It is quite well known that running USB devices from within a VM is prone to errors and rather imperfect. Things seemed to work fine at first: upon plugging in my USRP B210, it was recognized by the driver and connected to the VM.

Running uhd_usrp_probe appeared to work well, as it loaded the firmware onto the USRP, but then it just couldn’t locate the device anymore. For some reason the VM gets lost in translation as, once the firmware is loaded, the USB device essentially changes and the VM loses it. And it took me quite some time to get it to work. I was close to leaving it for another day until I found a solution that worked well on both the Kali and Ubuntu images. Instead of running uhd_usrp_probe or any other application that probes and uses the USRP, the trick is to run first the b2xx_fx3_utils tool. Its path might be different depending on how you installed UHD, but in the Kali image it is in /usr/lib/uhd/utils. After running this tool the firmware is updated on the USRP and, from that moment on, everything works just fine. You will need to do this trick each time that you unplug the USRP and plug it again, as the firmware will need to be updated again.

Just when I thought I was done, I ran into a new challenge. Installing OpenLTE on Kali doesn’t work, as cmake cannot find the UHD libraries. Most likely a permissions issue or a weird installation path for UHD on Kali. But this is one that I’ll procrastinate on fixing, as I switched to doing all my development and experimentation for my LTE exploits security research with srsLTE.

Ever since becoming a father I’ve had very little time for research, but I have some new LTE protocol exploits in the kitchen being cooked. Once I have enough time to put together results and a talk, you’ll see me on the road to talk about it. I’m aiming for Spring time.

Happy new year everyone!

EDIT: A lot of people have been asking me about this. What this fixes is the USRP itself being used from within a VM. This does not fix the ancient issue of VMware with USB3 drivers. If you need to run something with the USRP that requires USB3 (e.g. an LTE base station at full 10MHz and ~30Msps), that will be VERY hard to do from within a VM. You are much better off creating a partition to run native Linux on your laptop for that.

If anyone ever manages to get the USRP over USB3 working from within a VM, please please please let me know!

Ever since back in 2010, when I started investigating what would happen if a radio adversary jammed specific LTE signaling channels – as opposed to barrage jamming of the entire LTE signal –, I have been very interested in what I referred to as Smart Jamming back in 2013 and again in 2014.

A team at Virginia Tech has been one of the main players in the research field of smart jamming, more commonly known as Protocol-Aware Jamming. Starting with their 2013 paper “Vulnerability of LTE to Hostile Interference”, this team has published a bunch of interesting results in this area, including a paper on which I collaborated with them.

The same team just released a pre-print version of their Milcom paper in which they actually implement smart jamming attacks against downlink signaling channels using off-the-shelf software defined radios and open-source software. It makes me happy every time there is a new excellent work in LTE security which implements and tests exploits, attacks and solutions using open-source software. Over a year ago I wrote a short article on how I anticipated a spike in excellent LTE security research work now that the open-source implementations of LTE have reached a high level of maturity.

In the case of the Virginia Tech paper, they implement their protocol-aware jamming use cases on top of the srsLTE tool, which has always been one of the most complete LTE open-source implementations and might currently be the best one. It is also, to date, the only tool that provides a full implementation of the UE LTE stack.

Read the paper on smart jamming implementation on SDRs running srsLTE here:

R. Rao, S. Ha, V. Marojevic, J.H. Reed, “LTE PHY Layer Vulnerability Analysis and Testing Using Open-Source SDR Tools”, IEEE MILCOM 2017, 23-25 Oct. 2017.

Happy Saturday!

ps. Dembele better be good. Let’s try to get Coutinho now. Though I feel terrible we are just adding more fuel to the fire of the over-inflated and out of control European soccer transfer market…

I was reading this morning a new paper on the topic of LTE IMSI catchers: https://arxiv.org/pdf/1702.04434.pdf

Mjølsnes, Stig F., and Ruxandra F. Olimid. “Easy 4G/LTE IMSI Catchers for Non-Programmers.” arXiv preprint arXiv:1702.04434 (2017).

Although this is old news, it is exciting to see that the recent discovery and implementation of LTE IMSI catchers by the team of Prof. Seifert at TU Berlin (Oct 2015 – https://arxiv.org/pdf/1510.07563.pdf) has sparked interest in this area. The paper also mentions the DoS threats that were introduced by the same team in [1]. I have also worked on and implemented LTE IMSI catchers and the DoS exploits myself in the past ([2] and [3]).

I was giving a talk on this topic last week at UC Irvine, trying to encourage graduate students to focus their PhD research in this area as there is still a lot of work to be done. We need the talented minds of graduate researchers to come up with new threats and, more importantly, solutions to these threats.

Back to this new paper, it is a great overview of IMSI catchers and it is great that the authors implemented the IMSI catcher using an alternative tool (Open Air Interface). I found it interesting, though, that they state that implementing an IMSI catcher on openLTE requires source code modification, such that it is not a viable option for “non-programmers”.

Although the claim that their implementation is for non-programmers is obviously correct, their LTE IMSI catcher uses very similar software and the same computing equipment as the ones in [1,2,3]. I would argue that adding 3 lines of code to openLTE is something a non-programmer could do as well. This is what the authors of [1] did. The only modification required in openLTE (as I have explicitly stated at every talk I have given) is mostly to add an fprintf statement where openLTE parses the AttachRequest message or the TAU/Location Area Update message, although one can do slightly fancier things.

Anyhow, maybe I am too optimistic and expecting a non-programmer to add an fprintf statement in openLTE is perhaps asking too much 🙂

Regardless, this new paper is great and very interesting and an excellent reference on this topic. I am wondering if they will be presenting their work at a conference soon?

I look forward to more and more research in this area.

[1] Shaik, Altaf, et al. “Practical attacks against privacy and availability in 4G/LTE mobile communication systems.” arXiv preprint arXiv:1510.07563 (2015).

[2] Jover, Roger Piqueras. “LTE security and protocol exploits.” ShmooCon (2016).

[3] Jover, Roger Piqueras. “LTE security, protocol exploits and location tracking experimentation with low-cost software radio.” arXiv preprint arXiv:1607.05171 (2016).

Authentication in mobile networks is executed leveraging a symmetric key system. For each mobile subscriber, there is a secret key that is known only by the mobile device and the network operator. Actually, it is not the device itself holding the key, but the SIM card. On the network side, in the case of LTE, the secret key is stored in the Home Subscriber Server (HSS).

Based on this pre-shared secret key, a mobile device and the network can mutually authenticate each other. This is not always the case, though. For some reason someone must have thought, when designing 2G-GSM, that having the end point authenticate the mobile network was not a requirement… too bad that not having mutual authentication opens the door to all types of rogue base station MitM attacks. Bad things also happen when this pre-shared “secret” key is sent from the SIM card manufacturer to the mobile operator in the clear on a bunch of DVDs and someone manages to steal them.
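As an added illustration of the point above (this is not code from the post, and not the 3GPP algorithm), here is a simplified pre-shared-key challenge/response in Go. HMAC-SHA256 stands in for the real Milenage functions, the subscriber key K and the RAND values are constructed, and the names NetworkChallenge, UERespond, RogueGetsResponse and the verifyNetwork switch are assumptions made for the example. The challenge has the same shape as LTE's AUTN (a sequence number plus a MAC under K), which is what lets the UE authenticate the network before it answers; with the check switched off, the GSM-style one-way model, the UE answers any base station, whether or not it holds K.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Simplified pre-shared-key AKA. Assumption: HMAC-SHA256 replaces the
// 3GPP Milenage functions; this is an illustration, not the real algorithm.

// Subscriber is the USIM-side state: the secret K and the last accepted SQN.
type Subscriber struct {
	K   []byte
	SQN uint64
}

// Challenge is the authentication vector the network sends to the UE.
type Challenge struct {
	RAND []byte
	SQN  uint64
	MAC  []byte // tag over RAND||SQN under K; only a holder of K can produce it
}

// prf derives a keyed tag over a domain label and the given parts.
func prf(k []byte, label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, k)
	m.Write([]byte(label))
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

func sqnBytes(sqn uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, sqn)
	return b
}

// NetworkChallenge is the HSS side: build the challenge for this subscriber
// and the expected response XRES that the serving network compares against.
func NetworkChallenge(k []byte, sqn uint64, rnd []byte) (Challenge, []byte) {
	mac := prf(k, "AUTN", rnd, sqnBytes(sqn))
	xres := prf(k, "RES", rnd)
	return Challenge{RAND: rnd, SQN: sqn, MAC: mac}, xres
}

// UERespond is the USIM side. With verifyNetwork=true the UE authenticates
// the network first (mutual authentication, as in LTE); with false it
// answers blindly (the GSM-style one-way model).
func UERespond(sub *Subscriber, ch Challenge, verifyNetwork bool) ([]byte, bool) {
	if verifyNetwork {
		expected := prf(sub.K, "AUTN", ch.RAND, sqnBytes(ch.SQN))
		if !hmac.Equal(expected, ch.MAC) {
			return nil, false // sender does not know K: rogue base station
		}
		if ch.SQN <= sub.SQN {
			return nil, false // stale sequence number: replayed challenge
		}
		sub.SQN = ch.SQN
	}
	return prf(sub.K, "RES", ch.RAND), true
}

// NetworkVerify completes the handshake on the network side.
func NetworkVerify(xres, res []byte) bool {
	return hmac.Equal(xres, res)
}

// RogueGetsResponse models a base station that does not hold K: it forges a
// challenge under a guessed key and reports whether the UE answered it.
func RogueGetsResponse(sub *Subscriber, rnd []byte, verifyNetwork bool) bool {
	forged, _ := NetworkChallenge([]byte("rogue-guess"), sub.SQN+1, rnd)
	_, answered := UERespond(sub, forged, verifyNetwork)
	return answered
}

func main() {
	k := []byte("constructed-subscriber-key-K") // constructed sample key
	sub := &Subscriber{K: k}
	rnd := make([]byte, 16)
	rand.Read(rnd)

	ch, xres := NetworkChallenge(k, 1, rnd)
	res, ok := UERespond(sub, ch, true)
	fmt.Println("legitimate network, mutual auth:", ok && NetworkVerify(xres, res))
	_, ok = UERespond(sub, ch, true)
	fmt.Println("replayed challenge accepted:", ok)
	fmt.Println("rogue answered under mutual auth:", RogueGetsResponse(sub, rnd, true))
	fmt.Println("rogue answered under one-way auth:", RogueGetsResponse(sub, rnd, false))
}
```

The last two lines of output are the whole story: the same UE, the same rogue, and the only difference is whether the UE checks the network's MAC before responding. The sequence number is what turns a valid old challenge into a rejected replay, which is why the USIM has to keep state across authentications.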

After years of security research in mobile networks, identifying, implementing and testing protocol exploits, I started thinking that perhaps it would be a good idea to transition the security architecture of mobile networks towards a PKI-based system. This is why I really enjoy reading research papers with PKI proposals for mobile networks, which is a rather rare topic in the research community. Thanks to Google Scholar, a very interesting paper showed up on my radar: Chandrasekaran, Varun, and Lakshminarayanan Subramanian. “A Decentralized PKI In A Mobile Ecosystem.”

PKI would increase the complexity of each cryptographic operation, but it is not as if the device and the network authenticate each other constantly. Definitely, a lot of research would have to be done to validate whether it would be possible.

With a PKI-based authentication architecture in mobile networks, so many cool things could potentially be done. For example, it is very well understood that, regardless of mutual authentication and strong encryption, a mobile device engages in a substantial exchange of unprotected messages with *any* LTE base station (malicious or not) that advertises itself with the right broadcast information (and this broadcast information is transmitted in the clear in the SIB broadcast messages). This is the source of a series of protocol exploits and attacks. Perhaps, by means of PKI, broadcast messages could be “signed” by the operator in a way that mobile devices could verify their freshness (to avoid replay attacks) and verify that the base station is legitimate. This would allow mobile devices to verify the legitimacy of a base station before starting to engage in RACH procedures, RRC connection establishments, NAS attach exchanges, etc.
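To make the "signed broadcast" idea concrete, here is an added example in Go (my own illustration, not code from the post or from the cited paper, and not a 3GPP format). It assumes a SignedSIB layout of payload plus a monotonically increasing freshness counter, signed with the operator's Ed25519 key; the key seeds, the PLMN/TAC/cell payload strings and the names SignSIB, UE.Accept and Scenario are all constructed for the example. A UE provisioned with the operator public key rejects a tampered SIB, a replayed one, and one signed by a cell that does not hold the operator key, which is exactly the check the paragraph wants to happen before RACH, RRC and NAS procedures start.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// SignedSIB is an assumed format for an operator-signed broadcast block:
// the SIB payload, a freshness counter, and the operator's Ed25519 signature
// over both. Illustration only; 3GPP defines no such structure.
type SignedSIB struct {
	Payload []byte
	Counter uint64
	Sig     []byte
}

// sibBytes is the exact byte string that gets signed: counter || payload.
func sibBytes(payload []byte, counter uint64) []byte {
	b := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(b, counter)
	copy(b[8:], payload)
	return b
}

// SignSIB is the operator / base station side.
func SignSIB(priv ed25519.PrivateKey, payload []byte, counter uint64) SignedSIB {
	return SignedSIB{Payload: payload, Counter: counter,
		Sig: ed25519.Sign(priv, sibBytes(payload, counter))}
}

// UE holds the provisioned operator public key and the highest counter seen.
type UE struct {
	OperatorPub ed25519.PublicKey
	LastCounter uint64
}

// Accept returns true only for an authentic, fresh SIB. A rejected SIB means
// the UE should not start RACH/RRC/NAS procedures towards that cell.
func (u *UE) Accept(s SignedSIB) bool {
	if !ed25519.Verify(u.OperatorPub, sibBytes(s.Payload, s.Counter), s.Sig) {
		return false // wrong key (rogue cell) or tampered payload
	}
	if s.Counter <= u.LastCounter {
		return false // replay of an old, validly signed SIB
	}
	u.LastCounter = s.Counter
	return true
}

// keyFromSeed derives a deterministic key pair from a seed string
// (constructed sample keys; a real deployment would use crypto/rand).
func keyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	b := make([]byte, ed25519.SeedSize)
	copy(b, seed)
	priv := ed25519.NewKeyFromSeed(b)
	return priv.Public().(ed25519.PublicKey), priv
}

// Scenario runs the four cases and returns the UE's acceptance decisions as
// [legitimate, tampered, replayed, rogue cell].
func Scenario() [4]bool {
	opPub, opPriv := keyFromSeed("constructed-operator-seed")
	_, roguePriv := keyFromSeed("constructed-rogue-seed")
	ue := &UE{OperatorPub: opPub}

	sib := SignSIB(opPriv, []byte("PLMN=00101 TAC=1 cell=7"), 41)
	legit := ue.Accept(sib)

	tampered := sib // copy of the struct; the new Payload below does not touch sib
	tampered.Payload = []byte("PLMN=00101 TAC=1 cell=9")
	tamperedOK := ue.Accept(tampered)

	replayedOK := ue.Accept(sib) // same counter 41 broadcast again

	rogue := SignSIB(roguePriv, []byte("PLMN=00101 TAC=1 cell=7"), 42)
	rogueOK := ue.Accept(rogue)

	return [4]bool{legit, tamperedOK, replayedOK, rogueOK}
}

func main() {
	r := Scenario()
	fmt.Println("legitimate:", r[0], "tampered:", r[1], "replayed:", r[2], "rogue cell:", r[3])
}
```

Two design points carry over to any real proposal: the freshness value has to be part of what is signed (here it is the first eight bytes of the signed string), otherwise an attacker can re-broadcast a captured, validly signed SIB, and the UE needs the public key of whichever operator it is trying to attach to, which is where roaming makes the provisioning question hard.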

Anyhow, a very interesting paper on cool things that could be done applying PKI to mobile networks. Worth reading.


I was recently contacted by someone with questions regarding a document I wrote (LTE PHY fundamentals) a few years ago as part of a class at Columbia University, which is hosted on my website. The confusion was regarding Doppler shift and the time separation of the reference signals in LTE.

Quoting the message:

I was trying to tell you that 500 km/h does not mean a Doppler shift that you wrote in your document. If the carrier frequency is low and the receiver is moving through the transmitter Doppler shift will be zero cos(90).

Please read the LTE documentation carefully: Universal Mobile Telecommunications System (UMTS); LTE; Requirements for Evolved UTRA (E-UTRA) and Evolved UTRAN (E-UTRAN). In chapter 7.3, it is clearly written that this speed can be from 15 to 120 in the best case with a Doppler shift, not 500 as you wrote and even calculated the Doppler shift.

After responding to the question, I thought that it would be a good idea to write a quick post here and reference it from my website to clarify this topic if other people had the same questions.

The 3GPP standards do account for mobility of up to 500 km/h. Checking ETSI TR 125 913 V9.0.0 (Universal Mobile Telecommunications System (UMTS); LTE; Requirements for Evolved UTRA (E-UTRA) and Evolved UTRAN) one can read:

The E-UTRAN shall support mobility across the cellular network and should be optimized for low mobile speed from 0 to 15 km/h. Higher mobile speed between 15 and 120 km/h should be supported with high performance. Mobility across the cellular network shall be maintained at speeds from 120 km/h to 350 km/h (or even up to 500 km/h depending on the frequency band). Voice and other real-time services supported in the CS domain in R6 shall be supported by EUTRAN via the PS domain with at least equal quality as supported by UTRAN (e.g. in terms of guaranteed bit rate) over the whole of the speed range. The impact of intra E-UTRA handovers on quality (e.g. interruption time) shall be less than or equal to that provided by CS domain handovers in GERAN.

The mobile speed above 250 km/h represents special case, such as high speed train environment. In such case a special scenario applies for issues such as mobility solutions and channel models. For the physical layer parametrization EUTRAN should be able to maintain the connection up to 350 km/h, or even up to 500 km/h depending on the frequency band.

Regarding this topic, Samsung did some very interesting experiments on the high speed case inside a plane flying at 750 km/h. Also, a recent paper was presented at a Sigcomm workshop whose TPC I was part of. It presented high speed measurements of LTE (check the paper titled “Performance of LTE in a High-velocity Environment: A Measurement Study”).

As for the Doppler shift, the Doppler equation does contain a cos(alpha), but alpha will only be 90 degrees when a mobile is right under the cell tower. In general, in mobile communications, one does not consider the special case of alpha=0 (see below for more details). Anyhow, system specifications are designed for the worst case scenario. In the case of LTE, the maximum possible Doppler shift is for the highest carrier frequency (~2 GHz at the time I wrote the document), V=500 km/h and alpha=0 (cos(0)=1). That is why the separation of the pilot tones in the LTE/OFDMA lattice is 0.5 ms (the derivation of the value 0.5 ms is in my document). Essentially, the Doppler shift defines the coherence time, which is the duration of time for which the channel does not change “substantially” or, more mathematically, the delay for which its autocorrelation is “higher” than a certain value (there are different ways to define coherence time depending on how “strict” one wants to be). Pilot tones or reference signals are used to sample the channel to perform equalization and other tricks. The Doppler shift defines the maximum sampling period that still samples the channel correctly. If the channel can change as fast as every 0.5 ms, one needs at least one sample every 0.5 ms. Therefore, the reference signals are separated by 0.5 ms, covering this way the worst case scenario for the coherence time.

Generally, in wireless communications for terrestrial applications, one usually does not even consider alpha because the heights of the towers (10 to 50 m or so) are much smaller than the distances between the mobile devices and the towers (up to 35 km for the biggest supported cells), so the value of alpha is always very small. However, in radar applications they do consider alpha because planes fly at high altitudes.
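As an added worked example (not the derivation from my LTE PHY document, which has its own), the numbers in the two paragraphs above can be carried through with the standard Doppler relation. The coherence-time convention $T_c \approx 1/(2 f_d)$ is one of the several loose definitions mentioned above, and the tower height and distance values are constructed for the illustration:

$$f_d = \frac{v}{c}\, f_c \cos\alpha$$

Worst case, with $v = 500\ \mathrm{km/h} \approx 138.9\ \mathrm{m/s}$, $f_c = 2\ \mathrm{GHz}$ and $\cos\alpha = 1$:

$$f_d = \frac{138.9}{3 \times 10^{8}} \cdot 2 \times 10^{9} \approx 926\ \mathrm{Hz}, \qquad T_c \approx \frac{1}{2 f_d} \approx 0.54\ \mathrm{ms}$$

so placing a reference signal at least once every $0.5\ \mathrm{ms}$ keeps consecutive channel samples within the coherence time even at 500 km/h. For the geometry, with a tower height $h = 50\ \mathrm{m}$ and a UE at ground distance $d = 1\ \mathrm{km}$:

$$\alpha = \arctan\!\left(\frac{h}{d}\right) \approx 2.9^\circ, \qquad \cos\alpha \approx 0.999$$

and at $d = 10\ \mathrm{km}$ the factor is $1 - \cos\alpha \approx 1.2 \times 10^{-5}$, which is why $\cos\alpha$ is simply dropped in terrestrial link calculations.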

Anyway, the best way to read about these concepts, explained much better than I did here, is to check Rappaport’s book.


I just added some LTE resources to my website. Some are links that I had already shared here on this blog, but some other material is new. I posted some material I prepared when I was back at Columbia University taking a class on LTE and WiMAX networks (all the documents were done by me except for the LTE link budget calculator). Some of the resources are:

More coming soon!

About me:

Born in Barcelona, moved to Los Angeles at age 24, ended in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.
About me: http://rogerpiquerasjover.net/
