
I was reading this morning a new paper on the topic of LTE IMSI catchers:

Mjølsnes, Stig F., and Ruxandra F. Olimid. “Easy 4G/LTE IMSI Catchers for Non-Programmers.” arXiv preprint arXiv:1702.04434 (2017).

Although this is old news, it is exciting to see that the recent discovery and implementation of LTE IMSI catchers by the team of Prof. Seifert at TU Berlin (Oct 2015) has sparked interest in this area. The paper also mentions the DoS threats that were introduced by the same team in [1]. I have done some work and implementation of LTE IMSI catchers and the DoS exploits myself in the past as well ([2] and [3]).

I was giving a talk on this topic last week at UC Irvine, trying to encourage graduate students to focus their PhD research in this area as there is still a lot of work to be done. We need the talented minds of graduate researchers to come up with new threats and, more importantly, solutions to these threats.

Back to this new paper, it is a great overview of IMSI catchers and it is great that the authors implemented the IMSI catcher using an alternative tool (Open Air Interface). I found it interesting, though, that they state that implementing an IMSI catcher on openLTE requires source code modification, such that it is not a viable option for “non-programmers”.

Although the claim that their implementation is for non-programmers is obviously correct, their LTE IMSI catcher uses very similar software and the same computing equipment as the ones in [1,2,3]. I would argue that adding 3 lines of code to openLTE is something a non-programmer could do as well. This is what the authors of [1] did. The only modification required in openLTE (as I have explicitly stated at every talk I have given) is essentially to add an fprintf statement where openLTE parses the AttachRequest message or the TAU/Location Area Update message, although one can do slightly fancier things.

Anyhow, maybe I am too optimistic and expecting a non-programmer to add an fprintf statement in openLTE is perhaps asking too much 🙂

Regardless, this new paper is great and very interesting and an excellent reference on this topic. I am wondering if they will be presenting their work at a conference soon?

I look forward to more and more research in this area.

[1] Shaik, Altaf, et al. “Practical attacks against privacy and availability in 4G/LTE mobile communication systems.” arXiv preprint arXiv:1510.07563 (2015).

[2] Jover, Roger Piqueras. “LTE security and protocol exploits.” ShmooCon (2016).

[3] Jover, Roger Piqueras. “LTE security, protocol exploits and location tracking experimentation with low-cost software radio.” arXiv preprint arXiv:1607.05171 (2016).

Authentication in mobile networks is executed leveraging a symmetric key system. For each mobile subscriber, there is a secret key that is known only by the mobile device and the network operator. Actually, it is not the device itself holding the key, but the SIM card. On the network side, in the case of LTE, the secret key is stored in the Home Subscriber Server (HSS).

Based on this pre-shared secret key, a mobile device and the network can mutually authenticate each other. Though, this is not necessarily the case. For some reason someone must have thought, when designing 2G-GSM, that having the end point authenticate the mobile network was not a requirement… too bad that not having mutual authentication opens the door to all types of rogue base station MitM attacks. Bad things also happen when this pre-shared “secret” key is sent from the SIM card manufacturer to the mobile operator in the clear on a bunch of DVDs and someone manages to steal them.

After years of security research in mobile networks, identifying, implementing and testing protocol exploits, I started thinking that perhaps it would be a good idea to transition the security architecture of mobile networks towards a PKI-based system. This is why I really enjoy reading research papers with PKI proposals for mobile networks, which is a rather rare topic in the research community. Thanks to Google Scholar, a very interesting paper showed up on my radar: Chandrasekaran, Varun, and Lakshminarayanan Subramanian. “A Decentralized PKI In A Mobile Ecosystem.”

PKI would increase the complexity of each cryptographic operation, but it is not as if device and network authenticate each other constantly. Definitely, a lot of research would have to be done to validate whether it would be possible.

With a PKI-based authentication architecture in mobile networks, so many cool things could potentially be done. For example, it is very well understood that, regardless of mutual authentication and strong encryption, a mobile device engages in a substantial exchange of unprotected messages with *any* LTE base station (malicious or not) that advertises itself with the right broadcast information (and this broadcast information is transmitted in the clear in the SIB broadcast messages). This is the source of a series of protocol exploits and attacks. Perhaps, by means of PKI, broadcast messages could be “signed” by the operator in a way that mobile devices could verify their freshness (to avoid replay attacks) and verify that the base station is legitimate. This would allow mobile devices to verify the legitimacy of a base station before starting to engage in RACH procedures, RRC connection establishments, NAS attach exchanges, etc.
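To make the signed-broadcast idea concrete, here is an added example in Go (my own illustration, not code from the paper above nor anything from a 3GPP specification). The message layout, the per-cell counter used as the freshness value, the choice of Ed25519, and the sample PLMN/cell values are all assumptions made for the example; the point is the device-side check that runs before any RACH/RRC/NAS exchange.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// BroadcastInfo is the hypothetical signed payload an operator would attach
// to its system information: identity of the cell plus a freshness value.
type BroadcastInfo struct {
	PLMN    uint32 // operator identity (placeholder encoding, constructed for this example)
	CellID  uint32
	Counter uint64 // monotonically increasing per cell; carries the freshness
}

// encode serialises the fields with fixed widths so operator and device sign
// and verify exactly the same bytes.
func (b BroadcastInfo) encode() []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, b.PLMN)
	binary.Write(&buf, binary.BigEndian, b.CellID)
	binary.Write(&buf, binary.BigEndian, b.Counter)
	return buf.Bytes()
}

// SignBroadcast is the operator-side step: only the holder of the operator
// private key can produce a valid signature over the broadcast.
func SignBroadcast(priv ed25519.PrivateKey, info BroadcastInfo) []byte {
	return ed25519.Sign(priv, info.encode())
}

var (
	ErrBadSignature = errors.New("broadcast signature invalid: base station not authorised by operator")
	ErrReplay       = errors.New("broadcast counter not fresh: possible replay")
)

// Verifier holds the device-side state: the operator public key provisioned
// in advance (e.g. on the SIM) and the highest counter seen per cell.
type Verifier struct {
	operatorPub ed25519.PublicKey
	lastCounter map[uint32]uint64
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{operatorPub: pub, lastCounter: map[uint32]uint64{}}
}

// Accept returns nil only if the signature is the operator's and the counter
// is strictly newer than anything already seen for that cell. Only then would
// the device proceed to RACH / RRC / NAS procedures with this base station.
func (v *Verifier) Accept(info BroadcastInfo, sig []byte) error {
	if !ed25519.Verify(v.operatorPub, info.encode(), sig) {
		return ErrBadSignature
	}
	if last, seen := v.lastCounter[info.CellID]; seen && info.Counter <= last {
		return ErrReplay
	}
	v.lastCounter[info.CellID] = info.Counter
	return nil
}

// Demo runs four cases against one device: a genuine broadcast, the same
// broadcast replayed, a broadcast signed by a rogue key, and a genuine
// signature over a tampered payload. It returns the verdict for each.
func Demo() (genuine, replay, rogue, tampered error) {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	ue := NewVerifier(opPub)

	info := BroadcastInfo{PLMN: 12345, CellID: 7, Counter: 1000} // constructed values
	sig := SignBroadcast(opPriv, info)
	genuine = ue.Accept(info, sig)
	replay = ue.Accept(info, sig) // identical message seen again

	next := BroadcastInfo{PLMN: 12345, CellID: 7, Counter: 1001}
	rogue = ue.Accept(next, SignBroadcast(roguePriv, next)) // wrong key

	forged := next
	forged.CellID = 8 // payload altered after signing
	tampered = ue.Accept(forged, SignBroadcast(opPriv, next))
	return
}

func main() {
	g, r, k, t := Demo()
	fmt.Println("genuine :", g)
	fmt.Println("replay  :", r)
	fmt.Println("rogue   :", k)
	fmt.Println("tampered:", t)
}
```

Two design points worth noting. A per-cell counter only detects replay of a message older than one the device has already seen, so the very first broadcast a device hears for a cell is accepted on signature alone; a timestamp checked against a trusted device clock would close that window at the cost of needing such a clock. And because the device only ever holds the operator public key, compromise of a single base station never yields the ability to sign, which is the property a symmetric pre-shared scheme cannot give.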

Anyhow, very interesting paper on cool things that could be done applying PKI to mobile networks. Worth reading it.


I recently was contacted by someone with questions regarding a document I wrote (LTE PHY fundamentals) a few years ago as part of a class at Columbia University and that is hosted on my website. The confusion was regarding Doppler shift and the time separation of the reference signals in LTE.

Quoting the message:

I was trying to tell you that 500 km/h does not mean a Doppler shift that you wrote in your document. If the carrier frequency is low and the receiver is moving through the transmitter Doppler shift will be zero cos(90).

Please read the LTE documentation carefully: Universal Mobile Telecommunications System (UMTS); LTE; Requirements for Evolved UTRA (E-UTRA) and Evolved UTRAN (E-UTRAN). In chapter 7.3, it is clearly written that this speed can be from 15 to 120 in the best case with a Doppler shift, not 500 as you wrote and even calculated the Doppler shift.

After responding to the question, I thought that it would be a good idea to write a quick post here and reference it from my website to clarify this topic if other people had the same questions.

The 3GPP standards do account for mobility of up to 500km/h. Checking ETSI TR 125 913 V9.0.0 (Universal Mobile Telecommunications System (UMTS); LTE; Requirements for Evolved UTRA (E-UTRA) and Evolved UTRAN) one can read:

The E-UTRAN shall support mobility across the cellular network and should be optimized for low mobile speed from 0 to 15 km/h. Higher mobile speed between 15 and 120 km/h should be supported with high performance. Mobility across the cellular network shall be maintained at speeds from 120 km/h to 350 km/h (or even up to 500 km/h depending on the frequency band). Voice and other real-time services supported in the CS domain in R6 shall be supported by EUTRAN via the PS domain with at least equal quality as supported by UTRAN (e.g. in terms of guaranteed bit rate) over the whole of the speed range. The impact of intra E-UTRA handovers on quality (e.g. interruption time) shall be less than or equal to that provided by CS domain handovers in GERAN.

The mobile speed above 250 km/h represents special case, such as high speed train environment. In such case a special scenario applies for issues such as mobility solutions and channel models. For the physical layer parametrization EUTRAN should be able to maintain the connection up to 350 km/h, or even up to 500 km/h depending on the frequency band.

Regarding this topic, Samsung did some very interesting experiments on the high speed case inside a plane flying at 750km/h. Also, a recent paper was presented at a Sigcomm workshop whose TPC I was part of. It presented high speed measurements of LTE (check the paper titled “Performance of LTE in a High-velocity Environment: A Measurement Study”).

As for the Doppler shift, the Doppler equation does contain a cos(alpha) term, but alpha is only 90 degrees when the mobile is directly under the cell tower, and in mobile communications one does not design for that special case (see below for more details). In any case, system specifications are designed for the worst case scenario. In the case of LTE, the maximum possible Doppler shift occurs for the highest carrier frequency (~2GHz at the time I wrote the document), V=500km/h and alpha=0 (cos(0)=1). That is why the separation of the pilot tones in the LTE/OFDMA lattice is 0.5ms (the derivation of the 0.5ms value is in my document). Essentially, the Doppler shift defines the coherence time, which is the duration over which the channel does not change “substantially” or, more mathematically, the delay for which its autocorrelation stays “above” a certain value (there are different ways to define coherence time depending on how “strict” one wants to be). Pilot tones or reference signals are used to sample the channel in order to perform equalization and other tricks, and the Doppler shift defines the maximum sampling period that still samples the channel correctly. If the channel can change as fast as every 0.5ms, one needs at least one sample every 0.5ms. Therefore the reference signals are separated by 0.5ms, which covers the worst case scenario for the coherence time.

In wireless communications for terrestrial applications, one usually does not even consider alpha, because the heights of the towers (10 to 50m or so) are much smaller than the distances between the mobile devices and the towers (up to 35km for the biggest supported cells), so the value of alpha is always very small. However, in radar applications alpha does matter, because planes fly at high altitudes.
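The numbers above, worked through in Go. This is an added example, not the derivation from the author's document: the Doppler formula with its cos(alpha) term is standard, but the use of 1/(2 f_d) (sampling theorem on the fading process) as the pilot-spacing bound and the 0.423/f_d coherence-time rule are choices made for this example, one of the several definitions mentioned above rather than necessarily the one in the document. The tower-height geometry at the end shows why alpha is ignored in practice.

```go
package main

import (
	"fmt"
	"math"
)

// Speed of light in vacuum, m/s.
const speedOfLight = 299792458.0

// DopplerShiftHz returns f_d = (v / c) * f_c * cos(alpha) for a mobile moving
// at speedKmh with carrier carrierHz, where alphaDeg is the angle between the
// direction of motion and the line to the base station. alpha = 0 (moving
// straight toward or away from the tower) is the worst case; alpha = 90
// degrees gives zero shift.
func DopplerShiftHz(speedKmh, carrierHz, alphaDeg float64) float64 {
	v := speedKmh / 3.6 // km/h -> m/s
	return v / speedOfLight * carrierHz * math.Cos(alphaDeg*math.Pi/180)
}

// MaxChannelSamplePeriodMs applies the sampling theorem to the channel: a
// fading process varying at up to f_d hertz must be sampled at least 2*f_d
// times per second, so reference signals may be at most 1/(2 f_d) apart.
// (Assumption of this example: this is the bound behind the 0.5 ms spacing.)
func MaxChannelSamplePeriodMs(dopplerHz float64) float64 {
	return 1.0 / (2.0 * dopplerHz) * 1000.0
}

// CoherenceTimeMs uses one common rule of thumb, T_c ~ 0.423 / f_d (the
// geometric mean of the 1/f_d and 9/(16 pi f_d) definitions). Other
// definitions differ by a constant factor, as noted in the text.
func CoherenceTimeMs(dopplerHz float64) float64 {
	return 0.423 / dopplerHz * 1000.0
}

// GroundAngleDeg returns the elevation angle alpha (degrees) for a mobile
// driving straight toward a tower of height towerM at ground distance distM.
// For terrestrial cells alpha stays near zero except right under the tower.
func GroundAngleDeg(towerM, distM float64) float64 {
	return math.Atan2(towerM, distM) * 180 / math.Pi
}

func main() {
	fd := DopplerShiftHz(500, 2e9, 0)
	fmt.Printf("worst case (500 km/h, 2 GHz, alpha=0): f_d = %.1f Hz\n", fd)
	fmt.Printf("  max pilot spacing 1/(2 f_d) = %.3f ms\n", MaxChannelSamplePeriodMs(fd))
	fmt.Printf("  coherence time 0.423/f_d    = %.3f ms\n", CoherenceTimeMs(fd))
	fmt.Printf("same speed, alpha=90: f_d = %.3f Hz\n", DopplerShiftHz(500, 2e9, 90))
	for _, d := range []float64{50, 1000, 35000} {
		a := GroundAngleDeg(50, d)
		fmt.Printf("tower 50 m, distance %6.0f m: alpha = %5.2f deg, cos(alpha) = %.4f\n",
			d, a, math.Cos(a*math.Pi/180))
	}
}
```

With these inputs the worst-case shift comes out at roughly 927 Hz, the sampling bound at about 0.54 ms and the rule-of-thumb coherence time at about 0.46 ms, both of which land on the 0.5 ms spacing quoted above; at 1 km from a 50 m tower alpha is under 3 degrees and cos(alpha) is already 0.999.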

Anyways, the best way to read about these concepts and have them explained much better than I did here is to check Rappaport’s book.


I just added some LTE resources on my website. Some are links that I had already shared here in this blog, but some other stuff is new. I posted some material I prepared when I was back at Columbia University taking a class on LTE and WiMAX networks (all the documents were done by me except for the LTE link budget calculator). Some of the resources are:

More coming soon!

As I have been doing lately, here you have some stuff I found online that is very useful to me and might be very useful to you too:

  • LTE resource grid allocation: Very useful for quick calculations on raw capacity, throughput, etc. Also, very very useful for a nice visualization of the LTE resource allocation grid with all the control channels, etc.
  • Modulation and Coding Schemes list: Do you ever remember what are the coding rates typically used in QPSK, 16-QAM, 64-QAM…? Me neither. When I need to do a quick real throughput calculation I check them here.

Somewhere lost in my home computer I have an excel file that calculates the capacity of LTE (in bits per second) for all kinds of configurations. I did it as part of the class project from my LTE networks class at Columbia University. You fill in some input parameters and, voila!, there you have it. Not the greatest resource of all time at all, but it is useful. I’ll try to find it and post it here.

I wanted to quickly mention this really cool initiative. I read about it in the Barcelona newspaper La Vanguardia a few days ago, and now it seems it is reaching the US as well. The idea is to turn the homeless into 4G hotspots. Users are able to make donations to a paypal account the homeless owns in order to connect to the network. Really great idea. These are the kind of ideas in our field that really push to change the world.

From CNN Money:

It sounds like a headline from The Onion, but it’s true: A project called “Homeless Hotspots” is turning homeless Austin residents into mobile wireless hotspots outside the South by Southwest convention center.

It’s part marketing stunt, part genuine charitable initiative — and it’s generating lots of double-takes and chatter from those who pass by.

“I’m Melvin, a 4G hotspot,” reads the T-shirt of participant Melvin Hughes. “SMS HH Melvin to 25827 for access.”

Hughes is carrying a Verizon MiFi 4G hotspot. Texting his code sends back his network password, which the recipient can use to suck down a few minutes of fast broadband access — a scarce commodity at SXSW, a tech/film/music gathering that has drawn more than 20,000 visitors to Austin, Texas.

Access is pay-what-you-want, though $2 per 15 minutes is the suggested donation, payable through Paypal or Venmo. BBH Labs, the project’s organizer, says it will pay all the proceeds directly to the participant who made the sale.

I just read in the Barcelona newspaper (La Vanguardia) that Vodafone will launch, sometime during the next few weeks, the first LTE deployment in Spain. It will be an initial trial deployment with a couple of very specific customers from the corporate world. The trial will start (of course) in Barcelona and some areas of Madrid and will slowly be expanded to other metropolitan areas throughout next year.

The service will initially be offered only for computer USB modems given that an LTE-capable smart phone is yet to be launched in Spain.

Read about it here. (In Spanish)

Access it here.

Vodafone has recently released the very first femtocell solution available in Spain. Mainly focused on business customers (given our shaky economy, it will be very tough to convince my fellow Spaniards to spend money on anything right now, especially on something we have traditionally solved by leaving the phone next to the window), these femtocells will offer 3G coverage and will back-haul the traffic through the broadband connection, mainly ADSL in Spain.

With this new technology, enterprise customers of Vodafone Spain can have indoor access to Vodafone’s mobile voice and data network.

The femtocells have been designed by Huawei and include three patents held by the Vodafone Group Radio Competence Centre located in Spain.

Over 25,000 companies with more than 500,000 lines are now using the “in the cloud” communications services offered by Vodafone Office. With the launch of femtocells, Vodafone Office customers get privileged access to Vodafone’s mobile voice and data network.

This is not the first collaboration between Vodafone and Huawei. Vodafone recently teamed up with both Huawei and Ericsson to develop the LTE network in Germany, which is already launched in five states.

I recently received an email from Anritsu offering a free download of a white paper entitled “Future Technologies and Testing for Fixed Mobile Convergence, SAE and LTE in Cellular Mobile Communications”. A very interesting introduction to LTE networks and especially to LTE testing.

It can be downloaded here, and the offer includes a resource guide on LTE and a poster, the latter mailed for free to any address you provide. The resource guide includes all the specs and information on LTE networks and testing equipment and works very well as a quick reference guide when working on these kinds of topics.

About me:

Born in Barcelona, moved to Los Angeles at age 24, ended in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.