
Yesterday, Google Scholar sent me an alert of a paper I might be interested in. It turns out, I am indeed very interested in it. This is a paper already accepted, in its new rolling window review process, for the IEEE Security and Privacy symposium of 2019 (link for this year’s symposium): Breaking LTE on Layer 2.

There is no available pre-print yet, but there’s an abstract already:

Long Term Evolution (LTE) is the latest mobile communication standard and has a pivotal role in our information society: LTE combines performance goals with modern security mechanisms and serves casual use cases as well as critical infrastructure and public safety communications. Both scenarios are demanding towards a resilient and secure specification and implementation of LTE, as outages and open attack vectors potentially lead to severe risks. Previous work on LTE protocol security identified crucial attack vectors for both the physical (layer one) and network (layer three) layers. Data link layer (layer two) protocols, however, remain a blind spot in existing LTE security research. In this paper, we present a comprehensive layer two security analysis and identify three attack vectors. These attacks impair the confidentiality and/or privacy of LTE communication. More specifically, we first present a passive identity mapping attack that matches volatile radio identities to longer lasting network identities, enabling us to identify users within a cell and serving as a stepping stone for follow-up attacks. Second, we demonstrate how a passive attacker can abuse the resource allocation as a side channel to perform website fingerprinting that enables the attacker to learn the websites a user accessed. Finally, we present the aLTEr attack that exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload. As a proof-of-concept demonstration, we show how an active attacker can redirect DNS requests and then perform a DNS spoofing attack. As a result, the user is redirected to a malicious website. Our experimental analysis demonstrates the real-world applicability of all three attacks and emphasizes the threat of open attack vectors on LTE layer two protocols.

It is always great news to see excellent security research on LTE published that is based on open source implementations of the LTE stack. This is something I anticipated a few years ago. I am also very familiar with the work of this new paper’s authors. They have worked on some really interesting security research work on LTE and I have discussed some of their most recent papers in this blog.

This new paper is particularly exciting because it seems to build on some of my work from a few years ago. Based on the abstract (“we first present a passive identity mapping attack that matches volatile radio identities to longer lasting network identities, enabling us to identify users within a cell and serving as a stepping stone for follow-up attacks”), it sounds like they are implementing RNTI-based user tracking and using it as the basis for a series of really interesting new attacks against LTE. I really look forward to reading the paper and learning more about the excellent work they did and the new protocol exploits they found.

Back in 2016 I presented at ShmooCon (slides and video) and published a paper discussing and implementing Denial of Service attacks against LTE and IMSI catchers on LTE and, relevant to this new paper, presenting and implementing in a real network, for the first time, a user location tracking attack leveraging the PHY layer identifier known as the RNTI (Radio Network Temporary Identifier). For details, see slides 31 to 44 here and section V.F of my paper from 2016.

In a nutshell, the RNTI is an identifier assigned during the RACH handshake in plain text (and thus easily captured with a simple LTE downlink sniffer such as AirScope from Software Radio Systems). It is included in plaintext in the header of every single PHY layer packet, which means it is present in the clear in all uplink and downlink packets of a connection. As such, it allows one to distinguish the traffic flows of multiple users and to track a given user, provided one can map the RNTI to something more persistent. As I implemented in my work a couple of years ago, mapping the RNTI to the TMSI or even the MSISDN (the phone number of the user) is trivial. Once one maps an RNTI to a TMSI, one can leverage paging messages to further expand the ability to track a user, as Kune showed in a really cool paper from a few years ago. I also recently read a paper that expands the ability to track users on LTE even further by using the GUTI.

A couple of years ago I also demo-ed at HackerHalted an implementation of an RNTI-based tracker running passively using a modified version of srsLTE and a USRP radio (see slides here).

The authors of “Breaking LTE on layer 2” seem to have implemented and tested the RNTI tracking techniques in their paper and used them as the stepping stone for new attacks that sound pretty cool and interesting, given what the abstract says. Hopefully we don’t have to wait until IEEE S&P 2019 (May 2019) to learn more details on their new research. Knowing the excellent work that these authors have published in recent years, I expect a very good paper that is likely to generate a lot of conversation and discussion. The more work in this area the better, as we need people talking about this and actively working on making mobile networks more secure. Really looking forward to reading their paper!

Related published work on user tracking and, specifically, RNTI tracking:

[1] Jover, Roger Piqueras. “LTE security, protocol exploits and location tracking experimentation with low-cost software radio.” arXiv preprint arXiv:1607.05171 (2016).

[2] Jover, Roger Piqueras. “LTE security and protocol exploits.” Shmoocon 2016 (2016).

[3] Hong, Byeongdo, Sangwook Bae, and Yongdae Kim. “GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier.” In Symposium on Network and Distributed System Security (NDSS). ISOC. 2018.

[4] Kune, Denis Foo, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. “Location leaks on the GSM air interface.” In Symposium on Network and Distributed System Security (NDSS). ISOC. February 2012.

[5] Jover, Roger Piqueras. “Some key challenges in securing 5G wireless networks.” FCC Electronic Comment Filing System, January 2017. [PDF]


UPDATE (06/28/2018) – The authors have released a web site describing their findings and, more importantly, including a pre-print of the paper. As I had guessed, this is indeed based on my RNTI tracking techniques. The authors leverage those techniques to fingerprint web traffic: despite the traffic being encrypted, they can estimate who browses which websites, and they test this against a set of Alexa top-50 sites. The other new attack, aLTEr, is very interesting. By exploiting the fact that LTE user-plane data at layer 2 is encrypted (in counter mode) but not integrity protected, they flip bits in the ciphertext in a very smart way to modify the destination IP address of DNS queries, effectively redirecting a mobile device to, for example, a malicious server while the user believes they are browsing a legitimate service.

The paper seems to indicate that I did not test and implement RNTI tracking a couple of years ago, but I actually did, and I also showed a demo at HackerHalted in Atlanta back in 2016. Regardless, this new paper is excellent and worth a read. Check out the references, as they link to some of the working documents from GSMA and 3GPP produced after receiving the authors’ disclosure of these protocol exploits. Interestingly, 3GPP and GSMA seem to be concerned only about the aLTEr exploit and not really worried about the other one (see document S3-181429 from the 3GPP TSG SA WG3 Security Meeting #91).
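
The bit flipping described in the update above is the textbook malleability of counter mode: the ciphertext is plaintext XOR keystream, so XORing the difference between a known plaintext field and the value the attacker wants into the ciphertext makes it decrypt to the attacker's value, with no knowledge of the key. The following is an added illustration of that principle, not code from the aLTEr authors or from any LTE stack. The keys, addresses and packet are constructed for the example, and the keystream is a SHA-256 based stand-in for AES-CTR (the effect depends only on the XOR, not on the block cipher). Two points a practitioner would want are included: the IPv4 header checksum covers the destination address, so the substitute address here is chosen to have the same one's-complement contribution (a generic way around that checksum, shown as an illustration and not as a description of how the paper handles it), and an integrity tag over the ciphertext (HMAC here, standing in for the user-plane integrity protection LTE lacked) catches the modification.

```python
import hashlib
import hmac
import struct
import ipaddress

# Added example of counter-mode malleability. Keys, addresses and the packet
# are constructed; SHA-256 stands in for AES-CTR as the keystream generator.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: block i = SHA-256(key || nonce || i)."""
    blocks = [hashlib.sha256(key + nonce + struct.pack(">Q", i)).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR in counter mode."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f">{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    return (~ones_complement_sum(header)) & 0xFFFF


def build_ipv4_udp(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Minimal IPv4 + UDP datagram with a correct IPv4 header checksum.
    The UDP checksum is left zero (optional in IPv4), so only the IP header
    checksum covers the destination address in this example."""
    udp = struct.pack(">HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                      64, 17, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


IPV4_DST_OFFSET = 16  # destination address is bytes 16..19 of the IPv4 header


def forge_destination(ciphertext: bytes, known_dst: str, new_dst: str) -> bytes:
    """Rewrite the encrypted destination address without the key.
    C = P xor K, so C xor (P xor P') = P' xor K: XORing the difference between
    the known and the desired plaintext into the ciphertext makes those four
    bytes decrypt to the desired address. Nothing else in the packet changes."""
    mask = xor_bytes(ipaddress.IPv4Address(known_dst).packed,
                     ipaddress.IPv4Address(new_dst).packed)
    lo, hi = IPV4_DST_OFFSET, IPV4_DST_OFFSET + 4
    return ciphertext[:lo] + xor_bytes(ciphertext[lo:hi], mask) + ciphertext[hi:]


def checksum_neutral(addr_a: str, addr_b: str) -> bool:
    """True if swapping addr_a for addr_b leaves the IPv4 header checksum valid:
    the attacker cannot patch the checksum field (its plaintext is unknown), so
    the substitute address must contribute the same one's-complement sum."""
    return (ones_complement_sum(ipaddress.IPv4Address(addr_a).packed)
            == ones_complement_sum(ipaddress.IPv4Address(addr_b).packed))


def receiver_checks(packet: bytes) -> dict:
    """What a plain IP stack sees after decryption: a valid header sums to 0xFFFF."""
    hdr = packet[:20]
    return {"dst": str(ipaddress.IPv4Address(hdr[16:20])),
            "ip_checksum_ok": ones_complement_sum(hdr) == 0xFFFF}


def run_demo() -> dict:
    enc_key, mac_key, nonce = b"constructed-enc-key", b"constructed-mac-key", b"\x00" * 8
    legit_dns, rogue_dns = "10.1.2.4", "10.2.2.3"   # constructed; same checksum contribution
    ue_packet = build_ipv4_udp("10.9.8.7", legit_dns, 53, b"constructed DNS query bytes")
    ct = ctr_crypt(enc_key, nonce, ue_packet)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()   # the integrity check LTE lacked
    forged = forge_destination(ct, legit_dns, rogue_dns)    # attacker never sees the key
    result = receiver_checks(ctr_crypt(enc_key, nonce, forged))
    result["neutral"] = checksum_neutral(legit_dns, rogue_dns)
    result["mac_ok"] = hmac.compare_digest(tag, hmac.new(mac_key, forged, hashlib.sha256).digest())
    return result


if __name__ == "__main__":
    print(run_demo())
```

Without the tag, the decrypted packet carries the attacker's destination and passes the IP header checksum, so the DNS query leaves for the rogue resolver; with the tag checked before decryption, the forged ciphertext is rejected. The same XOR works against any stream or counter-mode cipher, which is why the fix is integrity protection rather than a different cipher.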


I recently was approached by the FCC regarding an open call for feedback regarding 5G security and current security challenges in mobile security. The document that I submitted seems to be already in the public domain and can be accessed from here:

Some key challenges in securing 5G wireless networks

Direct link to the PDF.

I got this from a friend earlier today:!msg/blink-dev/eUAKwjihhBs/rpxMXjZHCQAJ (Google Chrome – Intent to deprecate and remove trust in existing Symantec-issued Certificates)

It seems that, after a series of failures by Symantec to properly validate certificates (an issue that appears to affect over 30,000 mis-issued certificates), Google Chrome is starting to deprecate and distrust Symantec-issued certificates.

I remember that last year a bunch of online services lost compatibility with Chrome because they were using Symantec-issued certificates. As highlighted in the notice linked above, this is not a new problem (see this post on Google’s Security Blog from 2015).

Quoting the notice from Google, Chrome is proposing the following steps:

  • A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.

  • An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.

  • Removal of recognition of the Extended Validation status of Symantec issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.

This is a pretty big deal and could result in a big mess of services ceasing to work with Chrome… for a good reason, though, as this is clearly meant to ensure the security of, and trust in, the certificates that anchor the Internet’s security infrastructure.

If you are a SysAdmin, they are requesting feedback on this proposal.

Folks are starting to talk about this on reddit and other forums. I expect this to be in the news tomorrow… or not. After all, they are not fully distrusting Symantec, but putting them in some sort of “probation period”.


Update (03/24/17): As expected, if you google today “Chrome Symantec certificates” you get a ton of news stories on this…

Mobile cellular communications are a fascinating world. Although there are impressive advances in technology in the research world – both academic and industrial research – the technological progress of such networks is driven by the standards community (i.e. 3GPP).

This is an approach that has worked since the inception of GSM and has delivered the impressive technology current smartphones use to connect to the Internet, stream the latest “cute dog doing something cute” video and watch the goals by Celta against Madrid in yesterday’s game (hooray for Celta!). In parallel, this model provides enough time for both equipment manufacturers and network operators to get a good return on the investment of billions of dollars of network equipment.

Nowadays, though, we are experiencing two technology trends that are challenging the status quo in wireless and mobile technology. For the first time ever, standards are late to cope with the demand – and the obscene amounts of potential revenue and services – in two key technological trends:

  • IoT: There is a massive demand for wireless connectivity for embedded M2M devices. For many applications, such as smart city, agriculture, smart grid, etc., some of the requirements are very cheap devices (the “target” used in the industry is $1 per chip) with very low battery consumption (again, the “target” from the industry is 10 years, though I think that is a bit optimistic). The demand is here, but the standards have not delivered. In this huge gap one can find two exciting trends: the money-making/raising machine of Sigfox and the LoRa/LoRaWAN community. Two new technologies fueling new services, new applications and exciting new ventures. Meanwhile, the 3GPP community is playing catch-up with LTE Cat-M and NB-IoT. (This document provides a bit of an overview. LoRa is much slower, but for the aforementioned applications one does not need much speed, and latency is not a major deal breaker either.)
  • Connected cars, self-driving cars, etc.: Similar scenario. Although self-driving car technology is still in its inception, there are already several use cases that require connectivity between vehicles and from vehicles to the “road”. 5G mobile networks aim at sub-10 ms latency and enough capacity to connect 1000x more devices, yet at this point no one really knows what 5G will be (other than the really exciting transition to mmWave and the application of massive antenna arrays and beamforming). In parallel, an alternative technology – Dedicated Short Range Communications – seems to be gaining momentum.

In both cases, once the mobile industry and the standards catch up and finally deploy 5G, LTE Cat-M/NB-IoT, all these alternative technologies might simply fade away. But, as of now, the folks at SigFox, the startups deploying smart-city applications running on LoRa, etc are making a lot of money and the status quo is not getting – yet – any piece of the cake.

Exciting times!

Today Apple will give more details on its new wearable device. Here is where you can follow the presentation live:


Ps. I always post links to the live blogs and streams for Apple events because once it resulted in 30k hits on my blog in a day. It’s been way less ever since, but I still do it as an experiment…

Looking forward to what Apple will release on September 9th? Experts argue that a new iPhone will be unveiled. And perhaps also the highly anticipated iWatch. Follow live the event from either of these live blogs:

Also, Apple will be broadcasting the event via streaming. You can access it here: Apple live video



My blog got all messed up and looks terrible because the themes are not working. Anyone else having the same problem?

Happy New Year, everyone!

Feliz Año Nuevo a todos!

Bon any nou a tothom!

This post, the last one until after Christmas Day and December 26th – Dec. 26th is Sant Esteve in Catalunya, also a holiday – will be devoted to a random and useless list of the best of the best of 2010.

First of all, the most used words and events of 2010 on Twitter were the World Cup – hooray for Spain! – and the BP oil spill. Do not miss SouthPark’s Coon Saga about the BP Oil Spill!

Let’s move to YouTube. Believe it or not, the most seen video of 2010 was this:

The whole thing comes from a real news story that you can’t miss for its surrealism. Justin Bieber wins the silver medal in this category.

Moving on to television. The most seen TV program of 2010 was this:

The most Googled words in Spain during 2010 were Facebook, Tuenti, YouTube, Hotmail and… Marca. It says a lot about our culture when one of the most googled words is a sports newspaper. I actually read it daily, despite its irritating Real Madrid/anti-Barcelona bias. They cheer for the wrong team but hey, they are the most complete sports newspaper in Spain and it makes my day when I read there about Barcelona’s victories or when we crush Real Madrid 5-0, 0-3, 2-6, 0-2, etc.

The most seen movie of 2010 and also the biggest money making movie of all time has been James Cameron’s Avatar.

Among others, a brief list of – according to me and my very low credibility – the biggest mistakes of 2010:

Finally, a quick list of my other favorites of 2010:

Merry Christmas everyone!

I apologize to any Real Madrid fans reading the blog; I couldn’t stop myself from posting this.


Read about the game at NY Times and at its Goal blog.

The highlights:

Extended highlights:


For some reason, the highlights keep being censored and removed from YouTube. If you check, you’ll see you can see the highlights of any other game in Spain. Apparently, somebody from Mediapro or Spain’s soccer federation is trying to hide the images of the humiliation so nobody can see them. Well, it won’t work:

About me:

Born in Barcelona, moved to Los Angeles at age 24, ended in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.