Professional Documents
Culture Documents
AbstractThe Long Term Evolution (LTE) is the latest mobile Given the widespread usage, with a subscription count
standard being implemented globally to provide connectivity and in the billions, securing the connectivity of mobile devices
access to advanced services for personal mobile devices. Moreover, is of extreme importance. The first generation of mobile
arXiv:1607.05171v1 [cs.CR] 18 Jul 2016
LTE networks are considered to be one of the main pillars for the networks (1G) lacked of support for encryption and legacy
deployment of Machine to Machine (M2M) communication sys- 2G networks lack of mutual authentication and implement an
tems and the spread of the Internet of Things (IoT). As an enabler
for advanced communications services with a subscription count
outdated encryption algorithm [5]. The wide availability of
in the billions, security is of capital importance in LTE. Although open source implementations of the GSM protocol stack has
legacy GSM (Global System for Mobile Communications) net- resulted in many security research projects unveiling several
works are known for being insecure and vulnerable to rogue base exploits possible on the GSM insecure radio link.
stations, LTE is assumed to guarantee confidentiality and strong
authentication. However, LTE networks are vulnerable to security Specific efforts were thus made to ensure confidentiality
threats that tamper availability, privacy and authentication. This and authentication in mobile networks, resulting in much
manuscript, which summarizes and expands the results presented stronger cryptographic algorithms and mutual authentication
by the author at ShmooCon 2016 [1], investigates the insecurity being explicitly implemented in both 3G and LTE. Based on
rationale behind LTE protocol exploits and LTE rogue base this, LTE is generally considered secure given this mutual
stations based on the analysis of real LTE radio link captures from authentication and strong encryption scheme. As such, con-
the production network. Implementation results are discussed fidentiality and authentication are wrongly assumed to be suf-
from the actual deployment of LTE rogue base stations, IMSI ficiently guaranteed. LTE mobile networks are still vulnerable
catchers and exploits that can potentially block a mobile device. to protocol exploits, location leaks and rogue base stations.
A previously unknown technique to potentially track the location
of mobile devices as they move from cell to cell is also discussed, Based on the analysis of real LTE traffic captures obtained
with mitigations being proposed. from live production networks in the areas of New York
City and Honolulu, this manuscript discusses the insecurity
rationale behind LTE protocol exploits and rogue base stations.
I. I NTRODUCTION Despite the strong cryptographic protection of user traffic
and mutual authentication of LTE, a very large number of
The Long Term Evolution (LTE) is the newest cellular control plane (signaling) messages are exchanged over an LTE
communications standard globally deployed. Regardless of radio link in the clear regularly. Before the authentication and
previous generations, with coexistence of different technolo- encryption steps of a connection are executed, a mobile device
gies for mobile access, all operators are globally converging to engages in a substantial conversation with *any* LTE base
LTE for next generation mobile communications. With a fully station (real or rogue) that advertises itself with the correct
redesigned PHYsical layer, built upon Orthogonal Frequency broadcast information. This broadcast information is sent in
Division Multiple Access (OFDMA), LTE networks provide the clear and can be easily sniffed [6], allowing an adversary
orders of magnitude higher rates and lower traffic latencies, to easily configure and set-up a rogue access point. Real
combined to a strong resiliency to multipath fading and overall samples of LTE broadcast traffic are captured and analyzed
improved efficiency in terms of bits per second per unit to exemplify this and discuss potential ways this information
of bandwidth. This highly improved Radio Access Network could be leveraged with a malicious intent.
(RAN), is architected over the Enhanced Packet Core (EPC)
network to provide connectivity to all types of mobile devices Motivated by this LTE protocol insecurity rationale, this
[2]. manuscript explores different areas of mobile network security
with low-cost software radio tools. Based on an open source
LTE cellular networks deliver advanced services for bil- implementation of the LTE stack, openLTE [7], a series of
lions of users, beyond traditional voice and short message exploits are demonstrated and implemented. Discussion is pro-
communications, as the cornerstone of todays digital and vided regarding the implementation of low-cost IMSI catchers
connected society. Moreover, mobile networks are one of the as well as exploits that allow blocking mobile devices, which
main enablers for the emergence of Machine to Machine were publicly introduced for the first time in [8] and shortly
(M2M) systems, with LTE expected to play a key role in the after also discussed in [1]. Moreover, based on the analysis
Inernet of Things (IoT) revolution [3]. Consequently, M2M of real LTE traffic captures, a new location information leak
and the IoT are often analyzed as key elements within the in the LTE protocol is introduced, which allows potentially
LTE security ecosystem [4]. tracking LTE devices as they move. Potential mitigations and
c Copyright 2016 Bloomberg L.P. All rights reserved. security discussions are provided for these exploits as well.
Distributed under the Creative Commons Attribution-Noncommercial-Share
Alike license (CC BY-NC-SA 4.0)
This manuscript is an extended report of the results pre-
sented in [1] and summarizes the authors research in LTE
mobile security and protocol exploits research over the last
few years. The remainder of the manuscript is organized as
follows. Section II introduces the relevant background on LTE
mobile network operation. Then, Section III and Section IV
discuss the tools leveraged to analyze and implement the LTE
protocol exploits herein introduced and details on the LTE
traffic captures analyzed, respectively. The rationale behind
the insecurity of LTE networks and discussion on LTE rogue
base stations and exploits are included in Section V. Section
VI overviews related work on mobile network exploit analysis
and security research. Finally, Section VII concludes the paper.
Fig. 5. Customized LTE cell scanner based on openLTE decoding and storing
eNodeB MIB and SIB packets
Aside from all the messages up to the Attach Request, there An IMSI catcher [18], commonly known as Stingray, is
is a long list of other packets transmitted in the clear that can an active radio device that impersonates a, commonly, GSM
be eavesdropped and spoofed. base station. In its most basic functionality, the IMSI catcher
receives connection/attach request messages from all mobile
UE measurement reports: These reports often contain a
devices in its vicinity. These attach messages are forced to
list of nearby towers and the received power from each
disclose the SIMs IMSI, thus allowing the IMSI catcher to
one of them, which can be potentially used to pinpoint the
retreive the IMSI for all devices in its vicinity. Stingrays, which
UEs location. In some rare cases, these contain explicitly
have been widely discussed in the generalist media recently,
the GPS coordinates of the device itself [17].
are known for being often used by law enforcement to track
Handover trigger messages: As discussed later, these
and locate suspects [19].
messages can be leveraged to track a target device as it
hands from tower to tower. More advanced Stingrays actually complete the network
Paging messages: These messages, used by the network attach process, fully impersonating a real base station. At that
to locate devices in order to deliver calls and incoming point, they can effectively act as a Man in the Middle (MitM)
connections, can be used to map a phone number to the for the devices connection as long as it forwards the traffic
internal id used by the network for each user. and calls into and from the real mobile network.
The remainder of this section discusses how to leverage Although it is well understood that a MitM Stingray is
these unprotected messages to build a Stingray, temporarily only possible in GSM, there is a general assumption that LTE
block devices and potentially track users. IMSI catchers are not possible or, at best, highly complex and
expensive [20]. However, a fully LTE-based IMSI catcher is
possible, very simple and very cheap to implement without re-
C. LTE IMSI catcher quiring to jam the LTE and 3G bands to downgrade the service
to GSM. In the context of this project, a fully operational IMSI
Although the IMSI should always be kept private and never
catcher was implemented on a USRP B210 running a modified
transmitted over the air, it is intuitive that it will be required
version of openLTE. A script was added to collect and store
to communicate it at least once. The very first time a mobile
the IMSI being disclosed by those devices within the radius
device is switched on and attempts to attach to the network,
of coverage of the IMSI catcher. The total budget to build the
it only has one possible unique identifier to be used in order
IMSI catcher was under $2000, including the radio, antennas,
to authenticate with the network: the IMSI. Once the device
GPS clock for the radio, etc. All experiments were carried out
attaches to an LTE network, a TMSI is derived and can be
in a Faraday cage and only three IMSIs were ever collected,
used thereafter to keep the IMSI secret [2].
namely the authors smartphone IMSI and the IMSI of two
As a result, regular operation of an LTE network requires LTE USB dongles. Figure 7 contains the capture of an Attach
that a mobile device discloses in the clear its IMSI in specific Request message with the IMSI of the authors phone, which
circumstances. For example, in the event that the network has was captured by means of the software-radio IMSI catcher.
never derived a TMSI for that user before or in the rare event
that the TMSI has been lost. Note that the IMSI is transmitted D. Temporary blocking mobile devices
in a message before the authentication and encryption steps of
the NAS attach process. This is precisely what an IMSI catcher The basic implementation of an LTE-based IMSI catcher
exploits. Figure 7 presents a real capture of an AttachRequest described in Section V-C replies with an Attach Reject message
message in which a mobile device is disclosing its IMSI. This to the Attach Request message, allowing the device to rapidly
was a controlled experiment with the authors smartphone in re-connect with the legitimate network. As with other pre-
an isolated environment. authentication messages, the Attach Reject message is sent in
Fig. 8. Mobile device temporary block by a rogue LTE base station
the clear, which can be exploited by an attacker to temporarily [21]. Therefore, even in the context of an embedded sensor,
block a mobile device. the DoS would only be sustained for 1 to 2 days. In some
applications, the impact of 24 hours of connectivity loss could
3GPP defines a series of cause codes that the network
be very high, specially in critical and security applications.
utilizes to indicate mobile devices the reason why, for example,
a connection is not allowed. These codes, are defined as EMM This same attack can be also carried over by means of
causes in the LTE specifications [21]. replying with a reject message to the Traffic Area Update
Some of the EMM causes indicate the device that it (TAU) message. By means of configuring a rogue base station
is not allowed to connect to the network (i.e. PLMN not with a different Tracking Area value than the surrounding
allowed EMM cause), which is a way a network provider legitimate eNodeBs, one can trigger TAU messages from the
can block a customer who engages in, for example, mobile devices that attempt to connect with the rogue base station.
fraud, spam, etc. Given that at the Attach Request stage in the
connection there is no authentication or encryption established This LTE protocol exploit, which was first introduced by
yet, any mobile device implicitly trusts the EMM cause codes the authors of [8] and later also discussed in [1], was imple-
regardless of the legitimacy of the base station. In other words, mented by means of a modified version of openLTE running
when the Attach Reject message is received, the base station is on a USRP B210. All the experiments were carried in a
not authenticated yet but the UE has to obey the Attach Reject controlled environment resulting in the blocking of the authors
message. smartphone and 2 LTE USB dongles. No experimentation
was carried over to determine the value of the timer T3245
If a rogue base station replies to an incoming connection because the author could not go about without phone for
with an Attach Reject message, it can fool the mobile device to 24 hours. Excellent further analysis and results of this threat
believe that it is not allowed to connect to that given network. were recently presented in [17] in an outstanding paper by the
As a result, the device will stop attempting to connect to any authors.
base station of the provider that was being spoofed by the
rogue eNodeB. Figure 8 illustrates this exploit by which a
rogue base station effectively prevents any mobile device in its E. Soft downgrade to GSM
radio communication range from connecting to the network,
resulting in a Denial of Service (DoS). Similarly to the DoS threat discussed in Section V-D, an
It is important to note that this is just a temporary DoS attacker can trigger a soft downgrade of the connection to
threat. By simply rebooting the device or toggling airplane GSM, known for being highly insecure [5]. Exploiting the
mode, the device is capable again to connect to the network. same TAU Reject and Attach Reject messages, a rogue base
Given that toggling airplane mode is commonly the first thing station can indicate a victim mobile device that it is not allowed
a user does when the cellular connection appears to be stalled, to access 3G and LTE services on that given operator (EPS
the impact of this DoS threat on smartphones would be minor. services not allowed EMM cause code). The target mobile
The impact could be more severe, though, in the case of an device will then only attempt to connect to GSM base stations,
embedded device servicing an application in the context of the as described in Figure 9.
IoT. In the case of an embedded sensor deployed in the field
An attacker could combine this with a rogue GSM base
with mobile network connectivity, it might be expensive and
station, which would open the doors to a full MitM threat, fully
time-consuming to send a technician to reboot all the sensors
eavesdropping all mobile network traffic. This would allow
being affected.
the attacker to listen to phone calls, read text messages and
LTE mobile devices implement a timer (T3245) which is a long list of other known GSM threats [22]. Moreover, by
started when an Attach Reject message blocks the device from configuring the rogue base station to target a specific user,
further attempting to connect. Upon expiration of this timer, the one could leverage this technology for a spearphishing threat
mobile device is allowed again to attempt to communicate and aiming to a specific device. As the device would not loose
attach with the blocked network. According to the standards, connectivity, the user might not realize it is connected through
this timer is configured to a value between 24 and 48 hours GSM unless.
Fig. 9. Mobile device soft downgrading to GSM by rogue LTE base station
F. LTE device tracking with C-RNTI connection and scheduling dedicated to a particular UE. Al-
though initially assigned as a temporary id, it is promoted to a
This sub-section introduces a previously unknown LTE
static value after connection establishment or re-establishment.
exploit that could potentially allow a passive adversary (i.e.
There is no explicit indications in the standards regarding
only sniffing capabilities) to locate and track devices and users
the requirements for the RNTI being refreshed periodically.
as they move. This location leak threat was first disclosed by
Observations of real LTE traffic from the major operators in the
the author in [1] and has already been discussed and analyzed
United States indicate that often the RNTI remains static for
with both GSMA and 3GPP.
long period of times. The authors smartphone was observed
The Cell Random Network Temporary Identifier (C-RNTI, to maintain the same RNTI for over 4 hours.
RNTI for short from here on) is a PHY layer identifier unique
per device within a given cell. In other words, there are no two
devices within a cell with the same RNTI. But there could be
two devices in adjacent cells with the same RNTI.
This 16-bit identifier is assigned to each mobile device
during the Random Access Procedure [2]. The eNodeB re-
sponds to the devices preamble with a MAC Random Access
Response (MAC RAR) message that indicates, in the clear, the
RNTI to be used by the device in that cell, as shown in Figure
10. Fig. 10. RNTI assignment in the RACH LTE procedure
Passive analysis of real LTE traffic indicates that the Further analysis of LTE traffic uncovered a potential way
RNTI is included in the header (unencrypted PHY layer a passive eavesdropper could track devices during mobility
encapsulation) of every single packet, regardless of whether handover events. In LTE, handovers are network-triggered.
it is signaling or user traffic. This allows, as shown in Figure Based on periodic measurement reports from the UEs, the
11, a passive observer to easily map traffic, regardless of its eNodeBs decide whether it is necessary to hand the connection
encryption, to an individual device or user. to an adjacent cell. As such, the handover is triggered by the
source eNodeB through the RRC Connection Reconfiguration
Mapping of a TMSI or MSISDN to the RNTI is trivial. message. In this packet, the source eNodeB indicates the UE
By means of silent text messages or other mobile terminated what is the destination eNodeB and provides some parameters
traffic, an attacker can identify the current RNTI of a given necessary for the UE to connect to the new tower. Upon
device. Once this PHY layer id is known, a passive eavesdrop- reception of this message, the UE performs a random access
per can know, for example, how long a given user stays at a procedure with the destination eNodeB, which assigns it a new
given location. Assuming that an average smartphone will keep RNTI. At this point, the handover is complete and the UE
connecting to the network to receive email, SMSs, Whatsap completes the RRC connection with the destination eNodeB.
messages, check for pull notifications and the like, there is
going to be frequent and periodic data traffic originated or During the investigation of LTE security and protocol
terminated at the device, allowing an eavesdropper to know the exploits, it was discovered that, in some cases, the RNTI that
user is still there, while perhaps a partner of the eavesdropper was initially assigned to the UE by the destination eNodeB was
is robbing the users apartment. Moreover, assuming that always quickly updated shortly after via an RRC Connection
the control plane traffic load for a mobile device is much Reconfiguration message from the source eNodeB. Further
lower than the actual user data load, the RNTI could also be inspection of the captures highlighted that, in the original RRC
leveraged to estimate the UL and DL data traffic load of a given Connection Reconfiguration message sent from the source
device. This could potentially allow and adversary to identify eNodeB to initiate the handover process, a new RNTI is
the connectivity hotspot of an ad-hoc LTE-based network, such explicitly provided by the eNodeB in a Mobility Control Info
as the ones being considered for both first responders [23] and container [25]. This RNTI being explicitly provided matches
tactical scenarios [24]. the RNTI that is assigned to the UE at the destination cell via
the RRC Connection Reconfiguration message.
Examination of the 3GPP standards [25] indicate that the
RNTI is defined as a unique id for identifying the RRC Based on observations of real LTE traffic, the message that
triggers the handover process appears to be sent in the clear.
As a result, a passive eavesdropper can potentially track a
given device in a cell and, upon a handover event, follow the
connection to the destination cell (indicated in the message
that triggers the handover) and intercept the RNTI that is
assigned to the device in this new cell. This location and
handover information leak was observed to not occur always.
Discussions with the GSMA security team indicated that the
RRC Connection Reconfiguration message that triggers the
handover should not be transmitted in the clear.