LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE

Syed Rafiul Hussain*, Omar Chowdhury†, Shagufta Mehnaz*, Elisa Bertino*
Purdue University*, University of Iowa†

Critical Infrastructure using Cellular Network
Security and Privacy Threats on Cellular Network

[Figure: subscribers are identified by their IMSI (IMSI = International Mobile Subscriber Identity); the threats shown leave victims with "No Service"]
Limitations of Existing Attack Finding Strategies for Cellular Networks

• No adversary: existing work just analyzes performance and reliability
• No systematic approach

Is it possible to build a systematic framework for adversarially analyzing the cellular network specification in order to find security and privacy related problems?
Scope

[Figure: procedures considered: Attach, Detach, Paging, SMS, VoLTE, Handover; attacker outcomes shown: Man-in-the-Middle, spurious billing, life threatening risks]
Outline

1. Challenges
2. Preliminaries
3. LTEInspector
4. Findings & Attack Validation
5. Responsible Disclosure and Impact
6. Future Work
7. Conclusion
Challenges

• Stateful procedures and multiple participants
• 4G LTE lacks a formal specification: the standard is written in natural language
• Closed system: proprietary
• Legal barrier: licensed spectrum
Background: LTE Architecture

[Figure: UEs attach over the air to eNodeBs; the eNodeBs connect to the Evolved Packet Core (EPC), which contains the MME, HSS, SGW, PGW and PCRF; the PGW connects to the Internet]
Background (Attach)

Participants: UE, eNodeB, Core Network. Phases, in order:

1. Connection Setup
2. Identification: Attach Request (IMSI/IMEI, UE's Security Capabilities), UE → network
3. Authentication: Challenge (LTE: Authentication Request), network → UE; Response (LTE: Authentication Response), UE → network
4. Security algorithm negotiation: Select the Security Algorithm (LTE: Security Mode Command), network → UE; Confirm (LTE: Security Mode Complete), UE → network
5. TMSI Exchange: Network accepts attach and allocates temporary identity (LTE: Attach Accept), network → UE; Confirm new temporary identity (LTE: Attach Complete), UE → network
Background (Paging & Detach)

[Figure: UE, eNodeB, MME]
• Paging: the MME sends paging_request to the UE via the eNodeB
• Detach: detach_request, answered by detach_accept
Adversary Model

• Dolev-Yao model
  • Eavesdrop
  • Drop or modify
  • Inject
  • Adheres to cryptographic assumptions

• Why the Dolev-Yao model?
  • Powerful adversary
  • Automated tools (ProVerif, Tamarin) can leverage it
Insight

• Property characteristics
  • Temporal ordering of events
  • Cryptographic constructs
  • Linear integer arithmetic and other predicates

• Intuition: a property combines a temporal trace, cryptographic constructs and linear integer arithmetic
  • Model checker: temporal trace properties and linear integer arithmetic
  • Cryptographic protocol verifier: cryptographic constructs

How can we leverage the reasoning power of these two?
LTEInspector

[Figure: the UE state machine, the core network state machine and the adversarial model are combined into a threat-instrumented abstract LTE ecosystem model; desired properties taken from the standard are checked by a cryptographic protocol verifier and a model checker; each counterexample is validated in a testbed, with domain knowledge, to yield attacks]
Abstract LTE Model

• Specification model for NAS layer (UE-MME) interactions
• Propositional logic level
• Model message types only, not message data
• Abstract away cryptographic constructs
• Two unidirectional channels

[Figure: UE and MME state machines. UE states: disconnected, waits for auth_request, authenticates MME; transition labels include attach_request, auth_request / auth_response, auth_failure, auth_reject ∨ detach_request / —, and mobile_restart / attach_request. MME states: disconnected, waits for auth_response, authenticates UE; transition labels include auth_response and auth_failure / —]
Adversarial Model Instrumentor

[Figure: a Dolev-Yao attacker sits between UE and MME. UE → MME messages: attach_request, auth_response, sec_mode_command, attach_complete. MME → UE messages: auth_request, sec_mode_command, attach_accept, paging_request. On adversary_turn, a message m_UE = attach_request may be replaced by no_operation (drop) or by detach_request (inject)]
Model Checker

• Temporal trace properties
  • Liveness: something good eventually happens
  • Safety: nothing bad happens
• NuSMV

Property: it is always the case that whenever the UE is in the "wait for auth request" state, it will eventually authenticate the MME.

[Figure: counterexample trace between the victim UE and the MME: the UE sends attach_request and, while waiting for auth_request, receives authentication_reject and ends up in the "Emergency calls only" state, never authenticating the MME]
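The abstract model, the adversarial instrumentor and the liveness property on the preceding slides can be reproduced in miniature. The following is an added example written for this page, not LTEInspector's NuSMV model or any code from the authors: it encodes the UE and MME as small state machines over message types only, with two one-slot unidirectional channels, adds a Dolev-Yao turn that may drop a message in flight or inject one towards the UE, and searches for a lasso-shaped counterexample to G (ue waits for auth_request → F ue authenticates MME). All state, message and function names, and the choice that auth_reject sends the UE to an "emergency calls only" state and detach_request to "disconnected", are this example's own assumptions.

```python
"""Toy explicit-state model checker for an abstract UE/MME attach model.

Added example, not LTEInspector's NuSMV model. Message types only, no
message data, no cryptography, two unidirectional channels (each holding
at most one message), and a Dolev-Yao instrumentor that on its turn may
drop a message or inject one towards the UE. Checked property:
    G (ue = waits_for_auth_request  ->  F ue = authenticates_mme)
A counterexample is a lasso: a reachable state satisfying the antecedent
followed by a cycle on which the consequent never holds. All names below
are this example's own choices (assumptions, not the paper's identifiers).
"""
from collections import namedtuple

# Global state: UE state, MME state, uplink channel, downlink channel.
State = namedtuple("State", "ue mme ue2mme mme2ue")

UE_DISCONNECTED = "ue_disconnected"
UE_WAITS_AUTH_REQUEST = "ue_waits_for_auth_request"
UE_AUTHENTICATES_MME = "ue_authenticates_mme"
UE_EMERGENCY_ONLY = "ue_emergency_calls_only"      # assumed target of auth_reject
MME_DISCONNECTED = "mme_disconnected"
MME_WAITS_AUTH_RESPONSE = "mme_waits_for_auth_response"
MME_AUTHENTICATES_UE = "mme_authenticates_ue"

INITIAL = State(UE_DISCONNECTED, MME_DISCONNECTED, None, None)
INJECTABLE_DOWNLINK = ("auth_reject", "detach_request")   # adversary's injection alphabet


def honest_successors(s):
    """Transitions of the honest UE and MME; a set, since the model is nondeterministic."""
    out = set()
    # UE side
    if s.ue == UE_DISCONNECTED and s.ue2mme is None:
        out.add(s._replace(ue=UE_WAITS_AUTH_REQUEST, ue2mme="attach_request"))
    if s.ue == UE_WAITS_AUTH_REQUEST and s.mme2ue == "auth_request" and s.ue2mme is None:
        out.add(s._replace(ue=UE_AUTHENTICATES_MME, mme2ue=None, ue2mme="auth_response"))
    if s.ue == UE_WAITS_AUTH_REQUEST and s.mme2ue == "auth_reject":
        out.add(s._replace(ue=UE_EMERGENCY_ONLY, mme2ue=None))
    if s.ue == UE_WAITS_AUTH_REQUEST and s.mme2ue == "detach_request":
        out.add(s._replace(ue=UE_DISCONNECTED, mme2ue=None))
    if s.ue == UE_EMERGENCY_ONLY:                       # mobile_restart
        out.add(s._replace(ue=UE_DISCONNECTED))
    # MME side: any attach_request (re)starts authentication
    if s.ue2mme == "attach_request" and s.mme2ue is None:
        out.add(s._replace(mme=MME_WAITS_AUTH_RESPONSE, ue2mme=None, mme2ue="auth_request"))
    if s.mme == MME_WAITS_AUTH_RESPONSE and s.ue2mme == "auth_response":
        out.add(s._replace(mme=MME_AUTHENTICATES_UE, ue2mme=None))
    return out


def adversary_successors(s):
    """Dolev-Yao instrumentation: drop either channel's message, or inject a downlink one."""
    out = set()
    if s.ue2mme is not None:
        out.add(s._replace(ue2mme=None))                # no_operation (drop)
    if s.mme2ue is not None:
        out.add(s._replace(mme2ue=None))
    else:
        for msg in INJECTABLE_DOWNLINK:
            out.add(s._replace(mme2ue=msg))            # inject
    return out


def find_counterexample(initial=INITIAL, adversary=True):
    """Check G(p -> F q). Return (prefix, cycle) as lists of States, or None if it holds."""
    def succ(s):
        nxt = honest_successors(s)
        return nxt | adversary_successors(s) if adversary else nxt
    p = lambda s: s.ue == UE_WAITS_AUTH_REQUEST
    q = lambda s: s.ue == UE_AUTHENTICATES_MME
    # 1. enumerate reachable states, remembering how each was reached
    parent, todo = {initial: None}, [initial]
    while todo:
        s = todo.pop()
        for n in succ(s):
            if n not in parent:
                parent[n] = s
                todo.append(n)
    # 2. from every p-state, look for a cycle that stays inside q-free states
    for start in parent:
        if not p(start):
            continue
        stack, on_stack, seen = [(start, iter(succ(start)))], {start}, {start}
        while stack:
            cur, it = stack[-1]
            n = next(it, None)
            if n is None:
                stack.pop(); on_stack.discard(cur)
            elif q(n):
                continue                                # the good thing happened: prune
            elif n in on_stack:                          # back edge: q-free cycle found
                states = [st for st, _ in stack]
                prefix, s = [], start
                while s is not None:
                    prefix.append(s); s = parent[s]
                return prefix[::-1], states[states.index(n):] + [n]
            elif n not in seen:
                seen.add(n); on_stack.add(n)
                stack.append((n, iter(succ(n))))
    return None


if __name__ == "__main__":
    print("without adversary:", find_counterexample(adversary=False))   # None: property holds
    prefix, cycle = find_counterexample(adversary=True)
    for st in prefix + cycle[1:]:
        print(st)
```

Run without the adversary the search finds no lasso, so the property holds on the honest model; with the instrumentor enabled it returns a prefix ending in the "waits for auth_request" state and a cycle of drops, injected rejects or detaches and restarts on which the UE never authenticates the MME, which is the shape of the counterexample on the slide. What distinguishes a real finding from model noise is exactly the testbed step that follows in the pipeline.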
Cryptographic Protocol Verifier

• Injective correspondence (authentication): every authentication_reject message received by the UE must have been sent by the core network
• ProVerif
  • Secrecy
  • Authenticity
  • Observational equivalence
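The injective-correspondence property above is what ProVerif proves symbolically over all traces. As an added example (not code from the authors or from ProVerif), the script below applies the same property to concrete message traces, the way a runtime monitor over captured NAS logs would: every authentication_reject the UE receives must match exactly one authentication_reject the core network sent. The log line format, the principal names UE and CN, and the correlation ids are constructed for this example.

```python
"""Trace-level check of the injective-correspondence property
"every authentication_reject received by the UE was sent by the core network".

Added example. ProVerif proves this over all traces of a symbolic model;
this script only checks concrete traces (a runtime-monitor view of the
same property). Log format, principals and message ids are constructed.
"""
import re
from collections import Counter

# Constructed log format: "<step> <sent|recv> <principal> <message> id=<n>"
LINE = re.compile(r"^(\d+)\s+(sent|recv)\s+(\S+)\s+(\S+)\s+id=(\d+)$")


def parse_trace(text):
    """Parse log lines into (step, kind, principal, message, id) tuples, ordered by step."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable trace line: {raw!r}")
        step, kind, who, msg, mid = m.groups()
        events.append((int(step), kind, who, msg, int(mid)))
    return sorted(events)


def check_injective_correspondence(events, msg="authentication_reject",
                                   sender="CN", receiver="UE"):
    """Return a list of violations; an empty list means the property holds on this trace.

    Each recv of `msg` at `receiver` with id n needs an earlier sent of `msg`
    by `sender` with the same id (correspondence), and each send justifies at
    most one receive (injectivity, i.e. no replay or duplication).
    """
    violations, sends, used = [], set(), Counter()
    for step, kind, who, m, mid in events:
        if m != msg:
            continue
        if kind == "sent" and who == sender:
            sends.add(mid)
        elif kind == "recv" and who == receiver:
            if mid not in sends:
                violations.append(f"step {step}: {receiver} received {msg} id={mid} "
                                  f"that {sender} never sent")
            elif used[mid] >= 1:
                violations.append(f"step {step}: {receiver} received {msg} id={mid} "
                                  f"a second time (replay)")
            used[mid] += 1
    return violations


# Constructed sample traces.
HONEST_TRACE = """
1 sent UE attach_request id=1
2 recv CN attach_request id=1
3 sent CN authentication_reject id=2
4 recv UE authentication_reject id=2
"""
INJECTED_TRACE = """
1 sent UE attach_request id=1
2 recv UE authentication_reject id=9
"""
REPLAYED_TRACE = """
1 sent CN authentication_reject id=2
2 recv UE authentication_reject id=2
3 recv UE authentication_reject id=2
"""


def run_all():
    """Check the three constructed traces; returns {name: [violations]}."""
    return {name: check_injective_correspondence(parse_trace(t))
            for name, t in (("honest", HONEST_TRACE),
                            ("injected", INJECTED_TRACE),
                            ("replayed", REPLAYED_TRACE))}


if __name__ == "__main__":
    for name, found in run_all().items():
        print(name, "->", found or "ok")
```

The honest trace passes, the injected trace fails the correspondence half (a reject with no matching send), and the replayed trace fails the injectivity half (one send, two receives). A symbolic verifier closes the gap that no finite set of captured traces can: it shows no such trace exists in the model at all.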
Testbed Validation

• Malicious eNodeB setup (USRP, OpenLTE, srsLTE)
• Malicious UE setup (USRP, srsUE)
• COTS smartphones
• SIM cards of four major US carriers
• Custom-built core network

[Figure: testbed hardware: USRP, OpenLTE, srsLTE, and USIM]
Findings

• Uncovered 10 new attacks

Attack                          Procedure   Responsible          Notable Impacts
Auth Sync. Failure              Attach      3GPP                 DoS
Traceability                    Attach      carriers             Coarse-grained location tracking
Numb using auth_reject          Attach      3GPP, smartphones    DoS
Authentication relay            Attach      3GPP                 Location spoofing
Paging Channel Hijacking        Paging      3GPP                 DoS
Stealthy Kicking-off            Paging      3GPP                 DoS, coarse-grained location tracking
Panic                           Paging      3GPP                 Artificial chaos for terrorist activity
Energy Depletion                Paging      3GPP                 Battery depletion/DoS
Linkability                     Paging      3GPP                 Coarse-grained location tracking
Targeted/Non-targeted Detach    Detach      3GPP                 DoS

• Identified 9 prior attacks: IMSI-catching, DoS, Linkability, MitM in 3G and 2G, etc.
Authentication Synchronization Failure Attack

Assumption:
• Victim UE's IMSI
• Malicious UE setup

[Figure: Malicious UE, Victim UE, Core Network. Initially SQN_UE = x and SQN_CN = x. The malicious UE sends attach_request (IMSI) repeatedly; each request increments the core network's sequence number (SQN_CN++) while the victim's SQN_UE stays at x]

UE and CN sequence numbers get desynchronized.
Panic Attack

[Figure: a paging (ETWS) message is broadcast to the UEs in the cell]
Attack Chaining (Authentication Relay or Mafia Attack)

[Figure: two locations, Indiana and California. The Attach_request, Authentication_request and Authentication_response messages are relayed between the two locations; figure labels: NID, Connected]
Responsible Disclosure and Impacts

• Mobile network operators
  • Resolved the issue of using EEA0 (no encryption)
  • Other issues are in progress
Future Work

[Figure: protocol stack between UE, eNodeB and MME: the NAS layer runs end to end between UE and MME, with the RRC layer beneath it; numbered callouts 1 (NAS), 2 (decoded RRC paging message) and 3 (RRC)]

Decoded RRC paging message (PCCH):

PCCH-Message ::= SEQUENCE
  +-message ::= CHOICE [c1]
    +-c1 ::= CHOICE [paging]
      +-paging ::= SEQUENCE [0110]
        +-pagingRecordList ::= SEQUENCE OF OPTIONAL:Omit
        +-systemInfoModification ::= ENUMERATED [true] OPTIONAL:Exist
        +-etws-Indication ::= ENUMERATED [true] OPTIONAL:Exist
        +-nonCriticalExtension ::= SEQUENCE OPTIONAL:Omit
Conclusion

• Proposed a systematic approach for analyzing the specification
• Uncovered 10 new attacks and 9 prior attacks
• Validated most of the attacks in a testbed

https://github.com/relentless-warrior/LTEInspector

Questions
Cryptographic Protocol Verifier

• Injective correspondence (authentication): every authentication_reject message received by the UE must have been sent by the core network
• ProVerif
  • Secrecy
  • Authenticity
  • Observational equivalence (hyper-properties)

• Why not ProVerif only?
  • Rich temporal trace properties
  • Constraints on linear integer arithmetic
Traceability attack

Assumption:
• Victim UE's IMSI
• Malicious UE setup
• security_mode_command

[Figure: during an attach (attach_request ... security_mode_command (MAC, nonce) ... attach_complete) the security_mode_command is observed; when the same security_mode_command is later delivered again, one UE answers security_mode_complete while another answers security_mode_reject, and the difference in response distinguishes the two]
Numb Attack

Assumption: malicious eNodeB setup
• Learn from SystemInformationBlock messages

[Figure: a UE that is Connected (label: NID) sends tracking_area_update_request, receives authentication_reject, and ends up in the "Emergency calls only" state]