SlideShare a Scribd company logo

LTE Redirection attacks: Zhang Shan

Darren Pauli
Darren Pauli

Presentation given at DEF CON 24 and Ruxcon 12.

Technology
1 of 31
Download to read offline
LTE REDIRECTION Forcing Targeted LTE Cellphone into Unsafe Network Wanqiao Zhang Unicorn Team – Communication security researcher Haoqi Shan Unicorn Team – Hardware/Wireless security researcher Qihoo 360 Technology Co. Ltd.
LTE and IMSI catcher myths • In Nov. 2015, BlackHat EU, Ravishankar Borgaonkar, and Altaf Shaik etc. introduced the LTE IMSI catcher and DoS attack.
IMSI Catcher Once a cellphone goes through the fake network coverage area, its IMSI will be reported to the fake network.
DoS Attack DoS message examples: ü You are an illegal cellphone! ü Here is NO network available. You could shut down your 4G/3G/2G modem.
Redirection Attack Malicious LTE: “Hello cellphone, come into my GSM network…”
Demo Fake LTE Network Fake GSM Network USRPs
Demo Video
Risk • If forced into fake network • The cellphone will have no service (DoS). • The fake GSM network can make malicious call and SMS. • If forced into rogue network • All the traffic (voice and data) can be eavesdropped. A femtocell controlled by attacker
LTE Basic Procedure • (Power on) • Cell search, MIB, SIB1, SIB2 and other SIBs • PRACH preamble • RACH response • RRC Connection Request • RRC Connection Setup • RRC Connection Setup Complete + NAS: Attach request + ESM: PDN connectivity request • RRC: DL info transfer + NAS: Authentication request • RRC: UL info transfer + NAS: Authentication response • RRC: DL info transfer + NAS: Security mode command • RRC: UL info transfer + NAS: Security mode completer • …… Unauthorized area Attack Space!
Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI!
Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone.
Procedure of Redirection Attack RRC Release message can bring the cell info which it can let cellphone re-direct to.
How to Build Fake LTE Network • Computer + USRP
How to Build Fake LTE Network • There are some popular open source LTE projects: • Open Air Interface by Eurecom • http://www.openairinterface.org/ • The most completed and open source LTE software • Support connecting cellphone to Internet • But have complicated software architecture • OpenLTE by Ben Wojtowicz • http://openlte.sourceforge.net/ • Haven’t achieved stable LTE data connection but functional enough for fake LTE network • Beautiful code architecture • More popular in security researchers OpenLTE
OpenLTE Source Code (1/3) In current OpenLTE release, the TAU request isn’t handled. But TAU reject msg packing function is available. So we could add some codes to handle TAU case and give appropriate TAU reject cause.
Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI!
OpenLTE Source Code (1/3) Set the mme procedure as TAU REQUET Call the TAU reject msg packing function Refer to Attach reject function
OpenLTE Souce Code (2/3) DoS attack can directly utilize the cause setting in Attach Reject message.
Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone.
OpenLTE Source Code (3/3) redirectCarrierInfo can be inserted into RRC Connection Release message.
OpenLTE Source Code (3/3)
Procedure of Redirection Attack RRC Release message can bring the cell info which it can let cellphone re-direct to.
Think from the other side Attacker Defender Why is RRC redirection message not encrypted?
Is This a New Problem? • "Security Vulnerabilities in the E-RRC Control Plane", 3GPP TSG-RAN WG2/RAN WG3/SA WG3 joint meeting, R3-060032, 9-13 January 2006 • This document introduced a ‘Forced handover’ attack: An attacker with the ability to generate RRC signaling—that is, any of the forms of compromise listed above—can initiate a reconfiguration procedure with the UE, directing it to a cell or network chosen by the attacker. This could function as a denial of service (if the target network cannot or will not offer the UE service) or to allow a chosen network to “capture” UEs. An attacker who already had full control of one system (perhaps due to weaker security on another RAT) could direct other systems’ UEs to “their” network as a prelude to more serious security attacks using the deeply compromised system. Used in this way, the ability to force a handover serves to expand any form of attack to UEs on otherwise secure systems, meaning that a single poorly secured network (in any RAT that interoperates with the E-UTRAN) becomes a point of vulnerability not only for itself but for all other networks in its coverage area.
3GPP’s Decision • “Reply LS on assumptions for security procedures”, 3GPP TSG SA WG3 meeting #45, S3-060833, 31st Oct - 3rd Nov 2006 (1) RRC Integrity and ciphering will be started only once during the attach procedure (i.e. after the AKA has been performed) and can not be de- activated later. (2) RRC Integrity and ciphering algorithm can only be changed in the case of the eNodeB handover.
Why 3GPP Made Such Decision • In special cases, e.g. earthquake, hot events • Too many people try to access one base station then make this base station overloaded. • To let network load balanced, this base station can ask the new coming cellphone to redirect to another base station. • If you don’t tell cellphones which base station is light-loaded, the cellphones will blindly and inefficiently search one by one, and then increase the whole network load. Overloaded Base station Overloaded Base station Overloaded Base station Light-loaded Base station
Network Availability vs.. Privacy • Global roaming • Battery energy saving • Load balance • IMSI Catcher • DoS Attack • Redirection Attack VS. Basic requirement High level requirement e.g. Wifi MAC addr tracking
Countermeasures (1/2) • Cellphone manufacture – smart response • Scheme 1: Don’t follow the redirection command, but auto-search other available base station. • Scheme 2: Follow the redirection command, but raise an alert to cellphone user: Warning! You are downgraded to low security network.
Countermeasures (2/2) • Standardization effort • Fix the weak security of legacy network: GSM • 3GPP TSG SA WG3 (Security) Meeting #83, S3-160702, 9-13 May 2016 Legacy Security Issues and Mitigation Proposals, Liaison Statement from GSMA. • Refuse one-way authentication • Disabling compromised encryption in mobile
Acknowledgements • Huawei • Peter Wesley (Security expert) • GUO Yi (3GPP RAN standardization expert) • CHEN Jing (3GPP SA3 standardization expert) • Qualcomm • GE Renwei (security expert) • Apple • Apple product security team
Thank you!

Recommended

Interworking wcdma to lte
Interworking wcdma to lteInterworking wcdma to lte
Interworking wcdma to ltebahar
 
2 g data call flow
2 g data call flow2 g data call flow
2 g data call flowAlfred Ongere
 
02 gsm bss network kpi (sdcch call drop rate) optimization manual
02 gsm bss network kpi (sdcch call drop rate) optimization manual02 gsm bss network kpi (sdcch call drop rate) optimization manual
02 gsm bss network kpi (sdcch call drop rate) optimization manualtharinduwije
 
Sharing session huawei network optimization january 2015 ver3
Sharing session huawei network optimization january 2015 ver3Sharing session huawei network optimization january 2015 ver3
Sharing session huawei network optimization january 2015 ver3Arwan Priatna
 
2G Handover Details (Huawei)
2G Handover Details (Huawei)2G Handover Details (Huawei)
2G Handover Details (Huawei)Md Mustafizur Rahman
 
LTE Call Processing and Handover
LTE Call Processing and HandoverLTE Call Processing and Handover
LTE Call Processing and HandoverSitha Sok
 
Lte irat-troubleshooting-guide
Lte irat-troubleshooting-guideLte irat-troubleshooting-guide
Lte irat-troubleshooting-guideDenmark Wilson
 
Huawei parameter strategy v1.4 1st dec
Huawei parameter strategy v1.4 1st decHuawei parameter strategy v1.4 1st dec
Huawei parameter strategy v1.4 1st decKetut Widya
 

Recommended

Interworking wcdma to lte
Interworking wcdma to lteInterworking wcdma to lte
Interworking wcdma to ltebahar
 
2 g data call flow
2 g data call flow2 g data call flow
2 g data call flowAlfred Ongere
 
02 gsm bss network kpi (sdcch call drop rate) optimization manual
02 gsm bss network kpi (sdcch call drop rate) optimization manual02 gsm bss network kpi (sdcch call drop rate) optimization manual
02 gsm bss network kpi (sdcch call drop rate) optimization manualtharinduwije
 
Sharing session huawei network optimization january 2015 ver3
Sharing session huawei network optimization january 2015 ver3Sharing session huawei network optimization january 2015 ver3
Sharing session huawei network optimization january 2015 ver3Arwan Priatna
 
2G Handover Details (Huawei)
2G Handover Details (Huawei)2G Handover Details (Huawei)
2G Handover Details (Huawei)Md Mustafizur Rahman
 
LTE Call Processing and Handover
LTE Call Processing and HandoverLTE Call Processing and Handover
LTE Call Processing and HandoverSitha Sok
 
Lte irat-troubleshooting-guide
Lte irat-troubleshooting-guideLte irat-troubleshooting-guide
Lte irat-troubleshooting-guideDenmark Wilson
 
Huawei parameter strategy v1.4 1st dec
Huawei parameter strategy v1.4 1st decHuawei parameter strategy v1.4 1st dec
Huawei parameter strategy v1.4 1st decKetut Widya
 
VoLTE KPI Performance
VoLTE KPI PerformanceVoLTE KPI Performance
VoLTE KPI PerformanceVikas Shokeen
 
Huawei case analysis call drop
Huawei case analysis call dropHuawei case analysis call drop
Huawei case analysis call dropMuffat Itoro
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Hamidreza Bolhasani
 
LTE KPIs and Formulae
LTE KPIs and FormulaeLTE KPIs and Formulae
LTE KPIs and FormulaeMradul Nagpal
 
LTE KPI
LTE KPILTE KPI
LTE KPISitha Sok
 
12 gsm bss network kpi (tch assignment success rate) optimization manual
12 gsm bss network kpi (tch assignment success rate) optimization manual12 gsm bss network kpi (tch assignment success rate) optimization manual
12 gsm bss network kpi (tch assignment success rate) optimization manualtharinduwije
 
Sdcch
SdcchSdcch
SdcchDeepak Sharma
 
Best practices-lte-call-flow-guide
Best practices-lte-call-flow-guideBest practices-lte-call-flow-guide
Best practices-lte-call-flow-guideMorg
 
wcdma-drive-test-analysis-ppt-libre
wcdma-drive-test-analysis-ppt-librewcdma-drive-test-analysis-ppt-libre
wcdma-drive-test-analysis-ppt-libreNarcisse FOIDIENG
 
Lte signaling
Lte signalingLte signaling
Lte signalingMansour Naslcheraghi
 
Zte macro bts introduction
Zte macro bts introductionZte macro bts introduction
Zte macro bts introductionRamanuj Kumar
 
Lte àà¿ë ±â¼ú ±³à°
Lte àà¿ë ±â¼ú ±³à°Lte àà¿ë ±â¼ú ±³à°
Lte àà¿ë ±â¼ú ±³à°Birendra Yadav
 
Huawei - Access failures troubleshooting work shop
Huawei - Access failures troubleshooting work shopHuawei - Access failures troubleshooting work shop
Huawei - Access failures troubleshooting work shopnavaidkhan
 
Lte capacity monitoring
Lte capacity monitoringLte capacity monitoring
Lte capacity monitoringKlajdi Husi
 
13 gsm bss network kpi (network interference) optimization manual[1].doc
13 gsm bss network kpi (network interference) optimization manual[1].doc13 gsm bss network kpi (network interference) optimization manual[1].doc
13 gsm bss network kpi (network interference) optimization manual[1].doctharinduwije
 
395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptx395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptxSudheeraIndrajith
 
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core NetworkHamidreza Bolhasani
 
UMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFBUMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFBJustin MA (馬嘉昌)
 
Gsm architecture
Gsm architecture Gsm architecture
Gsm architecture Ramraj Vaishnav
 
3g counter & timer
3g counter & timer3g counter & timer
3g counter & timerTABREZ KHAN
 
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)son6971
 
S1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupS1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupPrashant Sengar
 

More Related Content

What's hot

VoLTE KPI Performance
VoLTE KPI PerformanceVoLTE KPI Performance
VoLTE KPI PerformanceVikas Shokeen
 
Huawei case analysis call drop
Huawei case analysis call dropHuawei case analysis call drop
Huawei case analysis call dropMuffat Itoro
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Hamidreza Bolhasani
 
LTE KPIs and Formulae
LTE KPIs and FormulaeLTE KPIs and Formulae
LTE KPIs and FormulaeMradul Nagpal
 
12 gsm bss network kpi (tch assignment success rate) optimization manual
12 gsm bss network kpi (tch assignment success rate) optimization manual12 gsm bss network kpi (tch assignment success rate) optimization manual
12 gsm bss network kpi (tch assignment success rate) optimization manualtharinduwije
 
Best practices-lte-call-flow-guide
Best practices-lte-call-flow-guideBest practices-lte-call-flow-guide
Best practices-lte-call-flow-guideMorg
 
wcdma-drive-test-analysis-ppt-libre
wcdma-drive-test-analysis-ppt-librewcdma-drive-test-analysis-ppt-libre
wcdma-drive-test-analysis-ppt-libreNarcisse FOIDIENG
 
Zte macro bts introduction
Zte macro bts introductionZte macro bts introduction
Zte macro bts introductionRamanuj Kumar
 
Lte àà¿ë ±â¼ú ±³à°
Lte àà¿ë ±â¼ú ±³à°Lte àà¿ë ±â¼ú ±³à°
Lte àà¿ë ±â¼ú ±³à°Birendra Yadav
 
Huawei - Access failures troubleshooting work shop
Huawei - Access failures troubleshooting work shopHuawei - Access failures troubleshooting work shop
Huawei - Access failures troubleshooting work shopnavaidkhan
 
Lte capacity monitoring
Lte capacity monitoringLte capacity monitoring
Lte capacity monitoringKlajdi Husi
 
13 gsm bss network kpi (network interference) optimization manual[1].doc
13 gsm bss network kpi (network interference) optimization manual[1].doc13 gsm bss network kpi (network interference) optimization manual[1].doc
13 gsm bss network kpi (network interference) optimization manual[1].doctharinduwije
 
395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptx395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptxSudheeraIndrajith
 
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core NetworkHamidreza Bolhasani
 
3g counter & timer
3g counter & timer3g counter & timer
3g counter & timerTABREZ KHAN
 

What's hot (20)

VoLTE KPI Performance
VoLTE KPI PerformanceVoLTE KPI Performance
VoLTE KPI Performance
 
Huawei case analysis call drop
Huawei case analysis call dropHuawei case analysis call drop
Huawei case analysis call drop
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)
 
LTE KPIs and Formulae
LTE KPIs and FormulaeLTE KPIs and Formulae
LTE KPIs and Formulae
 
LTE KPI
LTE KPILTE KPI
LTE KPI
 
12 gsm bss network kpi (tch assignment success rate) optimization manual
12 gsm bss network kpi (tch assignment success rate) optimization manual12 gsm bss network kpi (tch assignment success rate) optimization manual
12 gsm bss network kpi (tch assignment success rate) optimization manual
 
Sdcch
SdcchSdcch
Sdcch
 
Best practices-lte-call-flow-guide
Best practices-lte-call-flow-guideBest practices-lte-call-flow-guide
Best practices-lte-call-flow-guide
 
wcdma-drive-test-analysis-ppt-libre
wcdma-drive-test-analysis-ppt-librewcdma-drive-test-analysis-ppt-libre
wcdma-drive-test-analysis-ppt-libre
 
Lte signaling
Lte signalingLte signaling
Lte signaling
 
Zte macro bts introduction
Zte macro bts introductionZte macro bts introduction
Zte macro bts introduction
 
Lte àà¿ë ±â¼ú ±³à°
Lte àà¿ë ±â¼ú ±³à°Lte àà¿ë ±â¼ú ±³à°
Lte àà¿ë ±â¼ú ±³à°
 
Huawei - Access failures troubleshooting work shop
Huawei - Access failures troubleshooting work shopHuawei - Access failures troubleshooting work shop
Huawei - Access failures troubleshooting work shop
 
Lte capacity monitoring
Lte capacity monitoringLte capacity monitoring
Lte capacity monitoring
 
13 gsm bss network kpi (network interference) optimization manual[1].doc
13 gsm bss network kpi (network interference) optimization manual[1].doc13 gsm bss network kpi (network interference) optimization manual[1].doc
13 gsm bss network kpi (network interference) optimization manual[1].doc
 
395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptx395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptx
 
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
 
UMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFBUMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFB
 
Gsm architecture
Gsm architecture Gsm architecture
Gsm architecture
 
3g counter & timer
3g counter & timer3g counter & timer
3g counter & timer
 

Viewers also liked

Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)son6971
 
S1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupS1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupPrashant Sengar
 
Quick attach summaryl
Quick attach summarylQuick attach summaryl
Quick attach summarylLarry Cragun
 
TRACK C: PDN (Power Delivery Network)/ Ronen Stilkol
TRACK C: PDN (Power Delivery Network)/ Ronen StilkolTRACK C: PDN (Power Delivery Network)/ Ronen Stilkol
TRACK C: PDN (Power Delivery Network)/ Ronen Stilkolchiportal
 
20121129 lte basic procedures (2)
20121129 lte basic procedures (2)20121129 lte basic procedures (2)
20121129 lte basic procedures (2)Debasish Sahoo
 
LTE EPC Technology Essentials
LTE EPC Technology EssentialsLTE EPC Technology Essentials
LTE EPC Technology EssentialsHussien Mahmoud
 
LTE Architecture and LTE Attach
LTE Architecture and LTE AttachLTE Architecture and LTE Attach
LTE Architecture and LTE Attachaliirfan04
 
Lte protocol-stack-mac-rlc-pdcp
Lte protocol-stack-mac-rlc-pdcpLte protocol-stack-mac-rlc-pdcp
Lte protocol-stack-mac-rlc-pdcpPrashant Sengar
 
Lte attach-messaging
Lte attach-messagingLte attach-messaging
Lte attach-messagingPraveen Kumar
 
AIRCOM LTE Webinar 1 - Network Architecture
AIRCOM LTE Webinar 1 - Network ArchitectureAIRCOM LTE Webinar 1 - Network Architecture
AIRCOM LTE Webinar 1 - Network ArchitectureAIRCOM International
 
Lte rrc-connection-setup-messaging
Lte rrc-connection-setup-messagingLte rrc-connection-setup-messaging
Lte rrc-connection-setup-messagingPrashant Sengar
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...Siddharth Rao
 
LTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc AspectsLTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc AspectsBP Tiwari
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure3G4G
 

Viewers also liked (20)

Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
 
S1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupS1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setup
 
Quick attach summaryl
Quick attach summarylQuick attach summaryl
Quick attach summaryl
 
TRACK C: PDN (Power Delivery Network)/ Ronen Stilkol
TRACK C: PDN (Power Delivery Network)/ Ronen StilkolTRACK C: PDN (Power Delivery Network)/ Ronen Stilkol
TRACK C: PDN (Power Delivery Network)/ Ronen Stilkol
 
20121129 lte basic procedures (2)
20121129 lte basic procedures (2)20121129 lte basic procedures (2)
20121129 lte basic procedures (2)
 
LTE EPC Technology Essentials
LTE EPC Technology EssentialsLTE EPC Technology Essentials
LTE EPC Technology Essentials
 
EPS presentation
EPS presentationEPS presentation
EPS presentation
 
LTE Procedures
LTE ProceduresLTE Procedures
LTE Procedures
 
LTE Architecture and LTE Attach
LTE Architecture and LTE AttachLTE Architecture and LTE Attach
LTE Architecture and LTE Attach
 
3 gpp lte-rlc
3 gpp lte-rlc3 gpp lte-rlc
3 gpp lte-rlc
 
Lte protocol-stack-mac-rlc-pdcp
Lte protocol-stack-mac-rlc-pdcpLte protocol-stack-mac-rlc-pdcp
Lte protocol-stack-mac-rlc-pdcp
 
Lte attach-messaging
Lte attach-messagingLte attach-messaging
Lte attach-messaging
 
AIRCOM LTE Webinar 1 - Network Architecture
AIRCOM LTE Webinar 1 - Network ArchitectureAIRCOM LTE Webinar 1 - Network Architecture
AIRCOM LTE Webinar 1 - Network Architecture
 
Lte rrc-connection-setup-messaging
Lte rrc-connection-setup-messagingLte rrc-connection-setup-messaging
Lte rrc-connection-setup-messaging
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...
 
c1 & c2 values
c1 & c2 values c1 & c2 values
c1 & c2 values
 
LTE Key Technologies
LTE Key TechnologiesLTE Key Technologies
LTE Key Technologies
 
LTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc AspectsLTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc Aspects
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure
 
PDN Overview
PDN OverviewPDN Overview
PDN Overview
 

Similar to LTE Redirection attacks: Zhang Shan

4g security presentation
4g security presentation4g security presentation
4g security presentationKyle Ly
 
Mobile computing – module 6
Mobile computing – module 6 Mobile computing – module 6
Mobile computing – module 6 JIGNESH PATEL
 
Security threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g networkSecurity threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g networkmmubashirkhan
 
Lte in ten_minutes
Lte in ten_minutesLte in ten_minutes
Lte in ten_minutesAnkur Raj
 
Posting 1 Reply Required What concerns should be underst.docx
Posting 1 Reply Required What concerns should be underst.docxPosting 1 Reply Required What concerns should be underst.docx
Posting 1 Reply Required What concerns should be underst.docxharrisonhoward80223
 
Lte and future frauds
Lte and future fraudsLte and future frauds
Lte and future fraudsRanjeet Kumar
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)Mumbai Academisc
 
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networks
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networksBlack hole Attack Avoidance Protocol for wireless Ad-Hoc networks
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networksijsrd.com
 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...EC-Council
 
Computer network notes with company specific questions
Computer network notes with company specific questionsComputer network notes with company specific questions
Computer network notes with company specific questionsTaleManju
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.RAVI RAJ
 
Securing Internet of Things
Securing Internet of ThingsSecuring Internet of Things
Securing Internet of ThingsRishabh Sharma
 
CNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular networkCNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular networkSam Bowne
 
Threats to Mobile Computing
Threats to Mobile ComputingThreats to Mobile Computing
Threats to Mobile Computingmadhurbyheart
 
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015Mark Niehus, RCDD
 
Introduction to networking by vikas jagtap
Introduction to networking by vikas jagtap Introduction to networking by vikas jagtap
Introduction to networking by vikas jagtapVikas Jagtap
 

Similar to LTE Redirection attacks: Zhang Shan (20)

The mfn 3
The mfn 3The mfn 3
The mfn 3
 
4g security presentation
4g security presentation4g security presentation
4g security presentation
 
Mobile computing – module 6
Mobile computing – module 6 Mobile computing – module 6
Mobile computing – module 6
 
Security threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g networkSecurity threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g network
 
Lte in ten_minutes
Lte in ten_minutesLte in ten_minutes
Lte in ten_minutes
 
Lte in ten_minutes
Lte in ten_minutesLte in ten_minutes
Lte in ten_minutes
 
Posting 1 Reply Required What concerns should be underst.docx
Posting 1 Reply Required What concerns should be underst.docxPosting 1 Reply Required What concerns should be underst.docx
Posting 1 Reply Required What concerns should be underst.docx
 
Lte and future frauds
Lte and future fraudsLte and future frauds
Lte and future frauds
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)
 
128-ch2.pptx
128-ch2.pptx128-ch2.pptx
128-ch2.pptx
 
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networks
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networksBlack hole Attack Avoidance Protocol for wireless Ad-Hoc networks
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networks
 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...
 
Computer network notes with company specific questions
Computer network notes with company specific questionsComputer network notes with company specific questions
Computer network notes with company specific questions
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.
 
Securing Internet of Things
Securing Internet of ThingsSecuring Internet of Things
Securing Internet of Things
 
N0363079085
N0363079085N0363079085
N0363079085
 
CNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular networkCNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular network
 
Threats to Mobile Computing
Threats to Mobile ComputingThreats to Mobile Computing
Threats to Mobile Computing
 
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015
 
Introduction to networking by vikas jagtap
Introduction to networking by vikas jagtap Introduction to networking by vikas jagtap
Introduction to networking by vikas jagtap
 

Recently uploaded

Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 

Recently uploaded (20)

Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 

LTE Redirection attacks: Zhang Shan

  • 1. LTE REDIRECTION Forcing Targeted LTE Cellphone into Unsafe Network Wanqiao Zhang Unicorn Team – Communication security researcher Haoqi Shan Unicorn Team – Hardware/Wireless security researcher Qihoo 360 Technology Co. Ltd.
  • 2. LTE and IMSI catcher myths • In Nov. 2015, BlackHat EU, Ravishankar Borgaonkar, and Altaf Shaik etc. introduced the LTE IMSI catcher and DoS attack.
  • 3. IMSI Catcher Once a cellphone goes through the fake network coverage area, its IMSI will be reported to the fake network.
  • 4. DoS Attack DoS message examples: ü You are an illegal cellphone! ü Here is NO network available. You could shut down your 4G/3G/2G modem.
  • 5. Redirection Attack Malicious LTE: “Hello cellphone, come into my GSM network…”
  • 6. Demo Fake LTE Network Fake GSM Network USRPs
  • 8. Risk • If forced into fake network • The cellphone will have no service (DoS). • The fake GSM network can make malicious call and SMS. • If forced into rogue network • All the traffic (voice and data) can be eavesdropped. A femtocell controlled by attacker
  • 9. LTE Basic Procedure • (Power on) • Cell search, MIB, SIB1, SIB2 and other SIBs • PRACH preamble • RACH response • RRC Connection Request • RRC Connection Setup • RRC Connection Setup Complete + NAS: Attach request + ESM: PDN connectivity request • RRC: DL info transfer + NAS: Authentication request • RRC: UL info transfer + NAS: Authentication response • RRC: DL info transfer + NAS: Security mode command • RRC: UL info transfer + NAS: Security mode completer • …… Unauthorized area Attack Space!
  • 10. Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI!
  • 11. Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone.
  • 12. Procedure of Redirection Attack RRC Release message can bring the cell info which it can let cellphone re-direct to.
  • 13. How to Build Fake LTE Network • Computer + USRP
  • 14. How to Build Fake LTE Network • There are some popular open source LTE projects: • Open Air Interface by Eurecom • http://www.openairinterface.org/ • The most completed and open source LTE software • Support connecting cellphone to Internet • But have complicated software architecture • OpenLTE by Ben Wojtowicz • http://openlte.sourceforge.net/ • Haven’t achieved stable LTE data connection but functional enough for fake LTE network • Beautiful code architecture • More popular in security researchers OpenLTE
  • 15. OpenLTE Source Code (1/3) In current OpenLTE release, the TAU request isn’t handled. But TAU reject msg packing function is available. So we could add some codes to handle TAU case and give appropriate TAU reject cause.
  • 16. Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI!
  • 17. OpenLTE Source Code (1/3) Set the mme procedure as TAU REQUET Call the TAU reject msg packing function Refer to Attach reject function
  • 18. OpenLTE Souce Code (2/3) DoS attack can directly utilize the cause setting in Attach Reject message.
  • 19. Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone.
  • 20. OpenLTE Source Code (3/3) redirectCarrierInfo can be inserted into RRC Connection Release message.
  • 22. Procedure of Redirection Attack RRC Release message can bring the cell info which it can let cellphone re-direct to.
  • 23. Think from the other side Attacker Defender Why is RRC redirection message not encrypted?
  • 24. Is This a New Problem? • "Security Vulnerabilities in the E-RRC Control Plane", 3GPP TSG-RAN WG2/RAN WG3/SA WG3 joint meeting, R3-060032, 9-13 January 2006 • This document introduced a ‘Forced handover’ attack: An attacker with the ability to generate RRC signaling—that is, any of the forms of compromise listed above—can initiate a reconfiguration procedure with the UE, directing it to a cell or network chosen by the attacker. This could function as a denial of service (if the target network cannot or will not offer the UE service) or to allow a chosen network to “capture” UEs. An attacker who already had full control of one system (perhaps due to weaker security on another RAT) could direct other systems’ UEs to “their” network as a prelude to more serious security attacks using the deeply compromised system. Used in this way, the ability to force a handover serves to expand any form of attack to UEs on otherwise secure systems, meaning that a single poorly secured network (in any RAT that interoperates with the E-UTRAN) becomes a point of vulnerability not only for itself but for all other networks in its coverage area.
  • 25. 3GPP’s Decision • “Reply LS on assumptions for security procedures”, 3GPP TSG SA WG3 meeting #45, S3-060833, 31st Oct - 3rd Nov 2006 (1) RRC Integrity and ciphering will be started only once during the attach procedure (i.e. after the AKA has been performed) and can not be de- activated later. (2) RRC Integrity and ciphering algorithm can only be changed in the case of the eNodeB handover.
  • 26. Why 3GPP Made Such Decision • In special cases, e.g. earthquake, hot events • Too many people try to access one base station then make this base station overloaded. • To let network load balanced, this base station can ask the new coming cellphone to redirect to another base station. • If you don’t tell cellphones which base station is light-loaded, the cellphones will blindly and inefficiently search one by one, and then increase the whole network load. Overloaded Base station Overloaded Base station Overloaded Base station Light-loaded Base station
  • 27. Network Availability vs.. Privacy • Global roaming • Battery energy saving • Load balance • IMSI Catcher • DoS Attack • Redirection Attack VS. Basic requirement High level requirement e.g. Wifi MAC addr tracking
  • 28. Countermeasures (1/2) • Cellphone manufacture – smart response • Scheme 1: Don’t follow the redirection command, but auto-search other available base station. • Scheme 2: Follow the redirection command, but raise an alert to cellphone user: Warning! You are downgraded to low security network.
  • 29. Countermeasures (2/2) • Standardization effort • Fix the weak security of legacy network: GSM • 3GPP TSG SA WG3 (Security) Meeting #83, S3-160702, 9-13 May 2016 Legacy Security Issues and Mitigation Proposals, Liaison Statement from GSMA. • Refuse one-way authentication • Disabling compromised encryption in mobile
  • 30. Acknowledgements • Huawei • Peter Wesley (Security expert) • GUO Yi (3GPP RAN standardization expert) • CHEN Jing (3GPP SA3 standardization expert) • Qualcomm • GE Renwei (security expert) • Apple • Apple product security team