The security flaws of legacy GSM networks, which lack of mutual authentication and implement an outdated encryption algorithm, are well understood among the technology community and have been extensively discussed for years. However, my smartphone’s settings do not provide the means to shut down the GSM radio to prevent my phone from connecting to a potentially insecure GSM access point. Instead, I have the option to turn off LTE, the fastest mobile network.
This is not the only confusing aspect of mobile network security. Given LTE’s mutual authentication and strong encryption scheme result, there is a general assumption that LTE rogue base stations are not possible. However, before the connection authentication step, any mobile device implicitly trusts (and exchanges a substantial amount of messages with) any LTE base station, legitimate or not, that advertises itself with the right parameters. Such implicit trust and unprotected messages can be exploited to block mobile devices and track their location.
Finally, it is generally assumed that Stingrays and IMSI catchers are expensive equipment that require downgrading the connection of mobile devices to GSM. However, a basic fully-LTE IMSI catcher can be implemented by means of low-cost software radio and slight modification of a well known open-source implementation of the LTE stack.
This talk will present an exploration of the security of LTE networks, as well as experimentation results of passive eavesdropping threats, LTE protocol exploits to block mobile devices and a location leak that allows tracking mobile devices as the connection is handed off from tower to tower.
30. DEVICE AND SIM TEMPORARY LOCK
● Attach reject and TAU (Tracking Area Update) reject messages not encrypted/integrity-
protected
● Spoofing this messages one can trick a device to
─ Believe it is not allowed to connect to the network (blocked)
─ Believe it is supposed to downgrade to or only allowed to connect to GSM
● Attack set-up
─ USRP B210 + openLTE LTE_fdd_eNodeB (slightly modified)
─ Devices attempt to attach (Attach Request, TAU request, etc)
─ Always reply to Request with Reject message
─ Experiment with “EMM Reject causes” defined by 3GPP
Real eNodeB
Rogue eNodeB
REQUEST
REJECT
These are not the droids you are looking for… And you are not
allowed to connect anymore to this network.
These are not the droids we are looking
for. I am not allowed to connect to my
provider anymore, I won’t try again.
32. SOFT DOWNGRADE TO GSM
● Use similar techniques to “instruct” the phone to downgrade to GSM
─ Only GSM services allowed OR LTE and 3G not allowed
─ Tested with my phone and 2 LTE USB dongles
● Once at GSM, the phone to connects to your rogue base station
─ Bruteforce the encryption
─ Listen to phone calls, read text messages
─ Man in the Middle
─ A long list of other bad things…
(Much more dangerous)
rogue GSM base station
Rogue eNodeB
REQUEST
REJECT
You will remove these restraints and leave this cell with the
door open… and use only GSM from now on.
I will remove these restraints and
leave this cell with the door open…
and use only GSM from now on…
and I’ll drop my weapon.