LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE
In this paper, we investigate the security and privacy
of the three critical procedures of the 4G LTE protocol (i.e.,
attach, detach, and paging), and in the process, uncover potential
design flaws of the protocol and unsafe practices employed by the
stakeholders. For exposing vulnerabilities, we propose a model-based
testing approach LTEInspector which lazily combines a
symbolic model checker and a cryptographic protocol verifier
in the symbolic attacker model. Using LTEInspector, we have
uncovered 10 new attacks along with 9 prior attacks, categorized
into three abstract classes (i.e., security, user privacy,
and disruption of service), in the three procedures of 4G LTE.
Notable among our findings is the authentication relay attack that
enables an adversary to spoof the location of a legitimate user
to the core network without possessing appropriate credentials.
To ensure that the exposed attacks pose real threats and are
indeed realizable in practice, we have validated 8 of the 10 new
attacks and their accompanying adversarial assumptions through
experimentation in a real testbed.
- Award ID(s): 1719369
- NSF-PAR ID: 10055689
- Date Published:
- Journal Name: Network and Distributed Systems Security (NDSS) Symposium 2018
- Page Range / eLocation ID: http://dx.doi.org/10.14722/ndss.2018.23313
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
Mission-critical wireless networks are being upgraded to 4G long-term evolution (LTE). As opposed to capacity, these networks require very high reliability and security as well as easy deployment and operation in the field. Wireless communication systems have been vulnerable to jamming, spoofing and other radio frequency attacks since the early days of analog systems. Although wireless systems have evolved, important security and reliability concerns still exist. This paper presents our methodology and results for testing 4G LTE operating in harsh signaling environments. We use software-defined radio technology and open-source software to develop a fully configurable protocol-aware interference waveform. We define several test cases that target the entire LTE signal or part of it to evaluate the performance of a mission-critical production LTE system. Our experimental results show that synchronization signal interference in LTE causes significant throughput degradation at low interference power. By dynamically evaluating the performance measurement counters, the k-nearest neighbor classification method can detect the specific RF signaling attack to aid in effective mitigation.
IEEE/IFIP (Ed.) We investigate the feasibility of targeted privacy attacks using only information available in physical channels of LTE mobile networks and propose three privacy attacks to demonstrate this feasibility: mobile-app fingerprinting attack, history attack, and correlation attack. These attacks can reveal the geolocation of targeted mobile devices, the victim's app usage patterns, and even the relationship between two users within the same LTE network cell. An attacker also may launch these attacks stealthily by capturing radio signals transmitted over the air, using only a passive sniffer as equipment. To ensure the impact of these attacks on mobile users' privacy, we perform evaluations in both laboratory and real-world settings, demonstrating their practicality and dependability. Furthermore, we argue that these attacks can target not only 4G/LTE but also the evolving 5G standards.
As Internet-of-Things (IoT) devices rapidly gain popularity, they raise significant privacy concerns given the breadth of sensitive data they can capture. These concerns are amplified by the fact that in many situations, IoT devices collect data about people other than their owner or administrator, and these stakeholders have no say in how that data is managed, used, or shared. To address this, we propose a new model of ownership, IoT Ephemeral Ownership (TEO). TEO allows stakeholders to quickly register with an IoT device for a limited period, and thus claim co-ownership over the sensitive data that the device generates. Device admins retain the ability to decide who may become an ephemeral owner, but no longer have access or control to the private data generated by the device. The encrypted data in TEO is accessible only by entities after seeking explicit permission from the different co-owners of that data. We verify the key security properties of our protocol underpinning TEO in the symbolic model using ProVerif. We also implement a cross-platform prototype of TEO for mobile phones and embedded devices, and integrate it into three real-world application case studies. Our evaluation shows that the latency and battery impact of TEO is typically small, adding ≤187 ms onto one-time operations, and introducing limited (<25%) overhead on recurring operations like private data storage.