skip to main content


Title: LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE
In this paper, we investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders. For exposing vulnerabilities, we propose a modelbased testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model. Using LTEInspector, we have uncovered 10 new attacks along with 9 prior attacks, categorized into three abstract classes (i.e., security, user privacy, and disruption of service), in the three procedures of 4G LTE. Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated 8 of the 10 new attacks and their accompanying adversarial assumptions through experimentation in a real testbed.  more » « less
Award ID(s):
1719369
NSF-PAR ID:
10055689
Author(s) / Creator(s):
; ; ;
Date Published:
Journal Name:
Network and Distributed Systems Security (NDSS) Symposium 2018
Page Range / eLocation ID:
http://dx.doi.org/10.14722/ndss.2018.23313
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. In this paper, we investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders. For exposing vulnerabilities, we propose a model-based testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model. Using LTEInspector, we have uncovered 10 new attacks along with 9 prior attacks, categorized into three abstract classes (i.e., security, user privacy, and disruption of service), in the three procedures of 4G LTE. Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated 8 of the 10 new attacks and their accompanying adversarial assumptions through experimentation in a real testbed. 
    more » « less
  2. Mission-critical wireless networks are being upgraded to 4G long-term evolution (LTE). As opposed to capacity, these networks require very high reliability and security as well as easy deployment and operation in the field. Wireless communication systems have been vulnerable to jamming, spoofing and other radio frequency attacks since the early days of analog systems. Although wireless systems have evolved, important security and reliability concerns still exist. This paper presents our methodology and results for testing 4G LTE operating in harsh signaling environments. We use software-defined radio technology and open-source software to develop a fully configurable protocol-aware interference waveform. We define several test cases that target the entire LTE signal or part of it to evaluate the performance of a mission-critical production LTE system. Our experimental results show that synchronization signal interference in LTE causes significant throughput degradation at low interference power. By dynamically evaluating the performance measurement counters, the k-nearest neighbor classification method can detect the specific RF signaling attack to aid in effective mitigation. 
    more » « less
  3. IEEE/IFIP (Ed.)
    We investigate the feasibility of targeted privacy attacks using only information available in physical channels of LTE mobile networks and propose three privacy attacks to demonstrate this feasibility: mobile-app fingerprinting attack, history attack, and correlation attack. These attacks can reveal the geolocation of targeted mobile devices, the victim's app usage patterns, and even the relationship between two users within the same LTE network cell. An attacker also may launch these attacks stealthily by capturing radio signals transmitted over the air, using only a passive sniffer as equipment. To ensure the impact of these attacks on mobile users' privacy, we perform evaluations in both laboratory and real-world settings, demonstrating their practicality and dependability. Furthermore, we argue that these attacks can target not only 4G/LTE but also the evolving 5G standards. 
    more » « less
  4. As Internet-of-Things (IoT) devices rapidly gain popularity, they raise significant privacy concerns given the breadth of sensitive data they can capture. These concerns are amplified by the fact that in many situations, IoT devices collect data about people other than their owner or administrator, and these stakeholders have no say in how that data is managed, used, or shared. To address this, we propose a new model of ownership, IoT Ephemeral Ownership (TEO). TEO allows stakeholders to quickly register with an IoT device for a limited period, and thus claim co-ownership over the sensitive data that the device generates. Device admins retain the ability to decide who may become an ephemeral owner, but no longer have access or control to the private data generated by the device. The encrypted data in TEO is accessible only by entities after seeking explicit permission from the different co-owners of that data. We verify the key security properties of our protocol underpinning TEO in the symbolic model using ProVerif. We also implement a cross-platform prototype of TEO for mobile phones and embedded devices, and integrate it into three real-world application case studies. Our evaluation shows that the latency and battery impact of TEO is typically small, adding ≤187 ms onto one-time operations, and introducing limited (<25%) overhead on recurring operations like private data storage. 
    more » « less
  5. As Internet-of-Things (IoT) devices rapidly gain popularity, they raise significant privacy concerns given the breadth of sensitive data they can capture. These concerns are amplified by the fact that in many situations, IoT devices collect data about people other than their owner or administrator, and these stakeholders have no say in how that data is managed, used, or shared. To address this, we propose a new model of ownership, IoT Ephemeral Ownership (TEO). TEO allows stakeholders to quickly register with an IoT device for a limited period, and thus claim co-ownership over the sensitive data that the device generates. Device admins retain the ability to decide who may become an ephemeral owner, but no longer have access or control to the private data generated by the device. The encrypted data in TEO is accessible only by entities after seeking explicit permission from the different co-owners of that data. We verify the key security properties of our protocol underpinning TEO in the symbolic model using ProVerif. We also implement a cross-platform prototype of TEO for mobile phones and embedded devices, and integrate it into three real-world application case studies. Our evaluation shows that the latency and battery impact of TEO is typically small, adding ≤ 187 ms onto one-time operations, and introducing limited (<25%) overhead on recurring operations like private data storage. 
    more » « less