More Like this

1. LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE

   Hussain, S; Chowdhury, O; Mehnaz, S; Bertino, E. (February 2018, Network and Distributed Systems Security (NDSS) Symposium 2018)

   In this paper, we investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders. For exposing vulnerabilities, we propose a model-based testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model. Using LTEInspector, we have uncovered 10 new attacks along with 9 prior attacks, categorized into three abstract classes (i.e., security, user privacy, and disruption of service), in the three procedures of 4G LTE. Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated 8 of the 10 new attacks and their accompanying adversarial assumptions through experimentation in a real testbed. 

   more » « less
2. Targeted Privacy Attacks by Fingerprinting Mobile Apps in LTE Radio Layer

   https://doi.org/10.1109/DSN58367.2023.00035  

   Baek, Jaejong; Soundrapandian, Pradeep Kumar; Kyung, Sukwha; Wang, Ruoyu; Shoshitaishvili, Yan; Doupé, Adam; Ahn, Gail-Joon (June 2023, 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN))

   IEEE/IFIP (Ed.)

   We investigate the feasibility of targeted privacy attacks using only information available in physical channels of LTE mobile networks and propose three privacy attacks to demonstrate this feasibility: mobile-app fingerprinting attack, history attack, and correlation attack. These attacks can reveal the geolocation of targeted mobile devices, the victim's app usage patterns, and even the relationship between two users within the same LTE network cell. An attacker also may launch these attacks stealthily by capturing radio signals transmitted over the air, using only a passive sniffer as equipment. To ensure the impact of these attacks on mobile users' privacy, we perform evaluations in both laboratory and real-world settings, demonstrating their practicality and dependability. Furthermore, we argue that these attacks can target not only 4G/LTE but also the evolving 5G standards. 

   more » « less
3. Performance Analysis of a Mission-Critical Portable LTE System in Targeted RF Interference

   Marojevic, Vuk; Rao, Raghunandan (September 2017, IEEE Vehicular Technology Conference (VTC) Fall, 2017)

   Mission-critical wireless networks are being upgraded to 4G long-term evolution (LTE). As opposed to capacity, these networks require very high reliability and security as well as easy deployment and operation in the field. Wireless communication systems have been vulnerable to jamming, spoofing and other radio frequency attacks since the early days of analog systems. Although wireless systems have evolved, important security and reliability concerns still exist. This paper presents our methodology and results for testing 4G LTE operating in harsh signaling environments. We use software-defined radio technology and open-source software to develop a fully configurable protocol-aware interference waveform. We define several test cases that target the entire LTE signal or part of it to evaluate the performance of a mission-critical production LTE system. Our experimental results show that synchronization signal interference in LTE causes significant throughput degradation at low interference power. By dynamically evaluating the performance measurement counters, the k-nearest neighbor classification method can detect the specific RF signaling attack to aid in effective mitigation. 

   more » « less
4. Modeling and Defense of Social Virtual Reality Attacks Inducing Cybersickness

   https://doi.org/10.1109/TDSC.2021.3121216  

   Valluripally, Samaikya; Gulhane, Aniket; Hoque, Khaza Anuarul; Calyam, Prasad (October 2021, IEEE Transactions on Dependable and Secure Computing)

   Social Virtual Reality Learning Environments (VRLE) offer a new medium for flexible and immersive learning environments with geo-distributed users. Ensuring user safety in VRLE application domains such as education, flight simulations, military training is of utmost importance. Specifically, there is a need to study the impact of ‘`immersion attacks’' (e.g., chaperone attack, occlusion) and other types of attacks/faults (e.g., unauthorized access, network congestion) that may cause user safety issues (i.e., inducing of cybersickness). In this paper, we present a novel framework to quantify the security, privacy issues triggered via immersion attacks and other types of attacks/faults. By using a real-world social VRLE viz., vSocial and creating a novel attack-fault tree model, we show that such attacks can induce undesirable levels of cybersickness. Next, we convert these attack-fault trees into stochastic timed automata (STA) representations to perform statistical model checking for a given attacker profile. Using this model checking approach, we determine the most vulnerable threat scenarios that can trigger high occurrence cases of cybersickness for VRLE users. Lastly, we show the effectiveness of our attack-fault tree modeling by incorporating suitable design principles such as hardening, diversity, redundancy and principle of least privilege to ensure user safety in a VRLE session. 

   more » « less
5. LTE PHY layer vulnerability analysis and testing using open-source SDR tools

   https://doi.org/10.1109/MILCOM.2017.8170787  

   Rao, Raghunandan M.; Ha, Sean; Marojevic, Vuk; Reed, Jeffrey H. (October 2017, Military Communications Conference (MILCOM), MILCOM 2017 - 2017 IEEE)

   This paper provides a methodology to study the PHY layer vulnerability of wireless protocols in hostile radio environments. Our approach is based on testing the vulnerabilities of a system by analyzing the individual subsystems. By targeting an individual subsystem or a combination of subsystems at a time, we can infer the weakest part and revise it to improve the overall system performance. We apply our methodology to 4G LTE downlink by considering each control channel as a subsystem. We also develop open-source software enabling research and education using software-defined radios. We present experimental results with open-source LTE systems and shows how the different subsystems behave under targeted interference. The analysis for the LTE downlink shows that the synchronization signals (PSS/SSS) are very resilient to interference, whereas the downlink pilots or Cell-Specific Reference signals (CRS) are the most susceptible to a synchronized protocol-aware interferer. We also analyze the severity of control channel attacks for different LTE configurations. Our methodology and tools allow rapid evaluation of the PHY layer reliability in harsh signaling environments, which is an asset to improve current standards and develop new and robust wireless protocols. 

   more » « less