Milcom2018 Slides Final

The document discusses LTE and 5G protocol security procedures, focusing on vulnerabilities in mobile network protocols and the implications of unprotected messages exchanged during communication. It highlights the risks associated with IMSI catchers and the potential for malicious actors to exploit weaknesses in the LTE architecture, particularly concerning unencrypted messages and connection hijacking. The tutorial also emphasizes the use of software radio testbeds for security research and experimentation in mobile network security.


TUTORIAL: LTE AND 5G PROTOCOL SECURITY PROCEDURES AND VULNERABILITY ANALYSES USING SOFTWARE RADIO TESTBEDS

PART II – UPPER LAYERS


Vuk Marojevic, Roger Piqueras Jover
Vuk.marojevic@ece.msstate.edu, rpiquerasjov@bloomberg.net

October 30th 2018

© Portions Copyright 2018 Bloomberg L.P.


ABOUT – ROGER PIQUERAS JOVER
● Recent dad who goes to a lot of live music shows, plays and watches too much soccer, and
does some security research on the side
● Security Researcher (aka Senior Security Architect), Office of the CTO at Bloomberg
● Formerly (5 years) Principal Member of Technical Staff at AT&T Security Research
● Mobile/wireless network security research
─ Mostly LTE PHY and upper layers
● If it communicates wirelessly, I am interested in its security
─ BLE
─ 802.11
─ Zigbee, Z-Wave
─ LoRaWAN
● More details
─ http://rogerpiquerasjover.net/ @rgoestotheshows



EXPLORING MOBILE NETWORK PROTOCOL SECURITY

The first mobile networks were not designed with a strong security focus (no support for encryption in 1G!!!)

[Figure: evolution of mobile network security, left to right: "Old" encryption, no BS authentication; Stronger encryption, mutual authentication; Strong encryption, mutual authentication; PKI for IMSI protection, "More secure (?)"]


LTE BASICS



LTE MOBILE NETWORK ARCHITECTURE



LTE CELL SELECTION AND CONNECTION

[Figure: Power on → Cell Search Procedure (decode PSS and SSS to synchronize in time and frequency) → Decode PBCH → Extract System Configuration → Idle state → Random Access (RACH) → Radio Access Bearer (Attach) → Connected state → Mobile connection]

• System configuration
– Decode Master Information Block (MIB) from PBCH
– Decode System Information Blocks (SIBs) from PDSCH

LTE NAS ATTACH PROCEDURE



MOBILE NETWORK USER/DEVICE IDENTIFIERS

IMEI – “Serial number” of the device

IMSI – secret id of the SIM that should never be disclosed


TMSI – temporary id used by the network once it knows who you are

MSISDN – Your phone number.


XYZ-867-5309



LTE (IN)SECURITY RATIONALE



LTE (IN)SECURITY RATIONALE
[Figure: message flow between UE and eNB]
● RACH handshake between UE and eNB
● RRC handshake between UE and eNB
● Connection setup (authentication, set-up of encryption, tunnel set-up, etc.)
● Encrypted traffic


LTE (IN)SECURITY RATIONALE

Callout on the figure: "Unencrypted and unprotected. I can sniff these messages and I can transmit them pretending to be a legitimate base station."

Other things sent in the clear:
• Base station config (broadcast messages)
• Measurement reports
• Measurement report requests
• (Sometimes) GPS coordinates
• HO related messages
• Paging messages
• Etc.


LTE (IN)SECURITY RATIONALE

Regardless of mutual authentication and strong encryption, a mobile device engages in a substantial exchange of unprotected messages with *any* LTE base station (malicious or not) that advertises itself with the right broadcast information.

Spoiler alert – This also potentially applies to 5G. No viable solution proposed in the specifications yet. (more on this later)


EXPLORING LTE SECURITY WITH SOFTWARE-RADIO



TOOLSET
● LTE open source implementation (eNB+UE)
─ Modified OpenLTE - http://openlte.sourceforge.net/
─ Recent work with modified srsLTE – https://github.com/srsLTE
• First available UE stack implementation!!!!!!
• LTE sniffer
─ Modifications to source for protocol exploit experimentation
● HW setup
─ USRP B210/USRP mini for active rogue base station
─ BUDGET: USRP B210 ($1100) + GPSDO ($625) + LTE Antenna (2x$30) = $1785
─ Machine running Ubuntu

All LTE active radio experiments MUST be performed inside a Faraday cage!!!


SNIFFING BASE STATION CONFIGURATION

● Base station configuration broadcast in the clear in MIB and SIB messages.
● srsLTE + AirScope
─ Dump everything to pcap
● Very useful information that could be leveraged by an adversary
─ Optimal tx power for a rogue base station
─ High priority frequencies to force priority cell reselection
─ Tracking Area of the legitimate cell (use a different one in your rogue eNodeB to force TAU update messages)
─ Mapping of signaling channels
─ Paging channel mapping and paging configuration
● Broadcast message scanning tools available in both srsLTE and openLTE

LTE/LTE-A Jamming, Spoofing and Sniffing: Threat Assessment and Mitigation. Marc Lichtman, Roger Piqueras Jover, Mina Labib, Raghunandan Rao, Vuk Marojevic, Jeffrey H. Reed. IEEE Communications Magazine. Special issue on Critical Communications and Public Safety Networks. April 2016.


SNIFFING BASE STATION CONFIGURATION

LTE PBCH MIB packet:

Time: 00:02:10.087204 Frame: 93 Subframe: 0
BCCH-BCH-Message
  message
    dl-Bandwidth: n50
    phich-Config
      phich-Duration: normal
      phich-Resource: one
    systemFrameNumber: {8 bits|0x17}
    spare: {10 bits|0x0000|Right Aligned}


SNIFFING BASE STATION CONFIGURATION
LTE PDSCH SIB1 packet:

Time: 00:02:10.102204 Frame: 94 Subframe: 5
BCCH-DL-SCH-Message
  message
    c1
      systemInformationBlockType1
        cellAccessRelatedInfo
          plmn-IdentityList
            PLMN-IdentityInfo
              plmn-Identity
                mcc
                  MCC-MNC-Digit: 3
                  MCC-MNC-Digit: 1
                  MCC-MNC-Digit: 0          [Mobile operator]
                mnc
                  MCC-MNC-Digit: 4
                  MCC-MNC-Digit: 1
                  MCC-MNC-Digit: 0
              cellReservedForOperatorUse: reserved
          trackingAreaCode: {16 bits|0x2713}
          cellIdentity: {28 bits|0x0075400F|Right Aligned}          [Cell ID]
          cellBarred: notBarred
          intraFreqReselection: allowed
          csg-Indication: false
        cellSelectionInfo
          q-RxLevMin: -60          [RX power to select that cell]
        freqBandIndicator: 17
        schedulingInfoList
          SchedulingInfo
            si-Periodicity: rf8
            sib-MappingInfo
              SIB-Type: sibType3
        si-WindowLength: ms10
        systemInfoValueTag: 11
        Padding
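The same decode can serve the defender. The following is an added example, not code from the tutorial, srsLTE or AirScope: it parses an SIB1 dump in the text form above into the cell parameters a monitoring tool would baseline (PLMN, tracking area code, cell identity, band, q-RxLevMin) and compares a new observation against the recorded baseline for that cell, so a base station that copies the operator's broadcast but changes the tracking area, as the slides describe, shows up as a deviation. The indented dump, the baseline values and the `deviations` helper are constructed from the values on the slide.

```python
import re

# Constructed sample: an SIB1 decode in the text form srsLTE/AirScope prints,
# populated with the values shown on the slide (not a capture from the tutorial).
SIB1_DUMP = """\
Time: 00:02:10.102204 Frame: 94 Subframe: 5
BCCH-DL-SCH-Message
  message
    c1
      systemInformationBlockType1
        cellAccessRelatedInfo
          plmn-IdentityList
            PLMN-IdentityInfo
              plmn-Identity
                mcc
                  MCC-MNC-Digit: 3
                  MCC-MNC-Digit: 1
                  MCC-MNC-Digit: 0
                mnc
                  MCC-MNC-Digit: 4
                  MCC-MNC-Digit: 1
                  MCC-MNC-Digit: 0
              cellReservedForOperatorUse: reserved
          trackingAreaCode: {16 bits|0x2713}
          cellIdentity: {28 bits|0x0075400F|Right Aligned}
          cellBarred: notBarred
          intraFreqReselection: allowed
          csg-Indication: false
        cellSelectionInfo
          q-RxLevMin: -60
        freqBandIndicator: 17
"""

# Bit-string values print as {N bits|0xHEX[|Right Aligned]}
BITSTRING = re.compile(r"\{\d+ bits\|0x([0-9A-Fa-f]+)")


def parse_sib1(dump: str) -> dict:
    """Flatten the decoder's tree into a dict of the fields worth baselining."""
    fields = {}
    digits = {"mcc": [], "mnc": []}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Time:"):
            continue                      # capture timestamp, not cell config
        if line in digits:
            current = line                # entering the mcc / mnc digit list
            continue
        if ":" not in line:
            continue                      # structural node, carries no value
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "MCC-MNC-Digit" and current:
            digits[current].append(value)
            continue
        m = BITSTRING.match(value)
        if m:
            fields[key] = int(m.group(1), 16)
        elif re.fullmatch(r"-?\d+", value):
            fields[key] = int(value)
        else:
            fields[key] = value
    fields["plmn"] = "".join(digits["mcc"]) + "".join(digits["mnc"])
    return fields


# Constructed baseline: what the operator's cell broadcast in an earlier,
# trusted capture. A base station copying the broadcast but changing the
# tracking area (to trigger TAU messages) shows up as a deviation.
BASELINE = {
    "plmn": "310410",
    "trackingAreaCode": 0x2713,
    "cellIdentity": 0x0075400F,
    "freqBandIndicator": 17,
    "q-RxLevMin": -60,
}


def deviations(observed: dict, baseline: dict = BASELINE) -> list:
    """Return (field, expected, seen) for each baselined field that differs."""
    return [(k, v, observed.get(k)) for k, v in baseline.items() if observed.get(k) != v]


if __name__ == "__main__":
    seen = parse_sib1(SIB1_DUMP)
    print(seen["plmn"], hex(seen["trackingAreaCode"]), hex(seen["cellIdentity"]))
    print("deviations:", deviations(seen))
    print("deviations:", deviations(parse_sib1(SIB1_DUMP.replace("0x2713", "0x0001"))))
```

The parser keys on the `mcc`/`mnc` list markers and the `{N bits|0x...}` value syntax rather than on indentation, so it tolerates the flattened output that a copy out of a terminal or a PDF produces.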


SNIFFING BASE STATION CONFIGURATION

LTE PDSCH SIB2/3 packet [Figure: decoded SIB2/SIB3 with callouts: RACH config, paging config, user traffic config, RRC timers, etc.]


SNIFFING BASE STATION CONFIGURATION
● MIB/SIB messages are necessary for the operation of the network
─ Some things must be sent in the clear (i.e. a device connecting for the first time)
─ But perhaps not everything
● Things an attacker can learn from MIB and SIB messages
─ Optimal tx power for a rogue base station (no need to set up your USRP to its max tx power)
─ High priority frequencies to force priority cell reselection
─ Mobile operator who owns that tower
─ Tracking Area of the legitimate cell (use a different one in your rogue eNodeB to force TAU update
messages)
─ Mapping of signaling channels
─ Paging channel mapping and paging configuration
─ Etc

LTE/LTE-A Jamming, Spoofing and Sniffing: Threat Assessment and Mitigation. Marc Lichtman, Roger Piqueras Jover, Mina Labib, Raghunandan Rao, Vuk Marojevic, Jeffrey H. Reed. IEEE Communications Magazine. Special issue on Critical Communications and Public Safety Networks. April 2016.


IMSI CATCHERS (STINGRAY)
● Active device that intercepts mobile devices
─ Malicious base station advertising itself as legitimate
─ Transmits the same configuration and broadcast information as the real base station
─ Forces all mobile devices in its range to disclose their IMSI in the clear
─ After catching the IMSI, releases the connection and the mobile device reconnects to the real base station

● Wrongly assumed to require downgrading to GSM


─ Jam/block 3G and LTE signals
─ Use GSM-based IMSI catcher

● Can be implemented easily using open source tools


─ openBTS (GSM)
─ srsLTE/OpenLTE (LTE)





IMSI CATCHERS (STINGRAY)

[Figure: attach message flow with callouts "Unauthenticated messages" and "Extract IMSI from these messages"]


LOW-COST LTE IMSI CATCHER (STINGRAY)
● Despite common assumptions, in LTE the IMSI is always transmitted in the clear at least once
─ If the network has never seen that UE, it must use the IMSI to claim its identity
─ A UE will trust *any* eNodeB that claims it has never seen that device (pre-authentication messages)
─ IMSI can also be transmitted in the clear in error recovery situations (very rare)

● Implementation
─ USRP B210 + Ubuntu 14.10 + gnuradio 3.7.2
─ LTE base station – OpenLTE’s LTE_fdd_eNodeB (slightly modified)
• Added feature to record IMSI from Attach Request messages
─ Send attach reject after IMSI collection

● Stingrays also possible in LTE without need to downgrade connection to GSM


─ Not possible to implement a MitM threat (mutual authentication)



LOW-COST LTE IMSI CATCHER (STINGRAY)

[Figure: capture showing the IMSI transmitted in the clear in an AttachRequest NAS message]


DEVICE AND SIM TEMPORARY LOCK
● Attach reject and TAU (Tracking Area Update) reject messages are not encrypted/integrity-protected
● By spoofing these messages one can trick a device to
─ Believe it is not allowed to connect to the network (blocked)
─ Believe it is supposed to downgrade to or only allowed to connect to GSM

[Figure: UE, rogue eNodeB and real eNodeB. The UE sends a REQUEST; the rogue eNodeB answers with a REJECT: "These are not the droids you are looking for… And you are not allowed to connect anymore to this network." The UE: "These are not the droids we are looking for. I am not allowed to connect to my provider anymore, I won't try again."]

Jover, Roger Piqueras. "LTE security, protocol exploits and location tracking experimentation with low-cost software radio." arXiv preprint arXiv:1607.05171 (2016).

SOFT DOWNGRADE TO GSM
● Use similar techniques to "instruct" the phone to downgrade to GSM
─ Only GSM services allowed OR LTE and 3G not allowed
● Once at GSM, the phone connects to your rogue base station
─ Bruteforce the encryption
─ Listen to phone calls, read text messages
─ Man in the Middle
─ A long list of other bad things…
(Much more dangerous)

[Figure: UE, rogue eNodeB and rogue GSM base station. The UE sends a REQUEST; the rogue eNodeB answers with a REJECT: "You will remove these restraints and leave this cell with the door open… and use only GSM from now on." The UE: "I will remove these restraints and leave this cell with the door open… and use only GSM from now on… and I'll drop my weapon."]

DEVICE TEMPORARY LOCK AND SOFT DOWNGRADE
● Some results
─ The blocking of the device/SIM is only temporary
─ Device won’t connect until rebooted
─ SIM won’t connect until reboot
─ SIM/device bricked until timer T3245 expires (24 to 48 hours!)
─ Downgrade device to GSM and get it to connect to a rogue BS

● If the target is an M2M device, it could be a semi-persistent attack


─ Reboot M2M device remotely?
─ Send a technician to reset SIM?
─ Or just wait 48 hours for your M2M device to come back online…

Shaik, Altaf, et al. "Practical attacks against privacy and availability in 4G/LTE mobile communication systems." arXiv preprint arXiv:1510.07563 (2015).

CONNECTION HIJACKING IN LTE
● LTE layer 2 encryption and integrity protection
─ Packets with known structure
─ AES Counter Mode (AES-CTR)
─ 16 bit checksum in the IP-UDP DNS request packets

● Protocol exploit
─ Track user (RNTI)
─ Identify DNS requests
─ MitM DNS requests (some “radio” challenges)
─ Apply mask to flip bits on destination IP address
─ Forward DNS requests to malicious DNS server

Rupprecht, David, Katharina Kohls, Thorsten Holz, and Christina Pöpper. "Breaking LTE on Layer Two." To be presented at IEEE Security and Privacy 2019.
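To make the layer-2 point concrete, here is an added example; it is not code from the tutorial or from the "Breaking LTE on Layer Two" authors. A counter-mode stream cipher gives confidentiality but no integrity, so a relay that knows the packet layout can change the decrypted destination by XORing a mask into the ciphertext, exactly the "apply mask to flip bits" step listed above; an integrity tag is what makes the receiver drop the modified packet. The SHA-256-based keystream standing in for AES-CTR, the toy packet layout, the keys and the addresses are all constructed for the example.

```python
import hashlib
import hmac


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream. Assumption: SHA-256 over key||IV||counter stands in
    for AES-CTR here; the malleability shown is a property of any stream cipher."""
    out = b""
    for block in range((length + 31) // 32):
        out += hashlib.sha256(key + iv + block.to_bytes(4, "big")).digest()
    return out[:length]


def ctr_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR with the keystream is its own inverse)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, iv, len(data))))


# Constructed toy packet layout, fixed and public the way an IP header is:
# bytes 0..3 a header, bytes 4..7 the destination address, then the payload.
DST_OFFSET = 4


def packet(dst_ip: str, payload: bytes) -> bytes:
    return b"HDR1" + bytes(int(x) for x in dst_ip.split(".")) + payload


def dst_of(pkt: bytes) -> str:
    return ".".join(str(b) for b in pkt[DST_OFFSET:DST_OFFSET + 4])


def flip_destination(ciphertext: bytes, old_ip: str, new_ip: str) -> bytes:
    """The mask step from the slide: XOR old^new into the ciphertext at the known
    offset. The receiver's decryption then yields new_ip; no key is involved."""
    old = bytes(int(x) for x in old_ip.split("."))
    new = bytes(int(x) for x in new_ip.split("."))
    ct = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(old, new)):
        ct[DST_OFFSET + i] ^= a ^ b
    return bytes(ct)


def protect(key_enc: bytes, key_int: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: what adding integrity protection to the user plane does."""
    ct = ctr_xor(key_enc, iv, plaintext)
    tag = hmac.new(key_int, iv + ct, hashlib.sha256).digest()[:4]
    return ct + tag


def unprotect(key_enc: bytes, key_int: bytes, iv: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag does not verify (packet dropped)."""
    ct, tag = blob[:-4], blob[-4:]
    expected = hmac.new(key_int, iv + ct, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_xor(key_enc, iv, ct)


def demo():
    """Returns (destination seen after a flip with encryption only,
                result of the same flip when integrity protection is on)."""
    key_enc, key_int, iv = b"k" * 16, b"i" * 16, b"\x00" * 8   # constructed keys
    pt = packet("8.8.8.8", b"dns-query")                        # constructed packet

    # Encryption only (the LTE user-plane situation on the slide)
    ct = ctr_xor(key_enc, iv, pt)
    tampered = flip_destination(ct, "8.8.8.8", "10.0.0.53")
    redirected_to = dst_of(ctr_xor(key_enc, iv, tampered))

    # Encryption plus an integrity tag: the same flip is detected and dropped
    blob = protect(key_enc, key_int, iv, pt)
    accepted = unprotect(key_enc, key_int, iv, flip_destination(blob, "8.8.8.8", "10.0.0.53"))
    return redirected_to, accepted


if __name__ == "__main__":
    print(demo())
```

The tag is truncated to 32 bits only to mirror the size of the LTE MAC-I field; the point is that the decision to drop a packet whose tag fails verification, not the tag length, is what removes the malleability.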
EXPLORING UPLINK PROTOCOL SECURITY



SRSUE
● First open-source implementation of the mobile device stack
─ https://github.com/srsLTE/srsLTE/tree/master/srsue
─ First commit May 2017

● Platform to experiment with UL pre-authentication messages

● Now researchers can analyze exploits in the eNodeB and the mobile core network



CONNECTION DETACH HANDSHAKE
● Procedure through which the UE disconnects from the network
─ Switch off UE
─ Airplane mode
─ Remove SIM

● Can be UE initiated and does not require ACK from network (!!!)

● Authentication/integrity protection (???)



CONNECTION DETACH HANDSHAKE
● NAS detach request message
─ Includes EPS mobile identity
─ Can be GUTI or IMSI
─ It can even be the IMEI
● In some cases it does not require integrity protection
─ It can be spoofed!

[Spec excerpts shown on the slide: 3GPP TS 24.301 V13.7.0 (2016-09), 4.4.4.3 - Integrity checking of NAS signalling messages in the MME (page 47); 3GPP TS 24.301 V13.7.0 (2016-09), 5.5.2.2.1 - UE initiated detach procedure initiation (page 122). Callouts: "NAS Detach Request NOT integrity protected"; "NAS Detach Request can be sent with TMSI and even just the IMEI".]


THERE’S MORE…

3GPP TS 24.301 V13.7.0 (2016-09)

4.4.4.3 - Integrity checking of NAS signalling messages in the MME

Between page 47 and 48

Even if a NAS security context is active, the MME will process a NAS Detach Request with a MAC that fails the integrity check or cannot be verified


REMOTE DEVICE DETACH
● Set up
─ Test smartphone (victim)
─ Linux box #1
• USRP B210 running srsUE (adversary)
─ Linux box #2
• USRP B210 running srsENB
• Open source LTE EPC

● Run RRC handshake and spoof Detach Request message with victim’s identity

● Knock out victim from network remotely


─ Though in the lab it is not "remotely"
● Testing it in a real network would be easy
─ But not legal
─ Next tests → commercial picocell
● Might not work in a real network if inter-layer integrity checks are well implemented

Raza, Muhammad Taqi, Fatima Muhammad Anwar, and Songwu Lu. "Exposing LTE Security Weaknesses at Protocol Inter-Layer, and Inter-Radio Interactions." In International Conference on Security and Privacy in Communication Systems, pp. 312-338. Springer, Cham, 2017.

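What "well implemented inter-layer integrity checks" would change can be shown in a small model. The following is an added example, not the tutorial's code and not srsLTE, srsENB or any EPC implementation: a model MME that handles a NAS Detach Request either leniently, as the TS 24.301 4.4.4.3 text quoted above allows (the request is acted on even when its MAC fails or cannot be verified), or strictly, refusing to act on an unverifiable request once a security context exists. The `Mme` class, the identities, the key and the truncated-HMAC stand-in for the NAS-MAC are constructed assumptions, not the specification's procedures.

```python
import hashlib
import hmac
from typing import Dict, Optional


def nas_mac(k_nas_int: bytes, count: int, identity: str) -> bytes:
    """Stand-in for the 32-bit NAS-MAC. Assumption: truncated HMAC-SHA256 in place
    of the EIA integrity algorithms; only the accept/reject logic matters here."""
    msg = count.to_bytes(4, "big") + identity.encode()
    return hmac.new(k_nas_int, msg, hashlib.sha256).digest()[:4]


class SecurityContext:
    """Per-UE NAS security context the MME holds once authentication has run."""
    def __init__(self, k_nas_int: bytes):
        self.k_nas_int = k_nas_int
        self.next_ul_count = 0          # replay protection: next expected NAS COUNT


class DetachRequest:
    def __init__(self, identity: str, count: int = 0, mac: Optional[bytes] = None):
        self.identity = identity        # GUTI, IMSI or even IMEI, as the slides note
        self.count = count
        self.mac = mac                  # None: sent without integrity protection


class Mme:
    def __init__(self, lenient: bool):
        # lenient=True models the TS 24.301 4.4.4.3 behaviour quoted on the slides;
        # lenient=False is the hardened policy.
        self.lenient = lenient
        self.attached: Dict[str, Optional[SecurityContext]] = {}

    def attach(self, identity: str, k_nas_int: Optional[bytes] = None):
        self.attached[identity] = SecurityContext(k_nas_int) if k_nas_int else None

    def handle_detach(self, req: DetachRequest) -> str:
        if req.identity not in self.attached:
            return "ignored: unknown UE"
        ctx = self.attached[req.identity]
        if ctx is None:
            # No security context yet: there is nothing to verify against
            del self.attached[req.identity]
            return "detached"
        verified = (req.mac is not None
                    and req.count >= ctx.next_ul_count
                    and hmac.compare_digest(req.mac, nas_mac(ctx.k_nas_int, req.count, req.identity)))
        if verified:
            ctx.next_ul_count = req.count + 1
            del self.attached[req.identity]
            return "detached"
        if self.lenient:
            # Spec behaviour on the slides: act on the detach even though the MAC
            # fails or cannot be verified. This is what lets a spoofed request work.
            del self.attached[req.identity]
            return "detached (integrity failure ignored)"
        return "rejected: integrity check failed"


# Constructed scenario mirroring the lab set-up: the victim is attached with a
# security context; a second UE sends a Detach Request carrying the victim's
# identity but, not knowing the key, no valid MAC.
VICTIM, VICTIM_KEY = "guti-victim", b"victim-knasint-00"


def spoofed_detach(lenient: bool):
    mme = Mme(lenient)
    mme.attach(VICTIM, VICTIM_KEY)
    result = mme.handle_detach(DetachRequest(VICTIM))
    return result, VICTIM in mme.attached


def legitimate_detach():
    mme = Mme(lenient=False)
    mme.attach(VICTIM, VICTIM_KEY)
    req = DetachRequest(VICTIM, count=0, mac=nas_mac(VICTIM_KEY, 0, VICTIM))
    result = mme.handle_detach(req)
    return result, VICTIM in mme.attached


if __name__ == "__main__":
    print("lenient MME, spoofed detach:", spoofed_detach(True))
    print("strict MME,  spoofed detach:", spoofed_detach(False))
    print("strict MME,  real detach:   ", legitimate_detach())
```

The strict branch keeps the one case the specification genuinely needs (a UE with no security context yet) while refusing the case the slides exploit; the `next_ul_count` check is there so that a captured, correctly protected Detach Request cannot simply be replayed later.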
LTE LOCATION LEAKS



LOCATION LEAKS AND DEVICE TRACKING - RNTI
● RNTI
─ PHY layer id sent in the clear in EVERY SINGLE packet, both UL and DL
─ Identifies uniquely every UE within a cell
• Changes infrequently
• Based on several captures in the NYC and Honolulu areas
─ No distinguishable behavior per operator or per base station manufacturer
─ Assigned by the network in the MAC RAR response to the RACH preamble





RNTI TRACKING WITH OPEN-SOURCE TOOLS

[Figure: RNTIs being tracked within this cell (srsLTE)]


[Figure sequence, one slide per step: Handoff between cell 60 and cell 50. Annotations on the slides: Cell ID = 60; Cell ID = 50; 0x2A60 = 10848; RNTI = 112]


RNTI LOCATION LEAKS AND DEVICE TRACKING
● Unprotected RRC Connection Reconfiguration message for handover should not occur
─ eNBs that used to have this issue have since been configured correctly

● According to 3GPP TR 33.899 V1.3.0 (2017-08)


─ RNTI tracking is not a privacy issue because RNTI is not a long lived id
• But I keep seeing in the lab the RNTI of my devices not changing for hours…
─ TMSI can be mapped to RNTI, but TMSI is also short lived id
• But the TMSI changes rather infrequently as well…

● LTE hijacking paper shows it is indeed possible!


─ https://alter-attack.net/media/breaking_lte_on_layer_two.pdf

Rupprecht, David, Katharina Kohls, Thorsten Holz, and Christina Pöpper. "Breaking LTE on Layer Two." To be presented at IEEE Security and Privacy 2019.

OTHER POTENTIAL LTE LOCATION LEAKS
● Paging messages sent in the clear
─ Known location tracking techniques based on sniffing paging messages
─ Silent text message to target IMSI/TMSI/MSISDN
─ If a paging is sniffed, the UE is in the same Tracking Area as the sniffer
─ If connection establishment is sniffed, the UE is in the same cell as the sniffer

Khan, Haibat, Benjamin Dowling, and Keith M. Martin. "Identity Confidentiality in 5G Mobile Telephony Systems." 2018.

OTHER POTENTIAL LTE LOCATION LEAKS
● Simple location inference
─ Eavesdrop MAC RAR messages
─ Timing advance → distance from eNodeB
─ Very low resolution unless one captures MAC RARs from multiple base stations

[Figure: tri-lateration of a user's location with eavesdropped MAC-RAR messages. Labels: RACH, Frame <j>, Frame <j+1>; User 1 (TX1, Delay t1, Time advance 1); User 2 (TX2, Delay t2, Time advance 2)]


5G SECURITY



5G STANDARDS
● 5G largely a marketing buzz word
─ But there’s some actual very interesting technology behind
─ First deployments and tests already happening
● Release 15 of the 3GPP standards
─ December 2017
─ First release of 5G – New Radio + 5G System
● Most changes at the PHY layer
─ mmWave
─ Massive MIMO
● Work to address some protocol exploits
─ IMSI obfuscation and encryption
─ PKI for IMSI concealing
● Security standards published in March 2018
─ 3GPP TS 33.501 V1.0.0 (2018-03)



IMSI PROTECTION
● IMSI encrypted (concealed) with public key of home operator
─ Probabilistic asymmetric encryption
─ Same IMSI encrypted multiple times results in different ciphertexts (to avoid tracking)

● IMSI catching much harder

● Challenges
─ What happens if private key of home operator is “lost” or needs to be rotated?
• New SIM?
• New public key burned in SIM?
• “Outside of the scope of the 3GPP specifications”



SUPI – THE NEW IMSI
● SUPI – Subscription Permanent Identifier
─ New IMSI in 5G
─ SUCI (SUbscription Concealed Identifier) – Encrypted SUPI

● Challenges
─ “If the home network has not provisioned the public key in USIM, the SUPI protection in initial registration
procedure is not provided. In this case, the null-scheme shall be used by the ME.”
• Null cipher still supported
─ “In case of an unauthenticated emergency call, privacy protection for SUPI is not required.”
• Can a rogue base station fool a UE to initiate such an emergency call?

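The two slides above (IMSI protection and SUPI/SUCI) can be illustrated with one toy scheme. This is an added example, not code from the tutorial and not the 3GPP scheme itself: an ephemeral-key construction in which fresh randomness makes every SUCI for the same SUPI different (so a sniffer cannot link registrations), only the home network's private key recovers the SUPI, a deterministic concealment is shown for contrast, and the null-scheme case from the slide (no public key provisioned in the USIM) returns the SUPI in the clear. The modular Diffie-Hellman group, the key sizes and the sample SUPI are constructed; the real scheme is ECIES as profiled in TS 33.501.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy Diffie-Hellman group. Assumption: the real SUCI uses ECIES over Curve25519
# or secp256r1 as profiled in TS 33.501; this modular group only shows the shape
# of the scheme and is far too small for real use.
P = 2 ** 127 - 1
G = 2


def keygen() -> Tuple[int, int]:
    """Home network key pair: (private, public). The public value is what the
    operator provisions into the USIM."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _pad(shared: int) -> bytes:
    """Key derivation from the shared secret (SHA-256 standing in for a KDF)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def conceal(home_pub: Optional[int], supi: str) -> Tuple[Optional[int], bytes]:
    """UE side: SUPI -> SUCI as (ephemeral public value, ciphertext).
    home_pub=None models the case quoted on the slides where no public key was
    provisioned: the null-scheme is used and the SUPI leaves the UE in the clear."""
    data = supi.encode()
    if home_pub is None:
        return None, data
    r = secrets.randbelow(P - 2) + 1          # fresh randomness per registration
    eph_pub = pow(G, r, P)
    pad = _pad(pow(home_pub, r, P))
    return eph_pub, bytes(a ^ b for a, b in zip(data, pad))


def deconceal(home_priv: int, suci: Tuple[Optional[int], bytes]) -> str:
    """Home network side: only the holder of the private key recovers the SUPI."""
    eph_pub, ct = suci
    if eph_pub is None:
        return ct.decode()
    pad = _pad(pow(eph_pub, home_priv, P))
    return bytes(a ^ b for a, b in zip(ct, pad)).decode()


def conceal_deterministic(home_pub: int, supi: str) -> str:
    """Contrast case: a deterministic concealment. Nobody without the key learns
    the SUPI, but every registration of the same subscriber looks identical, so a
    passive sniffer can link them. This is why the slide requires probabilistic
    encryption."""
    return hashlib.sha256(home_pub.to_bytes(16, "big") + supi.encode()).hexdigest()


if __name__ == "__main__":
    priv, pub = keygen()
    supi = "310410123456789"                  # constructed sample identifier
    a, b = conceal(pub, supi), conceal(pub, supi)
    print("two SUCIs for one SUPI differ:", a != b)
    print("both decrypt to the SUPI:", deconceal(priv, a) == deconceal(priv, b) == supi)
    print("null-scheme output:", conceal(None, supi))
    print("deterministic outputs identical:",
          conceal_deterministic(pub, supi) == conceal_deterministic(pub, supi))
```

Note what the model does not cover, which is exactly the slide's open question: there is no path here for rotating `priv` or re-provisioning `pub` into the USIM, and a UE holding no key falls through to the null-scheme branch.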


PROTOCOL EXPLOITS IN 5G
● Most LTE protocol exploits caused by implicit trust in pre-authentication messages
─ RRC, MAC, NAS layers

● 5G aims to tackle known exploits in LTE


─ E.g. AttachReject DoS and downgrade to GSM mentioned explicitly

● Leverage public key of home operator?


─ Does not work with roaming devices
─ Public key from all operators?
• Not scalable
• Unrealistic

● How are the 5G security specifications preventing exploiting pre-authentication messages?


─ As of now, 5G appears to be vulnerable to pre-authentication message protocol exploits



PROTOCOL EXPLOITS IN 5G
● I am not the only one claiming this…

Huang Lin (360 Radio Security Research Institute). "5G Security Enhancement". Hack in the Box 2018.

“OUT OF SCOPE”
This works for most wireless security specifications: Ctrl+F for {"scope", "out of scope", "out of the scope", etc.} in mobile communication standard documents

● 5.2.5 – Subscriber privacy


─ “The provisioning and updating of the home network public key is out of the scope of the present document.
It can be implemented using, e.g. the Over the Air (OTA) mechanism.”

● 12.2 – Mutual authentication


─ “The structure of the PKI used for the certificate is out of scope of the present document.”

● C.3.3 – Processing on home network side


─ “How often the home network generates new public/private key pair and how the public key is provisioned to
the UE are out of the scope of this clause.”



NULL CIPHERING
● Supported ciphering modes
─ NEA0 - Null ciphering algorithm
─ 128-NEA1 - 128-bit SNOW 3G based algorithm
─ 128-NEA2 - 128-bit AES based algorithm
─ 128-NEA3 - 128-bit ZUC based algorithm

● Null ciphering is a supported option


─ Same for null integrity
─ Potential security edge cases
─ Bidding down attacks
• Public key of home operator burned in SIM
• How to authenticate a bidding down request at a foreign (roaming) network?

● Note null ciphering support often a requirement for Lawful Interception



POTENTIAL SECURITY EDGE CASES
● “In case the UE registers for Emergency Services and receives an Identifier Request, the UE shall
use the null-scheme for generating the SUCI in the Identifier Response.”

● “If the UE receives a NAS security mode command selecting NULL integrity and ciphering
algorithms, the UE shall accept this as long as the IMS Emergency session progresses.”

● “If the authentication failure is detected in the AMF then the UE is not aware of the failure in the
AMF, but still needs to be prepared, according to the conditions specified in TS 24.301, to accept a
NAS SMC from the AMF requesting the use of the NULL ciphering and integrity algorithms.”

● “If the AMF cannot identify the subscriber, or cannot obtain authentication vector (when SUPI is
provided), the AMF shall send NAS SMC with NULL algorithms to the UE regardless of the
supported algorithms announced previously by the UE.”

● …



5G SECURITY - ARE WE THERE YET?

NAS integrity activation: "Replay protection shall be activated when integrity protection is activated, except when the NULL integrity protection algorithm is selected."

"Are we there yet? The long path to securing 5G mobile communication networks"
https://www.linkedin.com/pulse/we-yet-long-path-securing-5g-mobile-communication-piqueras-jover


Q&A

http://rogerpiquerasjover.net ---- @rgoestotheshows



FURTHER READING
● Shaik, Altaf, et al. "Practical attacks against privacy and availability in 4G/LTE mobile communication
systems." arXiv preprint arXiv:1510.07563 (2015).
● Jover, Roger Piqueras. LTE Security and Protocol Exploits. ShmooCon 2016.
● Jover, Roger Piqueras, Joshua Lackey, and Arvind Raghavan. "Enhancing the security of LTE networks against
jamming attacks." EURASIP Journal on Information Security 2014.1 (2014): 1-14.
● Jover, Roger Piqueras. "Security attacks against the availability of LTE mobility networks: Overview and
research directions." Wireless Personal Multimedia Communications (WPMC), 2013 16th International Symposium
on. IEEE, 2013.
● M. Lichtman, R. Piqueras Jover, M. Labib, R. Rao, V. Marojevic,and J. H. Reed, “LTE/LTE-A Jamming, Spoofing
and Sniffing: Threat Assessment and Mitigation,” Communications Magazine, IEEE, vol. 54,no. 4, 2016.
● Engel, Tobias. "SS7: Locate. Track. Manipulate." 31C3, 2014. http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2553/original/31c3-ss7-locate-track-manipulate.pdf
● Kumar, Swarun, et al. "LTE radio analytics made easy and accessible." ACM SIGCOMM Computer Communication
Review. Vol. 44. No. 4. ACM, 2014.
● Spaar, Dieter. "A practical DoS attack to the GSM network." In DeepSec (2009).
● Kune, Denis Foo, et al. "Location leaks on the GSM Air Interface." ISOC NDSS (Feb 2012) (2012).
● Jermyn, Jill, et al. "Scalability of Machine to Machine systems and the Internet of Things on LTE mobile
networks." World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2015 IEEE 16th International Symposium
on a. IEEE, 2015.
● Lichtman, Marc, et al. "Vulnerability of LTE to hostile interference." Global Conference on Signal and
Information Processing (GlobalSIP), 2013 IEEE. IEEE, 2013.
● Golde, Nico, Kévin Redon, and Jean-Pierre Seifert. "Let me answer that for you: Exploiting broadcast
information in cellular networks." Presented as part of the 22nd USENIX Security Symposium (USENIX Security
13). 2013.
● Mulliner, Collin, Nico Golde, and Jean-Pierre Seifert. "SMS of Death: From Analyzing to Attacking Mobile
Phones on a Large Scale." USENIX Security Symposium. 2011.
● Bhattarai, Sudeep, et al. "On simulation studies of cyber attacks against lte networks." Computer
Communication and Networks (ICCCN), 2014 23rd International Conference on. IEEE, 2014.
● Ghavimi, Fayezeh, and Hsiao-Hwa Chen. "M2M Communications in 3GPP LTE/LTE-A Networks: Architectures, Service
Requirements, Challenges, and Applications." Communications Surveys & Tutorials, IEEE 17.2 (2015): 525-549.
● Nakarmi, Prajwol Kumar, Oscar Ohlsson, and Michael Liljenstam. "An Air Interface Signaling Protection Function
for Mobile Networks: GSM Experiments and Beyond." Trustcom/BigDataSE/ISPA, 2015 IEEE. Vol. 1. IEEE, 2015.
● Khosroshahy, Masood, et al. "Botnets in 4G cellular networks: Platforms to launch DDoS attacks against the air
interface." Mobile and Wireless Networking (MoWNeT), 2013 International Conference on Selected Topics in.
IEEE, 2013.
● Bailey, D. "War Texting: Weaponizing Machine to Machine." Black-Hat USA (2011).
● Nohl, Karsten, and Sylvain Munaut. "Wideband GSM sniffing." In 27th Chaos Communication Congress. 2010.
● Prasad, Anand. "3GPP SAE-LTE Security." NIKSUN WWSMC (2011).
● Jermyn, Jill, Gabriel Salles-Loustau, and Saman Zonouz. "An analysis of dos attack strategies against the LTE
RAN." Journal of Cyber Security 3.2 (2014): 159-180.
● Bailey, Don, and Nick DePetrillo. "The Carmen Sandiego Project." Proc. of BlackHat (Las Vegas, NV, USA, 2010)
(2010).
● Hussain, Syed Rafiul, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. "LTEInspector: A Systematic Approach
for Adversarial Testing of 4G LTE." In Symposium on Network and Distributed Systems Security (NDSS), pp. 18-
21. 2018.
● Rupprecht, David, Katharina Kohls, Thorsten Holz, and Christina Pöpper. "Breaking LTE on Layer Two." To be presented at IEEE Security and Privacy 2019.
● Jover, Roger Piqueras, and Vuk Marojevic. "Security and Protocol Exploit Analysis of the 5G Specifications."
arXiv preprint arXiv:1809.06925 (2018).
● Raza, Muhammad Taqi, Fatima Muhammad Anwar, and Songwu Lu. "Exposing LTE Security Weaknesses at Protocol
Inter-Layer, and Inter-Radio Interactions." In International Conference on Security and Privacy in
Communication Systems, pp. 312-338. Springer, Cham, 2017.
● Khan, Haibat, Benjamin Dowling, and Keith M. Martin. "Identity Confidentiality in 5G Mobile Telephony Systems." 2018.
● Mjølsnes, Stig F., and Ruxandra F. Olimid. "Easy 4G/LTE IMSI Catchers for Non-Programmers." In International
Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pp. 235-246.
Springer, Cham, 2017.
● Khan, M., Ginzboorg, P., Järvinen, K. and Niemi, V., 2018. Defeating the Downgrade Attack on Identity Privacy
in 5G. arXiv preprint arXiv:1811.02293.
● Basin, David, Jannik Dreier, Lucca Hirschi, Saša Radomirovic, Ralf Sasse, and Vincent Stettler. "A Formal
Analysis of 5G Authentication." In Proceedings of the 2018 ACM SIGSAC Conference on Computer and
Communications Security, pp. 1383-1396. ACM, 2018.
