2 research outputs found

    LTE PHY Layer Vulnerability Analysis and Testing Using Open-Source SDR Tools

    This paper provides a methodology to study the PHY layer vulnerability of wireless protocols in hostile radio environments. Our approach is based on testing the vulnerabilities of a system by analyzing the individual subsystems. By targeting an individual subsystem or a combination of subsystems at a time, we can infer the weakest part and revise it to improve the overall system performance. We apply our methodology to 4G LTE downlink by considering each control channel as a subsystem. We also develop open-source software enabling research and education using software-defined radios. We present experimental results with open-source LTE systems and show how the different subsystems behave under targeted interference. The analysis for the LTE downlink shows that the synchronization signals (PSS/SSS) are very resilient to interference, whereas the downlink pilots or Cell-Specific Reference signals (CRS) are the most susceptible to a synchronized protocol-aware interferer. We also analyze the severity of control channel attacks for different LTE configurations. Our methodology and tools allow rapid evaluation of the PHY layer reliability in harsh signaling environments, which is an asset to improve current standards and develop new robust wireless protocols.
    Comment: 7 pages, 7 figures. Publication accepted at IEEE MILCOM, 2017. This updated version is very close to the camera-ready version of the pape

    Identifying the Fake Base Station: A Location Based Approach

    The fake base station (FBS) attack is a great security challenge to wireless user equipment (UE). During the cell selection stage, the UE receives multiple synchronization signals (SSs) from multiple nearby base stations (BSs), and then synchronizes itself with the strongest SS. An FBS can also transmit an SS with sufficient power to confuse the UE, which makes the UE connect to the FBS, and may lead to the leakage of private information. In this letter, a countermeasure to the FBS attack that utilizes location information is investigated. Two location-awareness-based FBS-resistance schemes are proposed by checking the received signal strength according to the position of the UE and a legitimate BS map. The successful cheating rate (SCR), defined as the probability that the UE will connect to the FBS, is investigated. Numeric results show that with the two proposed schemes, the SCR can be greatly reduced, especially when the transmit power of the FBS is large. Beyond that, a cooperation-aided method is further proposed to improve the performance, and we show that the cooperation-aided method can further suppress the SCR when the signal strength from the FBS is similar to that from the legitimate BS.
    Comment: To be published in IEEE communications letter