Signaling Security in LTE Roaming

LTE (Long Term Evolution) also known as 4G, is highly in demand for its incomparable levels of experience like high data rates, low latency, good Quality of Services(QoS) and roaming features. LTE uses Diameter protocol, which makes LTE an all IP network, connecting multiple network providers, providing flexibility in adding nodes and flexible mobility management while roaming. Which in turn makes LTE network more vulnerable to malicious actors. Diameter protocol architecture includes many nodes and the communication between the nodes is done through request and answer messages. Diameter manages the control session. Control session includes the signaling traffic which consists of messages to manage the user session. Roaming signaling traffic arises due to subscribers movement out of the geographical range of their home network to any other network. This signaling traffic moves over the roaming interconnection called S9 roaming interface. This thesis project aims to interfere and manipulate traffic from both user-to-network and network-to-network interfaces in order to identify possible security vulnerabilities in LTE roaming. A fake base-station is installed to establish a connection to a subscriber through the air interface. The IMSI (International Mobile Subscription Identity) is captured using this fake station. To explore the network-to-network communication an emulator based LTE testbed is used. The author has investigated how Diameter messages can be manipulated over the S9 interface to perform a fraud or DoS attack using the IMSI number. The consequences of such attacks are discussed and the countermeasures that can be considered by the MNOs (Mobile Network Operators) and Standardization Committees