1,020 research outputs found

    Easy 4G/LTE IMSI Catchers for Non-Programmers

    IMSI Catchers are tracking devices that break the privacy of the subscribers of mobile access networks, with disruptive effects to both the communication services and the trust and credibility of mobile network operators. Recently, we verified that IMSI Catcher attacks are really practical for the state-of-the-art 4G/LTE mobile systems too. Our IMSI Catcher device acquires subscription identities (IMSIs) within an area or location within a few seconds of operation and then denies access of subscribers to the commercial network. Moreover, we demonstrate that these attack devices can be easily built and operated using readily available tools and equipment, and without any programming. We describe our experiments and procedures that are based on commercially available hardware and unmodified open source software

    Experimental Analysis of Subscribers' Privacy Exposure by LTE Paging

    Over the last years, considerable attention has been given to the privacy of individuals in wireless environments. Although significantly improved over the previous generations of mobile networks, LTE still exposes vulnerabilities that attackers can exploit. This might be the case of paging messages, wake-up notifications that target specific subscribers, and that are broadcasted in clear over the radio interface. If they are not properly implemented, paging messages can expose the identity of subscribers and furthermore provide information about their location. It is therefore important that mobile network operators comply with the recommendations and implement the appropriate mechanisms to mitigate attacks. In this paper, we verify by experiment that paging messages can be captured and decoded by using minimal technical skills and publicly available tools. Moreover, we present a general experimental method to test privacy exposure by LTE paging messages, and we conduct a case study on three different LTE mobile operators

    A Survey on Wireless Security: Technical Challenges, Recent Advances and Future Trends

    This paper examines the security vulnerabilities and threats imposed by the inherent open nature of wireless communications and to devise efficient defense mechanisms for improving the wireless network security. We first summarize the security requirements of wireless networks, including their authenticity, confidentiality, integrity and availability issues. Next, a comprehensive overview of security attacks encountered in wireless networks is presented in view of the network protocol architecture, where the potential security threats are discussed at each protocol layer. We also provide a survey of the existing security protocols and algorithms that are adopted in the existing wireless network standards, such as the Bluetooth, Wi-Fi, WiMAX, and the long-term evolution (LTE) systems. Then, we discuss the state-of-the-art in physical-layer security, which is an emerging technique of securing the open communications environment against eavesdropping attacks at the physical layer. We also introduce the family of various jamming attacks and their counter-measures, including the constant jammer, intermittent jammer, reactive jammer, adaptive jammer and intelligent jammer. Additionally, we discuss the integration of physical-layer security into existing authentication and cryptography mechanisms for further securing wireless networks. Finally, some technical challenges which remain unresolved at the time of writing are summarized and the future trends in wireless security are discussed. Comment: 36 pages. Accepted to Appear in Proceedings of the IEEE, 201

    Signaling Security in LTE Roaming

    LTE (Long Term Evolution), also known as 4G, is highly in demand for its incomparable levels of experience like high data rates, low latency, good Quality of Services (QoS) and roaming features. LTE uses Diameter protocol, which makes LTE an all IP network, connecting multiple network providers, providing flexibility in adding nodes and flexible mobility management while roaming. Which in turn makes LTE network more vulnerable to malicious actors. Diameter protocol architecture includes many nodes and the communication between the nodes is done through request and answer messages. Diameter manages the control session. Control session includes the signaling traffic which consists of messages to manage the user session. Roaming signaling traffic arises due to subscribers' movement out of the geographical range of their home network to any other network. This signaling traffic moves over the roaming interconnection called S9 roaming interface. This thesis project aims to interfere and manipulate traffic from both user-to-network and network-to-network interfaces in order to identify possible security vulnerabilities in LTE roaming. A fake base-station is installed to establish a connection to a subscriber through the air interface. The IMSI (International Mobile Subscription Identity) is captured using this fake station. To explore the network-to-network communication an emulator based LTE testbed is used. The author has investigated how Diameter messages can be manipulated over the S9 interface to perform a fraud or DoS attack using the IMSI number. The consequences of such attacks are discussed and the countermeasures that can be considered by the MNOs (Mobile Network Operators) and Standardization Committees

    Vulnerabilities of signaling system number 7 (SS7) to cyber attacks and how to mitigate against these vulnerabilities.

    As the mobile network subscriber base exponentially increases due to some attractive offerings such as anytime anywhere accessibility, seamless roaming, inexpensive handsets with sophisticated applications, and Internet connectivity, the mobile telecommunications network has now become the primary source of communication for not only business and pleasure, but also for the many life and mission critical services. This mass popularisation of telecommunications services has resulted in a heavily loaded Signaling System number 7 (SS7) signaling network which is used in Second and Third Generations (2G and 3G) mobile networks and is needed for call control and services such as caller identity, roaming, and for sending short message services. SS7 signaling has enjoyed remarkable popularity for providing acceptable voice quality with negligible connection delays, possibly due to its circuit-switched heritage. However, the traditional SS7 networks are expensive to lease and to expand, hence to cater for the growing signaling demand and to provide the seamless interconnectivity between the SS7 and IP networks a new suite of protocols known as Signaling Transport (SIGTRAN) has been designed to carry SS7 signaling messages over IP. Due to the intersignaling between the circuit-switched and the packet-switched networks, the mobile networks have now left the “walled garden”, which is a privileged, closed and isolated ecosystem under the full control of mobile carriers, using proprietary protocols and has minimal security risks due to restricted user access. Potentially, intersignaling can be exploited from the IP side to disrupt the services provided on the circuit-switched side. This study demonstrates the vulnerabilities of SS7 messages to cyber-attacks while being transported over IP networks and proposes some solutions based on securing both the IP transport and SCTP layers of the SIGTRAN protocol stack

    Project BeARCAT : Baselining, Automation and Response for CAV Testbed Cyber Security : Connected Vehicle & Infrastructure Security Assessment

    Connected, software-based systems are a driver in advancing the technology of transportation systems. Advanced automated and autonomous vehicles, together with electrification, will help reduce congestion, accidents and emissions. Meanwhile, vehicle manufacturers see advanced technology as enhancing their products in a competitive market. However, as many decades of using home and enterprise computer systems have shown, connectivity allows a system to become a target for criminal intentions. Cyber-based threats to any system are a problem; in transportation, there is the added safety implication of dealing with moving vehicles and the passengers within