Experimental Analysis of Subscribers' Privacy Exposure by LTE Paging
Over the last years, considerable attention has been given to the privacy of
individuals in wireless environments. Although significantly improved over the
previous generations of mobile networks, LTE still exposes vulnerabilities that
attackers can exploit. This may be the case for paging messages, wake-up
notifications that target specific subscribers and that are broadcast in
the clear over the radio interface. If they are not properly implemented, paging
messages can expose the identity of subscribers and furthermore provide
information about their location. It is therefore important that mobile network
operators comply with the recommendations and implement the appropriate
mechanisms to mitigate attacks. In this paper, we verify by experiment that
paging messages can be captured and decoded by using minimal technical skills
and publicly available tools. Moreover, we present a general experimental
method to test privacy exposure by LTE paging messages, and we conduct a case
study on three different LTE mobile operators.
Investigation of LTE Privacy Attacks by Exploiting the Paging Mechanism
In mobile communication in general, and LTE in particular, security
should be a main focus, not least because of the vulnerabilities introduced
by the radio link. Compared to GSM and UMTS, LTE security has
been improved. However, the paging procedure is still not protected in
LTE. Unprotected paging unfortunately opens the possibility for hackers
to gather sensitive information or track the user's location. This thesis
studies attacks that are feasible because of the weaknesses of the paging
procedure.
A theoretical study of published papers about the attacks making use
of the paging procedure is conducted in this thesis. In addition, several
published papers proposing countermeasures against the attacks are also
studied.
In this thesis, a paging message catcher is set up to catch paging
messages from commercial LTE networks. A paging message catcher is basically
a passive message sniffer. It listens to the paging channel of the LTE air
interface, and collects paging messages. The collected paging messages
are decoded and analyzed.
By analyzing the collected paging messages, it is confirmed that both
Telia's and Telenor's LTE networks have enabled a non-standardized smart paging
feature. The smart paging feature is introduced by most LTE vendors to
improve the network resource efficiency. The feature essentially enables
the network to page a user within one or a few of the latest observed active cells
instead of a whole tracking area. It has a side effect though in terms
of location tracking by listening to the paging, as a paged user can be
located within a much smaller geographical area.
In this thesis, it is verified how often Telia's LTE updates the temporary
identity of a UE and what events trigger the updates. Telia is selected
because of subscription availability. In LTE, a temporary identity is
used to achieve user identity confidentiality. The temporary identity is
supposed to get updated often enough to avoid traceability over time.
A paging response feeder is attempted as well in this thesis with the goal
of verifying the feasibility and potential consequences for the victim. In
contrast to the paging message catcher, which is passive, a paging response
feeder is an active attacking device. It acts as a UE and tries to feed in
a paging response impersonating a victim.