Over the last years, considerable attention has been given to the privacy of
individuals in wireless environments. Although significantly improved over the
previous generations of mobile networks, LTE still exposes vulnerabilities that
attackers can exploit. This might be the case of paging messages, wake-up
notifications that target specific subscribers, and that are broadcasted in
clear over the radio interface. If they are not properly implemented, paging
messages can expose the identity of subscribers and furthermore provide
information about their location. It is therefore important that mobile network
operators comply with the recommendations and implement the appropriate
mechanisms to mitigate attacks. In this paper, we verify by experiment that
paging messages can be captured and decoded by using minimal technical skills
and publicly available tools. Moreover, we present a general experimental
method to test privacy exposure by LTE paging messages, and we conduct a case
study on three different LTE mobile operators
