
LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE

Syed Rafiul Hussain*, Omar Chowdhury†, Shagufta Mehnaz*, Elisa Bertino*


Purdue University*, University of Iowa†
Critical Infrastructure using Cellular Network

Security and Privacy Threats on Cellular Network
[figure: IMSI = International Mobile Subscriber Identity; subscriber devices shown in the "Service" and "No Service" states]
Limitations of Existing Attack Finding Strategies for Cellular Networks
- No adversary: existing work just analyzes performance and reliability
- No systematic approach

Is it possible to build a systematic framework for adversarially analyzing the cellular network specification in order to find security and privacy related problems?
Scope
[figure: procedures Attach, Detach, Paging, SMS, VoLTE, Handover; attacker outcomes Man-in-the-Middle, Spurious billing, Life threatening risks]
Outline
1. Challenges
2. Preliminaries
3. LTEInspector
4. Findings & Attack Validation
5. Responsible Disclosure and Impact
6. Future Work
7. Conclusion
Challenges
- Stateful procedures and multiple participants
- 4G LTE lacks formal specification
  - written in natural language
- Closed system
  - Proprietary
- Legal barrier
  - Licensed spectrum
Background: LTE Architecture
[figure: the UE connects over the air to eNodeBs; the eNodeBs connect to the Evolved Packet Core (EPC), made up of the MME, HSS, SGW, PGW and PCRF; the PGW connects to the Internet]
Background (Attach)
Phases: Identification, Authentication, Security algorithm negotiation, TMSI Exchange

Message flow between UE, eNodeB and Core Network:
1. Connection Setup
2. Attach Request (IMSI/IMEI, UE's Security Capabilities)
3. Challenge (LTE: Authentication Request)
4. Response (LTE: Authentication Response)
5. Select Security Algorithm (LTE: Security Mode Command)
6. Confirm Security Algorithm (LTE: Security Mode Complete)
7. Network accepts the attach and allocates temporary identity (LTE: Attach Accept)
8. Attach and new temporary identity (LTE: Attach Complete)
Background (Paging & Detach)
Participants: UE, eNodeB, MME
- Paging: paging_request (MME to UE)
- Detach: detach_request, followed by detach_accept
Adversary Model
- Dolev-Yao model
  - Eavesdrop
  - Drop or modify
  - Inject
  - Adheres to cryptographic assumptions
- Why Dolev-Yao model?
  - Powerful adversary
  - Automatic tools (ProVerif, Tamarin) can leverage it
Insight
- Property characteristics
  - Temporal ordering of events
  - Cryptographic constructs
  - Linear integer arithmetic and other predicates
- Intuition
  - Model checker: temporal trace properties, linear integer arithmetic
  - Cryptographic protocol verifier: cryptographic constructs

How can we leverage the reasoning power of these two?
LTEInspector

[figure: architecture. Inputs: UE state machine, core network state machine, adversarial model, domain knowledge, desired properties from the standard. The threat-instrumented abstract LTE ecosystem model is analyzed by a model checker and a cryptographic protocol verifier; counterexamples are validated in a testbed and reported as attacks.]

Abstract LTE Model
- Specification model for NAS layer (UE-MME) interactions
  - Propositional logic level
  - Model message types only, not message data
  - Abstract away cryptographic constructs
  - Two unidirectional channels (UE to MME, MME to UE)

UE state machine (transitions as readable on the slide, written "input / output"):
- disconnected --mobile_restart / attach_request--> waits for auth_request
- waits for auth_request --auth_request ∧ (mac_failure ∨ ¬(UE_sqn ≤ xsqn ≤ UE_sqn + range)) / auth_failure--> waits for auth_request
- waits for auth_request --auth_request ∧ ¬mac_failure ∧ (UE_sqn ≤ xsqn ≤ UE_sqn + range) / UE_sqn = xsqn + 1, auth_response--> UE authenticates MME
- UE authenticates MME --security_mode_command--> connected
- any state --auth_reject ∨ detach_request / —--> disconnected

MME state machine:
- disconnected --attach_request / MME_sqn = MME_sqn + 1, auth_request--> waits for auth_response
- waits for auth_response --auth_response ∧ xres_matches_sres / security_mode_command--> MME authenticates UE
- waits for auth_response: on auth_failure the MME produces no output (auth_failure / —)
- MME authenticates UE --attach_complete--> connected

Adversarial Model Instrumentor
- Both channels (UE to MME, MME to UE) are attacker controlled
- The Dolev-Yao attacker gets an adversary_turn on every message m, for example:
  - m_adv = no_operation (drop)
  - m_UE = attach_request, m_adv = detach_request (inject)
Model Checker
- Temporal trace properties
  - Liveness: something good eventually happens
  - Safety: nothing bad happens
- NuSMV
- φ1: It is always the case that whenever UE is in the wait for auth request, it will eventually authenticate MME.

[figure: counterexample to φ1 on the UE state machine. The victim UE sends attach_request to the MME and the MME answers with auth_request; an adversary-injected authentication_reject then moves the UE to disconnected, and the phone shows "Emergency calls only".]
Cryptographic Protocol Verifier
- Injective-correspondence (authentication): every authentication_reject message received by the UE must have been sent by the core network
- ProVerif
  - Secrecy
  - Authenticity
  - Observational equivalence
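As an added example (not the authors' NuSMV or ProVerif model, and not code from the LTEInspector repository), the following Python models the abstract LTE attach procedure in the style described above: UE and MME state machines over message types only, two attacker-controlled unidirectional channels, and a Dolev-Yao adversary that relays, drops or injects messages. A breadth-first search over the composed model then looks for a trace violating the correspondence property just stated (the UE acts on an authentication_reject or detach_request the core network never sent), and repeats the search on a hardened variant, assumed here purely for illustration, in which those two messages are integrity protected so that a forged one is ignored. The predicate ¬mac_failure ∧ (UE_sqn ≤ xsqn ≤ UE_sqn + range) is abstracted to a single `genuine` flag; the function names and state names are my own.

```python
"""Constructed abstract model of the LTE attach procedure in the LTEInspector
style: message types only, no payloads, no cryptography.  Added example, not
the authors' model.  `genuine` abstracts the slide's predicate
¬mac_failure ∧ (UE_sqn ≤ xsqn ≤ UE_sqn + range): True for a message the MME
really produced, False for one the Dolev-Yao adversary injected."""
from collections import deque

# Messages the adversary can forge on either channel (it has no keys, so no auth_response).
INJECTABLE = ("attach_request", "auth_request", "auth_reject",
              "detach_request", "auth_failure")
UNPROTECTED = ("auth_reject", "detach_request")   # carry no integrity protection in NAS


def ue_step(state, msg, genuine, integrity_protected):
    """UE transition: returns (new_state, output_message_or_None)."""
    if msg in UNPROTECTED:
        if integrity_protected and not genuine:   # hardened variant: forged reject ignored
            return state, None
        return "disconnected", None
    if state == "disconnected" and msg == "mobile_restart":
        return "wait_auth_request", "attach_request"
    if state == "wait_auth_request" and msg == "auth_request":
        if not genuine:                            # mac_failure / sqn out of range
            return state, "auth_failure"
        return "ue_authenticates_mme", "auth_response"   # UE_sqn := xsqn + 1
    if state == "ue_authenticates_mme" and msg == "security_mode_command":
        return "connected", "attach_complete"
    return state, None


def mme_step(state, msg, genuine):
    """MME transition: returns (new_state, output_message_or_None)."""
    if state == "disconnected" and msg == "attach_request":
        return "wait_auth_response", "auth_request"     # MME_sqn := MME_sqn + 1
    if state == "wait_auth_response" and msg == "auth_response" and genuine:
        return "mme_authenticates_ue", "security_mode_command"  # xres matches sres
    if state == "wait_auth_response" and msg == "auth_failure":
        return "disconnected", None
    if state == "mme_authenticates_ue" and msg == "attach_complete":
        return "connected", None
    return state, None


def successors(s, integrity_protected):
    """All (label, next_state) pairs.  Global state: (ue, mme, u2m, m2u, bad);
    u2m / m2u hold at most one (msg, genuine) pair, and `bad` records that the
    UE acted on a reject/detach the core network never sent."""
    ue, mme, u2m, m2u, bad = s
    out = []
    if ue == "disconnected" and u2m is None:       # environment: the mobile restarts
        nu, o = ue_step(ue, "mobile_restart", True, integrity_protected)
        out.append(("UE: mobile_restart / attach_request", (nu, mme, (o, True), m2u, bad)))
    if m2u is not None:                            # adversary relays or drops MME->UE
        msg, genuine = m2u
        nu, o = ue_step(ue, msg, genuine, integrity_protected)
        if o is None or u2m is None:               # UE's reply needs a free channel
            forged = msg in UNPROTECTED and not genuine and nu != ue
            out.append((f"deliver to UE: {msg}",
                        (nu, mme, (o, True) if o else u2m, None, bad or forged)))
        out.append((f"adv: drop {msg} (MME->UE)", (ue, mme, u2m, None, bad)))
    if u2m is not None:                            # adversary relays or drops UE->MME
        msg, genuine = u2m
        nm, o = mme_step(mme, msg, genuine)
        if o is None or m2u is None:
            out.append((f"deliver to MME: {msg}",
                        (ue, nm, None, (o, True) if o else m2u, bad)))
        out.append((f"adv: drop {msg} (UE->MME)", (ue, mme, None, m2u, bad)))
    for m in INJECTABLE:                           # adversary injects on an idle channel
        if u2m is None:
            out.append((f"adv: inject {m} -> MME", (ue, mme, (m, False), m2u, bad)))
        if m2u is None:
            out.append((f"adv: inject {m} -> UE", (ue, mme, u2m, (m, False), bad)))
    return out


def search(integrity_protected, max_depth=12):
    """Breadth-first search (bounded by max_depth steps) for the shortest trace
    violating 'every auth_reject/detach_request the UE acts on was sent by the
    core network'.  Returns the trace as a list of labels, or None."""
    start = ("disconnected", "disconnected", None, None, False)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, trace = queue.popleft()
        if state[4]:
            return trace
        if len(trace) >= max_depth:
            continue
        for label, nxt in successors(state, integrity_protected):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None


if __name__ == "__main__":
    print("unprotected:", search(integrity_protected=False))
    print("integrity-protected:", search(integrity_protected=True))
```

Running the block prints a three-step counterexample for the unprotected model (mobile restart, adversary injects auth_reject on the MME-to-UE channel, UE accepts it and drops to disconnected), the same shape of trace the slides show NuSMV producing for φ1, and `None` for the integrity-protected variant; the search is exhaustive up to `max_depth` steps over the finite abstract state space, so the absence of a trace there is a bounded result within the model, not a sampled one.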
Testbed Validation
- Malicious eNodeB setup (USRP, OpenLTE, srsLTE)
- Malicious UE setup (USRP, srsUE)
- COTS smartphones
- SIM cards of four major US carriers
- Custom-built core network
- USRP, OpenLTE, srsLTE, and USIM
Findings
- Uncovered 10 new attacks

Attack                       | Procedures | Responsible       | Notable Impacts
-----------------------------|------------|-------------------|----------------------------------------
Auth Sync. Failure           | Attach     | 3GPP              | DoS
Traceability                 | Attach     | carriers          | Coarse-grained location tracking
Numb using auth_reject       | Attach     | 3GPP, smartphones | DoS
Authentication relay         | Attach     | 3GPP              | Location spoofing
Paging Channel Hijacking     | Paging     | 3GPP              | DoS
Stealthy Kicking-off         | Paging     | 3GPP              | DoS, coarse-grained location tracking
Panic                        | Paging     | 3GPP              | Artificial chaos for terrorist activity
Energy Depletion             | Paging     | 3GPP              | Battery depletion/DoS
Linkability                  | Paging     | 3GPP              | Coarse-grained location tracking
Targeted/Non-targeted Detach | Detach     | 3GPP              | DoS

- Identified 9 prior attacks: IMSI-catching, DoS, Linkability, MitM in 3G and 2G, etc.
Authentication Synchronization Failure Attack
- Assumption:
  - Victim UE's IMSI
  - Malicious UE setup

[figure: Malicious UE, Victim UE, Core Network. Initially SQN_UE = x and SQN_CN = x. The malicious UE sends attach_request (IMSI) with the victim's IMSI again and again; the core network increments SQN_CN (SQN_CN++) on every request, while SQN_UE stays at x.]

UE and CN sequence numbers get desynchronized
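To make the sequence-number bookkeeping behind this slide concrete, here is an added Python simulation (my own, not the authors' code): the core network advances SQN_CN once per authentication challenge issued for an IMSI, the UE accepts a challenge only under the range predicate from the abstract model (SQN_UE ≤ xsqn ≤ SQN_UE + range), and the simulation counts how many unanswered challenges and sync failures an operator would see for that IMSI. The window size RANGE and the IMSI are constructed values, and the re-synchronisation step (the UE reports its own SQN and the core network adopts it) is a simplified stand-in for the 3GPP AKA re-sync procedure, which the slide does not cover.

```python
"""Constructed simulation of the sequence numbers behind the Authentication
Synchronization Failure attack.  Added example, not the authors' code.
SQN_CN advances once per challenge issued for an IMSI; the UE accepts a challenge
only if SQN_UE <= xsqn <= SQN_UE + RANGE (the predicate from the abstract model)."""
from collections import Counter

RANGE = 32   # constructed window size; the real value is an operator/HSS setting


class CoreNetwork:
    def __init__(self):
        self.sqn = Counter()             # IMSI -> SQN_CN
        self.outstanding = Counter()     # IMSI -> challenges issued but never answered
        self.sync_failures = Counter()   # IMSI -> re-synchronisations requested

    def challenge(self, imsi):
        """attach_request(IMSI) triggers a fresh authentication vector and SQN_CN++,
        whether or not the requester is the real subscriber."""
        self.sqn[imsi] += 1
        self.outstanding[imsi] += 1
        return self.sqn[imsi]            # xsqn carried in the auth_request

    def response(self, imsi):
        """An auth_response (or a sync-failure report) answers one challenge."""
        self.outstanding[imsi] -= 1

    def resync(self, imsi, ue_sqn):
        """Simplified re-synchronisation: adopt the SQN the genuine UE reports
        (stand-in for the 3GPP AKA re-sync procedure)."""
        self.response(imsi)
        self.sync_failures[imsi] += 1
        self.sqn[imsi] = ue_sqn


class UE:
    def __init__(self, imsi, sqn=0):
        self.imsi, self.sqn = imsi, sqn  # SQN_UE

    def accept(self, xsqn, rng=RANGE):
        """Range check from the abstract model; on success SQN_UE := xsqn + 1."""
        if self.sqn <= xsqn <= self.sqn + rng:
            self.sqn = xsqn + 1
            return True
        return False


def desync_experiment(n_spurious, rng=RANGE):
    """n_spurious attach_request(IMSI) from the malicious UE (which never answers
    a challenge), then one genuine attach by the victim.  Returns whether the
    victim's first challenge was accepted, whether it recovered via re-sync, and
    the per-IMSI counters an operator could monitor."""
    cn, victim = CoreNetwork(), UE("IMSI-000000000000000")   # constructed IMSI
    for _ in range(n_spurious):
        cn.challenge(victim.imsi)        # SQN_CN++ each time; SQN_UE is unchanged
    first_ok = victim.accept(cn.challenge(victim.imsi), rng)
    recovered = first_ok
    if first_ok:
        cn.response(victim.imsi)
    else:
        cn.resync(victim.imsi, victim.sqn)
        recovered = victim.accept(cn.challenge(victim.imsi), rng)
        if recovered:
            cn.response(victim.imsi)
    return {"first_ok": first_ok, "recovered": recovered,
            "sync_failures": cn.sync_failures[victim.imsi],
            "unanswered_challenges": cn.outstanding[victim.imsi]}


if __name__ == "__main__":
    for n in (0, 31, 32, 40):
        print(n, desync_experiment(n))
```

With the constructed window of 32, the victim's next challenge is still accepted after 31 spurious attach requests but falls outside the window after 32, which is the desynchronization the slide describes. The per-IMSI count of unanswered challenges, available where the authentication vectors are issued, rises by one with every spurious attach and is a usable detection signal, since a genuine UE answers nearly every challenge it is sent.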
Panic Attack
[figure: paging (ETWS) message delivered to the victim UEs]
Attack Chaining (Authentication Relay or Mafia Attack)
[figure: the victim UE is in Indiana. The attacker relays Attach_request, Authentication_request and Authentication_response between the Indiana side and a setup in California, so the victim ends up Connected through the California side (location spoofing).]
Responsible Disclosure and Impacts
- Mobile network operators
- Resolved the issue of using EEA0 (no encryption)
- Other issues are in progress
Future Work
[figure: protocol stack across UE, eNodeB and MME; NAS terminates at the UE and the MME, RRC runs between the UE and the eNodeB]

Decoded RRC paging message (PCCH) shown on the slide:

PCCH-Message ::= SEQUENCE
  +-message ::= CHOICE [c1]
    +-c1 ::= CHOICE [paging]
      +-paging ::= SEQUENCE [0110]
        +-pagingRecordList ::= SEQUENCE OF OPTIONAL:Omit
        +-systemInfoModification ::= ENUMERATED [true] OPTIONAL:Exist
        +-etws-Indication ::= ENUMERATED [true] OPTIONAL:Exist
        +-nonCriticalExtension ::= SEQUENCE OPTIONAL:Omit
Conclusion
Proposed a systematic approach for analyzing the specification

Uncovered 10 new attacks and 9 prior attacks

Validated most of the attacks in a testbed

https://github.com/relentless-warrior/LTEInspector

Questions
Cryptographic Protocol Verifier
- Injective-correspondence (authentication): every authentication_reject message received by the UE must have been sent by the core network
- ProVerif
  - Secrecy
  - Authenticity
  - Observational equivalence (hyper-properties)
- Why not ProVerif only?
  - Rich temporal trace properties
  - Constraints on linear integer arithmetic
Traceability attack
- Assumption:
  - Victim UE's IMSI
  - Malicious UE setup
  - security_mode_command

[figure: the victim's attach exchange (attach_request ... security_mode_command (MAC, nonce) ... attach_complete) is observed; when the captured security_mode_command is later presented to a UE, the responses differ (security_mode_complete versus security_mode_reject), which is what makes the victim traceable.]
Numb Attack
- Assumption: malicious eNodeB setup
  - Learn from SystemInformationBlock messages

[figure: the UE sends tracking_area_update_request to the malicious eNodeB and receives authentication_reject; the phone goes from Connected to "Emergency calls only".]