Murat: Multi-RAT False Base Station Detector

In recent years, there has been an increasing interest in false base station detection systems. Most of these rely on software that users download into their mobile phones. The software either performs an analysis of radio environment measurements taken by the mobile phone or reports these measurements to a server on the Internet, which then analyzes the aggregated measurements collected from many mobile phones. These systems suffer from two main drawbacks. First, they require modification to the mobile phones in the form of software and an active decision to participate from users. This severely limits the number of obtained measurements. Second, they do not make use of the information the mobile network has regarding network topology and configuration. This results in less reliable predictions than could be made. We present a network-based system for detecting false base stations that operate on any 3GPP radio access technology, without requiring modifications to mobile phones, and that allows taking full advantage of network topology and configuration information available to an operator. The analysis is performed by the mobile network based on measurement reports delivered by mobile phones as part of normal operations to maintain the wireless link. We implemented and validated the system in a lab experiment and a real operator trial. Our approach was adopted by the 3GPP standardization organization.

[1]  Thorsten Holz,et al.  Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE , 2020, USENIX Security Symposium.

[2]  Thorsten Holz,et al.  Lost traffic encryption: fingerprinting LTE/4G traffic on layer two , 2019, WiSec.

[3]  Valtteri Niemi,et al.  Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems , 2015, NDSS.

[4]  Hai Thanh Nguyen,et al.  Detecting IMSI-Catcher Using Soft Computing , 2015, SCDS.

[5]  Ravishankar Borgaonkar,et al.  New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols , 2019, IACR Cryptol. ePrint Arch..

[6]  Elisa Bertino,et al.  5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol , 2019, CCS.

[7]  Yongdae Kim,et al.  Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[8]  Thorsten Holz,et al.  LTE security disabled: misconfiguration in commercial networks , 2019, WiSec.

[9]  Jean-Pierre Seifert,et al.  White-Stingray: Evaluating IMSI Catchers Detection Applications , 2017, WOOT.

[10]  Yunhao Liu,et al.  FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild , 2017, NDSS.

[11]  Edgar R. Weippl,et al.  The Messenger Shoots Back: Network Operator Based IMSI Catcher Detection , 2016, RAID.

[12]  Alissa Knight Hacking Connected Cars: Tactics, Techniques, and Procedures , 2020 .

[13]  Hai Thanh Nguyen,et al.  A Network Based IMSI Catcher Detection , 2016, 2016 6th International Conference on IT Convergence and Security (ICITCS).

[14]  Riaz Ahmed Shaikh,et al.  IMSI Catcher Detection Method for Cellular Networks , 2019, 2019 2nd International Conference on Computer Applications & Information Security (ICCAIS).

[15]  Jean-Pierre Seifert,et al.  On the Impact of Rogue Base Stations in 4G/LTE Self Organizing Networks , 2018, WISEC.

[16]  Katharina Kohls,et al.  IMP4GT: IMPersonation Attacks in 4G NeTworks , 2020, NDSS.

[17]  Dare Abodunrin Detection and Mitigation methodology for Fake Base Stations Detection on 3G / 2G Cellular Networks. , 2015 .

[18]  Jinsung Lee,et al.  This is Your President Speaking: Spoofing Alerts in 4G LTE Networks , 2019, MobiSys.

[19]  Do Van Thanh,et al.  Strengthening Mobile Network Security Using Machine Learning , 2016, MobiWIS.

[20]  Thorsten Holz,et al.  Breaking LTE on Layer Two , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[21]  Ian Smith,et al.  SeaGlass: Enabling City-Wide IMSI-Catcher Detection , 2017, Proc. Priv. Enhancing Technol..

[22]  Elisa Bertino,et al.  LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE , 2018, NDSS.

[23]  Edgar R. Weippl,et al.  IMSI-catch me if you can: IMSI-catcher-catchers , 2014, ACSAC.

[24]  Yongdae Kim,et al.  Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE , 2019, USENIX Security Symposium.

[25]  Elisa Bertino,et al.  Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information , 2019, NDSS.