Experimental Study of Spoofing Alerts in 4G LTE Networks

Modern mobile phones should receive and display alert messages, such as AMBER alerts, emergency alerts, and (unblockable) presidential alerts, under the mandate of the Warning, Alert, and Response Act of 2006. In January 2018, an alert message warning that a ballistic missile was heading to Hawaii was sent out in the state of Hawaii. Although it turned out to be caused by human error, it showed how such an alert message could affect people. In addition, in October 2018, a test to broadcast unblockable presidential alert messages to all of the United States was conducted. These cases have raised concerns about what problems might arise when alert messages are misused or spoofed. In this thesis, we investigate alert spoofing attacks in 4G LTE networks and provide 1) a detailed analysis of this attack, 2) the design and implementation of such systems, 3) possible countermeasures, and, most importantly, 4) the impact of such attacks in both indoor and outdoor environments. Our attack can be carried out using a software-defined radio and our modifications to the open-source NextEPC and srsLTE software libraries. We evaluate our attack in a controlled environment and estimate the impact of such an attack based on empirical measurements. We find that with only four malicious portable base stations of a single Watt of transmit power each, almost all of a 50,000-seat stadium can be attacked with a 90% success rate. The true impact of such an attack would, of course, depend on the density of cell phones in range: false alerts in crowded cities or stadiums could potentially result in cascades of panic. Solving this problem will require large collaborative efforts among government, standardization organizations, network providers, and manufacturers. We also provide possible solutions to defend against such a spoofing attack.
