On Key Reinstallation Attacks over 4G/5G LTE Networks: Feasibility and Negative Impact



This paper studies the feasibility of key reinstallation attacks in the 4G LTE network. It is well known that LTE uses session keys for confidentiality and integrity protection of its control-plane signaling and for ciphering of its data-plane packets. However, if the keys are not updated while the counters are reset, key reinstallation attacks may arise. In this paper, we show that several design choices on both the control and data planes in the current LTE security setup are vulnerable to key reinstallation attacks. Specifically, on the control plane, the LTE security association setup procedures, which establish security between the device and the network, are disconnected: the keys are installed through one procedure, whereas their associated parameters (such as the uplink and downlink counters) are reset through a different procedure. The adversary can thus exploit the disjoint security setup procedures and launch key stream reuse attacks. He consequently breaks message encryption by tricking the victim into using the same pair of keys and the same counter value to encrypt multiple messages. This control-plane attack hijacks the location update procedure, rendering the device unreachable from the Internet. Moreover, it may also deregister the victim from the LTE network. On the data plane, the vulnerability arises when the device establishes a new data session with the network. The data access setup procedure resets the counter, but the encryption key is never updated. Leveraging this design deficiency, the attacker can reset counters at the victim device by altering the data establishment procedure. The negative impact of this attack includes decrypting voice messages over LTE calls, as well as threats to Cellular IoT (the new approach to IoT in 5G) data traffic. We have confirmed our findings with two major US operators, and found that such attacks can be launched with software-defined radio devices that cost about $299. We further propose remedies to defend against such threats.


Conference Paper
VoLTE (Voice-over-LTE) is the designated voice solution to the LTE mobile network, and its worldwide deployment is underway. It reshapes call services from the traditional circuit-switched telecom telephony to the packet-switched Internet VoIP. In this work, we conduct the first study on VoLTE security before its full rollout. We discover several vulnerabilities in both its control-plane and data-plane functions, which can be exploited to disrupt both data and voice in operational networks. In particular, we find that the adversary can easily gain free data access, shut down continuing data access, or subdue an ongoing call, etc. We validate these proof-of-concept attacks using commodity smartphones (rooted and unrooted) in two Tier-1 US mobile carriers. Our analysis reveals that, the problems stem from both the device and the network. The device OS and chipset fail to prohibit non-VoLTE apps from accessing and injecting packets into VoLTE control and data planes. The network infrastructure also lacks proper access control and runtime check.
Mobile communication systems now constitute an essential part of life throughout the world. Fourth generation "Long Term Evolution" (LTE) mobile communication networks are being deployed. The LTE suite of specifications is considered to be significantly better than its predecessors not only in terms of functionality but also with respect to security and privacy for subscribers. We carefully analyzed LTE access network protocol specifications and uncovered several vulnerabilities. Using commercial LTE mobile devices in real LTE networks, we demonstrate inexpensive, and practical attacks exploiting these vulnerabilities. Our first class of attacks consists of three different ways of making an LTE device leak its location: A semi-passive attacker can locate an LTE device within a 2 area within a city whereas an active attacker can precisely locate an LTE device using GPS co-ordinates or trilateration via cell-tower signal strength information. Our second class of attacks can persistently deny some or all services to a target LTE device. To the best of our knowledge, our work constitutes the first publicly reported practical attacks against LTE access network protocols. We present several countermeasures to resist our specific attacks. We also discuss possible trade-offs that may explain why these vulnerabilities exist and recommend that safety margins introduced into future specifications to address such trade-offs should incorporate greater agility to accommodate subsequent changes in the trade-off equilibrium.
In the last decades several systems based on video analysis have been proposed for automatically detecting accidents on the roads so as to ensure a quick intervention of emergency teams. However, in some situations the visual information is not sufficient or sufficiently reliable, while the use of microphones and audio event detectors can significantly improve the overall reliability of surveillance systems. In this paper we propose a novel method for detecting road accidents by analyzing audio streams so as to identify hazardous situations like tire skidding and car crashes. Our method is based on a two-layer representation of the audio stream: at a low level, the system extracts a set of features able to capture the discriminant properties of the events of interest; a high-level representation based on the bag-of-words approach is then exploited in order to detect both short and sustained events. The deployment architecture for using the system in real environments is discussed, together with an experimental analysis carried out on a data set made publicly available for benchmarking purposes. The obtained results confirm the effectiveness of the proposed approach.
The control-plane protocols in 3G/4G mobile networks communicate with each other, and provide a rich set of control functions, such as radio resource control, mobility support, and connectivity management, to name a few. Despite their significance, the problem of verifying protocol correctness remains largely unaddressed. In this paper, we examine control-plane protocol interactions in mobile networks. We propose CNetVerifier, a two-phase signaling diagnosis tool to detect problematic interactions in both design and practice. CNetVerifier first performs protocol screening based on 3GPP standards via domain-specific model checking, and then conducts phone-based empirical validation in operational 3G/4G networks. With CNetVerifier, we have uncovered seven types of troublesome interactions, along three dimensions of cross (protocol) layers, cross (circuit-switched and packet-switched) domains, and cross (3G and 4G) systems. Some are caused by necessary yet problematic cooperation (i.e., protocol interactions are needed but they misbehave), whereas others are due to independent yet unnecessarily coupled operations (i.e., protocol interactions are not required but are actually coupled). These instances span both design defects in 3GPP standards and operational slips by carriers and vendors. They all result in performance penalties or functional incorrectness. We deduce root causes, present empirical results, propose solutions, and summarize learned lessons.
Conference Paper
3G/4G cellular networks adopt usage-based charging. Mobile users are billed based on the traffic volume when accessing data service. In this work, we assess both this metered accounting architecture and application-specific charging policies by operators from the security perspective. We have identified loopholes in both, and discovered two effective attacks exploiting the loopholes. The "toll-free-data-access-attack" enables the attacker to access any data service for free. The "stealth-spam-attack" incurs any large traffic volume to the victim, while the victim may not even be aware of such spam traffic. Our experiments on two operational 3G networks have confirmed the feasibility and simplicity of such attacks. We also propose defense remedies.
In this paper, we report a newly discovered "off-path TCP sequence number inference" attack enabled by firewall middleboxes. It allows an off-path (i.e., not man-in-the-middle) attacker to hijack a TCP connection and inject malicious content, effectively granting the attacker write-only permission on the connection. For instance, with the help of unprivileged malware, we demonstrate that a successful attack can hijack an HTTP session and return a phishing Facebook login page issued by a browser. With the same mechanisms, it is also possible to inject malicious JavaScript to post tweets or follow other people on behalf of the victim. The TCP sequence number inference attack is mainly enabled by the sequence-number-checking firewall middleboxes. Through carefully designed and well-timed probing, the TCP sequence number state kept on the firewall middlebox can be leaked to an off-path attacker. We found such firewall middleboxes to be very popular in cellular networks -- at least 31.5% of the 149 measured networks deploy such firewalls. Finally, since the sequence-number-checking feature is enabled by design, it is unclear how to mitigate the problem easily.
The 802.11 standard for wireless networks includes a Wired Equivalent Privacy (WEP) protocol, used to protect link-layer communications from eavesdropping and other attacks. We have discovered several serious security flaws in the protocol, stemming from misapplication of cryptographic primitives. The flaws lead to a number of practical attacks that demonstrate that WEP fails to achieve its security goals. In this paper, we discuss in detail each of the flaws, the underlying security principle violations, and the ensuing attacks.
We introduce the key reinstallation attack. This attack abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key's associated parameters such as transmit nonces and receive replay counters. Several types of cryptographic Wi-Fi handshakes are affected by the attack. All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks, and is even proven secure. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value. Our key reinstallation attack also breaks the PeerKey, group key, and Fast BSS Transition (FT) handshake. The impact depends on the handshake being attacked, and the data-confidentiality protocol in use. Simplified, against AES-CCMP an adversary can replay and decrypt (but not forge) packets. This makes it possible to hijack TCP streams and inject malicious data into them. Against WPA-TKIP and GCMP the impact is catastrophic: packets can be replayed, decrypted, and forged. Because GCMP uses the same authentication key in both communication directions, it is especially affected. Finally, we confirmed our findings in practice, and found that every Wi-Fi device is vulnerable to some variant of our attacks. Notably, our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.
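The mechanism shared by the LTE abstract at the top of this page and the Wi-Fi abstract just above is the same: the keystream is a function of the key and a counter, so a procedure that resets the counter without refreshing the key makes two messages share a keystream. The following model is an added example, not code from either paper: the keystream generator is an HMAC-based stand-in for an LTE EEA algorithm keyed on (COUNT, BEARER, DIRECTION), the rekey derivation and the message contents are constructed assumptions, and `ReuseMonitor` is a defender-side check that flags a repeated (key, COUNT, BEARER, DIRECTION) state before encryption.

```python
import hashlib
import hmac
from dataclasses import dataclass


def keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """Simplified stand-in for an LTE EEA keystream generator (not the 3GPP algorithm).
    As in EEA, the keystream depends only on the key and the (COUNT, BEARER, DIRECTION)
    input, so repeating that input under the same key repeats the keystream."""
    out = b""
    block = 0
    while len(out) < length:
        inp = count.to_bytes(4, "big") + bytes([bearer, direction]) + block.to_bytes(4, "big")
        out += hmac.new(key, inp, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class SecurityContext:
    """One direction of a NAS/AS-style security context: a key plus its COUNT."""
    key: bytes
    bearer: int
    direction: int
    count: int = 0

    def encrypt(self, plaintext: bytes) -> bytes:
        ks = keystream(self.key, self.count, self.bearer, self.direction, len(plaintext))
        self.count += 1  # COUNT advances per message and must never be reset under this key
        return xor(plaintext, ks)

    def reset_counter_without_rekey(self) -> None:
        """The deficiency the LTE abstract describes: a procedure resets COUNT, keeps the key."""
        self.count = 0

    def reset_counter_with_rekey(self, nonce: bytes) -> None:
        """Remedy: accept a counter reset only together with a fresh key (derived here with
        HMAC from the old key and a nonce; an assumption for the example, not a 3GPP KDF)."""
        self.key = hmac.new(self.key, b"rekey" + nonce, hashlib.sha256).digest()
        self.count = 0


class ReuseMonitor:
    """Defender-side check: remember every (key, COUNT, BEARER, DIRECTION) state used for
    encryption and flag a repeat, which means a keystream is about to be reused."""

    def __init__(self) -> None:
        self.seen = set()

    def observe(self, key: bytes, count: int, bearer: int, direction: int) -> bool:
        state = (hashlib.sha256(key).digest(), count, bearer, direction)
        if state in self.seen:
            return True  # reuse detected; a real implementation would refuse to encrypt
        self.seen.add(state)
        return False


def run_scenario(rekey: bool):
    """Encrypt two constructed messages around a counter reset and report what leaks.
    Returns (xor of ciphertexts == xor of plaintexts, monitor flagged the reuse)."""
    key = hashlib.sha256(b"constructed KRRCenc for the example").digest()
    p1 = b"LOCATION UPDATE REQUEST, TAI=constructed-1"
    p2 = b"LOCATION UPDATE REQUEST, TAI=constructed-2"
    ctx = SecurityContext(key, bearer=1, direction=0)
    mon = ReuseMonitor()
    mon.observe(ctx.key, ctx.count, ctx.bearer, ctx.direction)
    c1 = ctx.encrypt(p1)
    if rekey:
        ctx.reset_counter_with_rekey(b"constructed-nonce")
    else:
        ctx.reset_counter_without_rekey()
    flagged = mon.observe(ctx.key, ctx.count, ctx.bearer, ctx.direction)
    c2 = ctx.encrypt(p2)
    # Same key and COUNT => same keystream, which cancels in c1 XOR c2 = p1 XOR p2
    return xor(c1, c2) == xor(p1, p2), flagged
```

`run_scenario(False)` shows the counter reset leaking the XOR of the two plaintexts with the monitor raising a flag, while `run_scenario(True)` shows that a reset tied to a rekey leaks nothing and triggers no alert.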
LTE is currently being proposed for use in a nationwide wireless broadband public safety network in the United States as well as for other critical applications where reliable communication is essential for safety. Unfortunately, like any wireless technology, disruption of these networks is possible through radio jamming. This article investigates the extent to which LTE is vulnerable to RF jamming, spoofing, and sniffing, and assesses different physical layer threats that could affect next-generation critical communication networks. In addition, we examine how sniffing the LTE broadcast messages can aid an adversary in an attack. The weakest links of LTE are identified and used to establish an overall threat assessment. Lastly, we provide a survey of LTE jamming and spoofing mitigation techniques that have been proposed in the open literature.
Conference Paper
In 3GPP LTE, the physical layer is divided into data and signaling, where the signaling (or control information) enables efficient data exchange/resource scheduling. The LTE uplink contains a physical channel known as the Physical Uplink Control Channel (PUCCH), which carries uplink control information such as message acknowledgements, scheduling requests, and channel status information from user equipment (UE) to LTE base stations (eNodeB). The PUCCH is located on the edges of the system bandwidth in a static location. The static allocation of the PUCCH presents a dilemma: an adversary can disrupt the uplink channel with minimal effort and only needs to know the PUCCH's spectrum allocation. In this paper we (i) take a closer look at the purpose and specification of the PUCCH, (ii) we propose various strategies to be used for the detection of interference specifically on the PUCCH, and (iii) we outline strategies for mitigating 'protocol-aware' interference on the PUCCH. Some of the mitigation strategies, such as control information duplication, can be implemented with minimal changes to LTE eNodeBs and UEs, while other countermeasures require augmentations to both eNodeB and UE hardware or software.
Conference Paper
Reactive jamming is considered the most powerful jamming attack as the attack efficiency is maximized while the risk of being detected is minimized. Currently, there are no effective anti-jamming solutions to secure OFDM wireless communications under reactive jamming attack. On the other hand, MIMO has emerged as a technology of great research interest in recent years mostly due to its capacity gain. In this paper, we explore the use of MIMO technology for jamming resilient OFDM communication, especially its capability to communicate against the powerful reactive jammer. We first investigate the jamming strategies and their impacts on the OFDM-MIMO receivers. We then present a MIMO-based anti-jamming scheme that exploits interference cancellation and transmit precoding capabilities of MIMO technology to turn a jammed non-connectivity scenario into an operational network. Our testbed evaluation shows the destructive power of reactive jamming attack, and also validates the efficacy and efficiency of our defense mechanisms.
Conference Paper
Both voice and data are indispensable services in current cellular networks. In this work, we study the interplay of voice and data in operational LTE networks. We assess how the popular CSFB-based voice service affects the IP-based data sessions in 4G LTE networks, and vice versa. Our findings reveal that the interference between them is mutual. On one hand, voice calls may incur throughput drop, lost 4G connectivity, and application aborts for data sessions. On the other hand, users may miss incoming voice calls when turning on data access. The fundamental problem is that signaling and control for circuit-switched voice and packet-switched data have a dependency and coupling effect via the LTE phone client. We further propose fixes to the identified issues.
Conference Paper
While keystream reuse in stream ciphers and one-time pads has been a well known problem for several decades, the risk to real systems has been underappreciated. Previous techniques have relied on being able to accurately guess words and phrases that appear in one of the plaintext messages, making it far easier to claim that "an attacker would never be able to do that." In this paper, we show how an adversary can automatically recover messages encrypted under the same keystream if only the type of each message is known (e.g. an HTML page in English). Our method, which is related to HMMs, recovers the most probable plaintext of this type by using a statistical language model and a dynamic programming algorithm. It produces up to 99% accuracy on realistic data and can process ciphertexts at 200ms per byte on a $2,000 PC. To further demonstrate the practical effectiveness of the method, we show that our tool can recover documents encrypted by Microsoft Word 2002 [22].
Conference Paper
We introduce TinySec, the first fully-implemented link layer security architecture for wireless sensor networks. In our design, we leverage recent lessons learned from design vulnerabilities in security protocols for other wireless networks such as 802.11b and GSM. Conventional security protocols tend to be conservative in their security guarantees, typically adding 16--32 bytes of overhead. With small memories, weak processors, limited energy, and 30 byte packets, sensor networks cannot afford this luxury. TinySec addresses these extreme resource constraints with careful design; we explore the tradeoffs among different cryptographic primitives and use the inherent sensor network limitations to our advantage when choosing parameters to find a sweet spot for security, packet overhead, and resource requirements. TinySec is portable to a variety of hardware and radio platforms. Our experimental results on a 36 node distributed sensor network application clearly demonstrate that software based link layer protocols are feasible and efficient, adding less than 10% energy, latency, and bandwidth overhead.
Conference Paper
A nonce is a cryptographic input value which must never repeat within a given context. Nonces are important for the security of many cryptographic building blocks, such as stream ciphers, block cipher modes of operation, and message authentication codes. Nonetheless, the correct generation of nonces is rarely discussed in the cryptographic literature. In this paper, we collect a number of nonce generators and describe their cryptographic properties. In particular, we derive upper bounds on the nonce collision probabilities of nonces that involve a random component, and lower bounds on the resulting nonce lengths. We also discuss an important practical vulnerability of nonce-based systems, namely the nonce reset problem. While ensuring that nonces never repeat is trivial in theory, practical systems can suffer from accidental or even malicious resets which can wipe out the nonce generators current state. After describing this problem, we compare the resistance of the nonce generators described to nonce resets by again giving formal bounds on collision probabilities and nonce lengths. The main purpose of this paper is to provide a help for system designers who have to choose a suitable nonce generator for their application. Thus, we conclude by giving recommendations indicating the most suitable nonce generators for certain applications.
In this paper, we present a practical key recovery attack on WEP, the link-layer security protocol for 802.11b wireless networks. The attack is based on a partial key exposure vulnerability in the RC4 stream cipher discovered by Fluhrer, Mantin, and Shamir. This paper describes how to apply this flaw to breaking WEP, our implementation of the attack, and optimizations that can be used to reduce the number of packets required for the attack. We conclude that the 802.11b WEP standard is completely insecure, and we provide recommendations on how this vulnerability could be mitigated and repaired.
Interference and jamming severely disrupt our ability to communicate by decreasing the effective signal-to-noise ratio and by making parameter estimation difficult at the receiver. The objective of this research work is to design robust wireless systems and algorithms to suppress the adverse effects of non-intentional co-channel interference (CCI) or intentional jamming. In particular, we develop chip-combining schemes with timing, channel, and noise-power estimation techniques, all of which mitigate CCI or jamming. We also exploit the spatial diversity and iterative receiver techniques for this purpose. Most of the existing timing estimation algorithms are robust against either large frequency offsets or CCI, but not against both at the same time. Hence, we develop a new frame boundary estimation method that is robust in the presence of severe co-channel interference and large carrier-frequency offsets. To solve the high peak-to-average-power ratio problem of a multicarrier code division multiple access (MC-CDMA) system and enhance its robustness against fading and jamming, we propose a constant-envelope MC-CDMA system employing cyclic delay diversity (CDD) as transmit diversity. We analyze the diversity order, coding gain, and bit-error rate upper bound. We also propose a blind, accurate, and computationally efficient signal-to-noise ratio estimator for the proposed system. We propose a configurable robust anti-jam receiver that estimates the frequency- or time-domain jammer state information (JSI) and uses it for chip combining in the corresponding domain. A soft-JSI-based chip-combining technique is proposed that outperforms conventional hard-JSI-based chip combining. We also derive a chip combiner that provides sufficient statistics to the decoder. Channel estimation is necessary for coherent signal detection and JSI estimation. Conversely, knowledge of the jamming signal power and JSI of different subcarriers can improve the accuracy of the channel estimates. 
Hence, we propose joint iterative estimation of the multiple-input multiple-output (MIMO) channel coefficients, jamming power, and JSI for a coded MC-CDMA MIMO system operating under jamming and a time-varying frequency-selective fading channel. Finally, we reduce the computational complexity of the JSI-based anti-jam receivers by introducing an expectation-maximization-based joint channel and noise-covariance estimator that does not need either the subcarrier JSI or the individual powers of the AWGN and jamming signal. Ph.D. Committee Chair: Gordon L. Stuber; Committee Member: Alfred D. Andrew; Committee Member: John A. Buck; Committee Member: Steven W. McLaughlin; Committee Member: Ye (Geoffrey) Li