May 2024 · 26 Reads · 3 Citations
November 2019 · 606 Reads · 36 Citations
IMSI catchers threaten the privacy of mobile phone users by identifying and tracking them. Commercial IMSI catcher products exploit vulnerabilities in cellular network security standards to lure nearby mobile devices. The technical capabilities and operational details of commercial IMSI catchers are still kept secret and are unclearly presented, because researchers lack access to these products. On the other hand, there are several solutions to detect such IMSI catchers to protect the privacy of mobile subscribers. However, detecting IMSI catchers effectively on commercial smartphones is still a challenge. In this paper, we present a systematic study of IMSI catchers, especially commercially available ones. Starting from publicly available product brochures, we analyze information from the international patent databases, the attacking techniques they use, and the vulnerabilities they exploit in cellular networks (2G, 3G, and 4G). We then survey IMSI catcher detection techniques and their limitations. Finally, we provide insights that we believe help guide the development of more effective and efficient IMSI catcher detection techniques.
July 2019 · 1,469 Reads · 108 Citations
Proceedings on Privacy Enhancing Technologies
Mobile communications are used by more than two-thirds of the world population, who expect security and privacy guarantees. The 3rd Generation Partnership Project (3GPP), responsible for the worldwide standardization of mobile communication, has designed and mandated the use of the AKA protocol to protect the subscribers' mobile services. Even though privacy was a requirement, numerous subscriber location attacks have been demonstrated against AKA, some of which have been fixed or mitigated in the enhanced AKA protocol designed for 5G. In this paper, we reveal a new privacy attack against all variants of the AKA protocol, including 5G AKA, that breaches subscriber privacy more severely than known location privacy attacks do. Our attack exploits a new logical vulnerability we uncovered that would require dedicated fixes. We demonstrate the practical feasibility of our attack using low-cost and widely available setups. Finally, we conduct a security analysis of the vulnerability and discuss countermeasures to remedy our attack.
May 2019 · 1,330 Reads · 113 Citations
Cellular devices support various technical features and services for 2G, 3G, 4G and upcoming 5G networks. For example, these technical features include physical layer throughput categories, radio protocol information, security algorithms, carrier aggregation bands and types of services such as GSM-R, Voice over LTE, etc. In the cellular security standardisation context, these technical features and network services are termed device capabilities and are exchanged with the network during the device registration phase. In this paper, we study the device capabilities information specified for 4G and 5G devices and its role in establishing a security association between the device and the network. Our research results reveal that device capabilities are exchanged with the network before the authentication stage without any protection and are not verified by the network. Consequently, we present three novel classes of attacks exploiting unprotected device capabilities information in 4G and upcoming 5G networks: identification attacks, bidding down attacks, and battery drain attacks against cellular devices. We implement proof-of-concept attacks using a low-cost hardware and software setup to evaluate their impact against commercially available 4G devices and networks. We reported the identified vulnerabilities to the relevant standardisation bodies and provide countermeasures to mitigate device capabilities attacks in 4G and upcoming 5G networks.
June 2018 · 529 Reads · 42 Citations
Mobile network operators choose the Self Organizing Network (SON) concept as a cost-effective method to deploy LTE/4G networks and meet user expectations for high quality of service and bandwidth. The main objective of SON is to introduce automation into network management activities and reduce human intervention. SON-enabled LTE networks heavily rely on the information acquired from mobile phones to provide self-configuration, self-optimization, and self-healing features. However, mobile phones can be attacked over the air using rogue base stations. In this paper, we carefully study SON-related LTE/4G security specifications and reveal several vulnerabilities. Our key idea is to introduce a rogue eNodeB that uses legitimate mobile devices as a covert channel to launch attacks against SON-enabled LTE networks. We demonstrate low-cost, practical, silent and persistent Denial of Service attacks against the network and end-users by injecting fake measurement and configuration information into the SON system. An active attacker can shut down network services in a 2 km² area of a city for a certain period of time and also block network services to a selective set of mobile phones in a targeted area of 200 m to 2 km in radius. With the help of low-cost tools, we design an experimental setup and evaluate these attacks on commercial networks. We present strategies to mitigate our attacks and outline possible reasons that may explain why these vulnerabilities exist in the system.
October 2016 · 188 Reads · 17 Citations
With their high penetration rate and relatively good clock accuracy, smartphones are replacing watches in several market segments. Modern smartphones have more than one clock source to complement each other: NITZ (Network Identity and Time Zone), NTP (Network Time Protocol), and GNSS (Global Navigation Satellite System), including GPS. NITZ information is delivered by the cellular core network, indicating the network name and clock information. NTP provides a facility to synchronize the clock with a time server. Among these clock sources, only NITZ and NTP are updated without user interaction, as location services require manual activation. In this paper, we analyze security aspects of these clock sources and their impact on the security features of modern smartphones. In particular, we investigate NITZ and NTP procedures over cellular networks (2G, 3G and 4G) and Wi-Fi communication, respectively. Furthermore, we analyze several European, Asian, and American cellular networks from the NITZ perspective. We identify three classes of vulnerabilities: specification issues in a cellular protocol, configuration issues in cellular network deployments, and implementation issues in different mobile OSes. We demonstrate how an attacker with a low-cost setup can spoof NITZ and NTP messages to cause Denial of Service attacks. Finally, we propose methods for securely synchronizing the clock on smartphones.
January 2016 · 1,744 Reads · 245 Citations
October 2015 · 1,384 Reads · 129 Citations
Mobile communication systems now constitute an essential part of life throughout the world. Fourth generation "Long Term Evolution" (LTE) mobile communication networks are being deployed. The LTE suite of specifications is considered to be significantly better than its predecessors not only in terms of functionality but also with respect to security and privacy for subscribers. We carefully analyzed LTE access network protocol specifications and uncovered several vulnerabilities. Using commercial LTE mobile devices in real LTE networks, we demonstrate inexpensive and practical attacks exploiting these vulnerabilities. Our first class of attacks consists of three different ways of making an LTE device leak its location: a semi-passive attacker can locate an LTE device within a 2 sq.km area within a city, whereas an active attacker can precisely locate an LTE device using GPS co-ordinates or trilateration via cell-tower signal strength information. Our second class of attacks can persistently deny some or all services to a target LTE device. To the best of our knowledge, our work constitutes the first publicly reported practical attacks against LTE access network protocols. We present several countermeasures to resist our specific attacks. We also discuss possible trade-offs that may explain why these vulnerabilities exist and recommend that safety margins introduced into future specifications to address such trade-offs should incorporate greater agility to accommodate subsequent changes in the trade-off equilibrium.
... After the vulnerability was responsibly disclosed to the GSM Association in CVD-2021-0045, Soosahabi and Bayoumi published a framework for the identification and mitigation of the SPARROW covert channel [19]. As part of a comprehensive security analysis of the A1 interface in a 5G Open RAN system, Thimmaraju et al. [20] evaluated the feasibility of covert channels with O-RAN's management components, the so-called RAN Intelligent Controllers (RICs). The authors described a timing channel that encodes information by setting and removing a preshared policy as well as a storage channel that utilizes a preshared key value within a policy to transmit the hidden information. ...
May 2024
... These credentials include the Subscriber Permanent Identifier (SUPI), which is the unique identifier assigned to each UE for identification. In previous mobile network generations, such as LTE (where it is known as IMSI), IMSI catchers posed a significant threat by allowing the tracking of individuals since the identifier was transmitted in plain text [53,54]. To mitigate this risk in 5G, SUPI encryption was implemented, but only as an optional control. ...
November 2019
... 5.1.1 of [7] describes some important security characteristics that should be met by cellular networks. In fact, as previous works [28,38,54,55] considered them, the following properties are necessary for the protection of the user identity confidentiality: ...
July 2019
Proceedings on Privacy Enhancing Technologies
... Recent studies highlight 5G vulnerabilities that underscore the need for robust cybersecurity measures and testing [7], [8]. Open-source projects like Open5GS [9], Free5GC [10], and OAI [11] have been crucial in assessing new deployment structures, services, and protocols within 5G networks. ...
May 2019
... Bluetooth pairing is explained in [4][5][6], whereas LoRa's spread factor affects power usage & bit rate [7] and is a static configuration compared to LTE. Sigfox [8] has a unique security model that is resistant to MitM attacks, except when utilizing the mobile network as the backbone link. IMSI can be exposed in LTE networks, while IMEI is kept private. ...
June 2018
... Our fingerprinting methods stay the same, permitting us to associate fingerprints with IMSI and follow LTE clients. LTE service threats: accessibility and benefit downsizing attacks, demonstrated in [12], with vulnerable networks to malicious base station attacks. Hackers can contaminate internal data, causing call disruptions and service downgrade. ...
January 2016
... Existing research efforts that specialize in black-box testing of wireless communication protocol implementations can be categorized into the following high-level categories: (A) Manual analysis or fixed test case-based approaches [10,45,57,58]; (B) Reverse engineering-based approaches [23,25,37,41,51,62]; (C) State machine learning-based approaches [16,22,31,35,46]. Approaches in categories (A) and (B) are either unscalable due to manual effort or ineffective in identifying intricate bugs in complex and stateful protocols that require long execution packet traces to be exercised. ...
October 2016
... In contrast to BTS resource depletion, the blind DoS attack pinpoints a UE by establishing an RRC connection using its S-TMSI in LTE or 5G networks [9], [10]. The S-TMSI can be harvested via silent paging attacks [48] or packet sniffing. Based on 3GPP TS 38.331 [20], the BS will delete the victim's RRC security context and release the connection, thus triggering a DoS scenario. ...
October 2015