LTE security, protocol exploits and location tracking experimentation with low-cost software radio

TL;DR

This paper investigates LTE network vulnerabilities through real-world radio link analysis, demonstrating exploits, rogue base stations, and a novel device tracking technique, highlighting security concerns in LTE deployments.

Contribution

It provides new insights into LTE protocol exploits, rogue base station implementation, and introduces a previously unknown device tracking method based on real radio capture analysis.

Findings

LTE networks are vulnerable to protocol exploits and rogue base stations.

Implementation of LTE rogue base stations and IMSI catchers can disrupt devices.

A novel technique for tracking device movement across cells is proposed.

Abstract

The Long Term Evolution (LTE) is the latest mobile standard being implemented globally to provide connectivity and access to advanced services for personal mobile devices. Moreover, LTE networks are considered to be one of the main pillars for the deployment of Machine to Machine (M2M) communication systems and the spread of the Internet of Things (IoT). As an enabler for advanced communications services with a subscription count in the billions, security is of capital importance in LTE. Although legacy GSM (Global System for Mobile Communications) networks are known for being insecure and vulnerable to rogue base stations, LTE is assumed to guarantee confidentiality and strong authentication. However, LTE networks are vulnerable to security threats that tamper availability, privacy and authentication. This manuscript, which summarizes and expands the results presented by the author at ShmooCon 2016 \cite{jover2016lte}, investigates the insecurity rationale behind LTE protocol exploits and LTE rogue base stations based on the analysis of real LTE radio link captures from the production network. Implementation results are discussed from the actual deployment of LTE rogue base stations, IMSI catchers and exploits that can potentially block a mobile device. A previously unknown technique to potentially track the location of mobile devices as they move from cell to cell is also discussed, with mitigations being proposed.