Experimental Analysis of Subscribers' Privacy Exposure by LTE Paging

TL;DR

This paper experimentally demonstrates that LTE paging messages can be captured and decoded with minimal skills, exposing subscriber identities and locations, and proposes a method to assess privacy risks across different operators.

Contribution

It introduces a general experimental method to evaluate LTE paging privacy exposure and provides a case study on three operators, highlighting vulnerabilities.

Findings

Paging messages can be captured and decoded easily.

Subscriber identities and locations can be exposed.

Privacy vulnerabilities vary among operators.

Abstract

Over the last years, considerable attention has been given to the privacy of individuals in wireless environments. Although significantly improved over the previous generations of mobile networks, LTE still exposes vulnerabilities that attackers can exploit. This might be the case of paging messages, wake-up notifications that target specific subscribers, and that are broadcasted in clear over the radio interface. If they are not properly implemented, paging messages can expose the identity of subscribers and furthermore provide information about their location. It is therefore important that mobile network operators comply with the recommendations and implement the appropriate mechanisms to mitigate attacks. In this paper, we verify by experiment that paging messages can be captured and decoded by using minimal technical skills and publicly available tools. Moreover, we present a general experimental method to test privacy exposure by LTE paging messages, and we conduct a case study on three different LTE mobile operators.