The security flaws of legacy GSM networks, which lack of mutual authentication and implement an outdated encryption algorithm, are well understood among the technology community. Moreover, until now, the main cellular vulnerabilities being discovered and exploited in the mobile security research field were based on 2G base stations and GSM open source implementations. The Long Term Evolution (LTE) is the newest standard being deployed globally for mobile communications, and is generally considered secure. LTE’s mutual authentication and strong encryption schemes result in the false assumption that LTE networks are not vulnerable to, for example, rogue base stations, IMSI catchers and protocol exploits. However, these threats are also possible in LTE. Before the authentication and encryption steps of an LTE connection are executed, a mobile device engages in a substantial exchange of unprotected messages with *any* LTE base station (real or rogue) that advertises itself with the right broadcast information. Eavesdropping or spoofing these messages can be leveraged to implement a long list of exploits to which all LTE mobile devices are vulnerable. This talk will demonstrate how to eavesdrop LTE base station broadcast messages, and how to implement full-LTE IMSI catchers and other LTE protocol exploits, such as blocking SIMs and devices. Details will be provided as well on a previously unknown technique to track the location of mobile devices as the connection moves from tower to tower. We will discuss as well the necessary toolset to implement these and other exploits, which are possible with simply $1.5k worth of off-the-shelf hardware and some modifications of the code of widely available LTE open source implementations.
28. DEVICE AND SIM TEMPORARY LOCK
● Attach reject and TAU (Tracking Area Update) reject messages not encrypted/integrity-
protected
● Spoofing this messages one can trick a device to
─ Believe it is not allowed to connect to the network (blocked)
─ Believe it is supposed to downgrade to or only allowed to connect to GSM
● Attack set-up
─ USRP + openLTE LTE_fdd_eNodeB (slightly modified)
─ Devices attempt to attach (Attach Request, TAU request, etc)
─ Always reply to Request with Reject message
─ Experiment with “EMM Reject causes” defined by 3GPP
Real eNodeB
Rogue eNodeB
REQUEST
REJECT
These are not the droids you are looking for… And you are not
allowed to connect anymore to this network.
These are not the droids we are looking
for. I am not allowed to connect to my
provider anymore, I won’t try again.
30. SOFT DOWNGRADE TO GSM
● Use similar techniques to “instruct” the phone to downgrade to GSM
─ Only GSM services allowed OR LTE and 3G not allowed
─ Tested with my phone and 2 LTE USB dongles
● Once at GSM, the phone to connects to your rogue base station
─ Bruteforce the encryption
─ Listen to phone calls, read text messages
─ Man in the Middle
─ A long list of other bad things…
(Much more dangerous)
rogue GSM base station
Rogue eNodeB
REQUEST
REJECT
You will remove these restraints and leave this cell with the
door open… and use only GSM from now on.
I will remove these restraints and
leave this cell with the door open…
and use only GSM from now on…
and I’ll drop my weapon.