SlideShare uma empresa Scribd logo

LTE Redirection attacks: Zhang Shan

Darren Pauli
Darren Pauli

Presentation given at DEF CON 24 and Ruxcon 12.

Tecnologia
1 de 31
Baixar para ler offline
LTE REDIRECTION Forcing Targeted LTE Cellphone into Unsafe Network Wanqiao Zhang Unicorn Team – Communication security researcher Haoqi Shan Unicorn Team – Hardware/Wireless security researcher Qihoo 360 Technology Co. Ltd.
LTE and IMSI catcher myths • In Nov. 2015, BlackHat EU, Ravishankar Borgaonkar, and Altaf Shaik etc. introduced the LTE IMSI catcher and DoS attack.
IMSI Catcher Once a cellphone goes through the fake network coverage area, its IMSI will be reported to the fake network.
DoS Attack DoS message examples: ü You are an illegal cellphone! ü Here is NO network available. You could shut down your 4G/3G/2G modem.
Redirection Attack Malicious LTE: “Hello cellphone, come into my GSM network…”
Demo Fake LTE Network Fake GSM Network USRPs
Demo Video
Risk • If forced into fake network • The cellphone will have no service (DoS). • The fake GSM network can make malicious call and SMS. • If forced into rogue network • All the traffic (voice and data) can be eavesdropped. A femtocell controlled by attacker
LTE Basic Procedure • (Power on) • Cell search, MIB, SIB1, SIB2 and other SIBs • PRACH preamble • RACH response • RRC Connection Request • RRC Connection Setup • RRC Connection Setup Complete + NAS: Attach request + ESM: PDN connectivity request • RRC: DL info transfer + NAS: Authentication request • RRC: UL info transfer + NAS: Authentication response • RRC: DL info transfer + NAS: Security mode command • RRC: UL info transfer + NAS: Security mode completer • …… Unauthorized area Attack Space!
Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI!
Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone.
Procedure of Redirection Attack RRC Release message can bring the cell info which it can let cellphone re-direct to.
How to Build Fake LTE Network • Computer + USRP
How to Build Fake LTE Network • There are some popular open source LTE projects: • Open Air Interface by Eurecom • http://www.openairinterface.org/ • The most completed and open source LTE software • Support connecting cellphone to Internet • But have complicated software architecture • OpenLTE by Ben Wojtowicz • http://openlte.sourceforge.net/ • Haven’t achieved stable LTE data connection but functional enough for fake LTE network • Beautiful code architecture • More popular in security researchers OpenLTE
OpenLTE Source Code (1/3) In current OpenLTE release, the TAU request isn’t handled. But TAU reject msg packing function is available. So we could add some codes to handle TAU case and give appropriate TAU reject cause.
Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI!
OpenLTE Source Code (1/3) Set the mme procedure as TAU REQUET Call the TAU reject msg packing function Refer to Attach reject function
OpenLTE Souce Code (2/3) DoS attack can directly utilize the cause setting in Attach Reject message.
Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone.
OpenLTE Source Code (3/3) redirectCarrierInfo can be inserted into RRC Connection Release message.
OpenLTE Source Code (3/3)
Procedure of Redirection Attack RRC Release message can bring the cell info which it can let cellphone re-direct to.
Think from the other side Attacker Defender Why is RRC redirection message not encrypted?
Is This a New Problem? • "Security Vulnerabilities in the E-RRC Control Plane", 3GPP TSG-RAN WG2/RAN WG3/SA WG3 joint meeting, R3-060032, 9-13 January 2006 • This document introduced a ‘Forced handover’ attack: An attacker with the ability to generate RRC signaling—that is, any of the forms of compromise listed above—can initiate a reconfiguration procedure with the UE, directing it to a cell or network chosen by the attacker. This could function as a denial of service (if the target network cannot or will not offer the UE service) or to allow a chosen network to “capture” UEs. An attacker who already had full control of one system (perhaps due to weaker security on another RAT) could direct other systems’ UEs to “their” network as a prelude to more serious security attacks using the deeply compromised system. Used in this way, the ability to force a handover serves to expand any form of attack to UEs on otherwise secure systems, meaning that a single poorly secured network (in any RAT that interoperates with the E-UTRAN) becomes a point of vulnerability not only for itself but for all other networks in its coverage area.
3GPP’s Decision • “Reply LS on assumptions for security procedures”, 3GPP TSG SA WG3 meeting #45, S3-060833, 31st Oct - 3rd Nov 2006 (1) RRC Integrity and ciphering will be started only once during the attach procedure (i.e. after the AKA has been performed) and can not be de- activated later. (2) RRC Integrity and ciphering algorithm can only be changed in the case of the eNodeB handover.
Why 3GPP Made Such Decision • In special cases, e.g. earthquake, hot events • Too many people try to access one base station then make this base station overloaded. • To let network load balanced, this base station can ask the new coming cellphone to redirect to another base station. • If you don’t tell cellphones which base station is light-loaded, the cellphones will blindly and inefficiently search one by one, and then increase the whole network load. Overloaded Base station Overloaded Base station Overloaded Base station Light-loaded Base station
Network Availability vs.. Privacy • Global roaming • Battery energy saving • Load balance • IMSI Catcher • DoS Attack • Redirection Attack VS. Basic requirement High level requirement e.g. Wifi MAC addr tracking
Countermeasures (1/2) • Cellphone manufacture – smart response • Scheme 1: Don’t follow the redirection command, but auto-search other available base station. • Scheme 2: Follow the redirection command, but raise an alert to cellphone user: Warning! You are downgraded to low security network.
Countermeasures (2/2) • Standardization effort • Fix the weak security of legacy network: GSM • 3GPP TSG SA WG3 (Security) Meeting #83, S3-160702, 9-13 May 2016 Legacy Security Issues and Mitigation Proposals, Liaison Statement from GSMA. • Refuse one-way authentication • Disabling compromised encryption in mobile
Acknowledgements • Huawei • Peter Wesley (Security expert) • GUO Yi (3GPP RAN standardization expert) • CHEN Jing (3GPP SA3 standardization expert) • Qualcomm • GE Renwei (security expert) • Apple • Apple product security team
Thank you!

Recomendados

Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Cs fallback feature
Cs fallback featureCs fallback feature
Cs fallback featureAchmad Salsabil
 
Initial LTE call Setup Flow
Initial LTE call Setup FlowInitial LTE call Setup Flow
Initial LTE call Setup Flowassinha
 
WCDMA Based Events
WCDMA Based EventsWCDMA Based Events
WCDMA Based EventsM Ismail Raza
 
Volte Introduction
Volte IntroductionVolte Introduction
Volte IntroductionDobrin Dobrev
 
LTE KPI
LTE KPILTE KPI
LTE KPISitha Sok
 
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core NetworkHamidreza Bolhasani
 
Kpi 2g troubleshootin
Kpi 2g troubleshootinKpi 2g troubleshootin
Kpi 2g troubleshootinAbd Yehia
 

Recomendados

Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Cs fallback feature
Cs fallback featureCs fallback feature
Cs fallback featureAchmad Salsabil
 
Initial LTE call Setup Flow
Initial LTE call Setup FlowInitial LTE call Setup Flow
Initial LTE call Setup Flowassinha
 
WCDMA Based Events
WCDMA Based EventsWCDMA Based Events
WCDMA Based EventsM Ismail Raza
 
Volte Introduction
Volte IntroductionVolte Introduction
Volte IntroductionDobrin Dobrev
 
LTE KPI
LTE KPILTE KPI
LTE KPISitha Sok
 
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core NetworkHamidreza Bolhasani
 
Kpi 2g troubleshootin
Kpi 2g troubleshootinKpi 2g troubleshootin
Kpi 2g troubleshootinAbd Yehia
 
VoLTE KPI Performance Explained
VoLTE KPI Performance ExplainedVoLTE KPI Performance Explained
VoLTE KPI Performance ExplainedVikas Shokeen
 
UMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFBUMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFBJustin MA (馬嘉昌)
 
Ericsson SDCCH establishment Issue
Ericsson SDCCH establishment IssueEricsson SDCCH establishment Issue
Ericsson SDCCH establishment IssueHoussein Abou Chacra
 
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...Vikas Shokeen
 
Best practices-lte-call-flow-guide
Best practices-lte-call-flow-guideBest practices-lte-call-flow-guide
Best practices-lte-call-flow-guideMorg
 
Technical_Training_of_5G_Networking_Design.pptx
Technical_Training_of_5G_Networking_Design.pptxTechnical_Training_of_5G_Networking_Design.pptx
Technical_Training_of_5G_Networking_Design.pptxBijoy Banerjee
 
Wcdma bts-alarm-descriptions
Wcdma bts-alarm-descriptionsWcdma bts-alarm-descriptions
Wcdma bts-alarm-descriptionsMahmoud Abd Elrahman
 
Lte epc kp is and signalling (sf)
Lte epc kp is and signalling (sf)Lte epc kp is and signalling (sf)
Lte epc kp is and signalling (sf)Cesar Cardozo Barrios
 
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentationNokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentationmohammed khairy
 
Gsm architecture and call flow
Gsm architecture and call flowGsm architecture and call flow
Gsm architecture and call flowMohd Nazir Shakeel
 
Huawei case analysis call drop
Huawei case analysis call dropHuawei case analysis call drop
Huawei case analysis call dropMuffat Itoro
 
LTE Interference troubleshooting guide
LTE Interference troubleshooting guideLTE Interference troubleshooting guide
LTE Interference troubleshooting guideKlajdi Husi
 
gsm layer 3 messages
gsm layer 3 messages gsm layer 3 messages
gsm layer 3 messagesJorge Genes Forcadell
 
Mobile Originated Call Process in Simple Words
Mobile Originated Call Process in Simple WordsMobile Originated Call Process in Simple Words
Mobile Originated Call Process in Simple WordsAssim Mubder
 
3GPP SON Series: RACH Optimization
3GPP SON Series: RACH Optimization3GPP SON Series: RACH Optimization
3GPP SON Series: RACH Optimization3G4G
 
Interworking wcdma to lte
Interworking wcdma to lteInterworking wcdma to lte
Interworking wcdma to ltebahar
 
Interview question for 2g,3g,4g
Interview question for 2g,3g,4gInterview question for 2g,3g,4g
Interview question for 2g,3g,4gVijay Anand
 
Lte resource grid
Lte resource gridLte resource grid
Lte resource gridAchmad Salsabil
 
190937694 csfb-call-flows
190937694 csfb-call-flows190937694 csfb-call-flows
190937694 csfb-call-flowsamakRF
 
395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptx395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptxSudheeraIndrajith
 
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)son6971
 
S1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupS1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupPrashant Sengar
 

Mais conteúdo relacionado

Mais procurados

VoLTE KPI Performance Explained
VoLTE KPI Performance ExplainedVoLTE KPI Performance Explained
VoLTE KPI Performance ExplainedVikas Shokeen
 
Ericsson SDCCH establishment Issue
Ericsson SDCCH establishment IssueEricsson SDCCH establishment Issue
Ericsson SDCCH establishment IssueHoussein Abou Chacra
 
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...Vikas Shokeen
 
Best practices-lte-call-flow-guide
Best practices-lte-call-flow-guideBest practices-lte-call-flow-guide
Best practices-lte-call-flow-guideMorg
 
Technical_Training_of_5G_Networking_Design.pptx
Technical_Training_of_5G_Networking_Design.pptxTechnical_Training_of_5G_Networking_Design.pptx
Technical_Training_of_5G_Networking_Design.pptxBijoy Banerjee
 
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentationNokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentationmohammed khairy
 
Gsm architecture and call flow
Gsm architecture and call flowGsm architecture and call flow
Gsm architecture and call flowMohd Nazir Shakeel
 
Huawei case analysis call drop
Huawei case analysis call dropHuawei case analysis call drop
Huawei case analysis call dropMuffat Itoro
 
LTE Interference troubleshooting guide
LTE Interference troubleshooting guideLTE Interference troubleshooting guide
LTE Interference troubleshooting guideKlajdi Husi
 
Mobile Originated Call Process in Simple Words
Mobile Originated Call Process in Simple WordsMobile Originated Call Process in Simple Words
Mobile Originated Call Process in Simple WordsAssim Mubder
 
3GPP SON Series: RACH Optimization
3GPP SON Series: RACH Optimization3GPP SON Series: RACH Optimization
3GPP SON Series: RACH Optimization3G4G
 
Interworking wcdma to lte
Interworking wcdma to lteInterworking wcdma to lte
Interworking wcdma to ltebahar
 
Interview question for 2g,3g,4g
Interview question for 2g,3g,4gInterview question for 2g,3g,4g
Interview question for 2g,3g,4gVijay Anand
 
190937694 csfb-call-flows
190937694 csfb-call-flows190937694 csfb-call-flows
190937694 csfb-call-flowsamakRF
 
395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptx395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptxSudheeraIndrajith
 

Mais procurados (20)

VoLTE KPI Performance Explained
VoLTE KPI Performance ExplainedVoLTE KPI Performance Explained
VoLTE KPI Performance Explained
 
UMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFBUMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFB
 
Ericsson SDCCH establishment Issue
Ericsson SDCCH establishment IssueEricsson SDCCH establishment Issue
Ericsson SDCCH establishment Issue
 
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
 
Best practices-lte-call-flow-guide
Best practices-lte-call-flow-guideBest practices-lte-call-flow-guide
Best practices-lte-call-flow-guide
 
Technical_Training_of_5G_Networking_Design.pptx
Technical_Training_of_5G_Networking_Design.pptxTechnical_Training_of_5G_Networking_Design.pptx
Technical_Training_of_5G_Networking_Design.pptx
 
Wcdma bts-alarm-descriptions
Wcdma bts-alarm-descriptionsWcdma bts-alarm-descriptions
Wcdma bts-alarm-descriptions
 
Lte epc kp is and signalling (sf)
Lte epc kp is and signalling (sf)Lte epc kp is and signalling (sf)
Lte epc kp is and signalling (sf)
 
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentationNokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
 
Gsm architecture and call flow
Gsm architecture and call flowGsm architecture and call flow
Gsm architecture and call flow
 
Huawei case analysis call drop
Huawei case analysis call dropHuawei case analysis call drop
Huawei case analysis call drop
 
LTE Interference troubleshooting guide
LTE Interference troubleshooting guideLTE Interference troubleshooting guide
LTE Interference troubleshooting guide
 
gsm layer 3 messages
gsm layer 3 messages gsm layer 3 messages
gsm layer 3 messages
 
Mobile Originated Call Process in Simple Words
Mobile Originated Call Process in Simple WordsMobile Originated Call Process in Simple Words
Mobile Originated Call Process in Simple Words
 
3GPP SON Series: RACH Optimization
3GPP SON Series: RACH Optimization3GPP SON Series: RACH Optimization
3GPP SON Series: RACH Optimization
 
Interworking wcdma to lte
Interworking wcdma to lteInterworking wcdma to lte
Interworking wcdma to lte
 
Interview question for 2g,3g,4g
Interview question for 2g,3g,4gInterview question for 2g,3g,4g
Interview question for 2g,3g,4g
 
Lte resource grid
Lte resource gridLte resource grid
Lte resource grid
 
190937694 csfb-call-flows
190937694 csfb-call-flows190937694 csfb-call-flows
190937694 csfb-call-flows
 
395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptx395317358-LTE-Resource-Usage-Optimization.pptx
395317358-LTE-Resource-Usage-Optimization.pptx
 

Destaque

Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)son6971
 
S1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupS1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupPrashant Sengar
 
Quick attach summaryl
Quick attach summarylQuick attach summaryl
Quick attach summarylLarry Cragun
 
TRACK C: PDN (Power Delivery Network)/ Ronen Stilkol
TRACK C: PDN (Power Delivery Network)/ Ronen StilkolTRACK C: PDN (Power Delivery Network)/ Ronen Stilkol
TRACK C: PDN (Power Delivery Network)/ Ronen Stilkolchiportal
 
20121129 lte basic procedures (2)
20121129 lte basic procedures (2)20121129 lte basic procedures (2)
20121129 lte basic procedures (2)Debasish Sahoo
 
LTE EPC Technology Essentials
LTE EPC Technology EssentialsLTE EPC Technology Essentials
LTE EPC Technology EssentialsHussien Mahmoud
 
LTE Architecture and LTE Attach
LTE Architecture and LTE AttachLTE Architecture and LTE Attach
LTE Architecture and LTE Attachaliirfan04
 
Lte protocol-stack-mac-rlc-pdcp
Lte protocol-stack-mac-rlc-pdcpLte protocol-stack-mac-rlc-pdcp
Lte protocol-stack-mac-rlc-pdcpPrashant Sengar
 
Lte attach-messaging
Lte attach-messagingLte attach-messaging
Lte attach-messagingPraveen Kumar
 
AIRCOM LTE Webinar 1 - Network Architecture
AIRCOM LTE Webinar 1 - Network ArchitectureAIRCOM LTE Webinar 1 - Network Architecture
AIRCOM LTE Webinar 1 - Network ArchitectureAIRCOM International
 
Lte rrc-connection-setup-messaging
Lte rrc-connection-setup-messagingLte rrc-connection-setup-messaging
Lte rrc-connection-setup-messagingPrashant Sengar
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...Siddharth Rao
 
LTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc AspectsLTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc AspectsBP Tiwari
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure3G4G
 

Destaque (20)

Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1)
 
S1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupS1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setup
 
Quick attach summaryl
Quick attach summarylQuick attach summaryl
Quick attach summaryl
 
TRACK C: PDN (Power Delivery Network)/ Ronen Stilkol
TRACK C: PDN (Power Delivery Network)/ Ronen StilkolTRACK C: PDN (Power Delivery Network)/ Ronen Stilkol
TRACK C: PDN (Power Delivery Network)/ Ronen Stilkol
 
20121129 lte basic procedures (2)
20121129 lte basic procedures (2)20121129 lte basic procedures (2)
20121129 lte basic procedures (2)
 
LTE EPC Technology Essentials
LTE EPC Technology EssentialsLTE EPC Technology Essentials
LTE EPC Technology Essentials
 
EPS presentation
EPS presentationEPS presentation
EPS presentation
 
LTE Procedures
LTE ProceduresLTE Procedures
LTE Procedures
 
LTE Architecture and LTE Attach
LTE Architecture and LTE AttachLTE Architecture and LTE Attach
LTE Architecture and LTE Attach
 
3 gpp lte-rlc
3 gpp lte-rlc3 gpp lte-rlc
3 gpp lte-rlc
 
Lte protocol-stack-mac-rlc-pdcp
Lte protocol-stack-mac-rlc-pdcpLte protocol-stack-mac-rlc-pdcp
Lte protocol-stack-mac-rlc-pdcp
 
Lte attach-messaging
Lte attach-messagingLte attach-messaging
Lte attach-messaging
 
AIRCOM LTE Webinar 1 - Network Architecture
AIRCOM LTE Webinar 1 - Network ArchitectureAIRCOM LTE Webinar 1 - Network Architecture
AIRCOM LTE Webinar 1 - Network Architecture
 
Lte rrc-connection-setup-messaging
Lte rrc-connection-setup-messagingLte rrc-connection-setup-messaging
Lte rrc-connection-setup-messaging
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...
 
c1 & c2 values
c1 & c2 values c1 & c2 values
c1 & c2 values
 
LTE Key Technologies
LTE Key TechnologiesLTE Key Technologies
LTE Key Technologies
 
LTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc AspectsLTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc Aspects
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure
 
PDN Overview
PDN OverviewPDN Overview
PDN Overview
 

Semelhante a LTE Redirection attacks: Zhang Shan

4g security presentation
4g security presentation4g security presentation
4g security presentationKyle Ly
 
Mobile computing – module 6
Mobile computing – module 6 Mobile computing – module 6
Mobile computing – module 6 JIGNESH PATEL
 
Security threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g networkSecurity threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g networkmmubashirkhan
 
Lte in ten_minutes
Lte in ten_minutesLte in ten_minutes
Lte in ten_minutesAnkur Raj
 
Posting 1 Reply Required What concerns should be underst.docx
Posting 1 Reply Required What concerns should be underst.docxPosting 1 Reply Required What concerns should be underst.docx
Posting 1 Reply Required What concerns should be underst.docxharrisonhoward80223
 
Lte and future frauds
Lte and future fraudsLte and future frauds
Lte and future fraudsRanjeet Kumar
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)Mumbai Academisc
 
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networks
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networksBlack hole Attack Avoidance Protocol for wireless Ad-Hoc networks
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networksijsrd.com
 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...EC-Council
 
Computer network notes with company specific questions
Computer network notes with company specific questionsComputer network notes with company specific questions
Computer network notes with company specific questionsTaleManju
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.RAVI RAJ
 
Securing Internet of Things
Securing Internet of ThingsSecuring Internet of Things
Securing Internet of ThingsRishabh Sharma
 
CNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular networkCNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular networkSam Bowne
 
Threats to Mobile Computing
Threats to Mobile ComputingThreats to Mobile Computing
Threats to Mobile Computingmadhurbyheart
 
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015Mark Niehus, RCDD
 
Introduction to networking by vikas jagtap
Introduction to networking by vikas jagtap Introduction to networking by vikas jagtap
Introduction to networking by vikas jagtapVikas Jagtap
 

Semelhante a LTE Redirection attacks: Zhang Shan (20)

The mfn 3
The mfn 3The mfn 3
The mfn 3
 
4g security presentation
4g security presentation4g security presentation
4g security presentation
 
Mobile computing – module 6
Mobile computing – module 6 Mobile computing – module 6
Mobile computing – module 6
 
Security threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g networkSecurity threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g network
 
Lte in ten_minutes
Lte in ten_minutesLte in ten_minutes
Lte in ten_minutes
 
Lte in ten_minutes
Lte in ten_minutesLte in ten_minutes
Lte in ten_minutes
 
Posting 1 Reply Required What concerns should be underst.docx
Posting 1 Reply Required What concerns should be underst.docxPosting 1 Reply Required What concerns should be underst.docx
Posting 1 Reply Required What concerns should be underst.docx
 
Lte and future frauds
Lte and future fraudsLte and future frauds
Lte and future frauds
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)
 
128-ch2.pptx
128-ch2.pptx128-ch2.pptx
128-ch2.pptx
 
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networks
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networksBlack hole Attack Avoidance Protocol for wireless Ad-Hoc networks
Black hole Attack Avoidance Protocol for wireless Ad-Hoc networks
 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...
 
Computer network notes with company specific questions
Computer network notes with company specific questionsComputer network notes with company specific questions
Computer network notes with company specific questions
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.
 
Securing Internet of Things
Securing Internet of ThingsSecuring Internet of Things
Securing Internet of Things
 
N0363079085
N0363079085N0363079085
N0363079085
 
CNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular networkCNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular network
 
Threats to Mobile Computing
Threats to Mobile ComputingThreats to Mobile Computing
Threats to Mobile Computing
 
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015
LookingAroundCorners-DAS Simplified-final- BICSI Sept 2015
 
Introduction to networking by vikas jagtap
Introduction to networking by vikas jagtap Introduction to networking by vikas jagtap
Introduction to networking by vikas jagtap
 

Último

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Último (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

LTE Redirection attacks: Zhang Shan

  • 1. LTE REDIRECTION Forcing Targeted LTE Cellphone into Unsafe Network Wanqiao Zhang Unicorn Team – Communication security researcher Haoqi Shan Unicorn Team – Hardware/Wireless security researcher Qihoo 360 Technology Co. Ltd.
  • 2. LTE and IMSI catcher myths • In Nov. 2015, BlackHat EU, Ravishankar Borgaonkar, and Altaf Shaik etc. introduced the LTE IMSI catcher and DoS attack.
  • 3. IMSI Catcher Once a cellphone goes through the fake network coverage area, its IMSI will be reported to the fake network.
  • 4. DoS Attack DoS message examples: ü You are an illegal cellphone! ü Here is NO network available. You could shut down your 4G/3G/2G modem.
  • 5. Redirection Attack Malicious LTE: “Hello cellphone, come into my GSM network…”
  • 6. Demo Fake LTE Network Fake GSM Network USRPs
  • 8. Risk • If forced into fake network • The cellphone will have no service (DoS). • The fake GSM network can make malicious call and SMS. • If forced into rogue network • All the traffic (voice and data) can be eavesdropped. A femtocell controlled by attacker
  • 9. LTE Basic Procedure • (Power on) • Cell search, MIB, SIB1, SIB2 and other SIBs • PRACH preamble • RACH response • RRC Connection Request • RRC Connection Setup • RRC Connection Setup Complete + NAS: Attach request + ESM: PDN connectivity request • RRC: DL info transfer + NAS: Authentication request • RRC: UL info transfer + NAS: Authentication response • RRC: DL info transfer + NAS: Security mode command • RRC: UL info transfer + NAS: Security mode completer • …… Unauthorized area Attack Space!
  • 10. Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI!
  • 11. Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone.
  • 12. Procedure of Redirection Attack RRC Release message can bring the cell info which it can let cellphone re-direct to.
  • 13. How to Build Fake LTE Network • Computer + USRP
  • 14. How to Build Fake LTE Network • There are some popular open source LTE projects: • Open Air Interface by Eurecom • http://www.openairinterface.org/ • The most completed and open source LTE software • Support connecting cellphone to Internet • But have complicated software architecture • OpenLTE by Ben Wojtowicz • http://openlte.sourceforge.net/ • Haven’t achieved stable LTE data connection but functional enough for fake LTE network • Beautiful code architecture • More popular in security researchers OpenLTE
  • 15. OpenLTE Source Code (1/3) In current OpenLTE release, the TAU request isn’t handled. But TAU reject msg packing function is available. So we could add some codes to handle TAU case and give appropriate TAU reject cause.
  • 16. Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI!
  • 17. OpenLTE Source Code (1/3) Set the mme procedure as TAU REQUET Call the TAU reject msg packing function Refer to Attach reject function
  • 18. OpenLTE Souce Code (2/3) DoS attack can directly utilize the cause setting in Attach Reject message.
  • 19. Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone.
  • 20. OpenLTE Source Code (3/3) redirectCarrierInfo can be inserted into RRC Connection Release message.
  • 22. Procedure of Redirection Attack RRC Release message can bring the cell info which it can let cellphone re-direct to.
  • 23. Think from the other side Attacker Defender Why is RRC redirection message not encrypted?
  • 24. Is This a New Problem? • "Security Vulnerabilities in the E-RRC Control Plane", 3GPP TSG-RAN WG2/RAN WG3/SA WG3 joint meeting, R3-060032, 9-13 January 2006 • This document introduced a ‘Forced handover’ attack: An attacker with the ability to generate RRC signaling—that is, any of the forms of compromise listed above—can initiate a reconfiguration procedure with the UE, directing it to a cell or network chosen by the attacker. This could function as a denial of service (if the target network cannot or will not offer the UE service) or to allow a chosen network to “capture” UEs. An attacker who already had full control of one system (perhaps due to weaker security on another RAT) could direct other systems’ UEs to “their” network as a prelude to more serious security attacks using the deeply compromised system. Used in this way, the ability to force a handover serves to expand any form of attack to UEs on otherwise secure systems, meaning that a single poorly secured network (in any RAT that interoperates with the E-UTRAN) becomes a point of vulnerability not only for itself but for all other networks in its coverage area.
  • 25. 3GPP’s Decision • “Reply LS on assumptions for security procedures”, 3GPP TSG SA WG3 meeting #45, S3-060833, 31st Oct - 3rd Nov 2006 (1) RRC Integrity and ciphering will be started only once during the attach procedure (i.e. after the AKA has been performed) and can not be de- activated later. (2) RRC Integrity and ciphering algorithm can only be changed in the case of the eNodeB handover.
  • 26. Why 3GPP Made Such Decision • In special cases, e.g. earthquake, hot events • Too many people try to access one base station then make this base station overloaded. • To let network load balanced, this base station can ask the new coming cellphone to redirect to another base station. • If you don’t tell cellphones which base station is light-loaded, the cellphones will blindly and inefficiently search one by one, and then increase the whole network load. Overloaded Base station Overloaded Base station Overloaded Base station Light-loaded Base station
  • 27. Network Availability vs.. Privacy • Global roaming • Battery energy saving • Load balance • IMSI Catcher • DoS Attack • Redirection Attack VS. Basic requirement High level requirement e.g. Wifi MAC addr tracking
  • 28. Countermeasures (1/2) • Cellphone manufacture – smart response • Scheme 1: Don’t follow the redirection command, but auto-search other available base station. • Scheme 2: Follow the redirection command, but raise an alert to cellphone user: Warning! You are downgraded to low security network.
  • 29. Countermeasures (2/2) • Standardization effort • Fix the weak security of legacy network: GSM • 3GPP TSG SA WG3 (Security) Meeting #83, S3-160702, 9-13 May 2016 Legacy Security Issues and Mitigation Proposals, Liaison Statement from GSMA. • Refuse one-way authentication • Disabling compromised encryption in mobile
  • 30. Acknowledgements • Huawei • Peter Wesley (Security expert) • GUO Yi (3GPP RAN standardization expert) • CHEN Jing (3GPP SA3 standardization expert) • Qualcomm • GE Renwei (security expert) • Apple • Apple product security team