Volume 2020 (2020): Issue 1 (January 2020)
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
Copyright
© 2020 Sciendo

Protecting the 4G and 5G Cellular Paging Protocols against Security and Privacy Attacks

Published Online: 07 Jan 2020
Page range: 126 - 142
Received: 31 May 2019
Accepted: 16 Sep 2019

This paper focuses on protecting the cellular paging protocol — which balances a device's quality-of-service against its battery consumption — against security and privacy attacks. Attacks against this protocol can have severe repercussions, for instance, allowing an attacker to infer a victim’s location, leak a victim’s IMSI, and inject fabricated emergency alerts. To secure the protocol, we first identify the underlying design weaknesses enabling such attacks and then propose efficient and backward-compatible approaches to address these weaknesses. We also demonstrate the deployment feasibility of our enhanced paging protocol by implementing it on an open-source cellular protocol library and commodity hardware. Our evaluation demonstrates that the enhanced protocol can thwart attacks without incurring substantial overhead.

Keywords
