Forcing a Targeted LTE Cellphone into an Eavesdropping Network


LTE is a more advanced mobile network but not absolutely secure.

In this presentation, we will introduce a method which jointly exploits the vulnerabilities in tracking area update procedure, attach procedure, and RRC redirection procedure in LTE networks resulting in the ability to force a targeted LTE cellphone to downgrade into a malicious GSM network where an attacker can subsequently eavesdrop its voice calls and GPRS data.

We used LTE software plus USRP to verify this attack. Some open source projects, such as OpenLTE and Open Air Interface, can be modified to realize this attack. In this presentation, we will:

1.) Introduce the vulnerabilities in LTE RRC and NAS signaling

2.) Discuss the tricks in EMM cause setting

3.) Demonstrate the attack to the audience by video

4.) Present some defense proposals.

This attack is not a simple DoS attack. We can select the targeted cellphone by filtering the IMSI number, so it will not influence the other cellphones and keep them still in the real network. We can force the cellphone into the malicious network and it has no chance to choose other secure network.

Location: Track 1 Date: May 26, 2016 Time: 5:30 pm - 6:30 pm Lin Huang