LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE
- Nicholas McDowell
- 5 years ago
Transcription
1 LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE
Syed Rafiul Hussain*, Omar Chowdhury, Shagufta Mehnaz*, Elisa Bertino*
Purdue University*, University of Iowa
2 Critical Infrastructure using Cellular Network
3 Security and Privacy Threats on Cellular Network
- IMSI = International Mobile Subscriber Identity
[Figure labels: IMSI; No Service (shown four times)]
4 Limitations of Existing Attack Finding Strategies for Cellular Networks
- No systematic approach
- No adversary, just analyze the performance and reliability
- Is it possible to build a systematic framework for adversarially analyzing the cellular network specification in order to find security and privacy related problems?
5 Scope
- Attach, SMS, Detach, VoLTE, Paging, Handover
- Man-in-the-Middle Attacker
- Spurious billing
- Life threatening risks
6 Outline: Challenges, Preliminaries, LTEInspector, Findings & Attack Validation, Responsible Disclosure and Impact, Future Work, Conclusion
7 Challenges
- Stateful procedures and multiple participants
- 4G LTE lacks formal specification
  - Written in natural language
- Closed system
  - Proprietary
- Legal barrier
  - Licensed spectrum
9 Background: LTE Architecture
[Figure: UE, eNodeBs, and the Evolved Packet Core (EPC) with MME, HSS, PCRF, SGW and PGW, and the Internet]
10 Background (Attach)
Participants: UE, eNodeB, Core Network
- Connection Setup
- Identification: Attach Request (IMSI/IMEI, UE's Security Capabilities)
- Authentication: Challenge (LTE: Authentication Request); Response (LTE: Authentication Response)
- Security algorithm negotiation: Select Security Algorithm (LTE: Security Mode Command); Confirm Security Algorithm (LTE: Security Mode Complete)
- TMSI Exchange: Network accepts the attach and allocates temporary identity (LTE: Attach Accept); Confirm Attach and new temporary identity (LTE: Attach Complete)
11 Background (Paging & Detach)
[Figure: message sequence between UE, eNodeB and MME. Paging: paging_request; then detach_request, detach_accept]
13 Adversary Model
- Dolev-Yao model
  - Eavesdrop
  - Drop or modify
  - Inject
  - Adheres to cryptographic assumptions
- Why Dolev-Yao model?
  - Powerful adversary
  - Automatic tools (ProVerif, Tamarin) can leverage
14 Insight
- Property characteristics
  - Temporal ordering of events
  - Cryptographic constructs
  - Linear integer arithmetic and other predicates
- Intuition:
  - Model checker: temporal trace property & linear integer arithmetic
  - Cryptographic protocol verifier: cryptographic constructs
- How can we leverage reasoning power of these two?
15 LTEInspector
[Figure: LTEInspector architecture. Labels: UE state machine, Core network state machine, Adversarial model, Threat instrumented abstract LTE ecosystem model, Desired properties from standard, Model checker, Counterexample, Crypto. protocol verifier, Domain knowledge, Attacks, Testbed]
16 Abstract LTE Model
- Specification
  - Model for NAS layer (UE-MME) interactions
  - Propositional logic level
  - Model message types only, not message data
  - Abstract away cryptographic constructs
  - Two unidirectional channels
[Figure: UE and MME state machines derived from the standard. UE states: UE disconnected, UE waits for auth_request, UE authenticates MME. MME states: MME disconnected, MME waits for auth_response, MME authenticates UE. Transitions are labelled with attach_request, auth_request, auth_response, auth_failure, auth_reject, detach_request, mobile_restart and security_mode_command, with guards over mac_failure, UE_sqn, xsqn, range, MME_sqn and xres_matches_sres]
17 Adversarial Model Instrumentor
[Figure: Dolev-Yao attacker placed on the channels between UE and MME. Messages shown: attach_request, auth_response, sec_mode_command, attach_complete; auth_request, sec_mode_command, attach_accept, paging_request]
- adversary_turn
- m_UE = attach_request
- m_adv = no_operation (drop)
- m_adv = detach_request (inject)
18 Model Checker
- Temporal trace properties
  - Liveness: something good eventually happens
  - Safety: nothing bad happens
- NuSMV
- φ1: It is always the case that whenever UE is in the wait for auth request, it will eventually authenticate MME.
[Figure: UE state machine (as on slide 16) and a message sequence between the victim UE and the MME: attach_request, authentication_reject; labels: UE disconnected, Emergency calls only]
19 Cryptographic Protocol Verifier
- Injective-correspondence (authentication)
  - Every authentication_reject message received by UE must be sent by the core network
- ProVerif
  - Secrecy
  - Authenticity
  - Observational equivalence
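
An added example, not taken from the slides or from the LTEInspector code: a small explicit-state search over a constructed abstract UE/MME model with a drop/inject adversary, checking the correspondence property on slide 19 (non-injective form) and returning the shortest counterexample trace. The state names, the one-slot channels and the `forgeable` parameter (a stand-in for the cryptographic verifier's answer about which message types the adversary can produce) are assumptions of this example.

```python
from collections import deque

# Constructed abstract model: message types only, no message data or crypto.
# State = (ue, mme, to_ue, to_mme, mme_sent_reject). Each unidirectional
# channel holds at most one message. "ue_rejected" is this example's name for
# a UE that has accepted an auth_reject.
INITIAL = ("ue_disconnected", "mme_disconnected", None, None, False)


def successors(state, forgeable):
    """Yield (label, next_state) for every UE, MME and adversary move."""
    ue, mme, to_ue, to_mme, sent_reject = state

    # UE turn
    if ue == "ue_disconnected" and to_mme is None:
        yield ("UE sends attach_request",
               ("ue_waits_for_auth_request", mme, to_ue, "attach_request", sent_reject))
    if ue == "ue_waits_for_auth_request" and to_ue == "auth_request" and to_mme is None:
        yield ("UE receives auth_request, sends auth_response",
               ("ue_authenticates_mme", mme, None, "auth_response", sent_reject))
    if ue in ("ue_waits_for_auth_request", "ue_authenticates_mme") and to_ue == "auth_reject":
        yield ("UE receives auth_reject",
               ("ue_rejected", mme, None, to_mme, sent_reject))

    # MME turn
    if mme == "mme_disconnected" and to_mme == "attach_request" and to_ue is None:
        yield ("MME receives attach_request, sends auth_request",
               (ue, "mme_waits_for_auth_response", "auth_request", None, sent_reject))
    if mme == "mme_waits_for_auth_response" and to_mme == "auth_response":
        yield ("MME accepts auth_response",
               (ue, "mme_authenticates_ue", to_ue, None, sent_reject))
        if to_ue is None:  # nondeterministic branch: the response check fails
            yield ("MME rejects auth_response, sends auth_reject",
                   (ue, "mme_disconnected", "auth_reject", None, True))

    # Adversary turn: drop what is in flight, or inject/overwrite towards the UE
    if to_ue is not None:
        yield (f"ADV drops {to_ue}", (ue, mme, None, to_mme, sent_reject))
    if to_mme is not None:
        yield (f"ADV drops {to_mme}", (ue, mme, to_ue, None, sent_reject))
    for msg in sorted(forgeable):
        if msg != to_ue:
            yield (f"ADV injects {msg}", (ue, mme, msg, to_mme, sent_reject))


def violates(state):
    """Correspondence: a UE that accepted auth_reject implies the MME sent one."""
    ue, _, _, _, sent_reject = state
    return ue == "ue_rejected" and not sent_reject


def find_counterexample(forgeable):
    """Breadth-first search; returns the shortest violating trace, or None."""
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        state = queue.popleft()
        for label, nxt in successors(state, forgeable):
            if nxt in parent:
                continue
            parent[nxt] = (state, label)
            if violates(nxt):
                trace = []
                while parent[nxt] is not None:
                    nxt, label = parent[nxt]
                    trace.append(label)
                return trace[::-1]
            queue.append(nxt)
    return None  # property holds on every reachable state


if __name__ == "__main__":
    for forgeable in (set(), {"auth_request"}, {"auth_reject"}):
        print(sorted(forgeable), "->", find_counterexample(forgeable))
```

The search reports a trace only when the adversary is assumed able to produce the message in question, which is the question the slides hand to the cryptographic protocol verifier before a counterexample is treated as an attack.
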
20 Testbed Validation
- Malicious eNodeB setup (USRP, OpenLTE, srsLTE)
- Malicious UE setup (USRP, srsUE)
- COTS smartphones
- SIM cards of four major US carriers
- Custom-built core network
  - USRP, OpenLTE, srsLTE, and USIM
22 Findings
- Uncovered 10 new attacks
Attack | Procedures | Responsible | Notable Impacts
Auth Sync. Failure | Attach | 3GPP | DoS
Traceability | Attach | carriers | Coarse-grained location tracking
Numb using auth_reject | Attach | 3GPP, smartphones | DoS
Authentication relay | Attach | 3GPP | Location spoofing
Paging Channel Hijacking | Paging | 3GPP | DoS
Stealthy Kicking-off | Paging | 3GPP | DoS, coarse-grained location tracking
Panic | Paging | 3GPP | Artificial chaos for terrorist activity
Energy Depletion | Paging | 3GPP | Battery depletion/DoS
Linkability | Paging | 3GPP | Coarse-grained location tracking
Targeted/Non-targeted Detach | Detach | 3GPP | DoS
- Identified 9 prior attacks: IMSI-catching, DoS, Linkability, MitM in 3G and 2G, etc.
23 Authentication Synchronization Failure Attack
- Assumption:
  - Victim UE's IMSI
  - Malicious UE setup
[Figure: message sequence between malicious UE, victim UE and core network. The malicious UE sends attach_request (IMSI) repeatedly; SQN_UE = x and SQN_CN = x at the start, and SQN_CN is incremented (SQN_CN++) for each request]
- UE and CN sequence numbers get desynchronized
24 Panic Attack
- paging (ETWS)
25 Attack Chaining (Authentication Relay or Mafia Attack)
[Figure: message sequence relayed between Indiana and California: Attach_request, Authentication_request, Authentication_response; labels: Connected, NID]
27 Responsible Disclosure and Impacts
- Mobile network operators
- Resolved the issue of using EEA0 (no encryption)
- Other issues are in progress
29 Future Work
[Figure: NAS and RRC layers across UE, eNodeB and MME]
PCCH-Message ::= SEQUENCE
+-message ::= CHOICE [c1]
  +-c1 ::= CHOICE [paging]
    +-paging ::= SEQUENCE [0110]
      +-pagingrecordlist ::= SEQUENCE OF OPTIONAL:Omit
      +-systeminfomodification ::= ENUMERATED [true] OPTIONAL:Exist
      +-etws-indication ::= ENUMERATED [true] OPTIONAL:Exist
      +-noncriticalextension ::= SEQUENCE OPTIONAL:Omit
31 Conclusion
- Proposed a systematic approach for analyzing the specification
- Uncovered 10 new attacks and 9 prior attacks
- Validated most of the attacks in a testbed
32 Questions
34 Cryptographic Protocol Verifier
- Injective-correspondence (authentication)
  - Every authentication_reject message received by UE must be sent by the core network
- ProVerif
  - Secrecy
  - Authenticity
  - Observational equivalence (hyper-properties)
- Why not ProVerif only?
  - Rich temporal trace properties
  - Constraints on linear integer arithmetic
35 Traceability attack
- Assumption:
  - Victim UE's IMSI
  - Malicious UE setup
  - security_mode_command
[Figure: message sequence with attach_request, security_mode_command (MAC, nonce), attach_complete, repeated security_mode_command, security_mode_reject, security_mode_complete]
36 Numb Attack
- Assumption: malicious eNodeB setup
  - Learn from SystemInformationBlock messages
[Figure labels: Connected, NID, tracking_area_update_request, authentication_reject, Emergency calls only]
37 Background (Attach)
Participants: UE, eNodeB, MME
- Connection Setup
- Identification: Attach Request (IMSI/IMEI, UE's Security Capabilities)
- Authentication: Challenge (LTE: Authentication Request); Response (LTE: Authentication Response)
- Security algorithm negotiation: Select Security Algorithm (LTE: Security Mode Command); Confirm Security Algorithm (LTE: Security Mode Complete)
- TMSI Exchange: Network accepts the attach and allocates temporary identity (LTE: Attach Accept); Confirm Attach and new temporary identity (LTE: Attach Complete)
More informationLoad Balance MME in Pool
Load Balance MME in Pool Document ID: 119021 Contributed by Saurabh Gupta and Krishna Kishore DV, Cisco TAC Engineers. Jun 19, 2015 Contents Introduction S10 Interface and Configuration S10 Interface Description
More informationS-GW Event Reporting
This chapter describes the record content and trigger mechanisms for S-GW event reporting. When enabled the S-GW writes a record of session events and sends the resulting event files to an external file
More informationState Space Analysis to Refactor the Mobile Core
State Space Analysis to Refactor the Mobile Core Heikki Lindholm, Lirim Osmani, Hannu Flinck, Sasu Tarkoma, Ashwin Rao University of Helsinki, Nokia Networks ABSTRACT A state space analysis of the variables
More informationClosed Subscriber Groups
Feature Description, page 1 How It Works, page 1 Configuring, page 6 Monitoring and Troubleshooting, page 7 Feature Description The MME provides support for (CSG). This enables the MME to provide access
More informationNetwork Security: Cellular Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2013
Network Security: Cellular Security Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2013 Outline Cellular networks GSM security architecture and protocols Counters UMTS AKA and session
More informationMultiservice Switching Forum Contribution
Multiservice Switching Forum Contribution Contribution Number: msf2010.095.01 Last Saved: 03/26/2013 16:03 A3/P3 Working Group: Interoperability and Test Title: Test Plan for LTE/EPC Interoperability Event
More informationSecurity Advances and Challenges in 4G Wireless Networks
2010 Eighth Annual International Conference on Privacy, Security and Trust Security Advances and Challenges in 4G Wireless Networks N. Seddigh, B. Nandy, R. Makkar J.F. Beaumont Solana Networks Defence
More information5G Non Standalone for SAEGW
This chapter describes the 5G Non Standalone (NSA) feature in the following sections: Feature Summary and Revision History, on page 1 Feature Description, on page 2 How It Works, on page 3 Configuring
More informationUNIK4230: Mobile Communications Spring Semester, Per Hj. Lehne
UNIK4230: Mobile Communications Spring Semester, 2015 Per Hj. Lehne per-hjalmar.lehne@telenor.com 916 94 909 Network Architecture and Functionality 5 February 2015 Contents Network Architecture Protocol
More informationHSS and PCRF Based P-CSCF Restoration Support
This feature enables support for HSS-based and PCRF-based P-CSCF restoration that helps to minimize the time a UE is unreachable for terminating calls after a P-CSCF failure. Feature Description, page
More informationGuess Who s Texting You?
TelcoSecDay @ Troopers 3/20/12 Heidelberg, Germany Guess Who s Texting You? Evaluating the Security of Smartphone Messaging Applications Sebastian Schrittwieser SBA Research, Vienna, Austria Source: path.com
More informationOpenAirInterface (OAI): A flexible open-source 4G/5G SDR Platform. Giovanni Rigazzi Andrea Tassi
OpenAirInterface (OAI): A flexible open-source 4G/5G SDR Platform Giovanni Rigazzi Andrea Tassi Summary Introduction Popular SDR platforms OAI Software and Hardware platforms 5G experimentations Next steps
More informationSession 5 The e v e o v l o ve v d P a P c a k c e k t e t Co C r o e r (EP E C P ) C : T he a l a l-ip based
Session 5 The evolved Packet Core (EPC): The all-ip based Core Network of LTE ITU ASP COE Training on Technology, Standardization and Deployment of Long Term Evolution (IMT) Sami TABBANE 9-11 December
More informationHigh-Touch Delivery Learning Services
Data Sheet High-Touch Delivery Learning Services Implementing Cisco Service Provider Mobility LTE Networks The Implementing Cisco LTE Packet Core Networks (SPLTE) Version 1.0 is an instructor-led course
More information