Abstract
In cellular networks, attacks on the communication link between a mobile device and the core network significantly impact privacy and availability. Up until now, fake base stations have been required to execute such attacks. Since they require a continuously high output power to attract victims, they are limited in range and can be easily detected both by operators and dedicated apps on users' smartphones.
This paper introduces AdaptOver, a MITM attack system designed for cellular networks, specifically for LTE and 5G-NSA. AdaptOver allows an adversary to decode, overshadow (replace) and inject arbitrary messages over the air in either direction between the network and the mobile device. Using overshadowing, AdaptOver can cause a persistent (≥ 12h) DoS or a privacy leak by triggering a UE to transmit its persistent identifier (IMSI) in plain text. These attacks can be launched against all users within a cell or specifically target a victim based on its phone number.
We implement AdaptOver using a software-defined radio and a low-cost amplification setup. We demonstrate the effects and practicality of the attacks on a live operational LTE and 5G-NSA network with a wide range of smartphones. Our experiments show that AdaptOver can launch an attack on a victim more than 3.8 km away from the attacker. Given its practicability and efficiency, AdaptOver shows that existing countermeasures that are focused on fake base stations are no longer sufficient, marking a paradigm shift for designing security mechanisms in cellular networks.