LTE Security, Protocol Exploits and Location Tracking Experimentation with Low-cost Software Radio

Harut Barsamian Colloquia (Engineering Hall 2430)
Roger Piqueras Jover

Wireless Security Research Scientist

Abstract: The security flaws of legacy GSM networks, which lack mutual authentication and rely on an outdated encryption algorithm, are well understood in the technology community. Moreover, until now, the main cellular vulnerabilities discovered and exploited in the mobile security research field were based on 2G base stations and open source GSM implementations. Long Term Evolution (LTE) is the newest standard being deployed globally for mobile communications, and it is generally considered secure. LTE's mutual authentication and strong encryption schemes lead to the false assumption that LTE networks are not vulnerable to, for example, rogue base stations, IMSI catchers and protocol exploits. However, these threats are also possible in LTE.

Before the authentication and encryption steps of an LTE connection are executed, a mobile device engages in a substantial exchange of unprotected messages with *any* LTE base station (real or rogue) that advertises itself with the right broadcast information. Eavesdropping on or spoofing these messages can be leveraged to implement a long list of exploits to which all LTE mobile devices are vulnerable. This talk will demonstrate how to eavesdrop on LTE base station broadcast messages, and how to implement full-LTE IMSI catchers and other LTE protocol exploits, such as blocking SIMs and devices. Details will also be provided on a previously unknown technique to track the location of mobile devices as the connection moves from tower to tower. We will also discuss the toolset needed to implement these and other exploits, which are possible with just $1.5k worth of off-the-shelf hardware and some modifications to the code of widely available open source LTE implementations.

Bio: Roger Piqueras Jover is a wireless security research scientist at the CTO Security Architecture team of Bloomberg LP, where he leads projects on mobile/wireless security. He is also actively involved in hardware and network security, big data analysis and anomaly detection.

Before joining Bloomberg, he spent five years at the AT&T Security Research Center leading projects on LTE mobile network security. Jover holds a Dipl.-Ing. in telecommunications engineering from the Universitat Politecnica de Catalunya (UPC Barcelona), a master's in electrical and computer engineering from UC Irvine and a master's/MPhil (EBD) in electrical engineering from Columbia University. His research interests are in the areas of mobile and wireless communications, resource allocation, new network architectures and technologies for 5G, and security for wireless networks. In his spare time, he actively works on identifying, implementing on software radio, and proposing solutions to PHY-layer threats, rogue base stations and protocol exploits against LTE cellular networks.