Location Disclosure in LTE Networks by using IMSI Catcher
Abstract
Long-Term Evolution (LTE) is currently being deployed in vast areas ofthe world and is the latest implemented standard in mobile communication.The standard is considered to have significant improvements compared toits predecessors; however, several weaknesses exists. One of the deficienciesin LTE is that a big portion of the signaling messages is transmittedwithout protection. International Mobile Subscriber Identity (IMSI)Catchers and Paging Catchers exploit this weakness to perform severalattacks against privacy in LTE, which disrupts the communication serviceand weakens the credibility of mobile operators.
An IMSI Catcher is essentially a device masquerading itself as com-mercial Base Station (BS) used to track devices and break subscriberprivacy. In this thesis, IMSI Catchers in LTE networks are studied. AnLTE IMSI Catcher has been implemented using a Universal SoftwareRadio Peripheral (USRP) and the open source platform OpenAirInterface.By the help of IMSI Catchers, an attack against subscriber privacy wasconducted. The attack efficiently acquires subscription identities (IMSIs)within a limited area and then redirects subscribers back to the commer-cial network. The attack has been carefully tested and successfully provenfeasible. It was found that the IMSI acquisition process is very efficient,and several IMSIs were collected within a few seconds of operation.
Additionally, Paging Catchers are studied in this thesis. A PagingCatcher is a tracking device used to perform attacks against subscriberprivacy passively; however, unlike the IMSI Catcher, the Paging Catchermasquerades itself as a commercial User Equipment (UE). A PagingCatcher has been implemented using a USRP and the open source plat-form srsLTE. This thesis verifies that a Paging Catcher attack locatesLTE devices within a limited area and breaks subscriber privacy. Theattack illustrates that the Paging Catcher conveniently receives pagingmessages broadcasted by nearby BSs. The paging messages contain Tem-porary Mobile Subscriber Identities (TMSIs) which is mapped to socialidentities. The attack has successfully been proven feasible; however, thePaging Catcher is dependant of the smart paging feature to locate thesubscriber precisely.