dc.description.abstract | Long-Term Evolution (LTE) is currently being deployed in vast areas of
the world and is the latest implemented standard in mobile communication.
The standard is considered to have significant improvements compared to
its predecessors; however, several weaknesses exists. One of the deficiencies
in LTE is that a big portion of the signaling messages is transmitted
without protection. International Mobile Subscriber Identity (IMSI)
Catchers and Paging Catchers exploit this weakness to perform several
attacks against privacy in LTE, which disrupts the communication service
and weakens the credibility of mobile operators.
An IMSI Catcher is essentially a device masquerading itself as com-
mercial Base Station (BS) used to track devices and break subscriber
privacy. In this thesis, IMSI Catchers in LTE networks are studied. An
LTE IMSI Catcher has been implemented using a Universal Software
Radio Peripheral (USRP) and the open source platform OpenAirInterface.
By the help of IMSI Catchers, an attack against subscriber privacy was
conducted. The attack efficiently acquires subscription identities (IMSIs)
within a limited area and then redirects subscribers back to the commer-
cial network. The attack has been carefully tested and successfully proven
feasible. It was found that the IMSI acquisition process is very efficient,
and several IMSIs were collected within a few seconds of operation.
Additionally, Paging Catchers are studied in this thesis. A Paging
Catcher is a tracking device used to perform attacks against subscriber
privacy passively; however, unlike the IMSI Catcher, the Paging Catcher
masquerades itself as a commercial User Equipment (UE). A Paging
Catcher has been implemented using a USRP and the open source plat-
form srsLTE. This thesis verifies that a Paging Catcher attack locates
LTE devices within a limited area and breaks subscriber privacy. The
attack illustrates that the Paging Catcher conveniently receives paging
messages broadcasted by nearby BSs. The paging messages contain Tem-
porary Mobile Subscriber Identities (TMSIs) which is mapped to social
identities. The attack has successfully been proven feasible; however, the
Paging Catcher is dependant of the smart paging feature to locate the
subscriber precisely. | |