Location Disclosure in LTE Networks by using IMSI Catcher

Abstract

Long-Term Evolution (LTE) is currently being deployed in vast areas of the world and is the latest implemented standard in mobile communication. The standard is considered to have significant improvements compared to its predecessors; however, several weaknesses exists. One of the deficiencies in LTE is that a big portion of the signaling messages is transmitted without protection. International Mobile Subscriber Identity (IMSI) Catchers and Paging Catchers exploit this weakness to perform several attacks against privacy in LTE, which disrupts the communication service and weakens the credibility of mobile operators.

An IMSI Catcher is essentially a device masquerading itself as com- mercial Base Station (BS) used to track devices and break subscriber privacy. In this thesis, IMSI Catchers in LTE networks are studied. An LTE IMSI Catcher has been implemented using a Universal Software Radio Peripheral (USRP) and the open source platform OpenAirInterface. By the help of IMSI Catchers, an attack against subscriber privacy was conducted. The attack efficiently acquires subscription identities (IMSIs) within a limited area and then redirects subscribers back to the commer- cial network. The attack has been carefully tested and successfully proven feasible. It was found that the IMSI acquisition process is very efficient, and several IMSIs were collected within a few seconds of operation.

Additionally, Paging Catchers are studied in this thesis. A Paging Catcher is a tracking device used to perform attacks against subscriber privacy passively; however, unlike the IMSI Catcher, the Paging Catcher masquerades itself as a commercial User Equipment (UE). A Paging Catcher has been implemented using a USRP and the open source plat- form srsLTE. This thesis verifies that a Paging Catcher attack locates LTE devices within a limited area and breaks subscriber privacy. The attack illustrates that the Paging Catcher conveniently receives paging messages broadcasted by nearby BSs. The paging messages contain Tem- porary Mobile Subscriber Identities (TMSIs) which is mapped to social identities. The attack has successfully been proven feasible; however, the Paging Catcher is dependant of the smart paging feature to locate the subscriber precisely.