Investigation of LTE Privacy Attacks by Exploiting the Paging Mechanism

Abstract

In mobile communication in general, and LTE in particular, security should be a main focus, also because of the vulnerabilities introduced by the radio link. Compared to GSM and UMTS, the LTE security has been improved. However, the paging procedure is still not protected in LTE. The unprotected paging unfortunately opens possibility for hackers to gather sensitive information or track the user s location. This thesis studies attacks that are feasible because of the weaknesses of the paging procedure.

A theoretical study of published papers about the attacks making use of the paging procedure is conducted in this thesis. In addition, several published papers proposing countermeasures against the attacks are also studied.

In this thesis, a paging message catcher is set up and catches paging messages from the commercial LTE. A paging message catcher is basically a passive message sniffer. It listens to the paging channel of the LTE air interface, and collects paging messages. The collected paging messages are decoded and analyzed.

By analyzing the collected paging messages, it is confirmed that both Telia s and Telenor s LTE have enabled a non-standardized smart paging feature. The smart paging feature is introduced by most LTE vendors to improve the network resource efficiency. The feature essentially enables the network to page a user within one or few latest observed active cells instead of a whole tracking area. It has a side effect though in terms of location tracking by listening to the paging, as a paged user can be located within a much smaller geographical area.

In this thesis, it is verified how often Telia s LTE updates the temporary identity of a UE and what events trigger the updates. Telia is selected because of subscription availability. In LTE, a temporary identity is used to achieve user identity confidentiality. The temporary identity is supposed to get updated often enough to avoid traceability over time.

A paging response feeder is attempted as well in this thesis with the goal of verifying the feasibility and potential consequence for the victim. In contrast to the paging message catcher which is passive, a paging response feeder is an active attacking device. It acts as a UE and tries to feed in paging response impersonating a victim.