Investigation of LTE Privacy Attacks by Exploiting the Paging Mechanism
Abstract
In mobile communication in general, and LTE in particular, security should be a main focus, not least because of the vulnerabilities introduced by the radio link. Compared to GSM and UMTS, LTE security has been improved. However, the paging procedure is still not protected in LTE. Unprotected paging unfortunately opens the possibility for hackers to gather sensitive information or track the user's location. This thesis studies attacks that are feasible because of the weaknesses of the paging procedure.
A theoretical study of published papers about the attacks making use of the paging procedure is conducted in this thesis. In addition, several published papers proposing countermeasures against the attacks are also studied.
In this thesis, a paging message catcher is set up and used to catch paging messages from commercial LTE networks. A paging message catcher is basically a passive message sniffer. It listens to the paging channel of the LTE air interface and collects paging messages. The collected paging messages are decoded and analyzed.
By analyzing the collected paging messages, it is confirmed that both Telia's and Telenor's LTE networks have enabled a non-standardized smart paging feature. The smart paging feature is introduced by most LTE vendors to improve network resource efficiency. The feature essentially enables the network to page a user within one or a few of the latest observed active cells instead of a whole tracking area. It has a side effect, though, in terms of location tracking by listening to the paging, as a paged user can be located within a much smaller geographical area.
In this thesis, it is verified how often Telia's LTE updates the temporary identity of a UE and what events trigger the updates. Telia is selected because of subscription availability. In LTE, a temporary identity is used to achieve user identity confidentiality. The temporary identity is supposed to get updated often enough to avoid traceability over time.
A paging response feeder is attempted as well in this thesis, with the goal of verifying the feasibility and potential consequences for the victim. In contrast to the paging message catcher, which is passive, a paging response feeder is an active attacking device. It acts as a UE and tries to feed in a paging response impersonating a victim.