ABSTRACT
Mobile network operators choose the Self Organizing Network (SON) concept as a cost-effective method to deploy LTE/4G networks and meet user expectations for high quality of service and bandwidth. The main objective of SON is to introduce automation into network management activities and reduce human intervention. SON-enabled LTE networks rely heavily on the information acquired from mobile phones to provide self-configuration, self-optimization, and self-healing features. However, mobile phones can be attacked over-the-air using rogue base stations. In this paper, we carefully study SON-related LTE/4G security specifications and reveal several vulnerabilities. Our key idea is to introduce a rogue eNodeB that uses legitimate mobile devices as a covert channel to launch attacks against SON-enabled LTE networks.
We demonstrate low-cost, practical, silent and persistent Denial of Service attacks against the network and end-users by injecting fake measurement and configuration information into the SON system. An active attacker can shut down network services in a 2 km² area of a city for a certain period of time and also block network services to a selective set of mobile phones in a targeted area of 200 m to 2 km in radius. With the help of low-cost tools, we design an experimental setup and evaluate these attacks on commercial networks. We present strategies to mitigate our attacks and outline possible reasons that may explain why these vulnerabilities exist in the system.
Index Terms
- On the Impact of Rogue Base Stations in 4G/LTE Self Organizing Networks