research-article

On the Impact of Rogue Base Stations in 4G/LTE Self Organizing Networks

Authors:
Altaf Shaik

Technische Universität Berlin

Technische Universität Berlin
View Profile

,
Ravishankar Borgaonkar

University of Oxford and SINTEF Digital

University of Oxford and SINTEF Digital
View Profile

,
Shinjo Park

Technische Universität Berlin

Technische Universität Berlin
View Profile

,
Jean-Pierre Seifert

Technische Universität Berlin

Technische Universität Berlin
View Profile

WiSec '18: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile NetworksJune 2018Pages 75–86https://doi.org/10.1145/3212480.3212497

Published:18 June 2018Publication History

WiSec '18: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks

Pages 75–86

ABSTRACT

Mobile network operators choose Self Organizing Network (SON) concept as a cost-effective method to deploy LTE/4G networks and meet user expectations for high quality of service and bandwidth. The main objective of SON is to introduce automation into network management activities and reduce human intervention. SON enabled LTE networks heavily rely on the information acquired from mobile phones to provide self-configuration, self-optimization, and self-healing features. However, mobile phones can be attacked over-the-air using rogue base stations. In this paper, we carefully study SON related LTE/4G security specifications and reveal several vulnerabilities. Our key idea is to introduce a rogue eNodeB that uses legitimate mobile devices as a covert channel to launch attacks against SON enabled LTE networks.

We demonstrate low-cost, practical, silent and persistent Denial of Service attacks against the network and end-users by injecting fake measurement and configuration information into the SON system. An active attacker can shut down network services in 2 km2 area of a city for a certain period of time and also block network services to a selective set of mobile phones in a targeted area of 200 m to 2 km in radius. With the help of low cost tools, we design an experimental setup and evaluate these attacks on commercial networks. We present strategies to mitigate our attacks and outline possible reasons that may explain why these vulnerabilities exist in the system.

References

3GPP. 2009. Telecommunication management; Self-Organizing Networks (SON); Concepts and requirements. TS 32.500. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/32500.htmGoogle Scholar
3GPP. 2011. Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Architecture description. TS 36.401. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/36401.htmGoogle Scholar
3GPP. 2011. Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Self-configuring and self-optimizing network (SON) use cases and solutions. TR 36.902. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/36902.htmGoogle Scholar
3GPP. 2012. Evolved Universal Terrestrial Radio Access (E-UTRA); User Equipment (UE) procedures in idle mode. TS 36.304. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/36304.htmGoogle Scholar
3GPP. 2013. Evolved Universal Terrestrial Radio Access (E-UTRA) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Overall description; Stage 2. TS 36.300. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/36300.htmGoogle Scholar
3GPP. 2013. Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol specification. TS 36.331. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/36331.htmGoogle Scholar
3GPP. 2017. Technical Specification Group Services and System Aspects; Study on the security aspects of the next generation system (Release 14). TR 33.899. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/33899.htmGoogle Scholar
4G Americas. 2013. Self-Optimizing networks in 3GPP Release 11: The benefits of SON in LTE, Whitepaper. (Oct. 2013).Google Scholar
Airhop communications. {n. d.}. Powering 4G networks. http://www.airhopcomm.com. ({n. d.}).Google Scholar
O. G. Aliu, A. Imran, M. A. Imran, and B.Evans. 2013. A Survey of Self Organisation in Future Cellular Networks. IEEE Communications Surveys Tutorials 15, 1 (2013), 336--361.Google ScholarCross Ref
Mehdi Amirijoo, Pal Frenger, Fredrik Gunnarsson, Johan Moe, and Kristina Zetterberg. 2009. On self-optimization of the random access procedure in 3G long term evolution. In 2009 IFIP/IEEE International Symposium on Integrated Network Management-Workshops. IEEE, New York, NY, USA, 177--184.Google ScholarCross Ref
AVIAT. {n. d.}. Wireless products for small cell applications. https://startupgenome.co/aviat-networks. ({n. d.}).Google Scholar
Cellwize. {n. d.}. Driving value through SON. http://www.cellwize.com. ({n. d.}).Google Scholar
Cerwall, Patrik. 2017. Ericsson Mobility Report. (June 2017).Google Scholar
Joseph Demarest. 2014. Taking down botnets: Public and private efforts to disrupt and dismantle cybercriminal networks. Statement before the Subcommittee on Crime and Terrorism, United States Senate (2014).Google Scholar
Gamry Instruments. {n. d.}. The Faraday Cage: What is it? How does it work? ({n. d.}). http://www.gamry.com/application-notes/instrumentation/faraday-cage/Google Scholar
Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Douglas J. Leith. 2016. srsLTE: An Open-Source Platform for LTE Evolution and Experimentation. CoRR abs/1602.04629 (2016). arXiv:1602.04629 http://arxiv.org/abs/1602.04629Google Scholar
Mordechai Guri, Yisroel Mirsky, and Yuval Elovici. 2017. 9-1-1 DDoS: Attacks, Analysis and Mitigation. In 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, IEEE, New York, NY, USA, 218--232.Google ScholarCross Ref
Huang, Lin. 2016. Forcing a Targeted LTE Cellphone into an Eavesdropping Network. In Hack In The Box.Google Scholar
Huawei Technologies. 2011. LTE eRAN3.0 Handover Fault Diagnosis. https://www.scribd.com/document/138513253/Huawei-LTE-Handover-events. (2011).Google Scholar
Huawei Technologies. 2012. eWBB2.0 DBS3900 LTE TDD Product Description. http://www.huawei.com/ilink/enenterprise/download/HW_205528. (2012).Google Scholar
Huawei Technologies. 2015. eRAN ANR Management Feature Parameter Description. https://www.scribd.com/document/319018225/Huawei-ANR-Management-ERAN7-0-04. (2015).Google Scholar
Huawei Technologies. 2016. eRAN TDD MRO Feature Parameter Description. http://www.honorcup.ru/upload/iblock/164/7.pdf. (2016).Google Scholar
Klas Johansson. 2007. Cost Effective Deployment Strategies for Heterogenous Wireless Networks. Ph.D. dissertation, KTH, Stockholm.Google Scholar
R. P. Jover. 2013. Security attacks against the availability of LTE mobility networks: Overview and research directions. In 16th International Symposium on Wireless Personal Multimedia Communications (WPMC). IEEE, New York, NY, USA, 1--9.Google Scholar
M. Labib, V. Marojevic, and J. H. Reed. 2015. Analyzing and enhancing the resilience of LTE/LTE-A systems to RF spoofing. (Oct 2015), 315--320.Google Scholar
Marc Lichtman, Roger Piqueras Jover, Mina Labib, Raghunandan Rao, Vuk Marojevic, and Jeffrey H. Reed. 2016. LTE/LTE-A jamming, spoofing, and sniffing: threat assessment and mitigation. IEEE Communications Magazine 54, 4 (April 2016), 54--61. Google ScholarDigital Library
Lime Microsystems. 2016. LimeSDR. https://www.crowdsupply.com/lime-micro/limesdr. (2016).Google Scholar
Magdalena Nohrborg. {n. d.}. Self-Organizing Networks. http://www.3gpp.org/technologies/keywords-acronyms/105-son. ({n. d.}).Google Scholar
Qualcomm. 2016. Self managing and enabling seamless roaming. https://www.qualcomm.com/videos/qualcomm-wi-fi-son. (2016).Google Scholar
Qualcomm Research. 2014. Small Cells and UltraSON https://www.qualcomm.com/media/documents/files/small-cells-and-ultrason-presentation.pdf. (2014).Google Scholar
Qualcomm Research. 2015. LTE Small Cell SON Test Cases; Functionality and Interworking. https://www.qualcomm.com/media/documents/files/lte-small-cell-son-test-cases.pdf. (2015).Google Scholar
Raghunandan M Rao, Sean Ha, Vuk Marojevic, and Jeffrey Reed. 2017. LTE PHY Layer Vulnerability Analysis and Testing Using Open-Source SDR Tools. IEEE Military Communications Conference (2017).Google Scholar
Selfnet 2016. SELFNET - Framework for Self-Organized Network Management in Virtualized and Software Defined Networks. https://selfnet-5g.eu/. (2016).Google Scholar
Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. 2016. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In 23rd Annual Network and Distributed System Security Symposium. The Internet Society, Reston, VA, USA.Google ScholarCross Ref
Abhishek B. Sharma, Leana Golubchik, and Ramesh Govindan. 2010. Sensor Faults: Detection Methods and Prevalence in Real-world Datasets. ACM Trans. Sen. Netw. 6, 3, Article 23 (June 2010), 39 pages. Google ScholarDigital Library
Neil Sinclair, David Harle, Ian A. Glover, James Irvine, and Robert C. Atkinson. 2013. Parameter Optimization for LTE Handover Using an Advanced SOM Algorithm. In 2013 IEEE 77th Vehicular Technology Conference (VTC Spring). IEEE, New York, NY, USA, 1--6.Google Scholar
Sistelbanda. {n. d.}. SN4G SON. http://sistelbanda.es/. ({n. d.}).Google Scholar
Small Cell Forum. 2016. Using SON in HetNet deployments. http://scf.io/en/documents/173_-_Role_of_SON_in_the_HetNet_deployment_process.php. (June 2016).Google Scholar
Patrick Traynor, Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Patrick McDaniel, and Thomas La Porta. 2009. On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09). ACM, New York, NY, USA, 223--234. Google ScholarDigital Library
Unwired Labs. {n. d.}. OpenCellID. http://opencellid.org/. ({n. d.}).Google Scholar

Index Terms

On the Impact of Rogue Base Stations in 4G/LTE Self Organizing Networks
1. Networks
  1. Network types
    1. Mobile networks
2. Security and privacy
  1. Network security
    1. Denial-of-service attacks
    2. Mobile and wireless security

Recommendations

New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

SMS (Short Messaging Service) is a text messaging service for mobile users to exchange short text messages. It is also widely used to provide SMS-powered services (e.g., mobile banking). With the rapid deployment of all-IP 4G mobile networks, the ...
Read More
Security Analysis of Handover Key Management in 4G LTE/SAE Networks

The goal of 3GPP Long Term Evolution/System Architecture Evolution (LTE/SAE) is to move mobile cellular wireless technology into its fourth generation. One of the unique challenges of fourth-generation technology is how to close a security gap through ...
Read More
LTE Self-Organising Networks (SON): Network Management Automation for Operational Efficiency
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
WiSec '18: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks
June 2018
317 pages
ISBN:9781450357319
DOI:10.1145/3212480
General Chair:
Panos Papadimitratos
KTH, Sweden
,
Program Chairs:
Kevin Butler
University of Florida, USA
,
Christina Pöpper
New York University Abu Dhabi, UAE
Copyright © 2018 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 18 June 2018
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- research-article
- Research
- Refereed limited
Conference

Acceptance Rates
Overall Acceptance Rate98of338submissions,29%
Upcoming Conference
WiSec '24

Sponsor:

sigsac

17th ACM Conference on Security and Privacy in Wireless and Mobile Networks

May 27 - 30, 2024

Seoul , Republic of Korea
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 39
  Total Citations
  View Citations
- 890
  Total Downloads
- Downloads (Last 12 months)97
- Downloads (Last 6 weeks)13
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

On the Impact of Rogue Base Stations in 4G/LTE Self Organizing Networks

WiSec '18: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks

ABSTRACT

References

Cited By

Index Terms

Recommendations

New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks

Security Analysis of Handover Key Management in 4G LTE/SAE Networks

LTE Self-Organising Networks (SON): Network Management Automation for Operational Efficiency