#HITB2016AMS D1T1 Forcing A Targeted LTE Cellphone Into An Eavesdropping Network - Lin Huang
LTE is a more advanced mobile network, but it is not absolutely secure. In this presentation we introduce a method that jointly exploits vulnerabilities in the tracking area update (TAU) procedure, the attach procedure and the RRC redirection procedure of LTE networks, giving an attacker the ability to force a targeted LTE cellphone to downgrade into a malicious GSM network, where its voice calls and GPRS data can then be eavesdropped on. We used LTE software plus a USRP to verify this attack; open source projects such as OpenLTE and Open Air Interface can be modified to realize it.

In this presentation we will:
1.) Introduce the vulnerabilities in LTE RRC and NAS signaling
2.) Discuss the tricks in EMM cause setting
3.) Demonstrate the attack to the audience by video
4.) Present some defense proposals

This attack is not a simple DoS attack. We can select the targeted cellphone by filtering on its IMSI, so other cellphones are not affected and remain on the real network. The targeted cellphone is forced into the malicious network and gets no opportunity to choose another, secure network.

======

Lin Huang is a wireless security researcher in the Unicorn Team of Qihoo 360, China. Before joining this team she worked for the telecom operator Orange for 9 years as a wireless researcher. Her interests include security issues in wireless communication, especially cellular network security, as well as problems in ADS-B, GPS, Bluetooth, Wi-Fi and automotive electronics. She is one of the earliest USRP users in China and has been active in SDR/USRP research and development since 2006. She has contributed to several UMTS/LTE soft base station projects, e.g. Open Air Interface. In 2009 she wrote a free e-book for GNU Radio training, which is very popular in China. She spoke at DEF CON 23, giving the presentation ‘Low-cost GPS simulator – GPS spoofing by SDR’.
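The abstract above describes three ingredients: an unauthenticated NAS exchange (TAU Request, then an IMSI query so the rogue cell can pick its victim), an EMM cause in the TAU Reject that makes the phone stop using LTE, and an RRC release whose redirection sends it to a chosen GSM carrier. The model below is an added example written for this page, not code from the talk or from OpenLTE/Open Air Interface. The EMM cause numbers and names come from 3GPP TS 24.301 and the UE reactions are modelled after its TAU-reject handling (cause #7 invalidates the USIM for EPS until power-off, cause #8 for EPS and non-EPS services) and TS 36.331's RRCConnectionRelease with redirectedCarrierInfo; the target list, the test-range IMSIs and the ARFCN/EARFCN values are constructed. Which cause the speaker actually uses is not stated in the abstract; the block contrasts #7 and #8 to show why the cause choice separates a targeted downgrade from a plain DoS.

```python
"""Toy model of a rogue eNodeB that downgrades only listed IMSIs to GSM.
Added example, not the speaker's or any project's code.  Cause codes follow
3GPP TS 24.301 Table 9.9.3.9.1; IMSIs, target list and carrier numbers are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# EMM cause values (TS 24.301 Table 9.9.3.9.1, subset)
EMM_EPS_SERVICES_NOT_ALLOWED = 7        # "EPS services not allowed"
EMM_EPS_AND_NON_EPS_NOT_ALLOWED = 8     # "EPS services and non-EPS services not allowed"

Redirect = Optional[Tuple[str, int]]    # (RAT, ARFCN/EARFCN) or None


@dataclass
class UE:
    imsi: str
    guti: Optional[str] = "GUTI-0001"
    rat: str = "E-UTRA/EARFCN=1850"     # camped on the real LTE cell to begin with
    eps_allowed: bool = True            # USIM still valid for EPS (LTE) services?
    non_eps_allowed: bool = True        # USIM still valid for non-EPS (2G/3G) services?
    log: List[str] = field(default_factory=list)

    def tau_request(self) -> dict:
        # TAU Request carries the GUTI, not the IMSI, and is sent before NAS
        # security exists, which is why an unauthenticated cell can answer it.
        return {"msg": "TAU_REQUEST", "guti": self.guti}

    def identity_response(self) -> str:
        # Identity Request/Response is likewise allowed before security activation.
        return self.imsi

    def handle_tau_reject(self, cause: int) -> None:
        # Modelled after TS 24.301 5.5.3.2.5: #7 marks the USIM invalid for EPS
        # until power-off; #8 marks it invalid for EPS and non-EPS services.
        if cause in (EMM_EPS_SERVICES_NOT_ALLOWED, EMM_EPS_AND_NON_EPS_NOT_ALLOWED):
            self.eps_allowed = False
            self.guti = None
        if cause == EMM_EPS_AND_NON_EPS_NOT_ALLOWED:
            self.non_eps_allowed = False
        self.log.append(f"TAU_REJECT cause #{cause} (unprotected)")

    def handle_rrc_release(self, redirect: Redirect) -> None:
        # RRCConnectionRelease.redirectedCarrierInfo names the carrier the UE
        # moves to next; the UE follows it although RRC security was never set up.
        if redirect is None:
            return
        rat, arfcn = redirect
        if rat == "GERAN" and self.non_eps_allowed:
            self.rat = f"GERAN/ARFCN={arfcn}"
        elif rat == "E-UTRA" and self.eps_allowed:
            self.rat = f"E-UTRA/EARFCN={arfcn}"
        else:
            self.rat = "no service"
        self.log.append(f"RRC_RELEASE redirect -> {self.rat}")

    def try_return_to_lte(self, earfcn: int) -> bool:
        # A genuine LTE cell seen later does not help: after cause #7 the UE
        # will not attempt EPS again until it is power-cycled.
        if not self.eps_allowed:
            return False
        self.rat = f"E-UTRA/EARFCN={earfcn}"
        return True


class RogueENB:
    """Rogue LTE cell: every phone camps, only the targets are pushed to GSM."""

    def __init__(self, targets: Set[str], gsm_arfcn: int, real_earfcn: int,
                 cause: int = EMM_EPS_SERVICES_NOT_ALLOWED):
        self.targets, self.gsm_arfcn = targets, gsm_arfcn
        self.real_earfcn, self.cause = real_earfcn, cause

    def serve(self, ue: UE) -> str:
        ue.tau_request()                              # GUTI only: cannot pick a victim yet
        imsi = ue.identity_response()                 # Identity Request (IMSI) -> Identity Response
        if imsi not in self.targets:
            # Bystander: release with a redirect back to the real LTE carrier and
            # no reject, so it keeps normal service and never notices the rogue cell.
            ue.handle_rrc_release(("E-UTRA", self.real_earfcn))
            return "released"
        ue.handle_tau_reject(self.cause)              # target: switch LTE off in the UE ...
        ue.handle_rrc_release(("GERAN", self.gsm_arfcn))  # ... and steer it to the rogue BTS
        return "downgraded"


def run_scenario(cause: int = EMM_EPS_SERVICES_NOT_ALLOWED) -> Dict[str, dict]:
    """Two constructed UEs (test-range MCC/MNC 001/01); one is on the target list."""
    rogue = RogueENB(targets={"001010000000001"}, gsm_arfcn=62, real_earfcn=1850, cause=cause)
    out: Dict[str, dict] = {}
    for ue in (UE("001010000000001"), UE("001010000000002")):
        action = rogue.serve(ue)
        out[ue.imsi] = {"action": action, "rat": ue.rat,
                        "lte_back": ue.try_return_to_lte(1850), "log": ue.log}
    return out


if __name__ == "__main__":
    for imsi, r in run_scenario().items():
        print(imsi, r["action"], r["rat"], "can return to LTE:", r["lte_back"])
    print("with cause #8 instead:", run_scenario(EMM_EPS_AND_NON_EPS_NOT_ALLOWED)["001010000000001"]["rat"])
```

Running it shows the bystander ending up back on the real LTE carrier with nothing disabled, the target ending up on the GSM ARFCN with LTE refused until the next power cycle, and the same target with cause #8 ending up with no service at all, which is the DoS outcome the abstract says this attack is not. The model also makes the two defensive observations visible: both the TAU Reject and the redirecting release are accepted without any integrity protection, and a reject cause is allowed to disable a radio technology permanently on the word of an unauthenticated cell.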

#HITBGSEC D2: 4G LTE Man In The Middle Attacks With A Hacked Femtocell - Xiaodong Zou

3G/4G Intranet Scanning and its Application on the WormHole Vulnerability

DEF CON 24 - Discovering and Triangulating Rogue Cell Towers

34C3 - Running GSM mobile phone on SDR
Nicholas Carlini - Black-hat LLMs | [un]prompted 2026

#HITBGSEC D1: 4G To 5G: New Attacks - Altaf Shaik

Detecting Fake 4G Base Stations in Real Time

#HITB2016AMS D1T2 - Adaptive Android Kernel Live Patching - Tim Xia and Yulong Zhang

25c3: Running your own GSM network

Something is jamming GPS over Europe. Here's what we found

DEF CON 25 - Yuwue Zheng, Lin Huang - Ghost Telephonist Impersonates You Through LTE CSF

BSIDES CPT 2019 - Hacking satellites with Software Defined Radio (SDR) - Gerard de Jong

Firewall Fundamentals Explained | Network Security for Beginners

What is an IMSI Catcher? How to protect yourself

What's on the Wireless? Automating RF Signal Identification

Cybersecurity Expert Answers Hacking History Questions | Tech Support | WIRED

Understanding IMSI Privacy

#HITB2024BKK #COMMSEC D1: CoralRaider Targets Victims Data and Social Media Accounts

A passive IMSI catcher or low level analysis tool for LTE

