Skip to main content
SpringerLink
Log in

Experimental Analysis of Subscribers’ Privacy Exposure by LTE Paging

  • Published:
Wireless Personal Communications Aims and scope Submit manuscript

Abstract

Over the last years, considerable attention has been given to the privacy of individuals in wireless environments. Although significantly improved over the previous generations of mobile networks, LTE still exposes vulnerabilities that attackers can exploit. This might be the case of paging messages, wake-up notifications that target specific subscribers, and that are broadcasted in clear over the radio interface. If they are not properly implemented, paging messages can expose the identity of subscribers and furthermore provide information about their location. It is therefore important that mobile network operators comply with the recommendations and implement the appropriate mechanisms to mitigate attacks. In this paper, we verify by experiment that paging messages can be captured and decoded by using minimal technical skills and publicly available tools. Moreover, we present a general experimental method to test privacy exposure by LTE paging messages, and we conduct a case study on three different LTE mobile operators.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. More precisely, the circuit card is known as the Universal Integrated Circuit Card (UICC) or Subscriber Identity Module (SIM), while the Java application running on top of it is known as Universal Subscriber Identity Module (USIM) [10]; however, this level of details is not important for our current work, and it is popular in the literature to refer to USIM as including both hardware and software.

References

  1. 3GPP: LTE. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/technologies/keywords-acronyms/98-lte. Accessed 2 Aug 2018.

  2. 3GPP: Numbering, addressing and identification. TS 23.003, 3rd Generation Partnership Project (3GPP) (2012). http://www.3gpp.org/ftp/Specs/html-info/23003.htm. Accessed 2 Aug 2018.

  3. 3GPP: Evolved universal terrestrial radio access (E-UTRA); requirements for support of radio resource management. TS 36.133, 3rd Generation Partnership Project (3GPP) (2013). http://www.3gpp.org/ftp/Specs/html-info/36133.htm. Accessed 2 Aug 2018.

  4. 3GPP: Mobile radio interface layer 3 specification core network protocols; stage 2 (structured procedures). TS 23.108, 3rd Generation Partnership Project (3GPP) (2014). http://www.3gpp.org/ftp/Specs/html-info/23108.htm. Accessed 2 Aug 2018.

  5. 3GPP: Evolved universal terrestrial radio access (E-UTRA); radio resource control (RRC); protocol specification. TS 36.331, 3rd Generation Partnership Project (3GPP) (2016). http://www.3gpp.org/ftp/Specs/html-info/36331.htm. Accessed 2 Aug 2018.

  6. 3GPP: Characteristics of the Universal Subscriber Identity Module (USIM) application, release 14.4.0. TS 31.102, 3rd Generation Partnership Project (3GPP) (2017). http://www.3gpp.org/ftp//Specs/archive/31_series/31.102/31102-e40.zip. Accessed 2 Aug 2018.

  7. 3GPP: Evolved universal terrestrial radio access (E-UTRA); medium access control (MAC) protocol specification. TS 36.321, 3rd Generation Partnership Project (3GPP) (2017). http://www.3gpp.org/ftp/Specs/html-info/36321.htm. Accessed 2 Aug 2018.

  8. Antennas: Pulse electronics W1900 antennas. https://eu.mouser.com/ProductDetail/Pulse-Electronics/W1900/. Accessed 2 Aug 2018.

  9. Bojic, I., Yoshimura, Y., & Ratti, C. (2017). Opportunities and challenges of trip generation data collection techniques using cellular networks. IEEE Communications Magazine, 55(3), 204–209.

    Article  Google Scholar 

  10. Cichonski, J., Franklin, J. M., & Bartock, M. (2016). LTE architecture overview and security analysis. NIST draft NISTIR, 8071.

  11. Ettus Research: USRP B200mini (board only). https://www.ettus.com/product/details/USRP-B200mini. Accessed 2 Aug 2018.

  12. Europen Communication Office: ECO frequency information system. http://www.efis.dk. Accessed 2 Aug 2018.

  13. Firmin, F. (2017). The evolved packet core. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/technologies/keywords-acronyms/100-the-evolved-packet-core. Accessed 2 Aug 2018.

  14. GSA: Evolution from LTE to 5G—April 2018 update. TS, Global mobile Suppliers Association (2018). http://gsacom.com/wp-content/uploads/2015/10/151013-Evolution_to_LTE_report.pdf. Accessed 2 Aug 2018.

  15. Jimenez, E. C., Nakarmi, P. K., Naslund, M., & Norrman, K. (2017). Subscription identifier privacy in 5G systems. In 2017 international conference on selected topics in mobile and wireless networking (MoWNeT) (pp. 1–8).

  16. Jover, R. P. Some key challenges in securing 5G wireless networks. https://ecfsapi.fcc.gov/file/10130278051628/fcc_submit.pdf. Accessed 2 Aug 2018.

  17. Jover, R. P. (2016). LTE security, protocol exploits and location tracking experimentation with low-cost software radio. CoRR abs/1607.05171. arXiv:1607.05171.

  18. Kune, D. F., Kölndorfer, J., Hopper, N., & Kim, Y. (2012). Location leaks over the GSM air interface. In: 19th annual network and distributed system security symposium, NDSS 2012, San Diego, California, USA, February 5–8, 2012. http://www.internetsociety.org/location-leaks-over-gsm-air-interface.

  19. Lichtman, M., Jover, R. P., Labib, M., Rao, R. M., Marojevic, V., & Reed, J. H. (2016). LTE/LTE-a jamming, spoofing, and sniffing: Threat assessment and mitigation. IEEE Communications Magazine, 54(4), 54–61.

    Article  Google Scholar 

  20. Lucent, A.: The LTE network architecture—A comprehensive tutorial. Strategic Whitepaper (2009).

  21. Marben: Free online 3GPP LTE ASN.1 messages decoder. http://www.marben-products.com/asn.1/services/decoder-asn1-lte.html. Accessed 2 Aug 2018.

  22. Mitshell: libmich. https://github.com/mitshell/libmich.

  23. Mjølsnes, S. F., & Olimid, R. F. (2017). The challenge of private identification. In International workshop on open problems in network security (iNetSec) (pp. 39–53).

  24. Mjølsnes, S. F., & Olimid, R. F. (2017). Easy 4G/LTE IMSI catchers for non-programmers. In Computer network security—7th international conference on mathematical methods, models, and architectures for computer network security, MMM-ACNS 2017, Warsaw, Poland, Proceedings, August 28–30, 2017 (pp. 235–246).

  25. Mjølsnes, S. F., & Olimid, R. F. (2017). Experimental assessment of private information disclosure in LTE mobile networks. In Proceedings of the 14th international joint conference on e-business and telecommunications (ICETE 2017)—Volume 4: SECRYPT, Madrid, Spain, July 24–26, 2017 (pp. 507–512).

  26. NKOM: Ekomstatistikken 1. Halvår 2017, Utvalgte Figurer med Kommentarer. TS 1. Halvår 2017, Nasjonal Kommunikasjonsmyndighet (NKOM) (2017). https://www.nkom.no/forside/_attachment/30658?_download=true&_ts=15f7167389b. Accessed 2 Aug 2018.

  27. Norton, Q. (2006). GNU radio opens an unseen world. Available http://archive.wired.com/science/discoveries/news/2006/06/70933. Accessed 2 Aug 2018.

  28. Norwegian National Telecommunication Authority: Finnsenderen. http://www.finnsenderen.no/finnsender. Accessed 2 Aug 2018.

  29. Nowoswiat, D. (2013). Nokia insights. Managing LTE core network signaling traffic. https://insight.nokia.com/managing- lte- core-network- signaling- traffic.

  30. Park, S., Shaik, A., Borgaonkar, R., Martin, A., & Seifert, J. P. (2017). White-stingray: Evaluating IMSI catchers detection applications. In 11th USENIX workshop on Offensive Technologies (WOOT 17). Vancouver, BC: USENIX Association. https://www.usenix.org/conference/woot17/workshop-program/presentation/park.

  31. Romano, G. (2016). 3GPP RAN progress on 5G. ftp://www.3gpp.org/Information/presentations/presentations_2016/3GPP%20RAN%20Progress%20on%205G%20-%20NetFutures.pdf. Accessed 2 Aug 2018.

  32. Rupprecht, D., Dabrowski, A., Holz, T., Weippl, E. R., & Pöpper, C. (2017). On security research towards future mobile network generations. CoRR abs/1710.08932. arXiv:1710.08932.

  33. Shaik, A., Seifert, J., Borgaonkar, R., Asokan, N., & Niemi, V. (2016). Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In 23nd annual network and distributed system security symposium, NDSS 2016, San Diego, California, USA, February 21–24, 2016.

  34. Sridhar, K. (2012). Introduction to evolved packet core (EPC): EPC elements, protocols and procedures. TS, Alcatel Lucent. http://www.cvt-dallas.org/Aug12-Sridhar.pdf. Accessed 2 Aug 2018.

  35. srsLTE: Open source 3GPP LTE library. https://github.com/srsLTE/srsLTE. Accessed 2 Aug 2018.

  36. Ta, T., & Baras, J. S. (2012). Enhancing privacy in LTE paging system using physical layer identification. In Data privacy management and autonomous spontaneous security, 7th international workshop, DPM 2012, and 5th international workshop, SETOP 2012, Pisa, Italy, revised selected papers, September 13–14, 2012 (pp. 15–28).

  37. Traynor, P., Amrutkar, C., Rao, V., Jaeger, T., McDaniel, P. D., & Porta, T. F. L. (2011). From mobile phones to responsible devices. Security and Communication Networks, 4(6), 719–726.

    Article  Google Scholar 

  38. Traynor, P., Enck, W., McDaniel, P., & Porta, T. L. (2009). Mitigating attacks on open functionality in SMS-capable cellular networks. IEEE/ACM Transactions on Networking, 17(1), 40–53.

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Information Security and Communication Technology, NTNU, Norwegian University of Science and Technology, Trondheim, Norway

    Christian Sørseth, Shelley Xianyu Zhou, Stig F. Mjølsnes & Ruxandra F. Olimid

  2. Department of Computer Science, University of Bucharest, Bucharest, Romania

    Ruxandra F. Olimid

Authors
  1. Christian Sørseth
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Shelley Xianyu Zhou
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Stig F. Mjølsnes
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ruxandra F. Olimid
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ruxandra F. Olimid.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Christian Sørseth and Shelly Xianyu Zhou performed most of the work for this paper during their MSc studies at NTNU.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Sørseth, C., Zhou, S.X., Mjølsnes, S.F. et al. Experimental Analysis of Subscribers’ Privacy Exposure by LTE Paging. Wireless Pers Commun 109, 675–693 (2019). https://doi.org/10.1007/s11277-019-06585-7

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11277-019-06585-7

Keywords

Search

Navigation