4G/5G security is an emerging problem that can potentially affect us in the next 2-3 years, especially with IoT, V2V, UAV and other applications of advanced wireless technology emerging. Public safety and mission-critical networks can benefit greatly from commercial 4G/5G technologies and network deployments and their evolution. To understand the vulnerabilities of these networks, we built a software radio-based testbed that models 4G environments and developed a series of different cyber attacks to compromise the 4G radio access network. Motivated by the fact that mobile networks rely heavily on control channel signaling, we challenged the system performance and availability by attacking individual LTE control channels and signals. Moreover, since user equipment (UEs) implicitly trust networks before the mutual authentication handshake is completed, we tested the effect that fake base stations and fake signaling, for which we coined the term control channel spoofing, have on the behavior of UEs. By running numerous tests in controlled radio environments with standard-compliant and mission-critical LTE networks and commercial UEs, we found that a number of radio frequency attacks can cause serious damage to the network performance and availability. One of the simplest, yet most severe, attacks that can cause denial of service is to transmit the LTE synchronization signals asynchronously to those of legitimate networks. Fortunately, there is a simple solution to this threat that all LTE UEs face. It consists of the UE correlating received signals, messages and authentication results. An important lesson learned is that standards need to consider operational edge cases for which simple solutions may exist, such as the one that we proposed to mitigate denial of service attacks from control channel spoofing.
Presenter: Vuk Marojevic is an associate professor of electrical and computer engineering at Mississippi State University. He graduated from the University of Hannover, Germany (M.S.), and Barcelona Tech-UPC (Ph.D.), both in electrical engineering. Prior to joining Mississippi State, he was with Wireless@Virginia Tech, where he developed various cognitive radio and LTE testbeds and conducted several wireless protocol measurement campaigns. He led Virginia Tech’s LTE vulnerability analysis research and proposed several ways to harden LTE. His pioneering work on LTE control channel spoofing was picked up by industry and made it into 3GPP Release 13. His research interests are in software-defined radio, spectrum sharing, 4G/5G cellular technology, wireless network security, and resource management with application to mission-critical networks and unmanned aircraft systems.