Biblio

Mobile network operators choose Self Organizing Network (SON) concept as a cost-effective method to deploy LTE/4G networks and meet user expectations for high quality of service and bandwidth. The main objective of SON is to introduce automation into network management activities and reduce human intervention. SON enabled LTE networks heavily rely on the information acquired from mobile phones to provide self-configuration, self-optimization, and self-healing features. However, mobile phones can be attacked over-the-air using rogue base stations. In this paper, we carefully study SON related LTE/4G security specifications and reveal several vulnerabilities. Our key idea is to introduce a rogue eNodeB that uses legitimate mobile devices as a covert channel to launch attacks against SON enabled LTE networks. We demonstrate low-cost, practical, silent and persistent Denial of Service attacks against the network and end-users by injecting fake measurement and configuration information into the SON system. An active attacker can shut down network services in 2 km2 area of a city for a certain period of time and also block network services to a selective set of mobile phones in a targeted area of 200 m to 2 km in radius. With the help of low cost tools, we design an experimental setup and evaluate these attacks on commercial networks. We present strategies to mitigate our attacks and outline possible reasons that may explain why these vulnerabilities exist in the system.

With its high penetration rate and relatively good clock accuracy, smartphones are replacing watches in several market segments. Modern smartphones have more than one clock source to complement each other: NITZ (Network Identity and Time Zone), NTP (Network Time Protocol), and GNSS (Global Navigation Satellite System) including GPS. NITZ information is delivered by the cellular core network, indicating the network name and clock information. NTP provides a facility to synchronize the clock with a time server. Among these clock sources, only NITZ and NTP are updated without user interaction, as location services require manual activation. In this paper, we analyze security aspects of these clock sources and their impact on security features of modern smartphones. In particular, we investigate NITZ and NTP procedures over cellular networks (2G, 3G and 4G) and Wi-Fi communication respectively. Furthermore, we analyze several European, Asian, and American cellular networks from NITZ perspective. We identify three classes of vulnerabilities: specification issues in a cellular protocol, configurational issues in cellular network deployments, and implementation issues in different mobile OS's. We demonstrate how an attacker with low cost setup can spoof NITZ and NTP messages to cause Denial of Service attacks. Finally, we propose methods for securely synchronizing the clock on smartphones.