LTEInspector: A Systematic Approach for
Adversarial Testing of 4G LTE
Syed Rafiul Hussain Omar Chowdhury
Purdue University The University of Iowa
[email protected]
[email protected]
[email protected]
[email protected]
Abstract—In this paper, we investigate the security and pri-
vacy of the three critical procedures of the 4G LTE protocol (i.e.,
attach, detach, and paging), and in the process, uncover potential
design flaws of the protocol and unsafe practices employed by the
stakeholders. For exposing vulnerabilities, we propose a model-
based testing approach LTEInspector which lazily combines a
symbolic model checker and a cryptographic protocol verifier
in the symbolic attacker model. Using LTEInspector, we have
uncovered 10 new attacks along with 9 prior attacks, cate-
gorized into three abstract classes (i.e., security, user privacy,
and disruption of service), in the three procedures of 4G LTE.
Notable among our findings is the authentication relay attack that
enables an adversary to spoof the location of a legitimate user
to the core network without possessing appropriate credentials.
To ensure that the exposed attacks pose real threats and are
indeed realizable in practice, we have validated 8 of the 10 new
attacks and their accompanying adversarial assumptions through
experimentation in a real testbed.
I. I NTRODUCTION
The adoption of Fourth generation Long Term Eval-
uation (4G LTE)—the de facto standard for cellular
telecommunication—has seen a stable growth in recent years,
replacing prior generations due to its promise of improved
assurances (e.g., higher bandwidth, reliable connectivity, en-
hanced security). Cellular networks which are part of a nation’s
critical infrastructure not only influence our society as a whole
(e.g., business, public-safety message dissemination) but also
can impact us at a more personal level by enabling applica-
tions that often improve our quality of life (e.g., navigation).
Because of their ubiquitous presence and use for critical appli-
cations, cellular networks are, however, attractive attack targets
for malicious parties. Resourceful adversaries (e.g., nation-
states, foreign intelligence agencies, terrorists) can wreak
havoc by exploiting vulnerabilities of the cellular network
ecosystem (e.g., surveillance [1], cyberwarfare [2]). It is hence
pivotal to investigate the existing design and deployments of
cellular networks for detecting potential vulnerabilities.
There is already a substantial work that has analyzed the
security and privacy of telecommunication systems, and also
Network and Distributed Systems Security (NDSS) Symposium 2018
18-21 February 2018, San Diego, CA, USA
ISBN 1-1891562-49-5
http://dx.doi.org/10.14722/ndss.2018.23313
www.ndss-symposium.org
Shagufta Mehnaz Elisa Bertino
Purdue University Purdue University
identified design weaknesses of the 3GPP (Third Generation
Partnership Project) standard [3], [4] and unsafe practices by
the responsible stakeholders [5], [6], [7], [8], [9], [10], [11],
[12], [13], [14], [15], [16], [17]. Such work, however, has at
least one of the following limitations: (A) Analyses do not
use systematic methodologies for attack discovery [5], [6], [7],
[8], [9], [10], [11], [12], [13], [15]; (B) Analyses focus on
prior generations of the protocols only, and hence some of the
findings do not directly apply to 4G LTE [5], [6], [7], [8], [9],
[10], [11], [12], [16]; (C) Analyses do not explicitly reason
about adversarial actions [17].
Problem and scope. The 4G LTE protocol can be viewed
as an amalgamation of multiple critical procedures, such as
attach, paging, detach, handover, and calls — to name a few.
Each of these procedures is complex and requires an in-depth
security and privacy analysis of its own. Among the different
procedures, attach, paging, and detach are critical for the
correct and reliable functionality of the other procedures. For
instance, without a correct and secure attach procedure (i.e.,
the initial secure connection setup), the security bootstrapping
process is likely to be vulnerable; this may have serious
consequences, such as man-in-the-middle attacks, spurious
mobile billing, or even life threatening risks. This paper thus
addresses the following central research question: is it possible
to develop a systematic approach for scrutinizing the attach,
detach, and paging procedures to uncover vulnerabilities that
can be shown to be realizable in practice by an adversary?
Challenges. Any testing approach analyzing the security and
privacy of the 4G LTE protocol needs to address the following
challenges: (a) Specification: The cellular protocol lacks a for-
mal specification, and the standard [3], [4] often suffers from
ambiguity and under-specification. (b) Protocol Complexity:
The cellular protocol—comprising of multiple (cryptographic)
sub-protocols—is stateful in nature [17]. Also, analyses will
likely experience scalability challenges due to the presence of
multiple types of protocol participants, and messages contain-
ing data with a large domain. (c) Closed system: A majority of
the deployed cellular systems are proprietary and closed sys-
tems which require any testing approach to be black-box and
system-agnostic. (d) Legal barrier: Regulatory requirements
[18] prohibit transmission in the licensed spectrum making
dynamic network testing and attack validation challenging.
Approach. For analyzing the critical procedures of 4G LTE,
in this paper, we take a first step by proposing LTEInspector
which employs a property-driven adversarial model-based test-
ing philosophy. LTEInspector considers the standard symbolic
adversary model (alternatively known as the Dolev-Yao model
[19]) for its analysis. LTEInspector takes the relevant 4G LTE
abstract model M and a desired property ϕ, and tries to find a
violation of ϕ in M. The set of properties that LTEInspector
aims to check include authenticity (e.g., disallowing imperson-
ation), availability (e.g., preventing service denial), integrity
(e.g., restricting unauthorized billing), and secrecy of user’s
sensitive information (e.g., preventing activity profiling).
As a prerequisite of LTEInspector’s analysis, we first
construct the 4G LTE ecosystem model by consulting the
standard [3], [4]. Our model M (publicly available in https:
//github.com/relentless-warrior/LTEInspector) captures the ab-
stract functionality (ignoring low-level implementation details)
of the 4G LTE ecosystem—only relevant to the analysis of the
three procedures—as synchronous communicating finite state
machines (FSM). Each FSM captures the stateful functionality
of a protocol participant’s (i.e, user’s cellular device and the
core network) at the Non-Access Stratum (NAS) protocol
layer [3], [4]. The two FSMs communicate with each other
through public (adversary-controlled) communication channels
by sending each other NAS layer messages.
Our analysis is an instance of the parameterized system
verification problem (i.e., parameterized by the number of
protocol participants) which is generally undecidable [20];
achieving both soundness and completeness is thus impos-
sible. Consequently, we follow the conventional method of
aiming for soundness instead of completeness, that is, if our
approach reports a violation, it is indeed a violation; we cannot,
however, detect all violations. Also, checking compliance
of the protocol model against desired security and privacy
properties often requires simultaneously reasoning about: (➊)
temporal ordering of different events/actions (i.e., trace prop-
erties such as response properties [21]), (➋) cryptographically-
protected messages and constructs (e.g., encryption, hashing),
and (➌) other rich constraints (e.g., linear integer arithmetic
constraints). General purpose model checkers [22], [23] have
shown promise in successfully reasoning about properties
concerning ➊ and ➌. Cryptographic protocol verifiers [24],
[25], [26], [27], [28], [29], although proficient in verifying
cryptography related properties, for tractability reasons only
provide primitive support at best for properties concerning ➊
and ➌. This naturally leads us to the question: is it possible
to get the best of both these techniques?
To this end, LTEInspector lazily (or, on an on-demand
basis) combines the reasoning powers of a symbolic model
checker and a cryptographic protocol verifier. To the best of
our knowledge, in the context of 4G LTE, the use of symbolic
model checking and a cryptographic protocol verifier to reason
about rich temporal trace properties is novel. In this approach,
we first abstract away all cryptography-related constructs from
the model M and the desired property ϕ and only reason
about aspects ➊ and ➌ of the ϕ (denoted by ϕabs ). For any
violation of ϕabs in M, the symbolic model checker would
yield a counterexample π demonstrating the violation. Now,
π may include adversary actions which may not be realizable
due to cryptographic assumption violations (e.g., constructing a
valid ciphertext of a message without possessing the encryption
key). To rule out such cases, for each adversary action in π, we
query a cryptographic protocol verifier to check the action’s
feasibility with accordance to the cryptographic assumptions.
In case all adversary actions in π turn out to be feasible, we can
2
report π to be a feasible vulnerability. If, however, there exists
one adversary action in π which is not feasible, we refine the
property ϕabs to rule out traces in which the adversary takes
that action. The analysis is then run again with the refined
property. For further confidence, we validate π by concretely
executing it in a testbed.
Finally, we show the application of a technique we call
attack chaining in which seemingly low-impact attacks are
stitched together to yield a damaging high-impact attack. We
show its successful application by chaining together attacks,
exposed using LTEInspector, to allow an adversary to carry
out an authentication relay attack in the 4G LTE network.
Findings. Notable among our findings is the authentication
relay attack which enables an adversary to connect to the core
networks—without possessing any legitimate credentials—
while impersonating a victim cellular device. Through this
attack the adversary can poison the location of the victim
device in the core networks, thus allowing setting up a false
alibi or planting fake evidence during a criminal investigation.
Other notable attacks reported in this paper enable an
adversary to obtain user’s coarse-grained location information
and also mount denial of service (DoS) attacks. In particular,
using LTEInspector, we obtained the intuition of an attack
which enables an adversary to possibly hijack a cellular
device’s paging channel with which it can not only stop
notifications (e.g., call, SMS) to reach the device but also can
inject fabricated messages resulting in multiple implications
including energy depletion and activity profiling.
Contributions. In summary, the paper makes the following
technical contributions:
(1) We propose LTEInspector—a systematic model-based
adversarial testing approach—that leverages the combined
power of a symbolic model checker and a protocol verifier
for analyzing three critical procedures (i.e., attach, detach,
and paging) of the 4G LTE network. The general principle
employed by LTEInspector is to be tool-agnostic, that is, it can
be instantiated through any generic symbolic model checker
and cryptographic protocol verifier.
(2) We show the effectiveness of our approach in finding
new vulnerabilities as well as 9 prior attacks. Our approach
has contributed to exposing 10 new attacks.
(3) We show that the majority of our new attacks (i.e., 8 out
of 10) are realizable in practice through experimentation in a
low cost (i.e., $3, 900), real test-bed while adhering to ethical,
legal, and moral practices.
II. LTE P RELIMINARIES
In this section, we provide a brief primer of 4G LTE. For
the ease of exposition, we simplify the network architecture
substantially (see Figure 1) and only focus on the aspects
relevant to the attach, detach, and paging procedures.
A. LTE Network Architecture
The LTE network is broadly comprised of the following
three components: the cellular device (also known as user
equipment or UE), the radio access network (or, (E-UTRAN),
and the core network or Evolved Packet Core (EPC).
UE: UE is the cellular device equipped with a universal
subscriber identity module known as SIM card. The SIM card
procedures—without fine-grained implementation details—as
two synchronous communicating finite state machines (FSM)
(denoted by Mvanilla ). The two FSMs in Mvanilla (one for the
UE and another for the MME) communicate with each other
by sending messages through public communication channel.
We model the communication channel between the two FSMs
MUE and MMME with two uni-directional channels; one
from MUE to MMME and another from MMME to MUE .
The choice of two unidirectional channels instead of a single
bidirectional channel is not only for modeling convenience
but also for effortlessly modeling weaker adversaries than
Adv+c during adversary model instrumentation (e.g., only one
direction of the public channel to be adversary controlled).
To keep the analysis tractable, in Mvanilla , we do not
model message data with arbitrarily large domains. For in-
stance, the attach request message can possibly contain IMSI
as a data; in our model, we do not capture the IMSI
and just model attach request as a possible message type.
We, however, model message data-dependent conditions as
environment-controlled (or, in short, environmental) Boolean
variables. For instance, for each message that can have in-
tegrity protection, we capture its integrity verification with a
unique Boolean variable mac failure whose value is nonde-
terministically set by the environment during model checking.
Mvanilla can capture an unbounded number of sequential ses-
sions. It, however, can neither capture an unbounded number
of parallel sessions nor an unbounded number of protocol
participants; the latter is shown to be undecidable [34].
Adversarial model instrumentor. The adversarial model in-
strumentor takes Mvanilla and instruments it to incorporate
the presence of an adversary to obtain a new model Madv .
We model a cryptography-agnostic adversary Adv−c which
possesses the same capabilities of Adv+c except for its crypto-
graphic proficiency (i.e., A-3). We model the Adv−c capabili-
ties for each unidirectional public channel ch in the following
manner. Capability A-1 is modeled as ch’s property, that is, ch
nondeterministically drops any message msg passing through
it (represented as a no operation) or replaces it with another
plausible message including the current message msg.
Modeling capability A-2 for ch requires considering an
adversarial FSM which nondeterministically injects one of
the possible messages including no operation. We call such
adversary FSMs the injection adversaries. In the case both
the legitimate protocol participant and the adversary simulta-
neously push messages msgv and msgadv , respectively, into
ch, the message received on the other side is decided by
the value of an environmental Boolean variable adv turn;
the value of adv turn is nondeterministically chosen by the
environment. Precisely, the other side of ch will receive
msgadv only if the value of adv turn is set to be true by the
environment. The nondeterministic behavior of the channels
and the injection adversaries are crucial for reasoning about
all possible adversary strategies. Our instrumentation makes
it effortless to customize the capabilities of the adversary, for
instance, independently making each ch to have adversarial
interference.
General-purpose Model Checker (MC). MC takes as input
Madv and a desired abstract property ϕ, and checks to see
whether all possible executions of Madv (considering all
possible values of the environmental variables) satisfy ϕ. In
5
the case MC finds an execution π of Madv which violates ϕ,
MC outputs π as an evidence of the violation (also, known as
the counterexample). π includes the adversary actions which
were used to violate ϕ, and alternatively, can be viewed as
the attack strategy. The Adv−c used when model checking
Madv does not have the necessary cryptographic proficiency
of Adv+c (i.e., A-3), and hence π can violate cryptographic
assumptions, making it unrealizable in practice. We rule out
such spurious πs through the following process.
Validating counterexamples with CPV. For a given coun-
terexample π, we check each sub-step of π that requires
manipulating some crytographically-protected message type.
We model each small sub-step in a CPV, denoted as Mcrypto .
We then pose a query to CPV that will be violated in Mcrypto
only if the Adv+c has the specific capability that π requires.
For few message types, such as, paging, we know from the
3GPP standard that there are no confidentiality and integrity
protections; for those message types we do not invoke the
CPV.
Testbed experimentation. Once both MC and CPV ad-
judicate a given π to be feasible, we try to realize this
attack in a testbed. This is essential because π may not be
realizable in practice due to possible technical safeguards. Any
π validated in the testbed experiment can thus be considered
a vulnerability. We built a testbed using low-cost software
defined radios and open-source LTE software stack having a
price tag of around $3, 900 which we would argue is within
the reach of a motivated adversary.
C. Example Demonstrating LTEInspector’s Effectiveness
We now show the effectiveness of LTEInspector’s vul-
nerability detection through a concrete example. For ease of
exposition, we rely on a simplified and partial model of the
LTE ecosystem shown in Figure 4 for this example.
In the example, the UE FSM (the top FSM) has 3 states
and 9 transitions whereas the MME FSM (the bottom FSM)
has 3 states and 6 transitions. Transition labels are of the
form “condition/actions” in which condition is a proposi-
tional logic formula specifying the condition under which the
transition will be triggered whereas the actions component
refers to a sequence of actions that will be performed (in their
appearance order) by the FSM after the transition is taken.
Although the actions component can be empty (denoted with
–), the condition component cannot be empty. We represent
the states with barebone arrows (i.e., arrows with no condition
and action) as the initial states of the FSMs. We use ➊,
➋,. . . to denote the UE transitions whereas we use ➀, ➁,. . . ,
to denote the MME transitions. The FSMs have the following
environmental variables: mobile restart (signifying UE reboot-
ing); mac failure (improper MAC for auth request message);
xres matches sres (correct authentication response message
for a given authentication request message). Both the FSMs
start with their respective sequence numbers to be 0.
The response property we want to verify is the following:
“It is always the case that whenever the UE FSM is in the
wait for auth request state, it will eventually move to the
state where the UE authenticates the MME” (denoted by ϕ1 ).
The property is desirable as its violation signifies a denial-
of-service attack in which the UE cannot proceed to the next
stage of the attach procedure after initiating it.
 +-*.'(&/-&)* 0
5678'9:;:<7 3 =:75<8'9:>6:?7 , @ +-*.'(&/-&)* 0 (1mac_failure 0 (UE_sqn 2 xsqn
(mac_failure 3 1(UE_sqn 2 xsqn 2 2 UE_sqn + range)) , UE_sqn =
ID MC property details 6 xsqn + 1, auth_response
UE_sqn + range)) ,4auth_failure
ϕ1 It is always the case that whenever the UE FSM is 2 7
in the wait for auth request state, it will eventu- !"#$%&'(&)*+(* , attach_request
ally move to the state where the UE authenticates 8
the MME. +-*.'(&/-&)* 0
(1mac_failure 0 (UE_sqn 2
ϕ2 Refinement over ϕ1 : Once UE FSM moves to the !"#$%&'(&)*+(* UE UE
UE , attach_request
xsqn 2 UE_sqn + range))
wait for &auth request state, the environment 1 waits for 5 authenticates
will never set the value of mobile restart to be disconnected
auth_request , UE_sqn = xsqn + 1, MME
true. 5678'9:;:<7 3 auth_response
ϕ3 Refinement over ϕ2 : mac failure is never set to 4 =:75<8'9:>6:?7 , @ 9
true by the environment. 3 +-*.'(&/-&)* 0
!"#$%&'(&)*+(* (mac_failure 3 1(UE_sqn 2 xsqn 2 UE_sqn +
ϕ4 Refinement over ϕ3 : UE FSM never receives the , attach_request range)) ,4auth_failure
detach req message. d
ϕ5 Refinement over ϕ4 : UE FSM never receives the Attacker-controlled UE to MME channel d Attacker-controlled MME to UE channel
auth reject message.
auth_failure , @
2 5
Table I: MC properties used in attach_request , auth_response 0
xres_matches_sres ,
the motivating example. MME_sqn = MME_sqn + 1,
MME C&B-($*D'!"E&'B"!!+FE MME
MME +-*.'(&/-&)*
1 waits for authenticates
ID CPV property details disconnected
auth_response 0 auth_response attach_request , MME_sqn UE
Ψ1 Every attach request message received by 1xres_matches_sres , = MME_sqn + 1,
+-*.'(&/-&)*
the MME should be preceded by a unique 3 +-*.'(&A&B*
6
attach request message sent by the UE. 4
attach_request , MME_sqn
= MME_sqn + 1, +-*.'(&/-&)*
Table II: CPV Properties used in
the motivating example. Figure 4: A simplified LTE ecosystem model.

When ϕ1 is checked against the given Madv , it gives the
trivial counterexample π in which after the UE FSM moves
to the wait for auth request state, it continuously observes
the value of the environmental variable mobile restart to be
true (triggering transition ➌)—signifying the repeated restart
of the UE—which even though plausible, is not interesting
as the Adv+c has no control over UE reboot. One possible
way of removing this π is to refine ϕ1 to add the restriction
that once UE FSM moves to the wait for auth request state,
the environment will never set the value of mobile restart
to be true. When this refined property (denoted by ϕ2 —see
Table I) is checked, the MC yields a π in which all the
auth request messages received by the UE fails the MAC
verification (triggering transition ➋) because the MC assigns
the value of the mac failure to be continuously true. We then
refine ϕ2 further to ensure that mac failure is never set to true
by the MC and obtain the property ϕ3 .
Attack 1: Checking Madv against ϕ3 using MC yields
another π in which after UE FSM moves to the wait for
auth request state, it receives a network initiated detach
request (detach req)–injected by the adversary—triggering
transition ➍ which moves it to the disconnected state and due
to avoiding reboot after transitioning to wait for auth request
state (in ϕ2 ), stops the UE FSM to get out of the disconnected
state. This is a legitimate attack and we would like to know
whether it is possible for the attacker to forge a network initi-
ated detach request. A close inspection of the standard reveals
that once the security context has been established between
the UE and the MME, the network initiated detach request
should be integrity protected only. Our experiment with the
UE, however, revealed that the UE does not actually check
the validity of the MAC for detach req even in the case the
security context has been established. This means such an
attack is plausible and we have verified it in our testbed. We
then refine ϕ3 further to exclude this π and ensure that the UE
FSM never receives the network initiated detach request; as a
result, we obtain the refined property ϕ4 .
Attack 2: We then check Madv against ϕ4 , and it yields an-
other similar π in which the UE FSM receives an auth reject
message (triggering transition ➍); this moves the FSM to the
disconnected state. Again, one needs to determine whether the
adversary can fabricate an auth reject message. A close in-
spection of the standard revealed that the auth reject message
is never integrity protected and our experimentation validated
it. In a similar way, we refine ϕ4 to exclude any auth reject
message and obtain our final property ϕ5 .
Attack 3: Finally, checking Madv against ϕ5 with MC results
in a very interesting π in which the adversary sends the
range (a UE-specific constant non-negative integer) number
of fake attach request messages to the MME, before the UE
reboots and sends the attach request. After receiving each
attach request message, the MME increases its own sequence
number (according to transitions ➀ and ➃) and uses the value
of the sequence number to provide replay protection to the
auth request message which it sends to the UE. As the UE
is still in the disconnected state (with its sequence number 0,
i.e., U E sqn = 0) and there is no transition that is triggered
by the auth request when the UE is in the disconnected
state (see Figure 4), these auth request messages are ignored.
Then the UE observes a mobile restart (triggering transition
➊) and sends an attach request to the MME which the
adversary allows to reach the MME. After the MME receives
it (transitions ➀, ➃, and ➅), the MME as usual responds
with an auth request with the sequence number range + 1.
The adversary also allows the auth request from the MME
to reach the UE. Upon receiving the message, the UE checks
for mac failure (which cannot be true as we excluded it while
refining ϕ2 to obtain ϕ3 ) and checks whether the received
sequence number from MME (denoted with xsqn) satisfies
the following: U E sqn ≤ xsqn ≤ U E sqn + range; this
condition will fail as xsqn = range + 1 resulting in the
UE not being able to attach with the MME. To ensure that
validity of the π, one has to verify whether the Adv−c can
inject a fake attach request message; we use the CPV to

6
validate it. We pose an injective-correspondence [32] query,
Ψ1 (shown in Table II) which asserts that every attach request
message received by the MME should be preceded by a unique
attach request message sent by the UE. The CPV produced
an attack in which the adversary injected an attach request;
validating the desired sub-step of π. We have also observed the
feasibility of this attack in our testbed. We call this attack the
authentication synchronization failure attack; this attack is
also applicable against a recent proposal for defeating IMSI
catchers [16]. One of the challenges of detecting such an
attack through CPVs is to precisely capture the sanity check
corresponding to the sequence number. It is not immediately
clear to us how one would directly capture such a requirement
in the CPV in a fine-grained fashion. The MC, however, can
efficiently reason about such requirement precisely. This shows
the effectiveness of combining a MC with a CPV for attack
discovery.
This example demonstrates the analysis power of
LTEInspector’s approach, that is, based on the violation of
a single desired property (and, its refinements) LTEInspector
was able to find three different attacks which have been shown
to be realizable in practice. As we will demonstrate later,
Attacks 1 or 2 can be stitched with a relay attack to yield
the authentication relay attack.
D. Implementation
We now discuss some additional details of LTEInspector.
MC and CPV: We instantiate LTEInspector’s MC compo-
nent with NuSMV [22] and use ProVerif [24] for CPV.
Model. We manually construct the abstract LTE model by
consulting the 3GPP standard [3], [4]. Our model has a total
of 13 states and 107 transitions. Our current model and the
respective properties are publicly available at https://github.
com/relentless-warrior/LTEInspector.
Properties. Our properties were extracted from the 3GPP
standard [3], [4]. We have tested Madv against 14 properties
in total in which 7 properties were analyzed with NuSMV
whereas 7 properties were analyzed with ProVerif. Note that,
we do not claim our list of properties to be exhaustive.
IV. LTEI NSPECTOR F INDINGS
In this section, we highlight the findings of LTEInspector.
For readers’ convenience, we have provided a summary of the
attacks and their implications in Table III.
A. Attacks Against Attach Procedure
We now present our findings on the attach procedure.
A-1 Authentication Synchronization Failure Attack: This
attack exploits the UE’s sequence number sanity check to
disrupt its attach procedure. Precisely, the adversary interacts
with the HSS through the MME to ensure that the sequence
numbers of the UE and the HSS are out-of-sync. As a result,
the authentication challenge received through the legitimate
auth request message fails the UE’s sanity check and conse-
quently is discarded by the UE.
Adversary assumptions. For successfully carrying out this
attack, the adversary is required to set up a malicious UE
and also is required to the know the victim UE’s IMSI.
7
Such a threat is very practical and has been validated through
experimentation in our testbed (see Section V-A1).
Detection. We exposed this attack by first model checking
Madv with respect to a refinement ϕ5 of the following
property: “It is always the case that whenever the UE FSM
is in the wait for auth request state, it will eventually move
to the state where the UE authenticates the MME” (see Table
I for details). We observed a violation of ϕ5 in Madv where
the Adv−c fabricates attach request messages and sends them
to the MME. To validate the Adv−c ’s capability of forging an
attach request message, we leverage ProVerif which showed
that forging attach request messages are possible; validating
the feasibility of the attack.
Malicious Victim
MME HSS
UE UE
5ÌÊÇ :
attach_request (+/5+) +/5+ JEs
attach_request (+/5+)
+/5+ JEt
attach_request (+/5+)
+/5+ JEI
attach_request (+/5+) +/5+
4#0&á #760á :4'5á %-á
JEIEs
authentication_request
for :530 L J E I E s
+-á :530 L J E I E s;
}z O „}z - }z E ˜‡”‹
authentication_failure
(OUJ? B=EHQNA)
Figure 5: Authentication synchronization failure attack.
Attack description: The steps of this attack are shown in
Figure 5. It is very similar to the description of Attack 3 in
Section III-C with one caveat. It is just not sufficient to send the
same attach request message m times (where m > range).
The malicious UE needs to send different security capabilities
(by selecting different encryption and integrity protection
algorithms) in successive attach request messages. This is
crucial as the HSS only processes an attach request message
only if one or more of the information elements in the current
attach request message differs from the already received one.
In which case, in accordance to subclause 5.5.1.2 of 3GPP
standard [35], the previously initiated attach procedure is
aborted and the new attach request message is processed
(including, the increment of the sequence number).
Re-synchronization: When the sequence number sanity check
fails on the UE side, it sends an auth failure message
(cause: sync. failure) to the EPC with AU T S parameter
containing the UE’s current sequence number resulting in the
EPC to re-synchronize its sequence number. Even after re-
synchronization, the adversary can continue repeating step 1
to make the UE and the HSS sequence numbers to go out-of-
sync again; preventing the UE from connecting to the EPC.
Implication: The major implication of this attack is the service
disruption suffered by the victim UE.
A-2 Traceability Attack: This attack exploits the re-
sponses of security mode command messages to track a
particular victim UE. Typically during the attach procedure, the
MME uses the security mode command message to choose
one of the UE-supported cipher suites to use for communi-
cation. When the UE receives this message, it is expected to
respond with a security mode complete message when the
received message satisfies the MAC validation. In case of
MAC failure, the UE responds with a security mode reject
message. The MME can also send a security mode command
 Affected Assumption Standard/ New Vali- Setup
ID Attack name proce- Adversary assumptions validation Stakeholder attack? Detection process Notable implications dated cost
dure slip-up
Authentication Known IMSI, malicious IMSI [13], Denial-of-attach or Denial-of- $2600 (2
A-1 sync. failure Attach UE Section V-A1
3GPP Yes LTEInspector
services. USRPs)
Valid security mode Operational
Inspired LTEInspector Coarse-grained location infor- $2600 (2
A-2 Traceability Attach command, malicious Section V-A1 networks,
eNodeB mobile devices by [10] mation leakage. USRPs)
Numb using $1300 (1
A-3 auth reject Attach Malicious eNodeB Section V-A1 3GPP Yes LTEInspector Denial of all cellular services.
USRP)
3GPP, Reading incoming/outgoing
Authentication Known IMSI, malicious IMSI [13]; operational LTEInspector, messages of victim, stealthy $3900 (3
A-4 relay Attach Yes
eNodeB Section V-A1 networks attack chaining denial of all/selective services, USRPs)
location history poisoning.
Intuition from
Paging chan- Known IMSI, malicious IMSI [13], Stealthy denial of incoming $1300 (1
P-1 nel hijacking Paging eNodeB Section V-A1 3GPP Yes LTEInspector, services. USRP)
domain Knowledge
Stealthy Known IMSI, malicious IMSI [13], Consequence of P-1, Detaching a victim from the $1300 (1
P-2 kicking-off Paging eNodeB Section V-A1 3GPP Yes domain knowledge network surreptitiously. USRP)
Life threatening impact against
Consequence of P-1, mass people, e.g., artificial $1300 (1
P-3 Panic Paging Malicious eNodeB Section V-A1 3GPP Yes domain knowledge USRP)
chaos for terrorist activity.
Energy deple- Paging Known IMSI, GUTI, IMSI
GUTI
[13];
[8], 3GPP
Inspired Consequence of P-1,
by [36], Battery depletion. $1300 (1
P-4 tion malicious eNodeB domain knowledge USRP)
Section V-A1 [37]
3GPP,
Known IMSI or old Section V-A1 enhanced Coarse-grained location infor- $1300 (1
P-5 Linkability Paging
pseudo-IMSI
Yes ProVerif only
mation leakage USRP)
AKA [16]
Detach/ Malicious eNodeB, IMSI [13]; Inspired LTEInspector, Denial of services/Downgrade $1300 (1
D-1 Downgrade Detach known IMSI (for 3GPP attack chaining (for
Section V-A1 by [13] to 2G/3G. USRP)
targeted version) targeted version)
Table III: Summary of our findings ( =validated, =partially validated, =not validated) of the reported attacks.
D. Attack Chaining will forward the c to the eNodeBadv which the eNodeBadv
will send to the UEvic . After the UEvic receives c, unaware
We now demonstrate the application of the attack chaining that the eNodeBadv sent it, it will solve the challenge c to
technique through the authentication relay attack. generate the correct response r. The UEvic will then send r to
A-4 Authentication Relay Attack: In this attack, one the eNodeBadv which it will forward to the UEadv . The UEadv
of our exposed attacks (e.g., paging with IMSI) is stitched then will use r to respond to the MME challenge. Using the
with a relay attack with which an adversary impersonates the same principle, the UEadv will finish the rest of the steps of
victim UE to connect to the EPC without possessing proper the attach procedure.
credentials, and in the process, spoof the victim UE’s location Discussion. Unlike a typical man-in-the-middle attack, the
in the core networks. adversary in this attack can neither decrypt the encrypted traffic
Adversary assumptions. For this attack, the adversary is between the victim UE and the core networks, nor can inject
required to setup a malicious eNodeB (eNodeBadv ) and a valid encrypted traffic unless the service provider blatantly
malicious UE (UEadv ), and also needs to know the IMSI of disregards the standard’s security recommendations and choose
the victim UE. We assume there is a private channel between a weak-/no- security context during connection establishment.
the eNodeBadv and the UEadv . Implications: The implications of this attack include:
Attack description. In this attack, the adversary impersonates (1) Deception: The adversary deceives the victim into be-
an already attached victim UE (UEvic ) to connect to the EPC by lieving that the UEvic is connected to the core network.
collaborating with the eNodeBadv and the UEadv . Suppose the (2) Location History Poisoning: Since the UEadv does not
UEvic is already attached with the legitimate eNodeB denoted need to be in the same tracking area as the UEvic , it can
by eNodeBbenign . The attack can be broken down into two authenticate itself to the EPC from a different tracking area and
main goals: (i) Force UEvic to disconnect from the EPC; (ii) thus provide misleading location information about the UEvic .
UEadv pretends to be UEvic to connect to the EPC. Thus, the UEadv can poison the location history of the UEvic
by performing this attack successively from different tracking
Disconnecting UEvic from the EPC: For disconnecting the
areas. As a result, a fugitive or criminal hiding in one location
UEvic from the EPC, we use our paging with IMSI attack. This
can deceive the core network into believing that the criminal
can also be achieved with our network initiated detach request
has attached to the core network from a different location.
or auth reject attacks.
(3) Loss of confidentiality: The security mode command
UEadv connecting to the EPC by impersonating as UEvic : message sent by the MME during the attach procedure in-
As the UEvic detached itself from the EPC due to a paging with cludes the selected cipher (EEA0-EEA7) and integrity protec-
IMSI message, it will try attach to the eNodeB with the highest tion (EIA0-EIA7) algorithms of the MME. By observing the
signal strength; which is the eNodeBadv . The UEvic will send security mode command messages of all four major network
an attach request message mreq to the eNodeBadv which the providers in the US, we have observed that at least one
eNodeBadv forwards to the UEadv . The UEadv then sends the carrier (OP-I) never used encryption (i.e., uses EEA0—no
same attach request mreq to the eNodeBbenign . The legitimate cipher). Note that, to keep the four major US network oper-
MME will send an authentication challenge c to the UEadv ators anonymous, we use pseudonyms (i.e., OP-I, OP-II, OP-
through the eNodeBbenign upon receipt of mreq . The UEadv III, OP-IV) to identify them. We have observed this insecure

10
 Dete- a custom-built LTE network and commercial networks with a
# Prior attack How/Why?
cted
logical Faraday cage [13].
1 Downgrade using tau reject [13] Yes LTEInspector.
2 Denial of all services [13] Yes LTEInspector.
Do not model A. Testbed Setup and Assumption Validation
3 Denial of selected services [13] No data for
attach request. We now describe our testbed setup for attack validation.
Location tracking through mapping Do not model mul-
4 user’s phone number/social network ID No tiple instance of 1) Malicious eNodeB Setup: We have used a Universal
to GUTI [8], [13]. UEs.
5 IMSI catching [16] Yes LTEInspector.
Software-defined Radio Peripheral device (i.e., USRP B210
Do not model RRC [39]) connected to an Intel Core i7 machine running Ubuntu
6 Fine-grained location exposure [13] No 14.04 as the hardware component and OpenLTE [40], an
layer messages.
7
DoS exploiting race condition with
Yes LTEInspector. open source LTE protocol stack implementation, to set up a
paging response [38] in 2G malicious eNodeB which costs around $1300 for the dedicated
Service hijacking exploiting race condi-
8 tion with paging response [38] in 2G Yes LTEInspector. hardware (i.e., excluding the core i7 machine). We used
Linkability using TMSI reallocation OpenLTE’s LTE_Fdd_enodeb application which simultane-
9 Yes LTEInspector.
command [11] in 3G ously acts as a bare-minimal eNodeB, a mobility management
Linkability of IMSI to GUTI using entity (MME), and a home subscriber server (HSS). We have
10 paging request [10] in 3G Yes LTEInspector.
Linkability using
implemented support for the detach procedure in OpenLTE as
11 auth sync failure [10] in 3G Yes LTEInspector. it originally had support for the attach procedure only. We
12 Man-in-the-Middle in 2G [9] Yes LTEInspector. have also instrumented OpenLTE to inject different fabricated
13 Man-in-the-Middle in 3G [12] No Do not model data. messages (e.g., network initiated detach request message)
Table IV: Prior attacks (related to attach, detach, and paging when necessary. For validating attacks against the paging
procedures) that are detected/not detected by LTEInspector. procedure, we use srsLTE [41] which we enhanced to support
eNodeB-initiated paging messages; its original support only
practice multiple times in two different geographical locations. included MME-initiated paging messages.
The adversary hence can learn the UEvic ’s conversation, SMSs,
eNodeB configuration. Our malicious eNodeB can imper-
and data through the UEadv and the eNodeBadv . We reported
sonate the legitimate eNodeB of a network operator (i.e.,
this to the affected carrier which has now been addressed.
OP-I to OP-IV) by broadcasting system info block messages
(4) Complete or Selective DoS: Using this attack, the with higher signal power. For successful impersonation, these
UEadv and the eNodeBadv can relay the incoming/outgoing messages must include parameter values that are equal to
traffic of the UEvic and the EPC. Therefore, the UEadv and that of an operator’s legitimate eNodeB. The adversary uses
the eNodeBadv can deny the UEvic ’s phone-calls/SMS/data- a UE with the operator’s SIM to learn the parameters in
transfers completely/selectively. Consequently, the operational the system info block messages sent by the operator’s eN-
network is deprived of the charges for the incoming/outgoing odeB. In our setup, we use both our custom-built sniffer
calls and SMSs. and QXDM [42] to sniff the incoming and outgoing LTE
(5) Profiling victim’s service usage: Since all the incom- messages on a consumer UE to learn the operator’s parameters.
ing/outgoing communications of the UEvic take place through Table V shows the parameters that we capture from the
the UEadv and the eNodeBadv , the adversary can profile the operator eNodeB’s system info block messages. We use them
service usage pattern (i.e., patterns of phone calls, SMSs, data) to configure the malicious eNodeB with OpenLTE.
of the victim.
Parameters Description
E. Prior Attacks Detected by LTEInspector band The frequency band number of the network operator.
dl earfcn E-UTRA absolute radio frequency channel number.
In addition to the new attacks, LTEInspector is capable mcc Mobile country code specific to a country.
mnc Mobile network code specific to a network operator.
of detecting 9 [16], [13], [38], [10], [11], [9] out of 13 prior p0 nominal pucch Power control parameter.
attacks (see Table IV) that are relevant in the context of attach, p0 nominal pusch Power control parameter.
detach, and paging procedures. The previous attacks [13], q rx lev min Used for cell re-selection.
[8], [12] that LTEInspector cannot detect exploit one of the q hyst Used for cell re-selection
DRX cycle Paging cycle
following which LTEInspector currently does not support: (1)
message data, (2) multiple instances of UEs or MMEs, (3) Table V: Configuration parameters captured from Operator’s
other layers’ (e.g., RRC layer) messages, (4) 2G/3G procedures system info block messages.
that are different from 4G LTE, (5) properties about sets Learning IMSI/IMEI. As soon as the victim UE is forced
of traces, and (6) performance related parameters (e.g., data to connect with the malicious eNodeB, the malicious eNodeB
transmission and reception rate). sends an identity request (IMSI/IMEI) message to the vic-
tim UE which responds with the identity response message
V. VALIDATION OF ATTACKS WITH T ESTBED including its IMSI/IMEI.
In this section, we describe the verification of the new Learning GUTI. We use the well-known set intersection
attacks (along with their adversarial assumptions) detected by technique to find the GUTI as described in [8].
LTEInspector. We have tried to exercise restraint—conforming
to best practices—in validating the effectiveness of the dif- 2) Malicious UE Setup: We use a USRP B210 [39] running
ferent vulnerabilities while maintaining the validation process srsUE [43] (open source protocol stack implementation for
meaningful. To limit the impact of our attacks, we use both UE) as the malicious UE which costs around $1300.

11
 Detach Type Our observation of victim UE’s response
Re-attach re- No cellular signals (shows “No Service”). Requires mobile
quired restart or SIM re-insert to get the 4G LTE back again.
Re-attach not Detaches from 4G LTE. Immediately downgrades to
required 3G/2G and sends attach request to the 3G/2G network.
IMSI detach Does not detach from the 4G LTE network.
Table VI: Victim UE’s responses to different types of detach.
paging cycle/occasions. To this end, we captured and decoded
the system info block and attach request messages—sent in
plaintext by the carrier’s eNodeB and the victim UE, respec-
tively, and learned the parameters relevant for computing the
victim UE’s paging occasion (e.g., DRX cycle, IMSI). The
malicious eNodeB then injected fake paging messages (with
no paging records) at the paging occasions of the victim UE.
We observed that the victim UE only received the fake paging
messages instead of the legitimate messages.
After hijacking the victim UE’s paging channel, we allowed
two senders to place phone calls and send SMSs to victim’s
phone number triggering the (benign) MME to send multiple
paging messages to the victim UE. We observed that the victim
did not receive any of the legitimate paging messages, i.e., the
service notifications. The victim’s unresponsiveness was also
noticed on the sender-side.
P-2 Stealthy Kicking-off Attack: For this attack, instead
of injecting empty paging messages, the malicious eNodeB
fabricated the paging messages with a paging record contain-
ing the victim UE’s IMSI. As soon as the victim UE received
this message, we observed that it locally detached itself from
the network and sent an attach request, confirming the attack.
P-3 Panic Attack: To inject fake paging messages to
arbitrary neighboring UEs, the malicious eNodeB broadcasted
paging messages at all possible paging occasions. Each of
these paging messages had the ETWS (earthquake and tsunami
warning system) bits set to provide the UEs an alert noti-
fication. Upon receiving such alert notification, a UE looks
for the actual warning message which the eNodeB broadcasts
through the system information block type 10 or 11 or 12
messages. Since such warning messages may be received by
other mobile phones which are not subject to our experiment,
we refrained the malicious eNodeB from sending the actual
warning messages.
P-4 Energy Depletion Attack: We quantitatively measure
the UE’s energy depletion due to this attack. In particular, we
leverage the strong correlation between energy consumption
with message transmission rate [47]. We essentially measured
the message transmission rate in the benign and attack case,
and drew conclusions about energy consumption. To realize
this attack, we configured the malicious eNodeB to broadcast
paging message with the victim’s GUTI at every third paging
occasion (i.e., ∼ 3 seconds) of the victim UE. Upon reception
of this paging message, we observed that the victim UE sent
an encrypted and integrity protected service request message
to the malicious eNodeB. We also carried out this attack where
the paging message included the victim’s IMSI in which case,
however, the victim initiated the attach procedure. For the
paging with GUTI, we carried out the attack for an hour and
observed that the victim sent 1200 service request messages.
In the benign case (measured from 4G LTE traces [48]),
however, on average the UE responds to 156 (std. dev. 14.27)
paging messages . Roughly, the energy depletion due to this
13
attack ∼ 8 times to that of the benign condition. The attacker
can make it worse, in case it chooses to inject the paging with
GUTI in every paging occasion.
VI. R ELATED W ORK
In this section, we present existing efforts that focus on
the security, privacy, and availability of cellular networks. In
this context, although prior work has extensively investigated
the security and privacy issues of 2G and 3G protocols [8],
[6], [7], [49], [50], there is less work that addresses the same
concerns for the 4G LTE networks [13].
The closest to LTEInspector’s approach is by Tu et al. [17]
where they focus on identifying non-trivial interactions—using
an explicit-state model checker [23]—between the different
control-plane protocol layers of LTE. Unlike LTEInspector,
their work, however, can neither explicitly reason about ad-
versarial actions nor can support cryptographic constructs.
Man-in-the-Middle Attacks: Meyer et al. [12] exploit the null
integrity of the security mode command message in 3G net-
works to perform a man-in-the-middle attack. In contrast, our
authentication relay attack in 4G LTE allows the adversary to
connect to the EPC without nullifying the security capabilities.
In this attack the adversary, however, cannot decrypt or inject
valid encrypted messages unless the operator uses a weak or no
security context. Rupprecht et al. [44] used an implementation
bug in a particular LTE dongle (Huawei E3276 USB Dongle)
to demonstrate a man-in-the-middle attack for 4G LTE.
IMSI Catching Attacks and 5G AKA Solutions: The IMSI
catching attacks [51], [5], [52] still prevail for 4G LTE
networks as they did for 2G and 3G networks. Arapinis et
al. [10] propose to use public key encryption mechanism for
protecting against the IMSI exposure attacks. However, public
key encryption of the IMSI will likely incur high overhead
during the attach procedure. Also, this mechanism will require
managing multiple public keys for different MMEs (i.e., the
serving network) in the SIM, as well as modification of the
LTE protocol implementation in the legacy UEs. Due to these
reasons, the 3GPP community has not yet adopted this solution
for real deployments. Broek et al. [16] and Khan et al. [53]
both proposed changing pseudonym-based (PMSI) defense
against IMSI catching attack which have several limitations as
discussed in Section IV. The 5G AKA protocol proposed by
Norman et al.[54] can be viewed as a hybrid of the approaches
by Arapinis et al. [10] and Broek et al. [16]. In such a protocol,
the UE encrypts the IMSI using HSS’ public key—unlike the
public-key of MME as in Arapinis et al. [10]—during the very
first occurrence of the attach procedure and then subsequently
uses pseudo-IMSIs for communicating with MME. Although
this approach does not have to manage multiple MME public
keys, it will likely incur additional overhead due to the use of
public key encryption and also suffers from the same weakness
as the solution proposed in [16]. Dabrowski et al. [14] and
Nohl [52] have designed a mobile application that warns the
users about the likely presence of IMSI catchers. In contrast,
LTEInspector can identify the IMSI catching attack and other
attacks that the adversary may launch after knowing the IMSIs.
Linkability Attacks: Arapinis et al. [10] exploit the paging
messages with GUTI for linking the IMSI to the GUTI in 3G
protocols. In contrast, using paging message with IMSI in 4G
LTE we demonstrate how an adversary along with other attacks
(discussed in Section IV-B) can link the IMSIs in 3GPP [35]
and the old PMSI with the new PMSI in the enhanced
Authentication and Key Agreement (AKA) mechanism [16].
Traceability Attacks: Arapinis et al. [11] presented a trace-
ability attack by exploiting an implementation bug in the 3G
network which violates the 3GPP standard recommendation of
adopting new temporary identity for the UE with a tracking
area change. In another work, Arapinis et al. [10] demonstrate
another traceability attack in which the adversary replays the
auth request for the victim UE to all the UEs in an area and
detects the presence of the victim UE from the causes (MAC
failure or SQN synchronization failure). In contrast, our
traceability attack with the security mode command procedure
exploits the missing nonces in security mode command, a
different implementation bug of the commercial networks.
Denial-of-Service (DoS) Attacks: Shaik et al. [13] demonstrate
3 DoS attacks against UEs in which downgrading to 3G/2G
and denial of all network services are performed with the same
tracking area update reject message with just two different
causes. In contrast, our DoS attacks use four new techniques
as discussed in Section IV. As opposed to the DoS attacks
against the UE, Jover et al. [15] discuss a DoS attack against
the EPC using a compromised UE/eNodeB that sends huge
number of attach request messages to the EPC and thus takes
the EPC down. Jermyn et al. [55] show a similar DoS attack
and simulate a set of compromised UEs that exhaust the victim
UEs’ traffic capacity. Golde et al. [38] exploit a race condition
in the paging message responses in 2G networks that enables a
malicious UE to send the paging response message before the
victim UE, and thus preventing the victim UE from receiving
incoming phone calls/SMS.
VII. D ISCUSSION
Properties amenable to our analysis. LTEInspector can
reason about temporal trace properties (with cryptographic
constructs) of both safety and liveness variations. Our current
model cannot handle properties that require reasoning about
sets of traces (e.g., noninterference) instead of a single trace.
For such properties, we mainly rely on the protocol verifier.
Defenses. We deliberately do not discuss defenses for the
observed attacks as retrospectively adding security into an
existing protocol without breaking backward compatibility
often yields band-aid-like-solutions which do not hold up
under extreme scrutiny. It is also not clear, especially, for the
authentication relay attack whether a defense exists that does
not require major infrastructural or protocol overhaul. A pos-
sibility is to employ a distance-bounding protocol; realization
of such protocol is, however, rare in practice [56]. Due to the
strict performance requirements of 4G LTE, any public-key
cryptography-based solution is unlikely to be feasible. On the
contrary, symmetric-key cryptography often have scalability
issues due to establishing a common shared key for broadcast-
ing sensitive (e.g., paging) messages. Further investigation on
defenses is, therefore, required for balancing the performance
and scalability as well as guaranteeing the security.
Limitations. Although LTEInspector suggests a systematic ap-
proach, it currently requires human intervention, for instance,
deciding which sub-steps of the counterexample is required to
be modeled in ProVerif and how. Also, our FSM extraction is
14
currently manual and the extracted FSMs are not complete. In
the same vein, the list of properties we have checked is not
exhaustive. Our current model also does not capture all the
data embedded in the messages.
Threat to Validity. Our manually extracted FSMs from the
3GPP standard may not reflect the behavior of real operational
networks. Inaccuracies in the FSMs may induce false positives,
although, we have not observed any. Due to ethical considera-
tions, we limit our experiments to a custom-built network for
some attack validations which may not faithfully capture the
operational network behavior.
VIII. C ONCLUSION AND F UTURE W ORK
In this paper, we propose LTEInspector which employs
an adversarial model-based testing philosophy for expos-
ing attacks against three critical procedures of 4G LTE.
LTEInspector harnesses the strengths of both a symbolic model
checkers and a protocol verifier and is demonstrated to be
effective in finding 10 novel and 9 prior attacks. We have also
validated most of our attacks (i.e., 8 out of 10) in a testbed.
Future work. In future, we would like to explore the
following four directions: (i) supporting analysis of other pro-
cedures and protocol layers (e.g., RRC and PDCP) messages;
(ii) automating some of the manual tasks in LTEInspector; (iii)
enriching the model features and analysis of LTEInspector to
handle message data; (iv) investigating the defense techniques.
ACKNOWLEDGEMENT
We thank our Shepherd, Yongdae Kim, and the anony-
mous reviewers for their valuable suggestions. This work
was supported by Intel/CERIAS RAship, FFTF fellowship
by Schlumberger Foundation, NSF grant CNS-1657124, NSF
grant CNS-1719369, and Intel as part of the NSF/Intel ICN-
WEN program.
R EFERENCES
[1] Hackers Are Tapping Into Mobile Networks’ Backbone, New Re-
search Shows, https://www.forbes.com/sites/parmyolson/2015/10/14/
hackers-mobile-network-backbone-ss7.
[2] Hackers Take Down the Most Wired Country in Europe, https://www.
wired.com/2007/08/ff-estonia/.
[3] 3GPP Standard, www.3gpp.org.
[4] 3GPP Standard. Release 12., http://www.3gpp.org/specifications/
releases/68-release-12.
[5] D. Abodunrin, Y. Miche, and S. Holtmanns, “Some dangers from 2g
networks legacy support and a possible mitigation,” in Communications
and Network Security (CNS), Sept 2015, pp. 585–593.
[6] P. P. C. Lee, T. Bu, and T. Woo, “On the detection of signaling dos
attacks on 3g wireless networks,” in 26th International Conference on
Computer Communications (INFOCOM), May 2007, pp. 1289–1297.
[7] N. Golde, K. Redon, and R. Borgaonkar, “Weaponizing Femtocells:
The Effect of Rogue Devices on Mobile Telecommunications,” in
Proceedings of the 19th Annual Network & Distributed System Security
Symposium, Feb. 2012.
[8] D. F. Kune, J. Koelndorfer, and Y. Kim, “Location leaks on the gsm
air interface,” in NDSS, 2012.
[9] I. Androulidakis, “Intercepting mobile phone calls and short messages
using a gsm tester,” in 18th Conference on Computer Networks, Ustron,
Poland, A. Kwiecień, P. Gaj, and P. Stera, Eds., 2011, pp. 281–288.
[10] M. Arapinis, L. Mancini, E. Ritter, M. Ryan, N. Golde, K. Redon,
and R. Borgaonkar, “New privacy issues in mobile telephony: Fix and
verification,” in Proceedings of the 2012 ACM Conference on Computer
and Communications Security, ser. CCS ’12. ACM, 2012, pp. 205–216.
[11] M. Arapinis, L. I. Mancini, E. Ritter, and M. Ryan, “Privacy through
pseudonymity in mobile telephony systems,” in NDSS, 2014.
[12] U. Meyer and S. Wetzel, “A man-in-the-middle attack on umts,” in
Proceedings of the 3rd ACM Workshop on Wireless Security, ser. WiSe
’04. ACM, 2004, pp. 90–97.
[13] A. Shaik, J. Seifert, R. Borgaonkar, N. Asokan, and V. Niemi, “Practical
attacks against privacy and availability in 4g/lte mobile communication
systems,” in 23nd Annual Network and Distributed System Security
Symposium, NDSS, San Diego, CA, USA, February 21-24, 2016.
[14] A. Dabrowski, N. Pianta, T. Klepp, M. Mulazzani, and E. Weippl, “Imsi-
catch me if you can: Imsi-catcher-catchers,” in Proceedings of the 30th
Annual Computer Security Applications Conference, ser. ACSAC ’14.
ACM, 2014, pp. 246–255.
[15] R. P. Jover, “Security attacks against the availability of lte mobility
networks: Overview and research directions,” in Wireless Personal Mul-
timedia Communications (WPMC), 2013 16th International Symposium
on, June 2013, pp. 1–9.
[16] F. van den Broek, R. Verdult, and J. de Ruiter, “Defeating imsi catchers,”
in Proceedings of the 22Nd ACM SIGSAC Conference on Computer and
Communications Security, ser. CCS ’15. ACM, 2015, pp. 340–351.
[17] G.-H. Tu, Y. Li, C. Peng, C.-Y. Li, H. Wang, and S. Lu, “Control-plane
protocol interactions in cellular networks,” in Proceedings of the 2014
ACM Conference on SIGCOMM. ACM, 2014, pp. 223–234.
[18] Cellular Service, https://www.fcc.gov/wireless/bureau-divisions/
mobility-division/cellular-service.
[19] D. Dolev and A. C. Yao, “On the security of public
key protocols,” Stanford, CA, USA, Tech. Rep., 1981,
http://www.ncstrl.org:8900/ncstrl/servlet/search?formname=detail&id=oai
[20] K. R. Apt and D. C. Kozen, “Limits for automatic verification of finite-
state concurrent systems,” Inf. Process. Lett., vol. 22, no. 6, pp. 307–309,
May 1986.
[21] Z. Manna and A. Pnueli, “A hierarchy of temporal properties (invited
paper, 1989),” in Proceedings of the ninth annual ACM symposium on
Principles of distributed computing. ACM, 1990, pp. 377–410.
[22] A. Cimatti, E. M. Clarke, F. Giunchiglia, and M. Roveri, “Nusmv: A
new symbolic model verifier,” in Proceedings of the 11th International
Conference on Computer Aided Verification, ser. CAV ’99. London,
UK, UK: Springer-Verlag, 1999, pp. 495–499.
[23] G. Holzmann, Spin Model Checker, the: Primer and Reference Manual,
1st ed. Addison-Wesley Professional, 2003.
[24] B. Blanchet, “Modeling and verifying security protocols with the
applied pi calculus and proverif,” Foundations and Trends in Privacy
and Security, vol. 1, no. 1-2, pp. 1–135, 2016.
[25] S. Meier, B. Schmidt, C. Cremers, and D. Basin, “The tamarin prover
for the symbolic analysis of security protocols,” in Proceedings of the
25th International Conference on Computer Aided Verification (CAV).
Springer-Verlag, 2013, pp. 696–701.
[26] A. Armando and et al., “The avispa tool for the automated validation of
internet security protocols and applications,” in Proceedings of the 17th
International Conference on Computer Aided Verification, ser. CAV’05.
Springer-Verlag, 2005, pp. 281–285.
[27] J. Bengtson, K. Bhargavan, C. Fournet, A. D. Gordon, and S. Maffeis,
“Refinement types for secure implementations,” ACM Trans. Program.
Lang. Syst., vol. 33, no. 2, pp. 8:1–8:45, Feb. 2011.
[28] G. Lowe, “Breaking and fixing the needham-schroeder public-key pro-
tocol using fdr,” in Proceedings of the Second International Workshop
on Tools and Algorithms for Construction and Analysis of Systems, ser.
TACAs ’96. Springer-Verlag, 1996, pp. 147–166.
[29] C. J. Cremers, “Unbounded verification, falsification, and characteriza-
tion of security protocols by pattern refinement,” in Proceedings of the
15th ACM Conference on Computer and Communications Security, ser.
CCS ’08. ACM, 2008, pp. 119–128.
[30] A. C. Yao, “Theory and application of trapdoor functions,” in Pro-
ceedings of the 23rd Annual Symposium on Foundations of Computer
Science, ser. SFCS ’82. IEEE Computer Society, 1982, pp. 80–91.
[31] J.-K. Tsay and S. F. Mjølsnes, “A vulnerability in the umts and lte
authentication and key agreement protocols,” in Proceedings of the 6th
MMM-ACNS. Springer-Verlag, 2012, pp. 65–76.
15
[32] B. Blanchet, “Automatic verification of correspondences for security
protocols,” Journal of Computer Security, vol. 17, no. 4, pp. 363–434,
Jul. 2009.
[33] M. Abadi and B. Blanchet, “Analyzing Security Protocols with Secrecy
Types and Logic Programs,” in 29th Annual ACM SIGPLAN - SIGACT
Symposium on Principles of Programming Languages (POPL 2002).
Portland, Oregon: ACM Press, Jan. 2002, pp. 33–44.
[34] E. A. Emerson and K. S. Namjoshi, “Reasoning about rings,” in Pro-
ceedings of the 22Nd ACM SIGPLAN-SIGACT Symposium on Principles
of Programming Languages (POPL). ACM, 1995, pp. 85–94.
[35] 3GPP. Non-Access-Stratum (NAS) protocol for Evolved Packet System
(EPS); Stage 3 Specification 3GPP TS 24.301 version 12.8.0 Release
12., [Online]. Available: http://www.3gpp.org/dynareport/24301.htm.
[36] R. Racic, D. Ma, and H. Chen, “Exploiting mms vulnerabilities to
stealthily exhaust mobile phone’s battery,” in Securecomm and Work-
shops, Aug 2006, pp. 1–10.
[37] J. Serror, H. Zang, and J. C. Bolot, “Impact of paging channel overloads
or attacks on a cellular network,” in Proceedings of the 5th ACM
Workshop on Wireless Security, 2006, pp. 75–84.
[38] N. Golde, K. Redon, and J.-P. Seifert, “Let me answer that for you:
Exploiting broadcast information in cellular networks,” in Proceedings
of the 22Nd USENIX Conference on Security, 2013, pp. 33–48.
[39] USRP B210, https://www.ettus.com/product/details/UB210-KIT.
[40] OpenLTE, http://openlte.sourceforge.net/.
[41] srsLTE, https://github.com/srsLTE.
[42] Qxdm Professional Qualcomm Extensible Diagnostic-
Monitor, www.qualcomm.com/media/documents/files/
qxdm-professional-qualcomm-extensible-diagnostic-monitor.pdf.
[43] srsUE, https://github.com/srsLTE/srsUE.
[44] D. Rupprecht, K. Jansen, and C. Pöpper, “Putting lte security functions
to the test: A framework to evaluate implementation correctness,” in
Proceedings of the 10th USENIX Conference on Offensive Technologies,
ser. WOOT’16, 2016, pp. 40–51.
[45] N. Bui and J. Widmer, “Owl: A reliable online watcher for lte control
channel measurements,” in Proceedings of the 5th Workshop on All
Things Cellular: Operations, Applications and Challenges, ser. ATC
’16. ACM, 2016, pp. 25–30.
[46] OpenEPC, www.openepc.com.
[47] P. Y. Kong, “Power consumption and packet delay relationship for het-
erogeneous wireless networks,” IEEE Communications Letters, vol. 17,
no. 7, pp. 1376–1379, July 2013.
[48] Y. Li, C. Peng, Z. Yuan, J. Li, H. Deng, and T. Wang, “Mobileinsight:
Extracting and analyzing cellular network information on smartphones,”
in Proceedings of the 22nd Annual International Conference on Mobile
Computing and Networking, ser. MobiCom ’16, 2016, pp. 202–215.
[49] P. Traynor, P. McDaniel, and T. La Porta, “On attack causality in
internet-connected cellular networks,” in Proceedings of 16th USENIX
Security Symposium, 2007, pp. 21:1–21:16.
[50] P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, P. McDaniel, and
T. La Porta, “On cellular botnets: Measuring the impact of malicious
devices on a cellular network core,” in Proceedings of the 16th ACM
Conference on Computer and Communications Security (CCS), 2009,
pp. 223–234.
[51] R. Borgaonkar and S. Udar, “Understanding imsi privacy,” in BlackHat,
2014.
[52] K. Nohl, “Mobile self-defense.” [Online]. Avail-
able: https://events.ccc.de/congress/2014/Fahrplan/system/attachments/
2493/original/Mobile Self Defense-Karsten Nohl-31C3-v1.pdf
[53] M. S. A. Khan and C. J. Mitchell, “Trashing imsi catchers in mobile
networks,” in Proceedings of the 10th ACM Conference on Security and
Privacy in Wireless and Mobile Networks, 2017, pp. 207–218.
[54] Protecting IMSI and User Privacy in 5G Networks, www.ericsson.com/
res/docs/2016/protecting-imsi-and-user-privacy-in-5g-networks.pdf.
[55] J. Jermyn, G. Salles-Loustau, and S. Zonouz, “An analysis of dos attack
strategies against the lte ran,” vol. 3, 2014, pp. 159–180.
[56] K. B. Rasmussen and S. Čapkun, “Realization of rf distance bounding,”
in Proceedings of the 19th USENIX Conference on Security, ser.
USENIX Security’10, 2010, pp. 25–25.