LTE Security and Protocol Exploits presented at Shmoocon 2016

by Roger Piqueras Jover

Summary: Long Term Evolution (LTE) is the newest standard being deployed globally for mobile communications. Despite the well understood security flaws of legacy 2G networks, which lack mutual authentication and implement an outdated encryption algorithm, LTE is generally considered secure given its mutual authentication and strong encryption scheme. To date, the main cellular vulnerabilities being exploited in most IMSI catchers and stingrays are based on 2G base stations. Nevertheless, rogue base stations and protocol exploits are also possible in LTE. Before the authentication and encryption steps of a connection are executed, a mobile device engages in a substantial exchange of messages with *any* LTE base station (real or rogue) that advertises itself with the right broadcast information. And this broadcast information is sent in the clear and can be easily sniffed. This talk overviews my work on LTE protocol exploits ranging from full-LTE IMSI catchers, blocking of the SIM or the device until device reboot, severe battery drain, location leaks and low-power jamming. Some of these exploits have been previously released in some form and some others have not, such as a new way to track devices as they hand over from tower to tower.
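The abstract's central point is that the broadcast parameters a cell advertises (PLMN, tracking area code, cell identity, carrier) are sent in the clear and are trusted by the device before any authentication. The same property cuts the other way for a defender: those parameters can be passively surveyed and compared against a known-good baseline. The block below is an added example, not code from the talk or from the speaker; the record fields, the site baseline, the sample scan and the three heuristics (unknown cell identity, unsurveyed TAC, signal far above the strongest surveyed cell) are all this example's own assumptions, and the PLMN and cell identities are constructed values.

```python
"""Compare passively observed LTE cell broadcasts against a site baseline.

Added example. The record layout, baseline and scan data are constructed for
illustration; the field names are assumptions, not a real decoder's output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CellBroadcast:
    """Parameters readable from a cell's clear-text broadcast (MIB/SIB1)
    before the device has authenticated to anything."""
    plmn: str        # MCC+MNC as advertised (constructed value below)
    tac: int         # tracking area code
    cell_id: int     # E-UTRAN cell identity
    earfcn: int      # carrier frequency number the cell was seen on
    rsrp_dbm: float  # measured reference signal received power


# Constructed baseline: cells previously surveyed at this site -> expected EARFCN
BASELINE = {
    ("99970", 1201, 0x1A2B01): 1850,
    ("99970", 1201, 0x1A2B02): 1850,
    ("99970", 1202, 0x1A2B10): 3050,
}

# Constructed scan: two surveyed cells, an unknown and unusually strong cell on
# a surveyed TAC, a surveyed cell, and an unknown cell on an unsurveyed TAC.
SAMPLE_SCAN = [
    CellBroadcast("99970", 1201, 0x1A2B01, 1850, -88.0),
    CellBroadcast("99970", 1201, 0x1A2B02, 1850, -95.0),
    CellBroadcast("99970", 1201, 0x1A2B99, 1850, -60.0),
    CellBroadcast("99970", 1202, 0x1A2B10, 3050, -101.0),
    CellBroadcast("99970", 7777, 0x1A2B11, 1850, -97.0),
]


def known_tacs(baseline):
    """Map each PLMN in the baseline to the set of TACs surveyed for it."""
    tacs = {}
    for plmn, tac, _cell_id in baseline:
        tacs.setdefault(plmn, set()).add(tac)
    return tacs


def analyze_scan(observations, baseline=BASELINE, margin_db=15.0):
    """Return {(plmn, tac, cell_id): [reasons]} for cells worth a closer look.

    Heuristics (assumptions of this example):
      * cell identity never surveyed at this site
      * TAC never surveyed for the advertised PLMN
      * surveyed cell seen on a different carrier than surveyed
      * signal more than margin_db above the strongest surveyed cell in the scan
    """
    tacs = known_tacs(baseline)

    # Power reference per PLMN: strongest cell in this scan that is in the baseline.
    strongest = {}
    for obs in observations:
        if (obs.plmn, obs.tac, obs.cell_id) in baseline:
            prev = strongest.get(obs.plmn, -200.0)
            strongest[obs.plmn] = max(prev, obs.rsrp_dbm)

    findings = {}
    for obs in observations:
        key = (obs.plmn, obs.tac, obs.cell_id)
        reasons = []
        if key not in baseline:
            reasons.append("cell identity not in site baseline")
            if obs.plmn in tacs and obs.tac not in tacs[obs.plmn]:
                reasons.append("TAC never surveyed for this PLMN")
        elif baseline[key] != obs.earfcn:
            reasons.append(f"surveyed cell seen on unexpected EARFCN {obs.earfcn}")
        ref = strongest.get(obs.plmn)
        if ref is not None and obs.rsrp_dbm - ref > margin_db:
            reasons.append("signal far above strongest surveyed cell")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (plmn, tac, cell_id), reasons in analyze_scan(SAMPLE_SCAN).items():
        print(f"PLMN {plmn} TAC {tac} cell {cell_id:#08x}: {'; '.join(reasons)}")
```

The heuristics only raise a flag for review; a legitimately new or re-planned cell will trip the same rules, so the baseline has to be refreshed from the operator's known deployment, and a strong unknown cell is an indicator to investigate rather than proof of a rogue base station.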
Roger Piqueras Jover is a Wireless Security Research Scientist on the Security Architecture team at Bloomberg LP. Prior to that, he spent 5 years as Principal Member of Technical Staff at the AT&T Security Research Center. His work focuses on LTE mobile network security, protocol exploits and exploring the security of anything that communicates wirelessly.