Forcing a Targeted LTE Cellphone into an Unsafe Network presented at Defcon 2016

by Haoqi Shan, Wanqiao Zhang,

Summary : LTE is a more advanced mobile network but not absolutely secure. Recently there already some papers those exposed the vulnerabilities of LTE network. In this presentation, we will introduce one method which jointly exploits the vulnerabilities in tracking area update procedure, attach procedure, and RRC redirection procedure, and finally can force a targeted LTE cellphone to downgrade into a malicious GSM network, then consequently can eavesdrop its data traffic or even voice call. This attack is not a simple DoS attack. It can select the targeted cellphone by filtering the IMSI number (IMSI catcher function), so it will not influence the other cellphones and keep them still in the real network. Further more, it can force the cellphone into the malicious network that we setup (a fake network) or we assign (operator’s network), therefore the cellphone has no chance to choose other secure network. This is the danger point of this attack.