Protecting the 4G and 5G Cellular Paging Protocols against Security and Privacy Attacks


This paper focuses on protecting the cellular paging protocol, which balances a device's quality of service against its battery consumption, from security and privacy attacks. Attacks against this protocol can have severe repercussions, for instance allowing an attacker to infer a victim's location, leak a victim's IMSI, and inject fabricated emergency alerts. To secure the protocol, we first identify the underlying design weaknesses that enable such attacks and then propose efficient, backward-compatible approaches to address them. We also demonstrate the deployment feasibility of our enhanced paging protocol by implementing it on an open-source cellular protocol library and commodity hardware. Our evaluation shows that the enhanced protocol thwarts these attacks without incurring substantial overhead.



