*&&&
4ZNQPTJVN
PO
4FDVSJUZ
BOE
1SJWBDZ

Breaking LTE on Layer Two

David Rupprecht Katharina Kohls Thorsten Holz Christina Pöpper
Ruhr-University Bochum Ruhr-University Bochum Ruhr-University Bochum New York University Abu Dhabi
david.rupprecht@rub.de katharina.kohls@rub.de thorsten.holz@rub.de christina.poepper@nyu.edu

Abstract—Long Term Evolution (LTE) is the latest mobile of the LTE protocol stack. On the network layer (layer three),
communication standard and has a pivotal role in our infor- passive or active attackers can either localize a user or deny
mation society: LTE combines performance goals with modern the service and thus downgrade the phone to the insecure GSM
security mechanisms and serves casual use cases as well as critical
infrastructure and public safety communications. Both scenarios network [2]–[4]. On the physical layer (layer one), LTE can be
are demanding towards a resilient and secure specification and the target of jamming attacks that aim to deny the service [5]–
implementation of LTE, as outages and open attack vectors [8]. As a matter of fact, the previous research efforts focused
potentially lead to severe risks. Previous work on LTE protocol only on layer one or layer three protocols and—to the best
security identified crucial attack vectors for both the physical of our knowledge—no security analysis of data link layer
(layer one) and network (layer three) layers. Data link layer
(layer two) protocols, however, remain a blind spot in existing (layer two) protocols exists to date. This leads to a situation
LTE security research. of uncertainty about potential security and privacy threats
In this paper, we present a comprehensive layer two security that arise from the specification or implementation flaws of
analysis and identify three attack vectors. These attacks impair the data link layer and its three protocols: Medium Access
the confidentiality and/or privacy of LTE communication. More Control (MAC), Radio Link Control (RLC), and Packet Data
specifically, we first present a passive identity mapping attack
that matches volatile radio identities to longer lasting network Convergence Protocol (PDCP).
identities, enabling us to identify users within a cell and serving In this paper, we perform a security analysis of LTE on
as a stepping stone for follow-up attacks. Second, we demonstrate layer two and analyze these protocols for potential vulner-
how a passive attacker can abuse the resource allocation as abilities. As a result, we introduce two passive attacks and
a side channel to perform website fingerprinting that enables one active attack that impair the confidentiality and privacy
the attacker to learn the websites a user accessed. Finally, we
present the A LTE R attack that exploits the fact that LTE user of LTE communication. Table I shows an overview of the
data is encrypted in counter mode (AES-CTR) but not integrity attacks and their properties. We first focus on a passive
protected, which allows us to modify the message payload. adversary who can remain stealthy during an attack, i. e., being
As a proof-of-concept demonstration, we show how an active successful does not depend on any active interference with
attacker can redirect DNS requests and then perform a DNS the network entities or protocols. Our first passive attack,
spoofing attack. As a result, the user is redirected to a malicious
website. Our experimental analysis demonstrates the real-world the identity mapping attack, allows an adversary to map the
applicability of all three attacks and emphasizes the threat of user’s temporary network identity (TMSI) to the temporary
open attack vectors on LTE layer two protocols. radio identity (RNTI). More specifically, we demonstrate how
an attacker can precisely localize and identify a user within
I. I NTRODUCTION the cell, distinguish multiple transmission streams, and use
The latest mobile communication standard LTE represents this information as a stepping stone for subsequent attacks.
the daily communication infrastructure for billions of people One example for this is our second attack vector, the website
in the world and has a pivotal role in our information society. fingerprinting attack. Website fingerprinting is known from
LTE is designed to combine performance goals such as high other contexts like Tor [9], where traffic analysis reveals the
transmission rates and low latency with a series of security browsing behavior of users despite Tor’s onion encryption. In
features like formally proven mutual authentication, well- the context of LTE, we demonstrate a comparable information
established encryption algorithms such as AES, and separated leak in the resource allocation: even though transmissions are
security domains. Besides casual use cases, LTE also has encrypted, we can access plaintext information up to the PDCP
an emerging relevance for critical infrastructures and public and learn the transmission characteristics for individual users.
safety communications [1]. Both scenarios are demanding This information is sufficient to distinguish accessed websites
towards a resilient and secure specification and implementation and de-anonymize a connection that is perceived to be secure
of LTE, as outages and open attack vectors potentially lead to due to encryption. Both attacks already harm user privacy
severe risks. While the LTE specification considers a diverse separately, but they can be combined to an even stronger
set of security features, it can hardly predict all potential version of website fingerprinting, while solely depending on
attacks, and it is even harder to cover sets of restrictions in passive (downlink) sniffing.
real-world implementations. We further introduce an active attack called A LTE R that
Consequently, recent academic and non-academic work exploits the missing integrity protection of LTE user data to
identified various potential vulnerabilities on different layers perform a chosen-ciphertext attack. Our attack is based on the

¥

%BWJE
3VQQSFDIU
6OEFS
MJDFOTF
UP
*&&& 

%0*
41
 TABLE I
OVERVIEW OF L AYER T WO ATTACKS

Model Attack Vector Attack Aim Attack Flaw Hardware Implementation

Identity Mapping Passive RNTI and TMSI Mapping Privacy (Identity, Location) Specification USRP Software Stack
Website Fingerprinting Passive Layer Two Scheduling Metadata Confidentiality Specification USRP Software Stack
A LTE R Active Lack of Integrity Protection Confidentiality, Redirection Specification 2x USRPs Software Stack

insight that user data is encrypted in counter mode (AES-CTR) By sharing our results, we hope to influence the upcoming
but not integrity protected, hence the cipher is malleable. We 5G specification to include countermeasures.
show how an adversary can actively manipulate the encrypted Responsible Disclosure. The lack of integrity protection was
payload and control specific parts of the message. More an active decision of the LTE specification body, mainly
specifically, we demonstrate how an attacker uses a malicious related to the additional overhead induced on the radio
LTE relay to manipulate the IP addresses within an encrypted layer [12]. We demonstrate that this missing integrity protec-
packet, thereby redirecting a packet to a malicious DNS server tion can be exploited in practice. We are in contact with the
in the uplink direction, while maintaining a stable and transpar- GSM Association (GSMA) and 3rd Generation Partnership
ent connection at all times. Even though A LTE R solely focuses Project (3GPP) security groups, following the guidelines of
on layer two, the attack still has cross-layer consequences and responsible disclosure. We hope to influence the upcoming 5G
impacts overlying protocols like IP and DNS. A LTE R affects specifications to add mitigations for the demonstrated attacks
all LTE devices and has implications up to the application and will actively work with GSMA and 3GPP to resolve these
layer. At the same time, the attack is hard to detect by existing attack vectors.
countermeasures like rogue base station detection [10], [11]
and makes a change in the LTE specification the only viable II. T ECHNICAL BACKGROUND
prevention from user data manipulation. The different components of the LTE network infrastructure
We have verified all attack vectors within a real-world, are defined by the roles they fulfill, e. g., they connect a
commercial network using a Software Defined Radio (SDR) user to the network, manage the resource allocation, or build
and an open-source LTE stack implementation. Our experi- the backbone of the network. The capabilities of all these
ments show that our attacks are feasible in practice and pose components are defined following the rule set of the LTE
a realistic threat to users. In particular, we show that the protocol stack and its respective layers. Within this paper, we
identity mapping attack can be performed in a commercial focus on the data link layer of the air interface between the
network on an estimate of 94.73 % of connections. Our website user and the network. In the following, we provide an overview
fingerprinting attack achieves an average detection rate of of the network and the LTE stack, along with an introduction
approximately 90 % for the Alexa top 50 in a closed-world of relevant authentication and encryption algorithms. Further-
scenario, tested with three different devices. Combining both more, we introduce the two adversary models that we consider
attacks creates a powerful non-invasive attacker that is barely in our attacks.
detectable. Finally, we have built a proof-of-concept malicious
relay and performed the A LTE R attack against a Commercial A. LTE Network Overview
Off-The-Shelf (COTS) mobile phone in a commercial network. The LTE network infrastructure consists of end devices for
We were able to successfully redirect a mobile phone to visit a users (User Equipment (UE)), base stations as intermediate
malicious website while maintaining a stable LTE connection. connectors called Evolved NodeB (eNodeB), and the core
In summary, we provide the following three contributions: network for mobility management with the aim to provide
• We perform an extensive LTE layer two analysis. In permanent Internet access. We conduct our attacks between
particular, we examine the control plane for possible the victim user and a benign base station.
information leaks that allow an attacker to gain access 1) UE: The user equipment is the end device provid-
to sensitive information. Furthermore, we investigate the ing services to the user. It has a permanent identity, the
effects of missing integrity protection on the user plane. International Mobile Subscriber Identity (IMSI), and different
• Based upon the performed analysis, we present three temporary identities within the network. One of these tem-
attacks: Two passive attacks allow identity mapping and porary identifiers is the Radio Network Temporary Identity
website fingerprinting purely based on metadata. The (RNTI), which helps to distinguish multiple connections on
active attack allows to redirect DNS traffic and, thus, the radio layer. Besides the connection establishment, the UE
perform a DNS spoofing attack. also applies encryption/decryption and integrity protection for
• We demonstrate the feasibility of all three attacks with transmissions through the network.
realistic setups. For each attack, we discuss the real- 2) eNodeB: The eNodeBs are the base stations of the LTE
world applicability, especially with a focus on attacker network and responsible for radio resource management and
capabilities and the impact for the user. Furthermore, we user data encryption. Furthermore, an eNodeB sends paging
discuss possible countermeasures to mitigate the threats. messages on a broadcast channel. For our attacks, we exploit


 UE eNodeB When data needs to be sent in uplink direction, the UE
User Plane Control Plane Control Plane User Plane layer issues a scheduling request at a configured location. The
NAS eNodeB utilizes the Downlink Control Information (DCI) for
3 IP RRC RRC IP notifying the UE when and where the resources are available
PDCP PDCP in uplink and downlink direction. As we will see later, the
Scope 2 RLC RLC DCI information leaks sensitive information that enables us to
MAC MAC perform a website fingerprinting attack.
1 PHY PHY
Radio Link Control (RLC). The RLC protocol offers three
Air Interface
transmission modes: (i) Acknowledged Mode (AM), (ii) Un-
acknowledged Mode (UM), and (iii) Transparent Mode (TM).
Fig. 1. Overview of the LTE Protocol stack and the scope of our analysis. Depending on the mode, the RLC protocol applies error
correction, segmentation, and assembles data into the correct
order of upper-layer packets. Furthermore, it manages retrans-
the fact that UEs select the eNodeB with the highest signal missions including the detection of retransmitted packets.
strength allowing us to establish an active malicious relay. Packet Data Convergence Protocol (PDCP). The PDCP
3) Evolved Packet Core (EPC): The EPC is the core of protocol provides encryption and integrity protection for con-
the network and is responsible for authentication, mobility trol plane messages to the overlying Radio Resource Control
management, and forwarding of user data. It triggers the (RRC) layer and transfers encrypted user plane data to upper-
procedure for sending out paging requests when user data is level protocols like IP. Within the data link layer, the PDCP
incoming. layer is the first to apply encryption algorithms, hence, we can
directly read the payload and header information of all packets
B. LTE Protocol Stack below this sublayer. This allows us to passively analyze the
The LTE protocol stack between the UE and the eNodeB meta information of layer two transmissions, e. g., the PDCP
is depicted in Figure 1. We briefly explain each layer and its length of a packet, and perform the website fingerprinting
tasks from bottom to top. Later on, we describe the individual attack. Further, we exploit the lack of user data integrity
security mechanisms within the protocol stack separately, since protection for our A LTE R attack.
some work in a cross-layer fashion. 3) Network Layer: There are three sublayers on the net-
1) Physical Layer: As the lowest layer in the protocol work layer: Non-Access Stratum (NAS), Radio Resource
stack, the physical layer is responsible for transmitting infor- Control (RRC), and IP. The NAS layer performs mobility with
mation over the air interface. The physical layer searches for the core network using encrypted and integrity protected mes-
cell candidates and synchronizes with a selected cell. Further, sages. On the RRC sublayer, all radio connections between the
it controls the transmission power for the physical channel and UE and the eNodeB are managed, including the configuration
adapts encoding and modulation schemes. The values for these of all lower-level protocols down to the physical layer. Finally,
parameters are adjusted by a channel quality indicator that is the IP protocol handles transmissions to overlying transport
regularly sent by the UE’s MAC protocol. protocols like TCP and UDP and, therefore, maintains con-
2) Data Link Layer: The data link layer extends the phys- nections to the Internet.
ical layer bit pipe by additional services towards the upper C. Mobility Management
layers and provides mechanisms for reliability, security, and The mobility of devices in the LTE network holds additional
integrity. It is organized in three sublayers: (i) MAC protocol challenges for the specification and implementation of all
scheduling the medium access, (ii) RLC protocol managing the respective protocols. In the context of this work, the paging
segmentation or concatenation of data units, and (iii) PDCP procedure is of particular interest.
protocol performing ciphering tasks and optional IP header
compression. Paging. The paging procedure is used to notify the UE
of incoming data transmissions or a call. Sending paging
Medium Access Control (MAC). The MAC protocol man- messages is initiated by the eNodeB, i. e., it broadcasts the
ages the access to the radio resources of LTE. To do so, each Temporary Mobile Subscriber Identity (TMSI) of a certain
UE with an active radio connection must be distinguishable UE on the paging channel. All UEs within the cell that do not
by a unique identity, the RNTI. To obtain such an RNTI, have an active radio connection listen to the paging channel
the UE performs the Random Access Preamble (RAP) with and react to a message in case their TMSI is sent. The paging
the eNodeB of its current cell and exchanges an unencrypted procedure affects the identity mapping attack, as it helps the
Random Access Response (RAR). In this process, the MAC adversary to learn the unique identifier of a user within the
layer of the eNodeB determines the available radio resources network.
for the UE, matches these assigned resources to the RNTI,
and finally signals this information to the UE to be used for D. Authentication and Encryption
the following transmissions. We use the unique information of LTE uses a challenge-response protocol for Authentication
the RNTI to perform our identity mapping attack. and Key Agreement (AKA) in which the core network (EPC)


sends an authentication request to the UE. This request con- the connection establishment procedure. Furthermore, identity
tains an authentication token for verification of the network’s mapping serves as a stepping stone for the second attack: web-
permanent key on the SIM card of the UE. In case of a site fingerprinting by transmission metadata. Website finger-
successful verification, both the network and the UE can printing reveals the browsing behavior of a user by exploiting
derive a session key from the long-term secret and the random resource allocation scheduling of the network.
nonce. Using this temporary key material, the NAS and RRC
sublayers of the data link layer can establish encryption and A. Identity Mapping Attack
integrity protection mechanisms, respectively. The selection The identity mapping attack exploits temporary identifiers
of certain security algorithms depends on the network and on layer two during the radio connection establishment. It does
is defined in the security mode command, sent out by the not depend on any active interference like comparable paging
EPC/eNodeB. attacks [2], [15], [16]. Compared to the previous mention of
LTE specifies different security mechanisms based on well- this attack vector [3], we describe the attack details and present
established encryption algorithms such as AES. Integrity pro- a practical evaluation in a commercial network using a simple
tection is accomplished by a cipher block chaining message downlink sniffer. In the following, we introduce the attacker
authentication code (CBC-MAC) that is appended to signaling assumptions, the connection establishment process, give an
messages. User data is encrypted in counter mode (AES- overview of the attack procedure, and present experimental
CTR), where the encryption algorithm is used as a keystream results.
generator, and the ciphertext is computed by XORing the Attack Assumption. For the identity mapping attack, we
keystream with the plaintext1 . In fact, this helps us later to assume that the attacker knows neither the RNTI nor the
perform our A LTE R attack given that the cipher is malleable. TMSI of a victim. The attacker learns the mapping between
E. Attacker Model both identities during the radio layer connection establishment,
We use two different attacker models for our layer two which is triggered every time a user sends or receives data
security analysis. The passive attacker acts as an eavesdropper through the network. We exploit the fact that radio packets
and can passively sniff radio layer information within the contain both their own radio layer identity (RNTI) and the
victim’s cell and remains unnoticed. In contrast, the active TMSI of the overlying Non-Access Stratum (NAS). The map-
attacker extends these capabilities for intercepting messages ping can then be further exploited, e. g., the attacker performs
as a Man-in-the-Middle (MitM) attacker. More specifically, a paging attack to map the TMSI to the public phone number
such an attacker can alter message contents and forward the or she can perform a website fingerprint attack.
altered packets to the next node. Both attackers depend only on Connection Establishment Process. In the connecting pro-
low-budget SDR hardware (in practice, our setup costs about cess, the UE sends a Random Access Preamble (RAP) to
2600 $ for the active relay) and uses open-source LTE stack the eNodeB (cf. Figure 2 1 ) and receives the response
implementations [13], [14] that we extended for our attacks. (RAR) including the Cell Radio Network Temporary Identity
These constraints and requirements render both passive and (C-RNTI) 2 . The C-RNTI serves as a unique identifier of the
active attacks a realistic threat in practice. In summary, we user within one radio session until the connection is released.
assume the following attacker model: In response to receiving the C-RNTI, the UE sends an RRC
Passive Attacker. The passive attacker eavesdrops transmis- connection request to the eNodeB 3 , which includes the
sions in up- and downlink direction within the same cell the UE’s identity. This can either be the TMSI or a random
user is located in. Therefore, the attacker can receive and value in case the UE does not possess a valid TMSI at this
decode signals sent out by the eNodeB and the UE. To do so, it moment. The eNodeB completes the connection establishment
is not mandatory to have any knowledge about the established by replying with the RRC connection setup message 4 . In
key material. our attack, we either exploit the RRC connection request 3 in
uplink direction, or the RRC connection setup 4 in downlink
Active Attacker. In addition to the scope of the passive
direction.
attacker, the active attack includes capabilities for sending
radio signals on certain frequencies. Using these capabilities, The Attack. Matching the C-RNTI and the TMSI becomes
the attacker can establish a malicious relay in the network possible, as packets on the MAC layer use the C-RNTI to
by impersonating a UE towards the network and an eNodeB be addressed correctly, i. e., delivered to the correct UE. The
towards the user. Again, no knowledge of the key material is UE receives the C-RNTI within the Random Access Response
required for our attacks. (RAR) 2 which from now on identifies the UE on the MAC
layer. At this point, we benefit from the fact that there are
III. PASSIVE L AYER T WO ATTACKS only ten possible Random Access RNTIs (RA-RNTIs), hence,
Our passive attacks comprise identity mapping, in which we can monitor all possible RAR and derive the C-RNTI.
the attacker learns the identity of a user by eavesdropping on The information of the RAR in message 2 is sufficient for
1 LTE specifies this as EEAn, where n specifies the underlying encryption
conducting the identity mapping in the following steps 3 , 4
algorithm; EEA2 is relevant in our context and the underlying algorithm is of the connection establishment. In particular, we match the
AES. C-RNTI and the TMSI by (a) using an uplink sniffer or


 UE Attacker eNodeB sniffer implements the srsLTE software stack. For verifying
Random Access Preamble the success of both attack variants, we record traces at the UE
1 MAC
RA-RNTI uplink (a) and the downlink sniffer (b).
Random Access Response
2 MAC
C-RNTI Procedure. In our experiments, we first assure that all required
RRC Connection Request preconditions are met and subsequently perform the identity
U-link Sniffer (a) 3 RRC
TMSI
RRC Connection Setup
mapping attack.
D-link Sniffer (b) 4 RRC
TMSI • Precondition: TMSI. The UE performs a radio con-
nection establishment with the eNodeB followed by a
Fig. 2. Radio Connection Establishment Process. We learn the C-RNTI by successful AKA with the core network. The core network
monitoring all RARs (2) on the downlink shared channel. We now either replies with the UE’s valid TMSI for all further commu-
exploit the RRC connection request (3) or contention-based resolution (4).
nication. This assures that the UE uses a valid TMSI for
the following steps.
by (b) exploiting the contention-based resolution of the RRC • Precondition: Radio Idle. The UE remains idle withing
connection setup. the range of the RRC inactivity timer (as default 10 s).
(a) In response to the RAR 2 , the UE sends the RRC Then, the eNodeB signals the UE to transit into the
connection request 3 including the TMSI. We use the RRC idle state. This assures the performance of the
C-RNTI for identifying the uplink resource allocation for radio connection establishment process as soon as the
the target UE, e. g., we can distinguish multiple transmis- UE intends to send data through the network.
sions in the uplink direction (cf. Figure 2, green) and filter Both preconditions create a setup that is comparable to the
out the specific RRC connection request that matches the characteristics of a real-world scenario, i. e., we assume the
monitored C-RNTI. In other words, we know when the possession of a valid TMSI for the user and conduct the attack
UE uses the uplink for transmitting the RRC connection during the connection establishment.
request including the TMSI. We can now match the 1) Attack Step 1. We setup a new TCP connection to
C-RNTI 2 and TMSI 3 for a successful attack. an arbitrary server in the Internet and trigger the radio
(b) After the RRC connection request, the eNodeB proac- connection establishment process (cf. Figure 2).
tively applies contention-based resolution for resolving 2) Attack Step 2. We use the downlink sniffer to eavesdrop
possible collisions during the random access procedure the random access responses of the eNodeB for learning
(cf. Figure 2 1 ). Such collisions can occur when more all C-RNTI candidates. Up to this point the attack steps
than one UE choose the same RAP within the same are generic, i. e., we can use the C-RNTI of message 2
time slot. The only case of contention-free RAPs oc- for the up- or downlink sniffer. We continue with attack
curs during a handover procedure. In all other cases, mode (b).
the RRC connection setup 4 includes a copy of the 3) Attack Step 3. The eNodeB sends the TMSI in the RRC
RRC connection request 3 with its UE identity. More connection setup 4 within the contention-based resolu-
precisely, the specification states that the UE contention tion. We eavesdrop this information using the downlink
resolution identity field of the RRC connection setup must sniffer.
contain the previous uplink data unit (see [17] in Section 4) Attack Step 4. We match the set of C-RNTIs of attack
6.1.3.4). In our case the precious uplink data unit is the step 2 with the TMSI of the contention-based resolution.
RRC connection request. As the RRC connection request We can now identify and localize the user within the cell.
contains the UE identity, e. g., the TMSI or random value, The above attack procedure depends on the presence of a
we can now match the C-RNTI 2 and TMSI 4 . valid TMSI within the contention-based resolution. We verify
1) Experiments: We demonstrate the real-world feasibility this as an attack procedure with high success probability in our
of the identity mapping attack by conducting it in a commer- experiments and discuss the use of either an up- or downlink
cial network. In the following, we introduce the technical setup sniffer in the discussion.
and attack procedure. 2) Results: We successfully repeat the identity mapping
Experimental Setup. In our setup, we use two SDRs [13], attack three times using a downlink sniffer. Furthermore, we
one representing the target UE (cf. Figure 2), and the other provide a theoretical analysis of uplink traces as proof for the
representing the attacker’s downlink sniffer (b). feasibility of the uplink sniffer. Figure 3 depicts the Wireshark
The target UE implements a modified version of srsUE [14], trace of the RRC connection setup contention-based resolution
e. g., we extend the software stack such that we can connect to (attack step 3), recorded by the downlink sniffer. In particular,
a commercial network. This requires commercial SIM support we see the RRC connection setup message 4 addressed to
only, which we realize by using the PCSC library [18]. Using C-RNTI of the target UE 1 that we learned from the RAR
these extensions, we can establish an IP connection through of the eNodeB. In the contention-based resolution 2 , we
the commercial network to the Internet. The second SDR find the TMSI assigned to the target UE 3 as part of the
acts as the attacker’s passive downlink sniffer. We use it to RRC connection request. By combining both identifiers, we
listen to the broadcast channels of the eNodeB. Again, the successfully match layer two and three identities.


 MAC-LTE DL-SCH: (SFN=0, SF=9) UEId=0 (UE Contention Resolution Identit the attacker must guess the exact location of the UE, which
[Context (RNTI=53643)]
challenges using an uplink sniffer.
…
[RNTI: 53643]
In contrast, there is no advance synchronization between
1
[RNTI Type: C-RNTI (3)] the eNodeB and the UE in the downlink direction, i. e., the
… downlink sniffer can be deployed without any knowledge
2 Contention Resolution (matching Msg3 from frame 1756, 20ms ago) about the UE’s location. In conclusion, it is preferable to use
UE Contention Resolution Identity: 478c10451cd6
the downlink sniffer on an average of 94.73 % of contention-
LTE Radio Resource Control (RRC) protocol
UL-CCCH-Message
based resolution access procedures rather than depending on
Message: c1 (0) the advance synchronization in the uplink direction.
c1: rrcConnectionRequest (1)
criticalExtensions: rrcConnectionRequest-r8
B. Website Fingerprinting
rrcConnectionRequest-r8 Tor is a prominent example for website fingerprinting at-
Ue-Identity: s-TMSI (0) tacks, where an adversary learns the destination of a con-
S-TMSI
nection despite the layered encryption of Tor [9], [19]. This
mmec: 78 [bit length 8, 0111 1000 de]
3 m-TMSI: c10451cd [bit length 32, 110 …]
becomes possible due to information leaks in the metadata
LTE Radio Resource Control (RRC) protocol
of a connection, e. g., characteristic timing patterns of trans-
DL-CCCH-Message missions that allow distinguishing different websites. In the
Message: c1 (0) following, we demonstrate how the challenge of website
c1: rrcConnectionSetup (1) fingerprinting can be mapped to LTE layer two attacks.
criticalExtensions: rrcConnectionSetup-r8
4
The MAC layer is responsible for scheduling the data trans-
rrcConnectionSetup-r8
mission of a connection. In particular, the DCI information
Fig. 3. Identity Mapping Attack: We can decode the TMSI of the RRC defines the data allocation for the uplink and downlink for each
connection request as part of the contention resolution identity in the downlink user individually. As a passive adversary, we can eavesdrop on
RRC connection setup message. The contention resolution identity (2) is part this information and learn the user data consumption, i. e., the
of the MAC header and located before the RRC connection setup (4). We
successfully map the TMSI to the C-RNTI with a downlink sniffer. volume of traffic that was sent and received over a connection.
This becomes possible by decoding the DCI information that
provides unencrypted information up to the PDCP layer. From
As the downlink sniffer depends on the presence of the this information, we learn metadata features, like the length of
TMSI within the RRC connection setup, we record a total a PDCP packet, which helps to distinguish requests to different
of 96,911 connection establishment procedures within five websites in their time series representation.
days. We conduct these measurements within the cell of a For conducting a closed-world website fingerprinting attack,
commercial network. Our results show that in 96.85 % of all we record a corpus of labeled traces for a representative set
radio connection establishments we find a contention-based of websites. Starting from this information set, we analyze
resolution, of which 91.75 % contain the required TMSI. As traces of new connections and compare their characteristics
this covers the majority of connections, the downlink sniffer with the metadata features of the already recorded corpus.
can be considered a reliable attack variant. An attack can be considered successful if we manage to
3) Discussion: We next discuss the real-world applicability identify requested websites just from metadata information at
of identity mapping and compare the deployment of an up- or an acceptable success rate.
downlink sniffer. 1) Experiments: We conduct the website fingerprinting
Real-World Applicability. The identity mapping attack by it- attack within our own LTE network for recording a sample
self is not detectable, as it is completely passive. Deploying the corpus of layer two traces in up- and downlink connection,
passive downlink sniffer only depends on standard hardware according to the following experimental setup and attack
and an open software stack. Nevertheless, one constraint is the procedure.
existence of a valid TMSI. Experimental Setup. We build a lab LTE network setup by
While the proposed identity mapping combines arbitrary deploying a modified version of the srsLTE eNodeB along
pairs of C-RNTIs and TMSIs, we can extend the attack by with an OpenAirInterface Evolved Packet Core (EPC) [14],
common active paging techniques [2], [3], [16]. This allows [20]. Both components behave specification conform and we
us to identify and localize specific users for a pre-known TMSI can connect COTS mobile phones with a programmable SIM
within the cell. We achieve this targeted detection of users at card to our LTE network. In particular, we test three Android
the expense of being detectable through active interference. phones and access the Alexa top 50 websites overall 100 times
Uplink vs. Downlink. The eNodeB synchronizes uplink trans- with each phone automatically by using Appium [21]. For
missions depending on the distance between the UE and itself. each new visit, we reset all caches at the phone. Each page
In particular, it estimates the required transmission delay and visit results in a pcap trace, recorded at the eNodeB. We can
signals the time offset for sending data in advance. Deploying distinguish user and control plane traffic based on the logical
an uplink sniffer between the UE and the eNodeB requires the channel ID in the MAC header and thus obtain traces free
attacker to synchronize with this advance offset. Consequently, from control traffic. The raw user plane traces then document


the (f1 , rnti), (f2 , pdcpd ) PDCP direction (up- or downlink), average success and standard deviation for a 10-fold cross-
(f3 , pdcps ) PDCP sequence number, (f4 , pdcpl ) PDCP length, validation, as well as (2) the false positive matches for each
and the timestamp of each packet. site in particular.
Procedure. Our classification procedure consists of two con- 2) Results: Our results are shown in Table II represent
secutive analysis steps. First, we compare all captured traces the average true positive (TP) rates, i. e., the relative number
using fast dynamic time warping (FastDTW) as a distance of correct website guesses, and the standard deviation (SD)
metric for the comparison of recorded traces [22]. This time over all ten repetitions of the cross-validation. We achieve an
series analysis stretches two input vectors X, Y in a way average success rate of 89.63 %±10.63 in uplink and 89.13 %
that the Euclidean distances between corresponding points are ±11.2 in downlink transmissions for individual devices, i. e.,
minimal. In other words, DTW helps to compute the similarity when comparing traces for each phone individually.
of measured traffic without depending on synchronization,
e. g., we use this for distinguishing websites by individual TABLE II
traffic patterns. Second, we use the distances as an input to W EBSITE F INGERPRINTING S UCCESS R ATES
the k-nearest neighbor algorithm (k-NN) as decision function. Android Downlink Uplink
In particular, for an unknown trace, we search the closest (1- Device OS TP SD TP SD
NN) other trace within the set of labeled traces [23] and use LG Nexus 5 v5.1 0.949 ±0.067 0.936 ±0.071
this to classify the new sample. We repeat the analysis using Huawei p9 Lite v7.0 0.932 ±0.108 0.922 ±0.117
a 10-fold cross-validation for the verification of our results. Motorola Moto G4 v6.0.1 0.808 ±0.144 0.816 ±0.148
The standard, i. e., non-optimized time warping problem,
constructs a warp path W given two time series X, Y of While we apply comparably simple analysis methods, the
lengths |X|, |Y |: success rates of the website fingerprinting attack indicate a
W = w 1 , w2 , . . . , w K promising starting point for future work.
(1) 3) Discussion: We present the website fingerprinting attack
max(|X|, |Y |) ≤ K < |X| + |Y |,
as a first proof-of-concept for demonstrating the threat of
where K is the length of the warp path, and the k th element traffic analysis on PDCP sublayer metadata. While our results
of the warp path is wk = (i, j) with i as index of a time series indicate high success rates for the up- and downlink traffic
element in X and j an index of Y , respectively. We get an of different devices, we emphasize that these first insights
optimal warp path Wopt if the distance is minimal: are limited in several ways. In the following, we discuss the
real-world application and how future work can improve our

K
current findings.
dist(Wopt ) = dist(wk (i), wk (j)), (2)
k=1 Our measurements are biased towards time, location, and
network setup, e. g., we recorded all traces from a single
where dist(wk (i), wk (j)) is the distance between two data position and in closed blocks with our experimental LTE
point indexes of i ∈ X, j ∈ Y in the k th element of the network that is completely under our control.
warp path. The standard implementation of the Dynamic Time
The choice of conducting the website fingerprinting within
Warping, as introduced in Equations 1 and 2, has a complexity
our experimental network has two main reasons. First, the
of O(N 2 ), whereas we refer to the approximate FastDTW
configuration of mobile networks is volatile, e.g., features like
implementation with complexity O(N ) [22].
the physical cell ID or retransmission timers might change
Applying FastDTW as distance metric, we generate a dis-
over time. Such fluctuations can influence the experimental
tance matrix Mdist = K × L with mutual distances between
results and disrupt their reproducibility. A real-world attacker
traces of a training set gk ∈ G and a test set tl ∈ T :
⎛ ⎞ must face short-term and long-term changes of the network
d(g1 , t1 ) d(g1 , t2 ) · · · d(g1 , tL ) configuration and in website contents, i. e., a representative
⎜ d(g2 , t1 ) d(g2 , t2 ) · · · d(g2 , tL ) ⎟ trace corpus requires continuous updates. Second, we are
⎜ ⎟
Mdist = ⎜ .. .. .. .. ⎟ , (3) unable to monitor the uplink transmissions on the PDCP layer
⎝ . . . . ⎠
of a connection in a commercial network (see Section III-A3).
d(gK , t1 ) d(gK , t2 ) · · · d(gK , tL )
Consequently, it would remain unclear whether such uplink
where d(gk , tl ) is the distance between the respective train- metadata is a suitable candidate for website fingerprinting
ing and test trace. The matrix includes all candidate websites attacks. In contrast to the commercial setup, our experimental
of the recorded corpus, e. g., depending on the training and LTE network enables us to monitor transmissions also in
test set size, we draw a defined number of traces from each uplink direction for a coherent evaluation of traffic features.
website. From the distances, we define the 1-NN nearest We use a closed-world setup and identify websites in a set
neighbor, i. e., the lowest distance trace within the training of k candidates, which is very small in comparison to the
data for the current test trace. More precisely, we determine actual number of existing websites. Open-world setups [19],
the minimum of each column in the distance matrix Mdist . [24] increase the realism and allow arbitrary page visits for a
As a metric for the success of the attack, we derive (1) the monitored set of k websites.


 We limit the scope of this paper to a first demonstration malicious relay, and the commercial eNodeB (IV-B1), reliably
of website fingerprinting on LTE traffic. While website fin- distinguish DNS packets from other transmissions (IV-B2),
gerprinting in general is a well-established research area, the and alter the destination IP without violating the existing
application to LTE traffic is novel. We limit our evaluation to checksums of packets (IV-B3).
the presented general proof-of-concept and leave the demon- 1) Stable Malicious Relay: Our malicious relay is of fun-
stration of the attack in a commercial network, along with the damental importance for the A LTE R attack. It impersonates a
use of sophisticated experiments, to future work. valid eNodeB towards the user and acts as a UE towards the
network, i. e., it relays all transmissions between both entities.
IV. A LTE R : LTE U SER DATA M ANIPULATION ATTACK Deploying a MitM relay means to compete with all other radio
The lack of integrity protection for LTE user data opens connections offered by benign eNodeBs in the vicinity of the
an attack vector for active manipulation of the ciphertext. user. Therefore, we must motivate the UE to connect to our
We exploit this vulnerability in the A LTE R attack, in which relay rather than the commercial network and provide a stable
we deploy a malicious MitM relay between the UE and and legitimate connection during the entire attack.
the eNodeB to manipulate the (encrypted) payload of user
Connecting to the Relay. One option to lure a user into
data transmissions. We instantiate A LTE R to perform a DNS
connecting to the malicious relay is overshadowing the au-
redirection attack and describe the individual attack steps in
thentic frequencies of the commercial network at a higher
the following.
transmission power. This approach holds the risk of letting
A. High-level Overview of DNS Redirection Attack the malicious relay connect to itself: As we remember, our
relay impersonates a UE towards the network and an eNodeB
Our goal is to manipulate the destination IP address of a
towards the user. We avoid a connection between the UE and
DNS request and detour requests to a malicious rather than
eNodeB component of our relay by using the physical cell
the original DNS server. Accordingly, this puts us in the
identity of the commercial network, i. e., we use the physical
position of redirecting the DNS requests to a server under
cell identity of the commercial eNodeB to establish a fixed
adversarial control rather than the intended destination. The
connection between our UE component and the commercial
attack procedure is as follows (cf. Figure 4).
network.
As a precondition for the attack, we deploy a malicious
relay within the vicinity of the user and assure a stable Stable Radio Connection. For conducting a stealthy attack,
radio connection towards both the UE and a commercial our malicious relay must comply with all original protocol
eNodeB. As soon as the user’s mobile is switched on, the capabilities while passing on transmissions between the UE
UE and the commercial network perform the Authentication and the eNodeB. In particular, our relay needs to be aware of
and Key Agreement (AKA) (cf. Figure 4 0 ) to establish configuration parameters for the data bearer, the RLC, and the
the security parameters for an upcoming connection. Send- underlying physical layer, as otherwise, the connection would
ing a DNS request to the server is triggered under many terminate. While the data bearer and RLC configuration remain
circumstances, e.g., when the user intends to visit a website stable for the network, we guess the parameters of the physical
or an app contacts a server. To perform a DNS request, the layer that are set for each new radio connection individually.
UE first encapsulates the request in a UDP and IP packet The idea behind individual guessing is as follows: After
and then encrypts the packet using AES in counter mode the Authentication and Key Agreement (AKA) took place
(AES-CTR). Next, the UE forwards the packet to the intended between the UE and the commercial network, the security
DNS server, using its original IP destination address 1 . Our mode command defines the encryption and integrity protection
MitM relay intercepts this transmission, distinguishes DNS algorithms for the new radio connection. The eNodeB com-
packets from other payloads, and applies a manipulation mask ponent of our malicious relay then opens up all possible slots
to change the original destination IP to the address of our for uplink transmissions, waiting for the UE to use one of the
malicious DNS server 2 . After the manipulation, our relay potential slots. Based on the chosen slot, the malicious relay
forwards the manipulated request (all other packets are relayed guesses the respective configuration parameter. We can apply
unaltered) to the commercial network 3 , where it is decrypted the individual guessing for both physical parameters, e. g., the
and forwarded to the malicious instead of the original DNS scheduling request index and the channel quality indicator.
server 4 . In the downlink path, we add another manipulation Both parameters use different uplink slots, and we monitor
mask and assure that the source IP address matches the target transmissions, respectively. If the value remains stable, we
of the outgoing packet 5 , such that the manipulation remains assume its correctness. We then notify the UE component of
undetected. our relay about the parameters and set them for the uplink
transmission to the commercial network.
B. Challenges 2) Identifying DNS Requests and Responses: Since we
While the attack procedure is straightforward, we must only redirect DNS requests to our malicious DNS server, the
consider a set of technical challenges to maintain a stable destination IP addresses of all other packets must remain intact
connection and remain undetected during the attack procedure. to maintain the Internet connection of the UE. Therefore, we
In particular, we must assure a connection between the UE, need a reliable way to distinguish DNS request packets from


 UE Relay Commercial Network Internet
Encapsulate
Malicious Malicious Original Original
Core
EEA2 DNS HTTP DNS HTTP
Network
Server Server Server Server

AKA
0
Original
1 2 3 Manipulated 4
destIP
destIP
5
Malicious
Original srcIP
srcIP

Fig. 4. A LTE R: Overview of the DNS redirection attack. We deploy a malicious relay as a MitM between the UE and the commercial network and alter the
destination IP address of a DNS request to redirect messages to our malicious DNS server. Eventually, the UE connects to the malicious HTTP server.




 

suggest this method for increasing the attack robustness but

   use fixed values for the demonstration of A LTE R.
 "
3) Packet Modification: Once we have identified a DNS
 

packet, we alter the destination IP address for the redirection.

 ! We do this by applying a manipulation mask to the original
 IP and flip bits in a way that results in the malicious server
address. In this manipulation, we must maintain the validity of
 
the IP and UDP header. Packet headers are protected against
 transmission errors through a 16 bit checksum of the header
        




elements [25]. We need to consider this protection mechanism

when manipulating the destination IP address, as an invalid
Fig. 5. PDCP lengths of DNS requests in comparison to average TCP SYN checksum results in discarding the IP packet at the first router
packets. We distinguish the relative frequencies of DNS requests in the uplink on the transmission path [26].
UL (solid lines) and downlink DL (dotted lines) and the average of SYN
packets (vertical lines), respectively. The statistic is based on the corpus of Calculating the Manipulation Mask. LTE user data is en-
traces for our website fingerprinting. crypted in AES in counter mode, i. e., the sender computes
the ciphertext c by XORing ⊕ the output of the encryption
algorithm with the plaintext m [27]. However, the encryption
other transmissions through our relay. This is challenged by
algorithm is malleable, and an adversary can modify a cipher-
the fact that we receive encrypted data, i. e., we cannot identify
text into another ciphertext which later decrypts to a related
DNS requests by their disclosed payload. We overcome this
plaintext.
by identifying packets through their length: DNS packets are
In particular, an active attacker can add a manipulation
usually smaller than other TCP packets.
mask via ⊕ to the ciphertext c, with the goal of flipping
Using this simple classification method holds the risk of
certain bits in the message (see Figure 6). On the receiver side,
confusing DNS requests with TCP SYN packets of comparable
the message is decrypted to obtain the plaintext m by again
length. We use our large corpus of website fingerprinting traces
XORing the manipulated ciphertext c with the same output
to analyze the frequency of DNS, TCP SYN, and all other types
of the encryption algorithm. As a result, we can find the same
of packets in the up- and downlink stream (cf. Figure 5). In the
bit flips as in the manipulation mask when inspecting the
downlink direction, the distribution of DNS packet lengths and
manipulated plaintext m . For performing the manipulation in
the average TCP SYN length differ significantly and allow for
a precise manner, the original plaintext m must be known to
a reliable distinction. This becomes more challenging in the
the attacker to compute the manipulation mask:
uplink direction, therefore, we suggest an interactive approach
for increasing the reliability of the decision. mask = m ⊕ m . (4)
Using the packet length as a filter, we separate approxi-
mately 96.21 % of other TCP packets from a set of 3.79 % The mask is flexible in a sense that it does not necessarily
of either TCP SYN or DNS packets. The relay then alters the cover the whole ciphertext c, but can be restricted to the
destination IP address of the candidate packets and tests the destination IP field. We know the exact offset to the IP address,
response of the DNS server, i. e., if we receive a valid response as the IP header is embedded at the beginning of the PDCP
the packet was a DNS request and we forward the altered frame. Therefore, we can apply the manipulation mask without
packet. In all other cases, we forward an unaltered packet. We causing collateral damage in other parts of the payload and


 IV (Direction, …)
checksum. The target IP address must fulfill the following
Plaintext m
EEAX requirements:
EEA2: AES
Key The 16-bit sum of the original IP address, represented by
Ciphertext c
its octet, e. g., ip_a.ip_b.ip_c.ip_d, must equal the
Sender
sum of the target IP plus the TTL field (cf. Figure 7). In
Manipulation Mask this case, the checksum remains valid even though the IP
address and the TTL are manipulated. The TTL field can be
Active Manipulated incremented or decremented. We need to ensure that packets
Attacker Ciphertext c’ with a decremented TTL can still reach the malicious server
within the remaining time until the hop limit is reached.
IV (Direction, …)
EEAX In the downlink direction, the exact value of the TTL field
EEA2: AES
Key is unknown, since it depends on the number of hops that
Manipulated
were traversed previously to reaching our malicious relay. This
Receiver Plaintext m’ prevents us from altering the TTL field in a deterministic
way. Rather than manipulating the TTL field, we exploit the
Fig. 6. Overview of A LTE R attack: We manipulate the destination IP address identification field of the IP packet. This field is used for
of a DNS request using a specific manipulation mask. While maintaining the the fragmentation of IP packets and is a 16 bit value. Since
header checksums of the packet, the manipulated plaintext m leads to a
redirection of the packet.
we are in control of the malicious DNS server, we set the
identification field of the IP packet to a predetermined value.
Manipulating the source IP address in downlink direction at
keep changes in the original message to a minimum. For the relay, we can now use the identification field to compensate
setting a specific new destination IP address, we benefit from any differences to the original IP address. Consequently, the
the fact that IP addresses of DNS servers in mobile networks IP header checksum remains valid on the downlink path and
are set by the core network, i. e., we can easily obtain the static the UE accepts the packet.
address of the provider’s default DNS server. We emphasize that the above limitation only applies for
IPv4 transmissions, as IPv6 transmissions do not use any
Compensation for Changes. Applying the manipulation mask
header checksums. Consequently, we do not face any limi-
results in bit flips within the ciphertext of the packet. Even
tations in the choice of the target host for IPv6 and the attack
though we know where to find the IP address field and can
can be performed without restrictions.
determine an exact mask for the desired address update, this
still results in changes of the original payload. Consequently, UDP Header Checksum. Similar to the IP header checksum,
we compromise the validity of any checksum in the packet altering the IP address also affects the UDP checksum that is
and cause a drop of the packet during the transmission. If we a 16 bit sum over the IP pseudo header and UDP payload [28].
restrict our bit manipulation to the target IP, only addresses While running the malicious servers helps to ignore checksums
of the same 16-bit sum as the original DNS resolver are valid in the uplink direction, we must assure a successful checksum
candidates. validation in downlink direction for the UE to accept the DNS
We can circumvent this when all modifications made to response. For the downlink direction, we benefit from the fact
the header sum up to zero, i. e., when changing additional that UDP checksums set zero should be ignored by the UDP
bits besides the target IP address, we can restore the original stack [28]. Simply setting the UDP checksum of the DNS
checksum and assure its validity. Having these options for response to zero circumvents the checksum validation and the
compensation, we gain more degrees of freedom in setting DNS response remains valid, even in cases where the IP source
the malicious destination IP address. In the following, we address is modified.
introduce the necessary steps for compensating the IP and
C. Experiments
UDP header checksum through additional bit manipulations.
We demonstrate the feasibility of A LTE R in a realistic setup
IP Header Checksum. We benefit from the fact that, besides
using a commercial network, phone, and SIM card. In the
the destination IP address field, all other non-routing fields
following, we describe the experimental setup including details
in the IP header are open to modifications as long as we
can predict or know their contents. A good candidate for
compensation in the uplink is the Time To Live (TTL) field, Original Target
as we can determine the value and a modification has only ip.a ip.b ip.a' ip.b'
minor influence on the routing. We can obtain the default !
∑ ip.c ip.d = ∑ ip.c' ip.d'
value for the UE’s TTL by empirical analyses or by analyzing TTL 00 TTL' 00'
the operating system of the mobile phone. We know that
the TTL is not decremented, when we are manipulating the Fig. 7. Manipulations to the IP address must sum up to zero for maintaining
packet before the first router, hence, we know the exact value. valid checksums. We can modify additional non-routing fields to gain more
Adjusting the TTL field is already sufficient to achieve a valid degrees of freedom for the address manipulation.


of the malicious relay. In our demo exploit, we redirect a UE
eNodeB
Component
UE
Component
Commercial
eNodeB
benign DNS request for the domain example.org to a DNS RRC RRC
Message Message
server under our control, which then replies with a malicious Guessing Guessing
IP address. The technical setup and experimental results are
PDCP Control PDCP
as follows. Data
1) Setup: We use the following components for our exper- U/C
User Data
aLTEr U/C

imental setup, as depicted in Figure 9.

• UE. We use a COTS mobile phone (LG Nexus 5) isolated
RLC RLC
from outside radio connections using a shielding box
with a commercial SIM card, capable of connecting to MAC Parameter Guessing Parameter Setting MAC

a legitimate real-world LTE network. To operate the UE PHY PHY

in a deterministic way within the shielding box, we use Uplink Downlink

the Android Debug Bridge (ADB). Furthermore, we use Logic Altered

SIMtrace [29] to extract the session key so that we can

later analyze the traces recorded by the malicious relay. Fig. 8. Implementation of the malicious relay that we use for the A LTE R
• Malicious Relay. Our malicious relay consists of two attack. Message guessing and parameter guessing/setting are crucial for
maintaining a correct protocol behavior and a stable connection. User data
SDRs with a modified version of the srsLTE v17.09 manipulation is applied on DNS requests.
stack implementation [14]. The first SDR emulates an
eNodeB towards the UE, while the second SDR emulates
the UE towards the commercial network. component, where the first triggers the parameter guessing on
• Commercial eNodeB and Network. We connect to a MAC layer. The user data is simply forwarded on the PDCP
commercial network and use a SIM card according to layer and passed on the downlink and uplink into the A LTE R
the analyzed commercial network. component of the UE component. The A LTE R component
• Malicious DNS Server. To operate our rogue DNS server, first distinguishes DNS traffic from other traffic and, second,
we use a virtual Ubuntu v16.04 server entity in the modifies the message by applying the manipulation mask if
Amazon AWS cloud running a DNS server. We use a needed. The A LTE R component returns the modified and the
modified configuration of the DNS server for redirecting unmodified packets to the normal packet path. Especially,
requests to the malicious HTTP server. The DNS server packets in the uplink direction are sent to the network and
can be reached via an IP address matching the require- packets in the downlink direction are sent to the UE. For our
ments described in Figure 7. example, we use hard-coded values of the PDCP length for
• Malicious HTTP Server. The rogue HTTP server uses identifying the DNS requests of the domain example.org
the same Amazon AWS instance as the malicious DNS to our malicious DNS server.
server and hosts an Apache web server in standard
configuration. D. Results
While the DNS and HTTP server function as proof-of-
concept destinations for the redirection of DNS packets and For the preparation of the experiments, we set the victim
do not depend on any characteristic configurations, the speci- phone into flight mode, delete all caches (DNS and HTTP) via
fication of the malicious relay is crucial for the A LTE R attack. an ADB command, and place it in the shielding box. After
Our implementation of this relay is as follows. starting the malicious relay, we disable the flight mode and
Malicious Relay. Figure 8 depicts the architecture of the wait for the successful radio layer connection to our relay.
malicious relay based upon the open source srsLTE stack [14]. From then on, our malicious relay forwards all messages on
Towards the victim UE, the relay emulates a genuine eNodeB
(left side) by broadcasting the identifiers for the corresponding
network. This is represented by the eNodeB component of the
relay. Towards the network, the relay acts as a UE (right side).
Both components (eNodeB and UE) forward control plane and
user plane messages in up- and downlink direction. UE (in shielding box)
We leave the physical layer of the UE and the eNodeB
component unaltered according to the original implementa- Relay
Implementation
tions of srsUE and srsENB, respectively. On the MAC layer of
UE Component
the eNodeB, we add a component for guessing the encrypted eNodeB
Component
configuration parameters (scheduling requests, channel quality
indicator), as introduced in Section IV-B1. The RLC layer
simply passes messages to the PDCP layer, which then distin- Fig. 9. Experimental lab setup. We use a shielding box for enforcing the
UE’s connection to the malicious relay; the eNodeB and UE components are
guishes user and control plane messages. We add a message deployed in two SDRs; the relay implementation runs on an Ubuntu 17.10
guessing module on the RRC layer for the eNodeB and the UE with Intel Core i7-7700.


the RRC layer and PDCP layer to and from the commercial incorrect protocol behavior, e. g., rogue base stations enforce
network. the downgrade to insecure mobile generations [3]. In contrast,
Over an ADB command, we instruct the phone to visit the the malicious relay of A LTE R forwards all messages between
website example.org. The following transmissions trigger the UE and the benign eNodeB. Hence, the proper functioning
the message classifier in our malicious relay and we identify of all protocols (including the correct integrity protection of
a DNS request according to its PDCP length. In the next step, control messages) is assured at all times. Consequently, the
we apply the manipulation mask for replacing the original transmission behavior is as expected and the attack cannot be
DNS server address with the malicious destination and emit detected due to protocol anomalies. We argue that the relay
the altered packet. Consequently, the DNS request is redirected integrates—to the best of our knowledge—in a non-detectable
to our rogue DNS server, which accepts the request despite its way into the existing network infrastructure.
invalid UDP checksum. The malicious DNS server performs While the malicious relay acts according to the specification
the DNS spoofing attack and responds with the wrong IP on the radio layer, our alteration of destination IP addresses
address for example.org. On the downlink, we identify the might induce anomalies in overlying levels of the network
DNS response and apply the manipulation mask to change stack. In particular, our injected addresses differ from common
the source IP address, thus it matches the original IP of DNS servers. One possible way of detection would be the use
the DNS server. Finally, the phone receives the reply packet of Deep Packet Inspection (DPI), even though this also holds
and connects to the spoofed IP address to perform a HTTP the risk for false positive detections since a user might have
GET request, resulting in loading the wrong website content. set a custom DNS server.
Further details and results of the attack are provided at the Potential Countermeasure. Even though the LTE Authen-
website http://www.alter-attack.net. tication and Key Agreement (AKA) is formally proven se-
cure [31], this attack is still possible due to the lack of
E. Discussion
integrity protection of user plane data. We argue that the only
A LTE R exploits the specification flaw of missing integrity way to mitigate this attack sustainably is to use authenticated
protection of user data and has consequences for all LTE users. encryption for the user plane. While different suitable schemes
In the following, we discuss the real-world applicability of exist like AES-GCM (AES-Galois/Counter Mode), we focus
A LTE R and possible countermeasures. on the MAC-then-Encrypt scheme that is already used for
Real-World Application. We have demonstrated the feasibil- the integrity protection of the control plane. We assume that
ity of A LTE R using a controlled experimental lab setup. We this scheme has the highest potential for being adopted in the
use a shielding box to prevent our relay from interfering with specification.
the commercial network in the licensed spectrum, following In prior decisions, this was neglected in the specification
ethics guidelines. Further, the shielding box stabilizes the UE’s process due to the additional overhead on the radio layer [12].
radio connection and prevents non-deterministic behavior of The considered worst case scenario assumes small packet
the relay. In other words, the shielding box setup assures that lengths of 45 byte on average, the corresponding 4 byte
the UE does not connect to any other available cell and the Message Authentication Code (MAC) would, therefore, lead
malicious relay does not interfere with itself. While we use to an overhead of 8.9 %.
this to simplify the experimental procedure, the setup is com- Our empirical measurements conducted in the context of
parable to IMSI catcher attacks when considering the victim’s the website fingerprinting attack reveal an overhead of 0.63 %
perspective. Such attacks were conducted successfully in real- for an average packet length of 634.15 byte for over 18
world environments, i. e., without shielding equipment [2], [4]. billion packets. In practice, packet lengths hence seem to differ
Furthermore, the DNS redirection attack is limited to plain significantly from the above assumption for the use case of
IP traffic. All security measures taken by upper layer protocols web browsing. The overhead for integrity protection seems
cannot be circumvented, e. g., the proper use of DNSSEC or to be acceptable when considering the security and privacy
TLS assures the authenticity of the requested server. While impact of A LTE R. In the light of the next mobile generation,
DNS spoofing attacks are well-known in different contexts, we hope that we can influence the specification process to add
e. g., DNS spoofing on the Internet depends on the adversarial mandatory user plane integrity protection to 5G.
control of one router, we emphasize the impact of an LTE Disclosure Process and Integrity Protection in 5G. As stated
instantiation. We argue it is even easier to conduct the attack before, we have contacted the GSMA following the guidelines
because the accessible radio link is fundamentally more vul- of responsible disclosure. The GSMA informed the network
nerable to interception than other media [30]. providers and issued a liaison statement to inform the 3GPP
Detection Methods. We discuss two perspectives for potential specification body about the problem [32]. The 3GPP security
countermeasures: A LTE R can either be detected on the UE group evaluated possible actions for LTE and the upcoming
side or within the commercial network. 5G specification and composed a statement regarding the
As A LTE R deploys a malicious relay on layer two, the attack [33], [34].
general attack setup is comparable to classical rogue base The security group “feels that 5G standalone security ar-
station attacks. However, such attacks are detectable through chitecture is in reasonable shape in respect of this attack,


but early implementations may have limited support for UP work, we identify the following differences. First, we have
integrity.” [34]. More precisely, the 5G specifies user plane demonstrated the attack on a commercial network. Further,
integrity protection as optional [35]. However, for a successful we found out that a simple downlink sniffer is in 91.75 % the
protection against A LTE R, the network needs to be configured cases sufficient to map the more volatile RNTI with a TMSI.
correctly and the UE must support it. We argue that only Also, we cannot only identify and localize users within a cell
mandatory integrity protection in 5G is a sustainable coun- but use the scheduling information of the mapped RNTI as a
termeasure. starting point for the website fingerprinting attack.
V. R ELATED W ORK B. Website Fingerprinting
In the following, we discuss related work in the context of Website fingerprinting attacks are especially known from
identity mapping attacks, website fingerprinting, and user data anonymity networks such as Tor, where the attacker learns
manipulation attacks. the destination of connections through Tor from analyzing
encrypted user traffic. Recent attacks utilize Naive Bayes
A. Identity Mapping
classifiers [41] or Support Vector Machines [19], [42] and
Prior attacks in the context of identity mapping either link achieve high classification success rates, especially for closed-
the user’s TMSI to public identities like phone numbers or world scenarios. While website fingerprinting on Tor traffic is
decode the more volatile RNTI of a session. Learning such a well-established research field, we are the first to present a
individual identities enables an adversary to track and localize comparable attack on radio layer LTE traffic. Consequently, we
users within a cell, harming especially their privacy. provide the first proof of concept in a closed-world scenario
TMSI Linking. Paging attacks exploit the broadcast wake- and leave more sophisticated setups [9] to future work.
up procedure of mobile networks towards idle user devices. Furthermore, traffic analysis attacks were analyzed in the
Such broadcasts include the individual TMSI of a user, context of wireless sensor networks, where traffic patterns
they can be eavesdropped easily, and actively triggering the might leak the geographical locations of nodes in the networks.
procedure helps the attacker to learn sensitive information. Attackers can exploit this information for launching attacks
Kune et al. [15] presented a paging attack in the context against base stations of the networks [43]. Countermeasures
of GSM, where the attacker learns the user’s TMSI from against traffic analysis attacks comprise network coding and
repeatedly calling the known phone number. The calls trigger homomorphic encryption [44], random path selection [45],
the transmission of the TMSI and the attacker can recognize or classical countermeasures like mixing and dummy packet
the repeated occurrence of one TMSI. Shaik et al. [2] port the injection [46].
paging attack to LTE and exploit Facebook and Whatsapp typ- In our website fingerprinting attack, we exploit the PDCP
ing notifications rather than the phone number as a trigger for lengths using dynamic time warping. Classical countermea-
the paging procedure. One potential countermeasure against sures like dummy packet injection and mixing would induce
paging attacks is a frequent TMSI reallocation. While this re- an enormous performance overhead, as they add a high rate
allocation should protect from the identification and location of of additional traffic or add artificial delays to a transmission.
users, Hong et al. [16] showed that lack of randomness in the Encryption is applied in LTE, but it does not obfuscate the
reallocation scheme renders this countermeasure insufficient. PDCP lengths meta information that we exploit in our attack.
The work above focuses solely on the TMSI, which is an
upper layer identifier. In contrast, we map the radio layer C. A LTE R : User Data Manipulation
identity (RNTI) to the TMSI and, therefore, let the identity The challenges for conducting the user data manipulation
mapping attack serve as a stepping stone for follow-up attacks. attack are related to three individual research areas. First,
RNTI Decoding. While TMSIs can be exploited for the we depend on a malicious relay, e. g., acting as a rogue
identification and localization of users, RNTI decoding by base station towards the user. Second, our relay acts as an
now was only proposed in the context of performance and unauthenticated user towards the commercial network. Finally,
interference optimizations. Kumar et al. [36] showed that they we break the confidentiality aim of LTE as we are able to
could passively decode the RNTI, map it to radio resource eavesdrop DNS requests and following connections.
allocations, and locate a phone by using radar techniques for Attacking the User. Rogue Base Stations simulate a benign
optimizing the LTE radio layer. Commercial LTE downlink network and try to lure a victim into its cell, e. g., for deploying
sniffers [37], [38] are capable of decoding a list of all active an IMSI catcher. Such IMSI catchers help to learn the long-
RNTIs and monitoring the downlink traffic. Bui et al. [39], term identifier of a user, perform a Man-in-the-Middle attack,
[40] presented an open source downlink sniffer also based and localize the user’s phone within the cell. In the context of
on the srsLTE stack. While those approaches are technically LTE, Mjølsnes et al. [4] demonstrated how to build a rogue
comparable to ours, our contribution focuses on showing the base station using existing open-source software stacks and
vulnerability of the LTE downlink traffic. performed an IMSI catching attack. Nevertheless, LTE offers
Most similar to the presented attack is the work by Jover [3] mutual authentication and prevents the UE from continuing
in which the author describes the possibility of mapping a the connection to a malicious node after the authentication
phone number or TMSI to an RNTI. In compaarison to this procedure was performed. Hussain et al. [47] describe the


possibility of an authentication relay attack, in which the More specifically, we presented three individual attacks on the
AKA procedure is relayed between a commercial phone data link layer of LTE. The identity mapping attack passively
and network. Similar to the authentication relay attack, the matches two temporary identifiers, reveals the location and
presented malicious LTE Man-in-the-Middle relays the LTE the radio layer identity of users within the mobile cell, and
AKA messages in a first step to establish mutual authentication thereby serves as a starting point for further attacks. One
between the commercial phone and network. Another way of example for this is the website fingerprinting attack, in which
deploying a MitM was presented by Rupprecht et al. [48], we exploit the scheduling information for resource allocation
where an implementation flaw of the baseband let the UE in LTE. On the basis of unencrypted metadata information,
connect to a malicious network despite mutual authentication. we demonstrate how an adversary can derive the accessed
The activity of rogue base stations can be detected through websites with severe privacy implications for the user. Finally,
dedicated static or mobile sensor networks [10], [11], [49]. we present the user data manipulation attack A LTE R. We
Rogue base station detection apps, like Snoopsnitch [50], are perform a chosen-ciphertext attack by deploying a malicious
unable to identify certain attacks, as the baseband hides crucial relay and exploiting the missing integrity protection of LTE
information for the detection [51]. user data. As a result, we can redirect DNS requests and spoof
The malicious relay in our A LTE R attack differs from the DNS responses. We demonstrate the real-world feasibility
conventional rogue base stations in one fundamental charac- of all three attacks in realistic setups.
teristic: As we relay all messages except for DNS requests, Based on our findings, we urgently demand the imple-
the relay does not interfere with any protocol and a stable mentation of effective countermeasures in the upcoming 5G
connection is maintained during the attack. specification to assure the security and privacy of future mobile
Attacking the Network. In contrast to the use of rogue base communication.
stations, attacks can also target the LTE network itself. One ACKNOWLEDGMENT
example for this is the circumvention of a provider’s billing
This work was supported by the Franco-German BERCOM
mechanism, where the attacker sends malicious data to the
Project (FKZ: 13N13741) co-funded by the German Federal
network, e. g., by performing IP spoofing [52]. Other attacks
Ministry of Education and Research (BMBF). In addition, this
emphasize the unreliability of the VoLTE billing mechanism
work was supported in part by Intel (ICRI-CARS). We would
and vulnerabilities in its routing mechanisms [53], [54]. Both
like to thank G Data Software AG for supporting our experi-
classes of attacks depend on a successful authentication to-
ments with the shielding box and Software Radio Systems for
wards the LTE network and only interfere with the IP layer
giving us insights into their LTE software stack. Further, we
and above; however, these limitations do not apply to the set of
thank our shepherd Michael Bailey for the guidance towards
layer two attacks presented in this work. Other active attacks
the camera-ready version.
exploit the pre-authentication traffic towards the network and
deny the service for a victim. In particular, Raza et al. describe ACRONYMS
an attack allowing an attacker to detach a victim from the 3GPP 3rd Generation Partnership Project
ADB Android Debug Bridge
network as soon as he knows the user identity [55]. We do AKA Authentication and Key Agreement
not depend on a similar exploit of pre-authentication traffic, C-RNTI Cell Radio Network Temporary Identity
as we successfully relay all layer two messages of the original COTS Commercial Off-The-Shelf
DCI Downlink Control Information
transmission. EEA EPS Encryption Algorithm
Eavesdropping. Mobile networks, and GSM in particular, eNodeB Evolved NodeB
EPC Evolved Packet Core
are subject to passive attacks on weak encryption algorithms. GUTI Globally Unique Temporary Identity
Ciphertext-only attacks [56]–[58] enable an attacker to break GSM Global System for Mobile Communications
standard algorithms like A5/1 and A5/2 within a few minutes, GSMA GSM Association
IMSI International Mobile Subscriber Identity
just using ordinary hardware and rainbow tables [59]. As a LTE Long Term Evolution
consequence, the attacker can eavesdrop the communication. MAC Medium Access Control
In the context of our user data manipulation attack we do MitM Man-in-the-Middle
NAS Non-Access Stratum
not exploit any weaknesses in the cryptographic algorithms PDCP Packet Data Convergence Protocol
of LTE but benefit from the malleability of the cipher, e. g., RA-RNTI Random Access RNTI
we perform a chosen-ciphertext attack. This approach has a RAND Random Number
RAP Random Access Preamble
neglectable overhead and allows to break the data link layer RAR Random Access Response
security despite the presence of state-of-the-art encryption. RLC Radio Link Control
RNTI Radio Network Temporary Identity
VI. C ONCLUSION RRC Radio Resource Control
TTL Time To Live
While lots of research effort in LTE security focuses on TMSI Temporary Mobile Subscriber Identity
SDR Software Defined Radio
the physical and network layers, the data link layer has UE User Equipment
remained unexplored until now. We present a comprehensive
layer two security analysis and reveal open attack vectors.


 R EFERENCES Conference on Computer and Communications Security (CCS). ACM,
2012, pp. 605–616.
[1] FirstNet, “FirstNet: First Responder Network Authority,” http://www. [25] J. Postel, “Internet Protocol,” Internet Requests for Comments, RFC
firstnet.gov/, [Online; accessed 1-June-2018]. Editor, STD 5, September 1981, http://www.rfc-editor.org/rfc/rfc791.txt.
[2] A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, and J.-P. Seifert, [Online]. Available: http://www.rfc-editor.org/rfc/rfc791.txt
“Practical Attacks Against Privacy and Availability in 4G/LTE Mobile [26] F. Baker, “Requirements for IP Version 4 Routers,” Internet Requests
Communication Systems,” in Symposium on Network and Distributed for Comments, RFC Editor, RFC 1812, June 1995.
System Security (NDSS). ISOC, 2016. [27] 3GPP, “3GPP System Architecture Evolution (SAE); Security architec-
[3] R. P. Jover, “LTE Security, Protocol Exploits and Location ture,” 3rd Generation Partnership Project (3GPP), TS 33.401, 06 2011.
Tracking Experimentation with Low-Cost Software Radio,” [Online]. Available: http://www.3gpp.org/ftp/Specs/html-info/33401.htm
CoRR, vol. abs/1607.05171, 2016. [Online]. Available: http: [28] J. Postel, “User Datagram Protocol,” Internet Requests for Comments,
//arxiv.org/abs/1607.05171 RFC Editor, STD 6, August 1980, http://www.rfc-editor.org/rfc/rfc768.
[4] S. F. Mjølsnes and R. F. Olimid, “Easy 4G/LTE IMSI Catchers for Non- txt. [Online]. Available: http://www.rfc-editor.org/rfc/rfc768.txt
Programmers,” in Mathematical Methods, Models, and Architectures for [29] “Osmocom SIMtrace,” https://osmocom.org/projects/simtrace/wiki/
Computer Network Security (MMM-ACNS). Springer, 2017, pp. 235– SIMtrace, [Online; accessed 1-June-2018].
246. [30] D. Rupprecht, A. Dabrowski, T. Holz, E. R. Weippl, and C. Pöpper,
[5] M. Lichtman, J. H. Reed, T. C. Clancy, and M. Norton, “Vulnerability “On Security Research towards Future Mobile Network Generations,”
of LTE to Hostile Interference,” in IEEE Global Conference on Signal CoRR, vol. abs/1710.08932, 2017. [Online]. Available: http://arxiv.org/
and Information Processing (GlobalSIP). IEEE, 2013, pp. 285–288. abs/1710.08932
[6] M. Lichtman, R. P. Jover, M. Labib, R. Rao, V. Marojevic, and J. H. [31] S. Alt, P.-A. Fouque, G. Macario-rat, C. Onete, and B. Richard, “A
Reed, “LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment Cryptographic Analysis of UMTS/LTE AKA,” in Conference on Applied
and Mitigation,” IEEE Communications Magazine, vol. 54, no. 4, pp. Cryptography and Network Security (ACNS). Springer, 2016, pp. 18–
54–61, 2016. 35.
[7] F. M. Aziz, J. S. Shamma, and G. L. Stüber, “Resilience of LTE [32] GSMA CVD Governance Team/Samantha Saad, “Liaison Statement:
Networks Against Smart Jamming Attacks: Wideband Model,” in In- LTE and the upcoming 5G standard (S3-181429),” http://www.3gpp.org/
ternational Symposium on Personal, Indoor and Mobile Radio Commu- ftp/TSG SA/WG3 Security/TSGS3 91 Belgrade/Docs/S3-181429.zip,
nications (PIMRC). IEEE, 2015, pp. 1344–1348. [Online; accessed 1-June-2018].
[8] R. P. Jover, “Security Attacks Against the Availability of LTE Mobility [33] 3GPP Security Group SA3, “Meeting Report 20 April 2018,”
Networks: Overview and Research Directions,” in Symposium on Wire- http://www.3gpp.org/ftp/Meetings 3GPP SYNC/SA3/Report/
less Personal Multimedia Communications (WPMC). IEEE, 2013. MeetingReport 20April.rtf, [Online; accessed 1-June-2018].
[9] M. Juarez, S. Afroz, G. Acar, C. Diaz, and R. Greenstadt, “A Critical [34] Alf Zugenmaier (3GPP Security Group SA3), “Reply to LS on LTE and
Evaluation of Website Fingerprinting Attacks,” in ACM Conference on the upcoming 5G standard (S3-181443),” http://www.3gpp.org/ftp/TSG
Computer and Communications Security (CCS). ACM, 2014. SA/WG3 Security/TSGS3 91 Belgrade/Docs/S3-181443.zip, [Online;
[10] A. Dabrowski, N. Pianta, T. Klepp, M. Mulazzani, and E. Weippl, accessed 1-June-2018].
“IMSI-Catch Me If You Can: IMSI-Catcher-Catchers,” in ACM Annual [35] 3GPP, “NR; Packet Data Convergence Protocol (PDCP) specification,”
Computer Security Applications Conference (ACSAC). ACM, 2014, pp. 3rd Generation Partnership Project (3GPP), TS TS38.323, 2018.
246–255. [Online]. Available: http://www.3gpp.org/ftp/Specs/html-info/38323.htm
[11] P. Ney, I. Smith, G. Cadamuro, and T. Kohno, “SeaGlass: Enabling [36] S. Kumar, E. Hamed, D. Katabi, and L. Erran Li, “LTE Radio Analytics
City-wide IMSI-Catcher Detection,” Privacy Enhancing Technologies Made Easy and Accessible,” in ACM SIGCOMM Computer Communi-
(PETS), vol. 2017, no. 3, pp. 39–56, 2017. cation Review (SIGCOMM). ACM, 2014, pp. 211–222.
[12] 3GPP, “Rationale and track of security decisions in Long Term [37] “Software Radio Systems - Airscope,” http://www.softwareradiosystems.
Evolution (LTE) RAN / 3GPP System Architecture Evolution (SAE),” com/products/, 2018, [Online; accessed 1-June-2018].
3rd Generation Partnership Project (3GPP), TR 33.821, 06 2009. [38] “Sanjole - WaveJudge4900A,” http://www.sanjole.com/brochures-2/
[Online]. Available: http://www.3gpp.org/ftp/Specs/html-info/33821.htm WaveJudge4900A-LTEHandout-Feb11-2012.pdf, 2018, [Online; ac-
[13] “Ettus Research USRP B210,” https://www.ettus.com/product/details/ cessed 1-June-2018].
UB210-KIT, [Online; accessed 1-June-2018]. [39] N. Bui and J. Widmer, “OWL: A Reliable Online Watcher for LTE
[14] “Open Source SDR LTE Software Suite,” https://github.com/srsLTE/ Control Channel Measurements,” in Workshop on All Things Cellular:
srsLTE, [Online; accessed 1-June-2018]. Operations, Applications and Challenges (ATC). ACM, 2016, pp. 25–
[15] D. F. Kune, J. Koelndorfer, N. Hopper, and Y. Kim, “Location Leaks 30.
on the GSM Air Interface,” in Symposium on Network and Distributed [40] N. Bui, “IMDEA’s Online Watcher for LTE (OWL) Control Channel,”
System Security (NDSS). ISOC, 2012. https://git.networks.imdea.org/nicola bui/imdeaowl, 2017, [Online; ac-
[16] B. Hong, S. Bae, and Y. Kim, “GUTI Reallocation Demystified: Cellular cessed 1-June-2018].
Location Tracking with Changing Temporary Identifier,” in Symposium [41] D. Herrmann, R. Wendolsky, and H. Federrath, “Website Fingerprinting:
on Network and Distributed System Security (NDSS). ISOC, 2018. Attacking Popular Privacy Enhancing Technologies with the Multino-
[17] 3GPP, “Evolved Universal Terrestrial Radio Access (E-UTRA); mial Naı̈Ve-bayes Classifier,” in Workshop on Cloud Computing Security
Medium Access Control (MAC) protocol specification,” 3rd Generation (CCSW). ACM, 2009, pp. 31–42.
Partnership Project (3GPP), TS 36.321, 06 2010. [Online]. Available: [42] A. Panchenko, L. Niessen, A. Zinnen, and T. Engel, “Website Fin-
http://www.3gpp.org/ftp/Specs/html-info/36321.htm gerprinting in Onion Routing Based Anonymization Networks,” in
[18] “PCSC Lite Project - Middleware to Access a Smart Card using SCard Workshop on Privacy in the Electronic Society (WPES). ACM, 2011,
API (PC/SC).” https://pcsclite.apdu.fr/, [Online; accessed 1-June-2018]. pp. 103–114.
[19] T. Wang and I. Goldberg, “Improved Website Fingerprinting on Tor,” in [43] A. Perrig, J. Stankovic, and D. Wagner, “Security in Wireless Sensor
Workshop on Privacy in the Electronic Society (WPES). ACM, 2013. Networks,” Communications of the ACM, vol. 47, no. 6, pp. 53–57, Jun.
[20] “OpenAirInterface (OAI) - 5G Software Alliance for Democratis- 2004.
ing Wireless Innovation,” http://www.openairinterface.org/, [Online; ac- [44] Y. Fan, Y. Jiang, H. Zhu, J. Chen, and X. S. Shen, “Network Coding
cessed 1-June-2018]. Based Privacy Preservation Against Traffic Analysis in Multi-Hop
[21] “Appium: Mobile App Automation Made Awesome,” http://appium.io/, Wireless Networks,” IEEE Transactions on Wireless Communications,
[Online; accessed 1-June-2018]. vol. 10, no. 3, pp. 834–843, March 2011.
[22] S. Salvador and P. Chan, “Toward Accurate Dynamic Time Warping in [45] J. Deng, R. Han, and S. Mishra, “Countermeasures Against Traffic
Linear Time and Space,” Intelligent Data Analysis, vol. 11, no. 5, pp. Analysis Attacks in Wireless Sensor Networks,” in Security and Privacy
561–580, 2007. for Emerging Areas in Communications Networks (SECURECOMM),
[23] T. Mitsa, Temporal Data Mining. Chapman & Hall/CRC, 2010. 2005, pp. 113–126.
[24] X. Cai, X. C. Zhang, B. Joshi, and R. Johnson, “Touching from [46] X. Luo, X. Ji, and M. S. Park, “Information Science and Applications
a Distance: Website Fingerprinting Attacks and Defenses,” in ACM (ICISA),” in Information Science and Applications. IEEE, 2010.


[47] S. R. Hussain, O. Chowdhury, S. Mehnaz, and E. Bertino, “LTEIn- [53] C.-Y. Li, G.-H. Tu, S. Lu, X. Wang, C. Peng, Z. Yuan, Y. Li, S. Lu,
spector: A Systematic Approach for Adversarial Testing of 4G LTE,” in and X. Wang, “Insecurity of Voice Solution VoLTE in LTE Mobile
Symposium on Network and Distributed System Security (NDSS). ISOC, Networks,” in ACM Conference on Computer and Communications
2018. Security (CCS). ACM, 2015, pp. 316–327.
[48] D. Rupprecht, K. Jansen, and C. Pöpper, “Putting LTE Security Func- [54] H. Kim, D. Kim, M. Kwon, H. Han, Y. Jang, D. Han, T. Kim,
tions to the Test: A Framework to Evaluate Implementation Correctness,” and Y. Kim, “Breaking and Fixing VoLTE : Exploiting Hidden Data
in USENIX Workshop on Offensive Technologies (WOOT). USENIX Channels and Misimplementations,” in ACM Conference on Computer
Association, 2016. and Communications Security (CCS). ACM, 2015, pp. 328–339.
[49] GSMK mbH, “New Security Systems to Protect Mobile Network [55] M. T. Raza, F. M. Anwar, and S. Lu, “Exposing LTE Security Weak-
Operators against Eavesdropping and Fraud,” http://www.cryptophone. nesses at Protocol Inter-Layer, and Inter-Radio Interactions,” in Confer-
de/en/company/news/gsmk-debuts-new-security-systems-to-protect- ence on Security and Privacy in Communication Systems. Springer,
mobile-network-operators-against-eavesdropping-and-fraud/, 2017, 2017, pp. 312–338.
[Online; accessed 1-June-2018]. [56] E. Barkan, E. Biham, and N. Keller, “Instant Ciphertext-only Crypt-
[50] Security Research Labs, “SnoopSnitch - Mobile Network Security analysis of GSM Encrypted Communication,” Journal of Cryptology,
Tests,” https://opensource.srlabs.de/projects/snoopsnitch, 2014, [Online; vol. 21, no. 3, pp. 392–429, Aug. 2008.
accessed 1-June-2018]. [57] J. D. Golić, “Cryptanalysis of Alleged A5 Stream Cipher,” in Theory
[51] S. Park, A. Shaik, R. Borgaonkar, A. Martin, and J.-P. Seifert, “White- and Application of Cryptographic Techniques (EUROCRYPT). Springer,
Stingray: Evaluating IMSI Catchers Detection Applications,” in USENIX 1997, pp. 239–255.
Workshop on Offensive Technologies (WOOT). USENIX Association, [58] A. Biryukov, A. Shamir, and D. Wagner, “Real Time Cryptanalysis
2017. of A5/1 on a PC,” in Workshop on Fast Software Encryption (FSE).
[52] C. Peng, C.-Y. Li, H. Wang, G.-H. Tu, and S. Lu, “Real Threats to Your Springer, 2000.
Data Bills: Security Loopholes and Defenses in Mobile Data Charging,” [59] Security Research Labs, “Kraken: A5/1 Decryption Rainbow Ta-
in ACM Conference on Computer and Communications Security (CCS), bles,” https://opensource.srlabs.de/projects/a51-decrypt, 2010, [Online;
2014, pp. 727–738. accessed 1-June-2018].