New Vulnerabilities in 4G and 5G Cellular Access Network Protocols: Exposing Device Capabilities

The paper discusses new vulnerabilities in 4G and 5G cellular access network protocols, particularly focusing on the unprotected exchange of device capabilities during the registration phase. It identifies three classes of attacks: identification attacks, bidding down attacks, and battery drain attacks, which exploit these vulnerabilities to compromise device security and performance. The authors provide countermeasures and call for updates to the 3GPP standards to address these issues.


New vulnerabilities in 4G and 5G cellular access network protocols: exposing device capabilities

Altaf Shaik (Technische Universität Berlin), Ravishankar Borgaonkar (SINTEF Digital), Shinjo Park (Technische Universität Berlin), Jean-Pierre Seifert (Technische Universität Berlin)

ABSTRACT

Cellular devices support various technical features and services for 2G, 3G, 4G and upcoming 5G networks. For example, these technical features include physical layer throughput categories, radio protocol information, security algorithms, carrier aggregation bands and types of services such as GSM-R, Voice over LTE etc. In the cellular security standardisation context, these technical features and network services are termed device capabilities and are exchanged with the network during the device registration phase. In this paper, we study the device capabilities information specified for 4G and 5G devices and their role in establishing a security association between the device and the network. Our research results reveal that device capabilities are exchanged with the network before the authentication stage without any protection and are not verified by the network. Consequently, we present three novel classes of attacks exploiting unprotected device capabilities information in 4G and upcoming 5G networks – identification attacks, bidding down attacks, and battery drain attacks against cellular devices. We implement proof-of-concept attacks using a low-cost hardware and software setup to evaluate their impact against commercially available 4G devices and networks. We reported the identified vulnerabilities to the relevant standardisation bodies and provide countermeasures to mitigate device capabilities attacks in 4G and upcoming 5G networks.

ACM Reference Format:
Altaf Shaik, Ravishankar Borgaonkar, Shinjo Park, and Jean-Pierre Seifert. 2019. New vulnerabilities in 4G and 5G cellular access network protocols: exposing device capabilities. In 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec ’19), May 15–17, 2019, Miami, FL, USA. ACM, New York, NY, USA, 12 pages. https://doi.org/10.1145/3317549.3319728

WiSec ’19, May 15–17, 2019, Miami, FL, USA. © 2019 Association for Computing Machinery. ACM ISBN 978-1-4503-6726-4/19/05 . . . $15.00.

1 INTRODUCTION

As mobile network generations advance, new technologies and innovative applications come into existence. From tiny low-powered sensors to vehicular networks, everything can now be controlled and managed via mobile networks. The current fourth and fifth generation networks, in short 4G (also called Long Term Evolution (LTE)) and 5G respectively, are built to support a wide range of applications including smart homes, critical infrastructure, industry processes, HD media delivery, automated cars, etc. Besides, low-cost and low-energy mobile devices referred to as Narrow Band Internet of Things (NB-IoT) and LTE Machine Type Communications (LTE-M)¹ are redefining the IoT market with a brand new LTE protocol suite tailored for IoT applications.

The standards body 3rd Generation Partnership Project (3GPP) has designed several capabilities in the 4G and 5G specifications to address these applications and control them via mobile networks. These capabilities are communicated to the network by mobile devices during the registration process. The device capabilities play an essential role in defining the communication model between the device and the network. For instance, they define the speed, frequency bands, security parameters and application specific parameters such as the telephony capabilities of the device. This allows the network to recognise the application type and accordingly offer the appropriate service. For example, an automated car indicates its Vehicle-2-Vehicle (V2V) support to the network and receives the required parameters to establish communication with surrounding vehicles. Similarly, high end smartphones indicate their support for carrier aggregation and Multiple-Input and Multiple-Output (MIMO) techniques to receive high data rates from the network. Also, low-powered and light weight IoT devices indicate their support for power consumption techniques and accordingly activate them after negotiating with the network. Hence, the capability information of a device plays an essential role in the right operation of the device with respect to its application.

In this paper, we analyse the device capabilities specified in the 4G and 5G network standards with respect to security aspects. Our research study reveals that device capability information is exchanged with the network without any protection during the device registration phase. Consequently, the device capability information can be misused by an adversary to perform several attacks against the mobile subscriber. We present three classes of attacks – a) Identification attacks allow an adversary to discover devices on the mobile network and reveal their hardware and software characteristics (such as model, manufacturer, version) and the applications running on them; b) Bidding down attacks hijack the device capabilities exposed on the LTE air-interface and degrade the data-rate of a device from 27 Mbps to 3.7 Mbps, and further deny Voice Over LTE (VoLTE) services to LTE subscribers and downgrade them to 3G/2G networks; c) Battery draining attacks target NB-IoT and LTE-M devices to break down their power saving abilities and drain their battery life 5 times faster than the expected lifetime.

We have implemented all our attacks and tested them using commercial LTE devices and also on real LTE networks. As the vulnerabilities we identified are present in the 3GPP standards, all devices supporting the LTE (and upcoming 5G as well) standards are affected. Moreover, our attacks are silent and persistent for several days and fortunately require minor fixes to mitigate them. Our research results are reported to the cellular standardisation bodies (SA3) and network operators, and remedial actions are underway. We hope to see changes to the 3GPP 5G specifications to address the shortcomings we outlined in this paper. Our contributions in this paper are the following:

• A new vulnerability in the LTE and 5G specifications that enables device identification attacks. As a consequence of this specification vulnerability, an implementation vulnerability is found in network operator equipment that is exploited during the LTE device registration procedure. Further, a protocol vulnerability in the first release of the LTE NB-IoT protocols that compromises the battery life of low-powered devices.
• A low cost experimental setup built using off-the-shelf hardware and openly available software. Implementation of various proof-of-concept attacks and their evaluation using commercial devices and cellular networks.
• Countermeasures to mitigate the attacks that can be included into 4G protocols and also as recommendations to the ongoing second phase 5G security standard design.

¹ LTE-M is the term for the LTE-MTC low power wide area (LPWA) technology standard published by 3GPP in the Release 13 specification.

2 BACKGROUND

We first present the different types of capabilities defined for mobile devices and then discuss the standardized registration procedure as defined by the 3GPP. Next, we introduce cellular IoT devices and how they operate in LTE networks. In 3GPP terminology a mobile device, a base station and a core network are referred to as User Equipment (UE), evolved NodeB (eNodeB) and Mobility Management Entity (MME) respectively. A UE (phone, router, IoT gateway, etc.) with a valid SIM card can register to a mobile network and receive access to call/data services. An eNodeB is responsible for the radio transmission and reception with the UEs, and an MME handles administrative tasks such as the authentication, security and management of the subscribers. Hereafter we refer to a device as a UE.

2.1 UE Capabilities

A UE supports several capabilities for various LTE services and operations. They are classified into core network capabilities [9, 15] and radio access capabilities [6, 8] and are exercised by the MME and the eNodeB respectively. The core network capabilities contain non-radio related capabilities, e.g. security algorithms, telephony features etc., whereas radio access capabilities describe radio aspects of the UE, such as supported frequency bands, receive and transmit capabilities etc. Further, a UE can support various radio access technologies such as LTE, 3G, 2G and CDMA, and reports its capabilities to the network during the registration procedure.

2.2 LTE Registration

A typical registration procedure in an LTE network is performed using control plane messages as shown in Figure 1. To begin, upon turning ON, a UE sends an Attach Request message to the MME indicating its request for voice/data services or both. It primarily consists of subscriber identities such as the International Mobile Subscriber Identity (IMSI) or Temporary Mobile Subscriber Identity (TMSI) and the UE’s core network capabilities. Since the Attach Request is the first message to the network, it is sent in plaintext. Upon identifying the subscriber, both UE and network perform mutual authentication and establish the first level of security. In particular, Non-Access Stratum (NAS) security is established between the UE and the MME to enable encryption and integrity protection of the messages hereafter exchanged between them.

Figure 1: LTE Registration Procedure

Next, the MME instructs the eNodeB to fetch the UE’s radio access capabilities. Thus, upon receiving a UE Capability Enquiry message from the eNodeB, the UE transfers the requested radio access capabilities using a UE Capability Information message. The eNodeB forwards these capabilities to the MME, where they are stored until the UE de-registers from the network. Further, eNodeB and UE establish a second level of security called Radio Resource Control (RRC) security. Hereafter the messages exchanged between UE and eNodeB are encrypted and integrity-protected. In the coming sections we highlight that the sequence of the radio access capability transaction and the RRC security setup varies among operators. Following this, the registration is successfully completed when the UE receives an Attach Accept message. Now the UE can utilize the voice and data services offered by the network.

LTE network deployments divide a geographical location into Tracking Areas (TAs) and each TA is assigned an identifier called the TA Code (TAC). While moving from one TA to another, a registered UE should perform a Tracking Area Update (TAU) procedure in order to update its current location to the network. The UE initiates this procedure by sending a TAU Request message to the MME; its contents are similar to the Attach Request message. Next, UE, eNodeB and MME follow a procedure similar to Figure 1 and complete the update procedure with a TAU Accept message. Note that the UE reports its core network capabilities during the TAU procedure. A similar update procedure known as periodic TAU is also performed (even though the UE did not change its location) by the UE upon the expiry of a timer T3412. T3412 is sent to the UE in the Attach Accept and TAU Accept messages.

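An added check over the registration sequence just described (example code, not the paper's own): given a trace of control plane messages logged for one test UE, it reports whether the UE Capability Information was requested before RRC security was set up, the ordering the text notes varies among operators, and whether a request that failed NAS integrity verification was still accepted. The traces, message names and verification flags are constructed for this example.

```python
"""Audit one LTE registration trace for capabilities exchanged outside protection.

Added example, not code from the paper. A trace is the ordered list of control
plane messages seen for one UE (e.g. logged by a test UE), with the MME's
integrity verification result attached to uplink NAS requests where known. The
traces below are constructed for this example; message names follow the RRC
(TS 36.331) and NAS (TS 24.301) procedures named in the text above.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CtrlMsg:
    layer: str                                 # "RRC" (UE-eNodeB) or "NAS" (UE-MME)
    name: str                                  # message name, no spaces
    integrity_verified: Optional[bool] = None  # MME's check of an uplink NAS request;
                                               # None = no existing context / unknown


def _registration(caps_before_rrc_security: bool, tau: bool = False,
                  integrity_verified: Optional[bool] = None) -> List[CtrlMsg]:
    """Constructed Attach or TAU exchange, in one of the two observed orderings."""
    req, acc = ("TAURequest", "TAUAccept") if tau else ("AttachRequest", "AttachAccept")
    caps = [CtrlMsg("RRC", "UECapabilityEnquiry"), CtrlMsg("RRC", "UECapabilityInformation")]
    rrc_sec = [CtrlMsg("RRC", "SecurityModeCommand"), CtrlMsg("RRC", "SecurityModeComplete")]
    return (
        [CtrlMsg("RRC", "RRCConnectionRequest"), CtrlMsg("RRC", "RRCConnectionSetup"),
         CtrlMsg("NAS", req, integrity_verified),        # carries core network capabilities
         CtrlMsg("NAS", "AuthenticationRequest"), CtrlMsg("NAS", "AuthenticationResponse"),
         CtrlMsg("NAS", "SecurityModeCommand"), CtrlMsg("NAS", "SecurityModeComplete")]
        + (caps + rrc_sec if caps_before_rrc_security else rrc_sec + caps)
        + [CtrlMsg("NAS", acc)]
    )


# Ordering the text reports at several operators: radio capabilities before RRC security.
TRACE_CAPS_IN_PLAINTEXT = _registration(caps_before_rrc_security=True)
# Ordering in which the radio capabilities travel under RRC protection.
TRACE_CAPS_PROTECTED = _registration(caps_before_rrc_security=False)
# A TAU whose request failed the MME's integrity check but was accepted anyway.
TRACE_TAU_UNVERIFIED = _registration(False, tau=True, integrity_verified=False)


def audit_registration(trace: List[CtrlMsg]) -> List[Tuple[str, str]]:
    """Return (code, description) findings for one trace.

    CORE_CAPS_BEFORE_NAS_SECURITY: the Attach/TAU Request, which carries the core
        network capabilities, precedes NAS security. True of every fresh
        registration by design, so this one is informational.
    RADIO_CAPS_BEFORE_RRC_SECURITY: UE Capability Information precedes the RRC
        Security Mode Command, so the radio capabilities crossed the air
        interface in plaintext.
    UNVERIFIED_REQUEST_ACCEPTED: a request that failed integrity verification was
        still followed by an Accept, so its content was acted on unverified.
    """
    keys = [(m.layer, m.name) for m in trace]

    def first(layer: str, name: str) -> Optional[int]:
        return keys.index((layer, name)) if (layer, name) in keys else None

    findings: List[Tuple[str, str]] = []
    nas_smc = first("NAS", "SecurityModeCommand")
    rrc_smc = first("RRC", "SecurityModeCommand")
    for req in ("AttachRequest", "TAURequest"):
        i = first("NAS", req)
        if i is not None and (nas_smc is None or i < nas_smc):
            findings.append(("CORE_CAPS_BEFORE_NAS_SECURITY",
                             f"{req} with core network capabilities sent before NAS security"))
    cap = first("RRC", "UECapabilityInformation")
    if cap is not None and (rrc_smc is None or cap < rrc_smc):
        findings.append(("RADIO_CAPS_BEFORE_RRC_SECURITY",
                         "UECapabilityInformation sent before RRC security (plaintext)"))
    accepts = (("NAS", "AttachAccept"), ("NAS", "TAUAccept"))
    for i, m in enumerate(trace):
        if (m.layer == "NAS" and m.name in ("AttachRequest", "TAURequest")
                and m.integrity_verified is False and any(k in accepts for k in keys[i + 1:])):
            findings.append(("UNVERIFIED_REQUEST_ACCEPTED",
                             f"{m.name} failed integrity verification but was accepted"))
    return findings


def finding_codes(trace: List[CtrlMsg]) -> List[str]:
    return [code for code, _ in audit_registration(trace)]


if __name__ == "__main__":
    for label, t in (("plaintext caps", TRACE_CAPS_IN_PLAINTEXT),
                     ("protected caps", TRACE_CAPS_PROTECTED),
                     ("unverified TAU", TRACE_TAU_UNVERIFIED)):
        print(label, finding_codes(t))
```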
2.3 Cellular IoT UEs

Two new categories of UEs known as NB-IoT and LTE-M are defined by the 3GPP in the LTE Release 13 specifications to support low-powered, battery constrained IoT devices in mobile networks. An optimized registration procedure is defined for these categories in which these UEs are required to establish only the NAS level of security and eliminate the RRC security setup. Moreover, data transmission is facilitated using secure NAS control plane messages [15].

3 VULNERABILITIES AND THREAT MODEL

This section uncovers the vulnerabilities we discovered in LTE protocols and implementations. First, we present a threat model and discuss the vulnerabilities. Next, we build an experimental setup to exploit the vulnerabilities using commercial devices and networks.

3.1 Threat Model

We define a threat model and characterize two types of adversaries: passive and active. Both have knowledge of the LTE protocols, and access to the software and hardware elements required to listen to and decode LTE control channel messages over the air-interface. Additionally, the active one has the capability to mount a rogue LTE network in two ways. The first type of active adversary can operate a rogue eNodeB and exchange LTE control plane messages with the victim UE(s). The second type of active adversary can act as a Man in the Middle (MitM) and relay the traffic between a victim UE and a legitimate network, and can further modify/inject information into the unencrypted LTE control plane messages.

3.2 Vulnerabilities

We identified three vulnerabilities in the LTE registration procedure. They exploit the UE capabilities sent to the network during registration or TAU procedures and are described as follows.

• (V1) First, both core network and radio access capabilities can be acquired from a UE without establishing authentication [6, 15]. This allows an active or passive adversary to obtain all the capabilities of a UE. We exploit this vulnerability and demonstrate device type identification attacks in section 4.
• (V2) Second, mobile network operators are requesting the radio access capabilities from the UE prior to the RRC security setup as shown in Figure 1. As a result, UE capabilities are transferred in plaintext and an adversary can hijack these capabilities. We study the threats resulting from this vulnerable operation and demonstrate device bidding down attacks in section 5.
• (V3) Third, the Attach Request message is always sent unencrypted by the UE to the network [15], but it can be integrity protected in case of an existing NAS security context in the UE. However, the registration process is not interrupted even if the integrity verification fails at the MME. In such a case the content of the Attach Request message is vulnerable to injection or modification attacks. In particular, the core network capabilities inside this message can be hijacked by an adversary. We discovered that modifying certain core network capabilities can cause power drain attacks on NB-IoT devices, as demonstrated in section 6.

Figure 2: Experimental setup

3.3 Experimental Setup

We build an experimental setup as shown in Figure 2 to demonstrate and validate our attacks. Our hardware elements consist of two host i7 PCs running Linux and two radio modules made of the Universal Software Radio Peripheral B210 [18]. The B210 is a software defined radio that is controlled by host-based software via a USB3 port to perform transmit and receive operations. Next, our software elements are created using the open source project srsLTE [38]. Precisely, we leverage the srsUE and srseNB software to operate as a UE and an eNodeB respectively. Further, we used a testbed offered by a vendor to perform NB-IoT experiments. On this testbed, we have access to configure, modify and visualize LTE control plane messages. For confidentiality reasons we do not exhibit this testbed in this paper. As highlighted in Figure 2, the software is executed on the host PC which controls the B210 to transmit and receive LTE signals. To perform our attacks we design and operate a rogue eNodeB and a relay, which are detailed below.

Rogue eNodeB Operation. A rogue eNodeB impersonates a real eNodeB by spoofing the frequency and network codes of a real network operator. Further, to attract UEs in the operating region, we use a TAC that is different from the current TA. Most importantly, we surpass a legitimate eNodeB by transmitting at relatively higher power to automatically receive a TAU Request message from the UEs. To achieve this we modified the srseNB software and present a rogue network to the UE. Our rogue eNodeB in Figure 2 exchanges LTE control plane messages with the UE and naively redirects them to a legitimate network after the attack.

Relay Operation. A relay consists of a rogue UE and a rogue eNodeB. The configuration of the rogue eNodeB is similar to the eNodeB discussed above, and further it is directly connected to the rogue UE (on a different host) that relays the traffic between the victim UE and the legitimate network. We followed an approach similar to [32] to maintain a stable connection between the legitimate UE and the network. However, we used a frequency number for the
operation of the rogue eNodeB different from the legitimate operator, and hence avoid our rogue UE connecting to our own rogue eNodeB. For the setup in Figure 2, we use the modified srseNB (as above) and a modified srsUE to receive and relay the control plane messages (RRC and NAS) between the legitimate network and the victim UE. Our major modifications involve the integration of the srsUE and srseNB segments. Moreover, we used directional antennas and power amplifiers to improve the signal conditions between the rogue UE and the legitimate network. Similar to this relay setup we have a UE segment and an eNodeB segment in our NB-IoT testbed and also refer to them as a relay in our experiments.

Note: We performed all the experiments using our test phones and extreme care is taken not to interfere with nearby communications. Further, we have legitimate permissions from an operator to transmit in one of their commercial LTE frequencies.

4 DEVICE-TYPE IDENTIFICATION

This section presents techniques to identify the type of devices on a mobile network and to estimate the underlying applications. We start by understanding UE capabilities and their usage in commercial devices and applications. Next, we discuss our reference model using a set of known devices and techniques to distinguish various devices and applications. Lastly, we use our reference model to perform the Mobile Network Mapping (MNmap) attack and discuss the impacts of such an attack.

4.1 Understanding UE Capabilities

The term device-type in our work represents device specifics such as the combination of the maker, model, software and the application(s) on the device. The manufacturing of cellular-enabled devices involves multiple entities: a baseband vendor producing the modem, a device manufacturer integrating the modem with other components such as sensors or displays, and an application developer providing lightweight firmware or a full-stack operating system. Baseband vendors define UE capabilities according to the 3GPP standards [6] and make them adjustable for device manufacturers and application providers according to their specifications and requirements. Due to the large number of optional capabilities (several hundred), each baseband manufacturer may implement a subset of the whole capabilities in a distinct way. Similarly, device and application providers can also adjust the UE capabilities. Based on these distinct implementations, we discovered that it is possible to identify a device-type and its corresponding application.

Each target application requires different UE capabilities. For example, a mobile phone requires telephony capability. A tracking device requires persistent GPS access, while telephony is not always required. Cars require multiple capabilities: GPS for navigation, V2X for self-driving cars [13]. All these capabilities are defined in the modem and are enabled/disabled according to the target application. Thus, there is a direct correlation between a UE capability and a target application. We now continue to analyze the UE capabilities (both core and radio) and create a reference model that enables us to identify the device-type details of any cellular-enabled device.

4.2 Reference Model

Device identification is based on the differential analysis of the capabilities that are obtained from a UE. Initially we perform dedicated experiments to learn the ground truth information about device-types and create a reference model from it. This reference model is a large database of capabilities and techniques to identify device-types. We used 40 devices for our experiment including mobile phones, cars, tablets, routers, USB data sticks, e-bikes, cellular IoT devices like trackers, and a coffee machine (detailed list in Table 3). Device-types are then systematically identified based on a tree-based model shown in Figure 3 consisting of four levels (marked in different colors). The first level identifies the baseband vendor and the model of the device and the second level differentiates cellular and cellular IoT devices. The third level determines the device’s application and the fourth level identifies the device manufacturer and application provider.

By using our eNodeB setup, we acquire both the core network and radio access capabilities from the test devices and analyze them. In particular, UEs initiate a registration process with our eNodeB and we extract the capabilities from the Attach Request and UE Capability Information messages. We then compare the implementation differences of specific capabilities listed in Appendix B to identify the right baseband vendor and model. Further, we investigate the presence/absence of one or more capabilities listed in the tables in Appendix C, Appendix D and Appendix E to determine the right device level and further deduce the device-type details. We define each of the levels and the corresponding identification techniques as follows:

Baseband Vendor Name and Model. We primarily identify the baseband vendor and model of the UE. As the number of active baseband vendors is limited, we can distinguish them using a few implementation differences in the capabilities. We consider the following popular baseband vendors with a significant market share: Qualcomm, Samsung, MediaTek, Intel and Huawei. We discovered a set of capabilities as shown in the table in Appendix B that are (de)activated in each of these basebands and allow us to identify the vendor. For instance, Qualcomm based UEs by default do not support the NULL integrity algorithm EIA0 [11]. EIA0 is particularly used for emergency calling and the Qualcomm baseband dynamically activates it, unlike other vendors. Hence any UE lacking support for EIA0 can be considered as a Qualcomm baseband. Similarly, Huawei basebands support all the listed capabilities. Further, Samsung, Intel, and MediaTek can be differentiated based on the combination of other capabilities.

Next, every baseband model is designed to support a particular LTE specification release and a corresponding set of capabilities. By referring and comparing a baseband model to our reference model, the model name (or number) of the baseband can be determined. For e.g., release 9 specifications support only LTE technology whereas release 10 specifications support LTE-advanced features. Hence in the case of Qualcomm the former is found in the MDM9615 baseband model and the latter in MDM9625 (or higher) models. Upon revealing the model, the corresponding list of devices using this baseband model can be obtained from various sources on the internet such as GSMArena [2] and WikiDevi [3]. This information is later used in other levels as assistance to identify the device manufacturer and
also the application.

Figure 3: Device type identification levels

Cellular vs Cellular IoT. 3GPP defines various UE Categories (Cat) depending on their LTE specifications and the supporting technical capabilities [8], between 0 and 19. Further, NB-IoT and LTE-M are different categories and features defined especially for IoT applications. These categories do not support voice calling features and instead support power saving features. As shown in the table in Appendix C, timers T3324 and T3412 ext are included in the Attach Request message to indicate power saving features [15]. Hence when these timers are active we can accurately make a decision at level two that they are a certain type of cellular IoT device.

Phone vs Others. The primary use of a mobile phone is to make voice calls, therefore voice capability is activated by default. In contrast, there are cellular modems dedicated to data-only purposes without voice calls, hence we categorize them as “others”. These include data sticks, cars, hotspots, wearables like watches, etc. The device capabilities in the table in Appendix D clearly distinguish UEs that are phones from all other UEs that are not phones. Unlike “others”, a phone indicates its UE Usage Setting, Voice Domain Preferences and voice codec support to the network and activates voice calling capabilities. iPhone models can be distinguished based on the specification release and also the UE category, whereas we have a different approach to distinguish various Android manufacturers.

A UE fixed in a car requires GPS features to be constantly turned ON. Further, in LTE and 5G networks, UE capabilities indicate V2X or V2V support. When such a capability is detected it can be referred to as a vehicle. A railway specific modem has special features that support frequencies dedicated to railways such as GSM-R [20]. Differently, USB dongles and routers (also hotspots) are purely data-oriented and lack any voice codec facilities. These distinct capabilities can distinguish different devices at level 3.

NB-IoT vs LTE-M. While both NB-IoT and LTE-M are targeting low-powered IoT applications with 10 years of battery life [7, 22], they have different operational aspects. NB-IoT uses different radio channels compared to LTE-M and hence the two are easily distinguishable from each other. The separation of these two categories assists in identifying the underlying IoT application.

Android vs iOS. iPhones have constantly been using basebands from either Qualcomm or Intel. Thus, devices using other basebands are not considered as iOS devices. Although Android devices can use a Qualcomm or Intel baseband, we noticed multiple differences between Android and iOS devices with the same baseband as shown in the table in Appendix E. MS-assisted GPS is a capability that we found disabled in all tested iPhone models, whereas it is always enabled across Android models using Qualcomm and Intel basebands. Note that we did not consider phones with other operating systems such as Windows and Firefox due to their low market share.

Android Device Manufacturers. Based on our analysis, Android device manufacturers have certain preferences in choosing their basebands. Huawei and Samsung basebands are exclusively used in-house. Other manufacturers such as LG, Nokia, HTC use basebands from multiple vendors such as MediaTek, Qualcomm and Intel. Hence, by referring to the device lists [2, 3] it is possible to narrow down the possible options and determine the right phone manufacturer.

Application. Cellular-type devices are multi-purpose devices with moderate to high computing capabilities and can be identified based on the above techniques. For example, upon detecting a router its operating system can be inferred from various internet sources. In contrast, cellular IoT type devices have less computing power and are dedicated to a single application. LTE-M provides better latency than NB-IoT, making it suitable for mission-critical applications such as those involving emergency data and precision tracking data. A wide range of applications and the appropriate category is defined in [22] as a recommendation to the device manufacturers. Similarly, the application can be inferred based on the requested
timer values. A UE can request lower T3412 values such as 15 seconds or less to save more power. This could be translated to a device or a sensor like a smart meter that only pushes data to a server and does not expect any responses. Differently, a vending machine or an asset tracker requires up to 1 minute of active state depending on the requirements. However, this heavily depends on the settings of the application. Some devices may use the default value supplied by the baseband manufacturer, which may not be optimal for their specific use case.

4.3 Mobile Network Mapping (MNmap)

The primary goal of this attack is to identify devices on a mobile network by analyzing their capabilities. Since a UE transfers its capabilities to the network without performing authentication [6], an active adversary can acquire these capabilities (both core and radio) by operating a rogue eNodeB as described in our setup. Besides, a passive adversary can also acquire the UE’s core network capabilities but not the radio capabilities (provided they are exchanged after the RRC security setup). In this section we perform the attack as an active adversary, as we require both core and radio capabilities to perform a granular identification. We perform an experiment with an unknown UE and apply our reference model to determine its device-type. Upon receiving a TAU Request message from the UE, we extract the core network capabilities and send a UE Capability Enquiry message. The UE responds with a UE Capability Information message, and we extract the radio capabilities from it and release the UE to a legitimate network using an RRC Release message.

In our experiment, an unknown device was identified to use the Intel XMM7480 baseband based on our model, due to its Cat 6 support. It is determined as a phone/tablet since the device has voice support (ref table) and reports itself as a voice centric device. By searching the smartphones and tablets with the Intel XMM7480 baseband, we could identify that this is an iPhone 8.

The secondary goal of this attack is to determine potential vulnerabilities applicable to the identified device. Precisely, MNmap can be supplemented with vulnerability information from the ex-

on the reference model and publicly available databases to infer the device-type information. Hence a bigger and more diverse reference model is required for an accurate device-type identification. Phones, tablets, routers and automotive devices are easily identified using our reference model, whereas determining the application of a cellular IoT device is challenging due to its limited set of capabilities and the similarities among several applications. Another challenge is to determine the application OS version, since the baseband model and mobile OS versions are not linked and not synchronously updated. Besides, in certain UEs (especially phones) a USIM card can activate/deactivate certain capabilities. For e.g., frequency bands are enabled and disabled according to certain settings by the network operator. Hence, identification is affected by the USIM card setting and this should be considered during the MNmap attack.

5 DEVICE BIDDING DOWN

This section presents a bidding down attack performed on a UE by hijacking its capabilities. We first discuss the capabilities that are being exploited, followed by an experimental attack and its evaluation on commercial networks. We finally present the feasibility and impact related issues of this attack.

5.1 LTE Radio Access Capabilities

A UE communicates its radio access capabilities [6] to the eNodeB and indicates its support for specific radio operations. An eNodeB needs to respect the received UE radio access capabilities when configuring and scheduling data/signaling for the UE [8, 26]. We now explain the capabilities that are exploited in our attacks along with their usage in the LTE network.

UE Category. It is used to set the number of bits allocated by the eNodeB over the radio channels for a UE in both downlink and uplink transmissions [8]. The higher the category, the higher the number of bits allocated. This directly translates to the data rate of the UE over the air-interface. For instance, theoretically, a Cat 6 UE is entitled to receive a maximum of 300 Mbps on the downlink whereas a Cat 1 UE has a peak of 10 Mbps.
ternal sources such as vulnerability databases from baseband ven-
dors (Huawei [25], Qualcomm [29]), OS developers (Google [19],
Carrier Aggregation (CA) and Multi Input and Multi Out-
Apple [16]) and device manufacturers (Samsung [33]) and per-
put (MIMO). To boost the capacity of the network and offer higher
form targeted attacks. Further, these device fingerprints can be
bit rates, 3GPP introduced CA and MIMO technologies. Both CA
combined with the permanent identifier IMSI to track subscribers.
and MIMO increases the bitrate, but CA increases the bandwidth
While 5G prohibited the plaintext transmission of IMSI in any situ-
while MIMO uses multi-antenna techniques. A UE supporting these
ation [12, 14], fingerprinting of a device and user is still possible
technologies is entitled to receive higher bit rate provided that the
when the device-type information is unique among the nearby
network also supports it.
devices.
Bands. Bands refer to a set of radio frequencies supported by
4.4 Evaluation and Challenges the UE. Support of multiple bands are required for inter-frequency
While we only consider 5 major baseband manufacturers, our ref- handovers and facilitates international roaming across multiple
erence model is also expandable to other baseband manufacturers. regions. Most commercial UEs will normally support multiple fre-
Identifying the baseband vendor and chipset model is a biggest quency bands depending on the region they are sold. For instance,
achievement and can be easily accomplished with the set of param- band 3, 7 and 20 are operated in Europe whereas band 2, 4 and 12
eters we mentioned in the appendix. We evaluate our fingerprinting are widely used in the North America.
techniques with 10 other unknown UEs and could successfully deter-
mine their type up to the fourth level. These 10 devices are similar to Voice Over LTE (VoLTE). As LTE is an all-IP network, the
the devices registered in our reference model. The MNmap depends standard procedure for making voice calls is using Voice over LTE
6
(VoLTE) technology. The mandatory radio access capabilities re- allocated to the subscriber (based on USIM data plan). We discuss
quired [21] to support VoLTE are Robust Header Compression more on our experiments and evaluation with different UEs in the
(RoHC), Unacknowledge Mode (UM), Semi-Persistent Scheduling next subsection.
(SPS), and Transmission Time Interval (TTI) bundling. A UE that is
not supporting these capabilities is not entitled to receive VoLTE
operations but instead use the traditional circuit switched (2G/3G)
approach to making voice calls.

5.2 Capability Hijacking


We perform a MitM attack using our experimental setup to hijack
the radio access capabilities of a UE during its registration proce-
dure. Due to the mobile network operators configuration or vendor
implementations the eNodeB requests UE’s radio access capabil-
ities prior to RRC security setup. This allows a MitM adversary
to alter the UE Capability Information sent by the UE. To exploit
this vulnerability on a commercial network we use an iPhone 8
as a victim UE in our experiment. It is a Cat 12 device and houses
an Intel XMM7480 baseband and can boost speeds upto 600 Mbps
and further also support CA, MIMO and several LTE bands. The
flow of the attack is pictured in Figure 4. To trigger the attack, our
Figure 4: MITM Capability Hijacking attack
relay is configured with a TAC that is different from the iPhone
8’s current registration area. This will lure it to initiate a TAU pro-
cedure, which is rejected by the relay with a TAU Reject message. 5.3 Experiments and Evaluation
As a result, this will delete the current security context and other In normal conditions, the iPhone 8 offers a data rate (with an elite
temporary identities in the iPhone 8 and initiate a new registration USIM plan) of 27 Mbps on the downlink Under the attack, the data
procedure by sending an Attach Request message to our relay. rate of the iPhone 8 as measured using Speedtest [1] reduced to 3.7
We simply forward this message to the legitimate network using Mbps. We tested this on two commercial networks and discovered
our rogue UE segment and allow the iPhone 8 to successfully finish that maximum speed we received is 5 Mbps. We repeated the ex-
the NAS security setup. Since this is a new registration and not a periments with other Gigabyte LTE Cat 16 devices that can boost
TAU procedure, MME requests the eNodeB to acquire UE capabili- up to 1 Gbps speeds: a Nighthawk M1 Mobile router [4] and Sam-
ties. Our relay forwards the UE Capability Enquiry message received sung Galaxy S8 phone. During our tests, although a Cat 16 device
from legitimate eNodeB to iPhone 8 and retrieves the capabilities in supports a theoretical downlink speed of 1 Gbps, we observe 35
the UE capability Information message in a plain-text format. Upon to 38 Mbps in practice during low-traffic hours (after 21:00). How-
receiving them we alter these capabilities in the following way: ever, after the attack the downlink speed is reduced to 2.9 Mbps.
UE Category is changed from Cat 12 to Cat 1, CA and MIMO are Differently, in peak hours (10:00) the speed is further reduced to
disabled, VoLTE required capabilities are disabled and all the sup- 1 Mbps. Although our test SIM is entitled to receive high quality
ported bands are disabled except the current operational band. Next, of service and data rate, the bottleneck persists at the radio layer.
we forward the modified UE Capability Information message to the Hence, when a UE’s radio cannot support higher speed, having an
legitimate network and allow the iPhone 8 to successfully establish elite subscriber profile is useless.
RRC security and complete the registration procedure with Attach
Accept being delivered to iPhone 8. Subsequently, we release the UE 5.4 Feasibility and Impact
to the legitimate network using a RRC release message. Note that The attack is practically feasible due to the following reasons. As per
eNodeB forwards these (modified) capabilities to MME which are the standard [6] UE’s radio access capabilities can be requested with-
then stored for future transactions i.e., when UE reconnects to the out establishing security and is reflected in the operator’s network
eNodeB to send/receive data, the capabilities are transferred from configurations. Furthermore, we recorded registration procedure
MME to eNodeB without repeating the UE capability transaction traces of 30 network operators from 20 countries worldwide. We
procedure. discovered that 20 out of 30 operators are affected with the vulner-
Hereafter when the iPhone 8 connects to any legitimate eNodeB, ability V2, i.e., UE’s radio access capabilities are requested prior
it is treated as a Cat 1 device and receives downlink data rate to RRC security. Hence, an adversary can perform a MitM attack
according to what a Cat 1 device is entitled to receive [8]. Thus on these networks and downgrade subscriber’s services. However,
the e iPhone 8’s speed and quality of service are downgraded after the remaining 10 networks perform RRC security prior to the UE
this attack. Further, during a voice call operation, due to lack of 4G capability transaction procedure i.e., the radio access capabilities
band support iPhone 8 is handed over to a 3G base station for call are transferred in a encrypted and integrity protected message. As
continuity. As a result, the UE will lose access to certain services a result, any MitM operation will be detected on the eNodeB and
and also cannot receive the elite QoS and data rate as originally aborted.
7
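The following script is an added illustration and not code from the paper or its testbed. It models the V2 ordering check that Section 5.4 applies to operator traces on two constructed RRC message sequences, the relay-side capability rewrite of Section 5.2, the T3324 stripping used in the power drain attack of Section 6.2, and the countermeasure of Section 7 in which the MME echoes a digest of the Attach Request it received inside the integrity-protected NAS Security Mode Command. Message names follow TS 36.331 and TS 24.301; the dictionary layout of the IEs, the requestDigest IE and the truncated HMAC-SHA256 standing in for the NAS-MAC are assumptions made for this illustration.

```python
"""Added example, not the paper's code: V2 trace check (Sec. 5.4), relay capability
rewrite (Sec. 5.2), T3324 stripping (Sec. 6.2) and the SMC echo countermeasure (Sec. 7).
IE layouts, the requestDigest IE and the HMAC stand-in for the NAS-MAC are assumptions."""
import copy
import hashlib
import hmac
import json

VOLTE_FEATURES = ("rohc-Profiles", "rlc-UM", "sps", "ttiBundling")  # per GSMA IR.92 [21]

# Constructed radio capabilities of a Cat 12 phone (not a real UECapabilityInformation dump).
CAT12_PHONE = {"ue-Category": 12, "ca-BandwidthClass": ["A", "C"], "mimo-Layers": 4,
               "rohc-Profiles": [1, 2], "rlc-UM": True, "sps": True, "ttiBundling": True,
               "supportedBandList": [1, 3, 7, 20]}

# Constructed RRC traces as (direction, message). AFFECTED asks for the capabilities before
# AS security is activated (V2); PROTECTED asks only after SecurityModeComplete.
AFFECTED = [("UL", "RRCConnectionRequest"), ("DL", "RRCConnectionSetup"),
            ("UL", "RRCConnectionSetupComplete"), ("DL", "UECapabilityEnquiry"),
            ("UL", "UECapabilityInformation"), ("DL", "SecurityModeCommand"),
            ("UL", "SecurityModeComplete"), ("DL", "RRCConnectionReconfiguration")]
PROTECTED = [("UL", "RRCConnectionRequest"), ("DL", "RRCConnectionSetup"),
             ("UL", "RRCConnectionSetupComplete"), ("DL", "SecurityModeCommand"),
             ("UL", "SecurityModeComplete"), ("DL", "UECapabilityEnquiry"),
             ("UL", "UECapabilityInformation"), ("DL", "RRCConnectionReconfiguration")]


def v2_affected(rrc_trace):
    """True if UECapabilityInformation precedes the UE's SecurityModeComplete, i.e. the
    message travels without AS integrity protection and a relay can rewrite it unnoticed."""
    as_security = False
    for direction, msg in rrc_trace:
        if direction == "UL" and msg == "SecurityModeComplete":
            as_security = True
        if msg == "UECapabilityInformation":
            return not as_security
    return False  # capabilities never requested in this trace


def relay_downgrade(caps, serving_band):
    """Relay rewrite from Section 5.2: Cat 12 -> Cat 1, CA and MIMO off, VoLTE features off,
    every band except the serving one removed."""
    out = copy.deepcopy(caps)
    out["ue-Category"] = 1
    out["ca-BandwidthClass"] = []
    out["mimo-Layers"] = 1
    for feat in VOLTE_FEATURES:
        out[feat] = [] if isinstance(out[feat], list) else False
    out["supportedBandList"] = [b for b in caps["supportedBandList"] if b == serving_band]
    return out


def relay_strip_psm(attach_request):
    """Relay rewrite from Section 6.2: drop the T3324 IE so the MME never grants PSM."""
    out = copy.deepcopy(attach_request)
    out.pop("t3324", None)
    return out


def _canon(msg):
    return json.dumps(msg, sort_keys=True).encode()


def nas_mac(k_nas_int, body):
    """Stand-in for the NAS-MAC (EPS uses a 32-bit EIA tag): truncated HMAC-SHA256."""
    return hmac.new(k_nas_int, _canon(body), hashlib.sha256).hexdigest()[:8]


def mme_security_mode_command(attach_request_as_received, k_nas_int):
    """Section 7 countermeasure: the MME echoes a digest of the Attach Request it saw
    inside the integrity-protected NAS Security Mode Command."""
    body = {"selectedNAS-Algorithms": "EEA2/EIA2",
            "requestDigest": hashlib.sha256(_canon(attach_request_as_received)).hexdigest()}
    return {"body": body, "nas-MAC": nas_mac(k_nas_int, body)}


def ue_verify_smc(smc, attach_request_as_sent, k_nas_int):
    """UE side: check the MAC first, then compare the echoed digest with what it sent."""
    if not hmac.compare_digest(smc["nas-MAC"], nas_mac(k_nas_int, smc["body"])):
        return "mac-failure"
    if smc["body"]["requestDigest"] != hashlib.sha256(_canon(attach_request_as_sent)).hexdigest():
        return "capability-mismatch"
    return "ok"


def simulate(rrc_trace, caps, attach_request, k_nas_int, relay=True):
    """One registration seen through the relay. Returns (radio capabilities stored at the
    MME, Attach Request stored at the MME, UE verdict on the SMC echo)."""
    seen_caps = caps
    if relay and v2_affected(rrc_trace):
        seen_caps = relay_downgrade(caps, caps["supportedBandList"][0])
    seen_req = relay_strip_psm(attach_request) if relay else attach_request
    verdict = ue_verify_smc(mme_security_mode_command(seen_req, k_nas_int), attach_request, k_nas_int)
    return seen_caps, seen_req, verdict


if __name__ == "__main__":
    req = {"ue-NetworkCapability": "EEA0-2/EIA1-2", "t3324": "00:00:30", "t3412ext": "310h"}
    key = b"k_nas_int-test-key"  # constructed test key, not a derived EPS key
    for name, trace in (("affected", AFFECTED), ("protected", PROTECTED)):
        caps, seen, verdict = simulate(trace, CAT12_PHONE, req, key)
        print(f"{name}: V2={v2_affected(trace)} stored Cat {caps['ue-Category']}, "
              f"T3324 kept={'t3324' in seen}, UE verdict={verdict}")
```

Run as-is, the script prints for each trace whether V2 holds, the category the MME ends up storing, whether T3324 survived the relay and the UE's verdict. Against the affected trace the relay succeeds in both rewrites; against the protected trace only the T3324 strip goes through, because that weakness sits in the NAS procedure rather than in the eNodeB configuration. In both cases the echoed digest lets the UE detect the tampering, and the relay cannot adjust the echo without breaking the NAS-MAC.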
The attack is silent since neither the UE nor the eNodeB can detect the modification of the radio access capabilities. It is also persistent because the capabilities received during the registration procedure are stored at the MME for a configured period of time (until the UE is turned off, as observed). During this period, the altered radio access capabilities are used to configure the data rate and services for the UE. We also observed that the majority of the networks do not request the UE's radio access capabilities during periodic or normal TAU procedures, in order to preserve radio resources: these capabilities can reach 8188 octets [10] and form the longest radio message. Further, in our experiments with a UE that is registered and roaming inside a city, the network did not request the radio access capabilities for a week, which means that the MME retained the UE capabilities for several days. Besides, we also observed that some networks repeatedly ask only for the UE's 3G radio access capabilities when the UE performs data transmission [5]. Hence, the UE's LTE capabilities are retained at the network for a longer period and the UE remains affected even if the attacker deactivates the relay.

• The data rate of the UE is adversely affected and depends on the UE category chosen by the MitM adversary. The UE's speed cannot be upscaled by the attack, since each category defines a maximum data rate but not a minimum.
• By removing the VoLTE capabilities, if the UE or the network does not support 2G/3G technologies, calls will be denied to the UE.
• The UE will be handed over to a 3G/2G base station in case the UE is moving and does not support the bands operated in that region. A downgrade to lower generations of network makes the UE vulnerable to more attacks.
• The UE has to be restarted and/or re-registered to recover from the attack. A subscriber affected by the attack would potentially file a complaint with customer service or switch to another operator.
• Future technologies such as V2V and other industrial vehicles that require low latencies are severely affected by poor speeds and low quality of service. Further, by disabling the V2V capabilities the UE is completely denied those services.

6 DEVICE POWER DRAIN

We first describe the power saving features defined for IoT devices and then exploit vulnerability V3 in the registration procedure of NB-IoT and LTE-M UEs. Next, we perform a power drain attack on them and study the related feasibility and impact issues.

6.1 Power Saving Feature in LTE

Certain IoT devices are deployed only to send/receive small amounts of data intermittently and are typically battery-operated. Hence, to significantly lower the power consumption of such devices, 3GPP introduced Power Saving Mode (PSM) into the LTE specifications in 2015 [15]. PSM is a state where the UE is powered off but still remains registered with the network. Precisely, 3GPP indicates to turn off the baseband and thus the radio operations; however, applications (or sensors) can still operate depending on the device settings. A UE can request the use of PSM by including the timer T3324 in the Attach or TAU Request messages. T3324 defines the time period that the UE stays active before entering PSM. During this active state the UE monitors the eNodeB channels for incoming messages from the network.

As per 3GPP and certain vendor documents [15, 17], the network activates PSM only when the UE requests T3324 in the Attach Request or TAU Request messages and further if the network has PSM support. Similarly, a UE can activate PSM only if the network has provided the T3324 value IE during the last registration procedure with a value different from "deactivated" [15]. Hence the UE and the network are equally responsible for the activation/deactivation of PSM. Upon the expiry of T3412 the UE leaves PSM and initiates a periodic TAU procedure. Additionally, an extended version of T3412 called T3412 ext is defined to further lower power consumption, and can optionally be used with T3324. When T3412 ext is included, the UE chooses it over T3412 since the former can specify longer sleep durations. In this way a device that transmits once per day in PSM could last well over 10 years on 2 AA batteries [7].

6.2 Battery Draining

We drain the battery of low-powered NB-IoT devices by being a MitM on the LTE air interface. To demonstrate this attack we mount our NB-IoT testbed as a MitM (relay) and use a Quectel BC68 Evaluation Kit [30] (referred to as BC68 hereafter) as the victim UE. As the BC68 is a development board, we have access to its diagnostic ports and can monitor its LTE signalling messages and internal activity logs. In the attack, our relay modifies the contents of the Attach Request message as shown in Figure 5. Specifically, the relay is configured in such a way that it lures the BC68 to trigger a TAU procedure. Upon receiving a TAU Request message, our relay acknowledges it with a TAU Reject message, which causes the BC68 to delete its previously stored context and temporary identifiers and start a new registration by sending an Attach Request message to our relay. Subsequently, our relay removes T3324 from the message and forwards it to the legitimate network without modifying any other contents. Further, as overseen by the relay, both the legitimate MME and the BC68 perform authentication and establish NAS security. Finally, an Attach Accept message is delivered to the BC68, which is then released to the legitimate network. Note that the Attach Accept message does not contain T3324 since the MME did not receive it in the Attach Request message. Thus, the BC68 cannot activate PSM and does not power off. Instead, it decodes broadcast messages from the eNodeB and performs cell measurement activities, leading to power consumption. Besides, the network assigns T3412 ext to the BC68 with a value of 310 hours, which indicates that it should perform the next TAU procedure after approximately 13 days.

6.3 Feasibility and Impact

The vulnerability is present in the 3GPP LTE registration procedure defined especially to benefit low-powered IoT devices. Hence all manufacturers implementing the LTE Release 12 standards are affected by this vulnerability. The attack persists even when the attacker turns off the relay and holds until T3412 (or T3412 ext) expires in the UE. In our experiments we observed that certain networks implement 10 to 15 days as the periodic TAU timer. It can vary heavily depending on the subscription of the SIM, the IoT application and the configuration of the operator. To recover from the attack, the UE should reconnect to the network and perform a registration procedure (or TAU) in the adversary's absence.

Figure 5: MitM Power drain attack on NB-IoT devices

Figure 6: Current and power consumption of BC68 with and without PSM. [Plot: x-axis Time Passed (Hours), 0 to 14; left y-axis Energy (mWh), 0 to 300; right y-axis Current (mA), 0 to 50; series: Energy w/o PSM, Energy w/ PSM, Current w/o PSM, Current w/ PSM.]

During our experiments, in a scenario without the attacker, T3324 is configured to 30 seconds and T3412 ext to 13 days. Thus the BC68 enters PSM 30 seconds after it completes registration and performs a periodic TAU after 13 days. But, under the influence of the attack, the UE is constantly ON for 13 days and then performs the periodic TAU. We measured the current and power consumption of the BC68 for several days with and without the attacker and plotted them in Figure 6. The initial peak of current drawn in both cases is caused by the initial registration with the network. Without PSM, the BC68 performs power measurements of neighbouring cells, which consumes power. This is reflected as constant fluctuations in the current consumption. In contrast, when PSM is active, the baseband is OFF and consumes an almost negligible current.

3GPP [7] promises 10+ years of battery life for NB-IoT devices when powered with a 5 Wh battery. When we extrapolate our results to a 5 Wh battery (assuming no losses), with PSM the BC68 consumed 0.65 mA of average current, taking 1538 hours (about 64 days) to drain the whole battery. In contrast, under the attack, the BC68 consumed 3 mA of average current at 5 V input, taking 333 hours (about 13 days) to drain the whole battery. Hence, the power drain attack reduces the battery life by a factor of about 5. Note that the total decrease in battery life depends on other factors, such as the sensors attached to the device and how often communication is performed. In our experiments with the BC68, no sensors were attached and no messages were exchanged, so all the current is drawn by the baseband alone.

7 DISCUSSION AND COUNTERMEASURES

An overview of the vulnerabilities, attacks and countermeasures is presented in Table 1. In this section we propose two countermeasures to prevent these attacks in LTE and 5G networks. Our solutions can be easily integrated into the current LTE ecosystem and can be considered for future 5G networks.

Table 1: Overview of the attacks and vulnerabilities

Vulnerability | Problem in | Attack | Attack mode | Impact | Mitigation
V1: UE capabilities accessible without authentication | 3GPP LTE protocols [6] | Mobile Network Mapping (MNmap) | Rogue eNodeB | Identification of devices (model, OS) | Mandatory security protection for UE capabilities
V2: UE radio capabilities accessed before security setup | Operator's eNodeB configuration or implementation | Bidding Down | MitM relay | Decline of data rate, downgrade to 3G/2G for voice calls | Mandatory security protection for UE capabilities
V3: UE (NB-IoT) core capabilities not protected | 3GPP LTE protocols [15] | Battery Draining | MitM relay | Excess power consumption on device | Core network capabilities mutually verified after NAS security setup

Device Capability Protection. 3GPP should consider mandating security protection for UE capabilities. In particular, the UE Capability Information message carrying the radio access capabilities should be requested by the eNodeB (via UE Capability Enquiry) only after establishing RRC security. This will prevent a MitM from hijacking those capabilities. Although changing the current LTE standards is considered challenging and unappealing to the 3GPP body, this mitigation can be considered in the ongoing second phase of 5G development. Even if our fix is implemented in the LTE standards, baseband vendors need long periods to update their basebands, and hence attackers can still exploit this vulnerability in the meantime.

On the network operator side, the eNodeB configuration or implementation should be changed such that an eNodeB requests UE Capability Information only after establishing RRC security. This is a very easy fix and can be implemented by operators either as a software update or as a configuration change on their eNodeBs. Nevertheless, in practice only a minority of operators acquire capabilities after security setup. The difference among the various operators we tested clearly indicates that this is either an implementation or a configuration problem.

Besides, core network capabilities are accessible to both active and passive adversaries as they are sent in the plaintext Attach Request message. Even if the radio access capabilities are protected as discussed above, an attacker could still perform the MNmap attack. However, currently no specific protection exists for core network capabilities, and hence their protection can be considered for future work.

Verification of Device Capabilities. We propose to provide protection for UE capabilities in addition to the UE security algorithms. Although a similar approach is mentioned in [35], we propose a customized approach that can be implemented with less effort. Along with the security algorithms, the capabilities such as timers and UE-requested services should be sent back to the UE in an integrity-protected NAS Security Mode Command message to confirm that they are the same capabilities originally sent by the UE. This will prevent any type of bidding down attack and service downgrade. When a mismatch is found, the UE can renegotiate the right services with the network (assuming the attacker is disabled). Recently, 3GPP has introduced a hash-based mechanism into the LTE Release 14 specifications [11] that protects LTE core network capabilities, but all the older release versions including NB-IoT are still vulnerable to our attacks. However, the radio capabilities are still at risk and we hope they will be addressed in the upcoming 5G release.

Responsible Disclosure. We have reported our research to the GSMA through their CVD programme. We also disclosed our vulnerabilities to the 3GPP SA3 body and several affected operators worldwide. All the informed parties have acknowledged our findings and have initiated measures to prevent these attacks. We are currently in discussion with network operators to propose modifications to the upcoming 5G releases.

8 RELATED WORK

We study and discuss a set of wireless security research papers related to our work. We focus on three categories primarily: MitM, identification, and service availability.

A. MitM threats: Recent literature has witnessed several attacks targeting LTE subscribers' privacy using rogue base stations. In [32] the authors perform a DNS hijacking attack on HTTP-based DNS traffic. The cause of such an attack is the lack of integrity protection for data traffic on the LTE air interface. Although our experimental setup is similar, our attacks do not involve any cryptanalysis and are easier to perform. Also, this problem is addressed and fixed in 5G networks, hence those attacks are not applicable to 5G networks, whereas the vulnerabilities we raised prevail in the 5G phase 1 release and require immediate correction. MitM capability modification attacks have been proposed in low-powered wireless networks. Capability exchange during the Bluetooth pairing procedure is presented in [23, 24, 39], and LoRa has a spreading factor which changes bit rate and power consumption [34], but unlike LTE it is a static configuration. Besides, Sigfox [37] has a different security model where MitM is not feasible, and it is not affected by this attack unless a cellular network is used as a backhaul link.

B. Identification threats: IMSI transmission in plaintext over the air is possible in LTE networks and can reveal the subscriber identity to active and passive adversaries. However, the transmission of the International Mobile Equipment Identity (IMEI) in plaintext is restricted over LTE networks by 3GPP to enable device privacy. But certain baseband implementations reveal [31] the device IMEI to rogue base stations. In our work, the problem persists in the 3GPP standard rather than in the implementation, and hence all LTE devices are vulnerable to our attack. Differently, in [27, 28] the authors present device type identification techniques using MAC layer information and network interactions for IP-enabled IoT devices or cellular devices connected over wired Ethernet or WLAN interfaces. Further, they also pinpoint vulnerable devices based on information from vulnerability databases. They perform numerous experiments with real-world off-the-shelf IoT devices. Unlike theirs, our research focuses on devices with cellular capabilities and hence applies to the latest cellular IoT technologies introduced in the last couple of years. Moreover, we do not use private identifiers such as the IMEI or MAC addresses for identification but determine the device type using its features. Most importantly, our identification technique also detects a wide range of devices on 5G networks. Next, in [35] the authors identify LTE subscribers and their location using temporary identifiers. However, sufficient randomization of these temporary identifiers eliminates the tracking issue and is already implemented by several operators worldwide. Besides, our methods fingerprint devices based on their capabilities, which mostly remain static. Further, we can also link these fingerprints to the IMSI and track users on LTE networks.

C. Service availability threats: Attacks targeting LTE service availability fall into the DoS and downgrade-of-service categories. Recently, rogue base station attacks on LTE self-organizing networks were presented in [36]. Majorly, the paper uncovers vulnerabilities existing in the measurement reporting procedure, where the network's internal data can be poisoned with malicious information, causing call drops and service downgrades. Unlike ours, those attacks are not persistent and UEs can recover once the attacker shuts down the rogue eNodeB. Moreover, our work targets UEs rather than eNodeBs and hence we require less effort and cost to cause heavy damage. Next, in [35] the authors perform denial of service attacks using dedicated LTE control plane messages. Further, we note that the authors have discussed a vulnerability like V3 but lack any experiments to justify their attack in real networks. In contrast, we exploit the latest NB-IoT protocols to cause power drain attacks and have tested and evaluated them on commercial UEs.

9 CONCLUSION

We presented three vulnerabilities that exploit UE capabilities exposed on an LTE network and evaluated them using an experimental setup. We demonstrated that the hardware and software characteristics of any device with cellular capabilities can be determined using our reference model. Next, we highlighted an LTE network misconfiguration among 20 operators that causes several service downgrades and affects subscriber experience. Further, we also discussed battery draining attacks on cellular IoT devices. Lastly, we presented mitigations to prevent our attacks and also recommendations to consider for the 5G phase 2 development.

Impact. Several operators have been notified of implementation vulnerabilities and remedial actions are underway. Further, the 3GPP SA3 body is considering adding protection for UE capabilities.

Acknowledgements. This research was partly performed within the SerIOT project (seriot-project.eu), the EU Framework Programme for Research and Innovation Horizon 2020 under grant agreement no. 780139. We would like to thank the anonymous reviewers for their valuable inputs and suggestions.

REFERENCES

[1] SPEEDTEST. http://speedtest.net/.
[2] GSMArena.com. https://www.gsmarena.com/team.php3.
[3] WikiDevi. https://wikidevi.com/wiki/Main_Page.
[4] 2018. Nighthawk M1 Mobile Router. http://www.za.netgear.com/landings/nighthawk-mr1100-mobile-router/.
[5] 3GPP. 2013. Evolved Universal Terrestrial Radio Access (E-UTRA) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Overall description; Stage 2. TS 36.300. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/36300.htm
[6] 3GPP. 2013. Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol specification. TS 36.331. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/36331.htm
[7] 3GPP. 2015. Technical Specification Group GSM/EDGE Radio Access Network; Cellular system support for ultra-low complexity and low throughput Internet of Things (CIoT) (Release 13). TS 45.820. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/45820.htm
[8] 3GPP. 2016. Technical Specification Group Radio Access Network; Evolved Universal Terrestrial Radio Access (E-UTRA); User Equipment (UE) radio access capabilities (Release 13). TS 36.306. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/36306.htm
[9] 3GPP. 2017. Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Mobile radio interface Layer 3 specification; Core network protocols; Stage 3 (3GPP TS 24.008 version 14.4.0 Release 14). TS 24.008. 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/DynaReport/24008.htm

[10] 3GPP. 2017. LTE;Evolved Universal Terrestrial Radio Access (E-UTRA); Packet Data [31] R.Borgaonkar, A.Shaik, N.Asokan ,V.Niemi, J.P.Seifert . 2015. LTE and IMSI
Convergence Protocol (PDCP) specification (3GPP TS 36.323 version 14.3.0 Release catcher myths; Blackhat EU. https://www.blackhat.com/docs/eu-15/materials/
A LIST OF ACRONYMS

Acronym   Meaning
3GPP      Third Generation Partnership Project
CA        Carrier Aggregation
DoS       Denial-of-Service
E-UTRAN   Evolved Universal Terrestrial Radio Access Network
eNodeB    evolved NodeB
GSMA      GSM Association
LTE       Long Term Evolution
IMSI      International Mobile Subscriber Identity
IMEI      International Mobile Equipment Identity
MitM      Man in the Middle
MIMO      Multi Input Multi Output
MME       Mobility Management Entity
MNmap     Mobile Network mapping
NAS       Non Access Stratum
NB-IoT    Narrow Band - Internet of Things
PSM       Power Saving Mode
RRC       Radio Resource Control
TAU       Tracking Area Update
TAC       Tracking Area Code
UE        User Equipment
USIM      Universal Subscriber Identity Module
VoLTE     Voice over LTE
V2V       Vehicle to Vehicle

Table 2: Summary of Acronyms

B DIFFERENCES AMONG BASEBAND VENDORS

Capability                        Huawei  Sam  Intel  MTK  QC
CM Service Prompt                 1       0    0      0    1
EIA0                              1       1    1      1    0
Access class control for CSFB     0       1    0      1    1
Extended Measurement Capability   0       0    0      1    0

• Sam: Samsung, MTK: MediaTek, QC: Qualcomm
• 1: enabled, 0: disabled
• CM Service Prompt: Call waiting
• CSFB: Circuit Switch Fallback (voice call in 2G/3G).
• Extended Measurements: Radio Measurements that can be performed for frequency planning purposes.

C CELLULAR VS CELLULAR IOT

Capability                                  Cellular  Cellular IoT
PSM timer: T3324                            0         1
Extended timer for periodic TAU: T3412 ext  0         1

D PHONE VS OTHERS

Capability                           Phone                          Other
UE’s usage setting                   Voice Centric or Data Centric  Not present
Voice domain preference for E-UTRAN  CS Voice or IMS PS Voice       Not present
UMTS AMR codec                       Present                        Not present

E ANDROID VS IOS

Capability                  Android  iOS
MS assisted GPS             1        0
voiceOverPS-HS-UTRA-FDD-r9  1        0

• MS-Assisted GPS: The phone can use “assistance data” from the network to improve the accuracy of satellite-based positioning.
• voiceOverPS-HS-UTRA-FDD: Indicates whether the UE supports the IMS voice profile in 3G.

F LIST OF TEST DEVICES

We used the following devices to build the reference model.

Manufacturer     Model               Baseband Type
Samsung          Galaxy Alpha        Intel XMM7260
Samsung          Galaxy S6           Samsung Exynos Modem 333
Samsung          Galaxy S7           Samsung Exynos 8890
Samsung          Galaxy S8           Samsung Exynos 8895
Huawei           Honor 7             Kirin 935
Huawei           P20                 Kirin 970
HTC              One E9              MediaTek X10
LG               G Flex 2            Qualcomm MSM8994
Sony             Xperia Z5           Qualcomm MSM8994
Sony             Xperia X            Qualcomm MSM8956
Planet Computer  Gemini              MediaTek X27
Apple            iPhone 6            Qualcomm MDM9625
Apple            iPhone 8            Intel XMM7480
Apple            iPhone 8 (US)       Qualcomm MDM9655
Apple            iPhone X (US)       Qualcomm MDM9655
Google           Nexus 5X            Qualcomm MSM8992
Nokia            8110 4G             Qualcomm MSM8905
Asus             ZenFone 2E          Intel XMM7160
Huawei           E3372               Huawei
Samsung          GT-B3740            Samsung CMC220
Sierra Wireless  EM7455              Qualcomm MDM9635
Fibocom          L850-GL             Intel XMM7360
Telit            LN930               Intel XMM7160
AVM              FritzBox LTE        Intel XMM7160
Huawei           B310s               Huawei
Netgear          Nighthawk           Qualcomm MDM9250
GlocalMe         G2                  Qualcomm MSM8926
Quectel          BC68                Huawei NB-IoT
Quectel          BC66                MediaTek NB-IoT
Quectel          BG69                Qualcomm MDM9206
Audi             A6                  Qualcomm MDM9635
Samsung          SM-V110K            Qualcomm MDM9206
Mobile Eco       ME-K60KL            Qualcomm MDM9206
Apple            Watch Series 3      Qualcomm MDM9635M
Huawei           MediaPad M5         Kirin 960
Apple            iPad 5th gen        Qualcomm MDM9625M

Table 3: List of Test Devices
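The vendor rows of Appendix B are a reference model, and a defender assessing the privacy impact of the unprotected capability exchange wants to know how much identifying information those four flags carry. The following Python script is an added example, not code from the paper or from the authors' MNmap tool: it transcribes the Appendix B rows, computes the anonymity set of each vendor under any subset of observed flags, finds the smallest subset that still separates all five vendors, and lists the flags whose absence from the exchange would merge at least two vendors. Flag and vendor names are those of the table; the function names are assumptions of this example.

```python
"""Leakage analysis of the Appendix B baseband-vendor reference model.

Added example (not the paper's own code). It quantifies, from a defender's
side, how strongly four capability flags that are exchanged before security
activation identify the baseband vendor, and which of them would have to be
protected before vendors become indistinguishable again.
"""
from itertools import combinations

# Flag order and rows transcribed from Appendix B (1 = enabled, 0 = disabled).
FLAGS = (
    "CM Service Prompt",
    "EIA0",
    "Access class control for CSFB",
    "Extended Measurement Capability",
)
VENDOR_MODEL = {
    "Huawei":   (1, 1, 0, 0),
    "Samsung":  (0, 1, 1, 0),
    "Intel":    (0, 1, 0, 0),
    "MediaTek": (0, 1, 1, 1),
    "Qualcomm": (1, 0, 1, 0),
}


def anonymity_sets(model, visible):
    """Group vendors that look identical when only the flag indices in
    `visible` can be observed. Returns {observed_values: [vendors]}."""
    groups = {}
    for vendor, row in model.items():
        key = tuple(row[i] for i in visible)
        groups.setdefault(key, []).append(vendor)
    return {key: sorted(vendors) for key, vendors in groups.items()}


def uniquely_identified(model, visible):
    """Vendors whose anonymity set has size 1 under the visible flags."""
    return sorted(
        group[0] for group in anonymity_sets(model, visible).values()
        if len(group) == 1
    )


def minimal_distinguishing_sets(model):
    """Smallest subsets of flags that still separate every vendor."""
    n = len(FLAGS)
    for size in range(1, n + 1):
        found = [
            subset for subset in combinations(range(n), size)
            if all(len(g) == 1 for g in anonymity_sets(model, subset).values())
        ]
        if found:
            return [tuple(FLAGS[i] for i in subset) for subset in found]
    return []


def identifying_flags(model):
    """Flags whose removal from the exchange merges at least two vendors,
    i.e. the flags that actually carry identifying information."""
    indices = range(len(FLAGS))
    result = []
    for i in indices:
        visible = [j for j in indices if j != i]
        if len(uniquely_identified(model, visible)) < len(model):
            result.append(FLAGS[i])
    return result


if __name__ == "__main__":
    print("all flags visible, uniquely identified:",
          uniquely_identified(VENDOR_MODEL, range(len(FLAGS))))
    print("smallest distinguishing flag sets:",
          minimal_distinguishing_sets(VENDOR_MODEL))
    print("flags carrying identifying information:",
          identifying_flags(VENDOR_MODEL))
    # With Extended Measurement Capability hidden, Samsung and MediaTek merge.
    print(anonymity_sets(VENDOR_MODEL, (0, 1, 2)))
```

Running the script shows that all five vendors are separated by the four flags, that three of them already suffice, and that EIA0 adds no distinguishing power on top of the other three. The practical reading for an operator or standards body is that protecting a single field does not restore anonymity; the capability exchange as a whole has to be moved behind security activation, which is the countermeasure the paper argues for.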
