ATTACKS EXPLOITING UE: AKA BYPASS ATTACK

1) Adversary model: The adversary is located close enough to the victim UE to trigger a handover from the serving eNB to the adversary's rogue LTE network. To this end, the rogue LTE network transmits an LTE signal with higher transmission power than the commercial eNBs. In addition, the adversary has to know the list of Tracking Areas (TAs) in order to masquerade the rogue LTE network as a commercial one. A valid TA Code (TAC) can easily be captured in two ways:
• If the adversary is subscribed to the same carrier as the victim, the list of TAs can be obtained by inspecting control plane messages such as Attach Accept.
• If the adversary only owns a rogue LTE network, she first chooses a TAC at random. Once the target UE connects to the rogue LTE network, it sends a TAU request because the TA of the connecting network is not on its list of TAs. Upon receiving the TAU request, the adversary obtains the UE's previous TAC by parsing the request. Note that the TAU request is only integrity protected, not ciphered, so its contents can be read.
2) Attack procedure: As shown in Fig. 9, the adversary builds the rogue LTE network and configures its operating parameters to be identical to those of the victim's operational network. ➀ If the transmission power of the rogue eNB is higher than that of the serving eNBs, a victim in the RRC IDLE state resynchronizes to the adversary's eNB. In this case, the UE does not trigger the NAS TAU procedure, because the TAC of the rogue eNB is contained in the TA list of the victim UE. Thus, ➁ when the UE has outgoing data to send (e.g., it places a call or browses the Web) or receives a Paging message from the rogue LTE network, it establishes an RRC connection and sends a NAS Service request. Upon receiving a valid, integrity protected Service request from the UE, a legitimate eNB performs the RRC Security mode procedure to derive the cryptographic keys for the RRC layer and the user plane and to activate AS security.
However, ➂ the rogue LTE network omits this procedure and immediately prepares to create a radio tunnel (a Data Radio Bearer (DRB)) by sending a plain (unprotected) RRC Connection reconfiguration. Upon receiving this request, ➃ the UE creates the DRB and replies with a plain RRC Connection reconfiguration complete message. Finally, ➄ the UE transmits and receives unprotected user data through this tunnel with the rogue LTE network without any notification to the user.
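The following is an added example, not code from the paper, from openLTE or from any baseband; it models steps ➁ to ➄ as a small message exchange so that the security-relevant point can be checked: a UE that accepts a DRB setup in a plain RRC Connection reconfiguration before the Security mode procedure ends up sending user data in the clear. The UE model, the message class and the flag names (`protected`, `drb_to_add`, `strict`) are assumptions of this example; there is no ASN.1 encoding or real key derivation. `strict=False` reproduces the behaviour the text observed, while `strict=True` is a hardened UE that refuses to create a bearer before AS security is activated (what a conforming UE is expected to do).

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed example: message names follow the RRC/NAS terminology used in
# the text; the UE state machine below is a simplified assumption.


@dataclass
class Msg:
    name: str
    protected: bool = False           # sent with PDCP integrity (AS security) applied
    body: dict = field(default_factory=dict)


class UE:
    """UE in RRC_CONNECTED right after sending a NAS Service request (step 2).

    strict=False: a plain RRCConnectionReconfiguration that sets up a DRB is
                  accepted before AS security is active (behaviour in the text).
    strict=True:  DRB setup before SecurityModeCommand is refused (hardened model).
    """

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.as_security = False      # set by the Security mode procedure
        self.drbs: List[int] = []
        self.sent: List[Msg] = []

    def receive(self, msg: Msg) -> Optional[Msg]:
        if msg.name == "SecurityModeCommand":
            # A legitimate eNB does this first: derive the RRC/user-plane keys
            # and switch PDCP protection on from here.
            self.as_security = True
            reply = Msg("SecurityModeComplete", protected=True)
        elif msg.name == "RRCConnectionReconfiguration":
            sets_up_drb = "drb_to_add" in msg.body
            if self.strict and sets_up_drb and not self.as_security:
                # Hardened behaviour: no bearer for user data without AS security.
                return None          # a real UE would release/re-establish here
            if sets_up_drb:
                self.drbs.extend(msg.body["drb_to_add"])   # step 4: DRB created
            reply = Msg("RRCConnectionReconfigurationComplete",
                        protected=self.as_security)
        else:
            return None
        self.sent.append(reply)
        return reply

    def send_user_data(self, payload: bytes) -> Optional[Msg]:
        """Step 5: user traffic leaves over the DRB with whatever protection
        the bearer has; with no AS security it leaves the UE in clear."""
        if not self.drbs:
            return None
        m = Msg("UserData", protected=self.as_security,
                body={"drb": self.drbs[0], "data": payload})
        self.sent.append(m)
        return m


def run_flow(ue: UE, enb_messages: List[Msg]) -> List[Msg]:
    """Drive the UE with the eNB's downlink messages, then let it send data."""
    exchange: List[Msg] = []
    for m in enb_messages:
        exchange.append(m)
        reply = ue.receive(m)
        if reply is not None:
            exchange.append(reply)
    data = ue.send_user_data(b"GET / HTTP/1.1")          # constructed payload
    if data is not None:
        exchange.append(data)
    return exchange


GENUINE_ENB = [Msg("SecurityModeCommand", protected=True),
               Msg("RRCConnectionReconfiguration", protected=True,
                   body={"drb_to_add": [1]})]

# Step 3: the rogue eNB skips SecurityModeCommand entirely.
ROGUE_ENB = [Msg("RRCConnectionReconfiguration", protected=False,
                 body={"drb_to_add": [1]})]


def user_data_leaks(strict: bool, enb_messages: List[Msg] = ROGUE_ENB) -> bool:
    """True if the UE ends up transmitting user data without protection."""
    exchange = run_flow(UE(strict=strict), enb_messages)
    return any(m.name == "UserData" and not m.protected for m in exchange)


if __name__ == "__main__":
    print("observed UE, rogue eNB :", user_data_leaks(False))   # leaks
    print("hardened UE, rogue eNB :", user_data_leaks(True))    # no bearer, no leak
    print("observed UE, genuine eNB:", user_data_leaks(False, GENUINE_ENB))
```

The only difference between the leaking and the safe run is the check in `receive`: a bearer for user data is never created while `as_security` is false. A legitimate eNB always sends SecurityModeCommand before the reconfiguration, so the check does not affect normal attach.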

3) Implementation: We used one USRP B210 as the radio transceiver and openLTE for the rogue LTE network. The adversary's rogue LTE network does not negotiate security algorithms for the RRC layer and user data in response to a connection request from the victim UE. Furthermore, the RRC Reconfiguration procedure is performed without security protection, which violates the security guidelines in the standard.
4) Validation: We validated that the AKA Bypass attack can nullify the existing encryption of the user data of an already attached UE on multiple smartphone models (e.g., the LG G2 and Samsung Galaxy S4/S5, all of which use Qualcomm basebands). Because our rogue LTE network configured its TAC to be in the TA list of the victim UE, the UE did not trigger a TAU request when it first synchronized with our eNB. Interestingly, some models frequently initiated the NAS TAU request during the attack period. However, if the rogue LTE network simply does not reply to such a request, the victim UE reconnects by sending a NAS Service request, so the attack remains effective in that situation as well.