Blind DoS attack
Unlike the aforementioned attack that denies multiple users in an eNB, the Blind DoS attack denies a targeted UE by establishing RRC Connections spoofed as the victim UE.

1) Attack model: The attacker performs the attack within the area covered by the victim’s serving eNB. The attacker also knows the victim’s S-TMSI, which can be obtained in three ways:
• An adversary who has knowledge of the victim’s phone number or accounts on social media (such as Facebook and WhatsApp) could obtain the victim’s S-TMSI by performing a silent Paging attack.
• An adversary located in the vicinity of the target user could operate a rogue eNB to obtain the NAS TAU request of the victim UE. This request contains the S-TMSI of the victim UE. As soon as this message is received, the adversary turns off the rogue eNB to enable the victim UE to recover the LTE service by connecting to a carrier network.
• The adversary sniffs the RRC Connection procedure of the target UE to obtain the S-TMSI of the target UE as specified in the RRC Connection setup.

2) Attack procedure: The adversary carries out the attack by establishing an RRC Connection spoofed as the victim UE (Fig. 5(b)). This can be achieved by inserting the S-TMSI of a victim UE in the ueIdentity field of the RRC Connection request. This attack can be launched with no special effort to circumvent the deployed security measures because, by design, the RRC Connection procedure has no security mechanisms to conceal the content or authenticate the message sender.

3) Implementation: We used one USRP B210 for the software radio transceiver, and srsUE for the software LTE UE. We slightly modified the srsUE to add the S-TMSI of the target UE to the ueIdentity field of the RRC Connection request. In addition, for the same reason as for the BTS resource depletion attack, the attacker device does not respond to the NAS Authentication request.

4) Validation: We validated the attack on commercial eNBs located in the vicinity of our laboratory building. To exclude innocent victims, we only utilized the S-TMSI of our mobile phone as the identity of the victim UE. The impact of the attack was assessed by separating it into two types according to the RRC Connection state of the victim UE.
• The victim UE is in the RRC IDLE state: The UE attempts to establish an RRC Connection when Paging notifies it of incoming services or when the UE has outgoing service traffic. If the adversary establishes an RRC Connection spoofed as the victim UE, the serving eNB saves the RRC state of the victim as RRC CONNECTED and notifies the serving MME of this change. Thus, the MME does not trigger Paging to any eNBs, despite the existence of incoming services for the victim. In this case, the victim is blindly disconnected from the serving eNB until it attempts to establish a new RRC Connection for outgoing traffic from the application services. From the user’s perspective, both incoming data and voice are blocked without any notification of disconnection.
• The victim UE is in the RRC CONNECTED state: When the adversary establishes a spoofed RRC Connection, the existing RRC Connection of the victim UE is released on the eNB without any notification to the victim. In this case, the UE continues to try to communicate with the serving eNB, but this fails because the radio bearer was already released. Once communication has failed several times, the UE falls into the Radio Link Failure (RLF) state, and thus it sends an RRC Connection reestablishment request. However, the serving eNB rejects this request because it is already released. Upon receiving the reject message, the UE attempts to carry out the NAS TAU procedure and reestablishes the connection by sending an NAS Service request. Eventually, the UE is disconnected from the network during the re-registration procedure explained above. The time required for re-registration was approximately 0.5 s, so if the adversary were to continuously establish the spoofed RRC Connection every 0.5 s, the victim would remain in the disconnected state permanently.

Note that we validated this attack on three different eNB vendors. When the victim UE is in RRC IDLE, the attack succeeded for all eNBs. However, when the victim UE is in RRC CONNECTED, two of our target eNBs were affected by the attack whereas the other eNB was not.

To summarize, a Blind DoS attack could block incoming services of a victim UE in RRC IDLE state by deceiving a serving eNB, which believes that the UE is in RRC CONNECTED state. In addition, the victim UE was permanently prevented from using the LTE service with the eNBs of two vendors, because those eNBs maintain only a single RRC Connection for a single S-TMSI of a UE.
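
One network-side check that follows from the implementation and validation described above, as an added example that is not code from the paper: flag an S-TMSI that appears in repeated RRC Connection requests whose connections never complete NAS authentication. The event tuple format, the `find_spoofed_stmsi` name, the thresholds and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical eNB-side log format:
# (time_s, crnti, event, s_tmsi); s_tmsi is set only on the request.
# Assumes a C-RNTI is not reused within the analysed log.
SAMPLE_EVENTS = [
    (0.00, 0x46, "rrc_conn_request", "c1a2b3d4e5"),  # connection that authenticates
    (0.05, 0x46, "nas_auth_ok", None),
    (0.60, 0x47, "rrc_conn_request", "c1a2b3d4e5"),  # same S-TMSI, never authenticates
    (1.10, 0x48, "rrc_conn_request", "c1a2b3d4e5"),
    (1.60, 0x49, "rrc_conn_request", "c1a2b3d4e5"),
    (2.00, 0x50, "rrc_conn_request", "0f0e0d0c0b"),  # unrelated UE, normal behaviour
    (2.04, 0x50, "nas_auth_ok", None),
    (9.00, 0x51, "rrc_conn_request", "0f0e0d0c0b"),
    (9.03, 0x51, "nas_auth_ok", None),
    (9.10, 0x52, "rrc_conn_request", "c1a2b3d4e5"),  # too recent to judge
]


def find_spoofed_stmsi(events, auth_timeout=0.4, window=5.0, threshold=3):
    """Return {s_tmsi: [times]} of identities with at least `threshold`
    connection requests inside `window` seconds that never authenticated."""
    events = sorted(events, key=lambda e: e[0])
    if not events:
        return {}
    log_end = events[-1][0]
    authenticated = {crnti for _, crnti, ev, _ in events if ev == "nas_auth_ok"}

    unauth = defaultdict(list)
    for t, crnti, ev, s_tmsi in events:
        if ev != "rrc_conn_request" or crnti in authenticated:
            continue
        if log_end - t < auth_timeout:
            continue  # authentication may still be in flight; leave undecided
        unauth[s_tmsi].append(t)

    flagged = {}
    for s_tmsi, times in unauth.items():
        start = 0  # left edge of a sliding window over sorted request times
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[s_tmsi] = times
                break
    return flagged
```

Because the RRC Connection request itself is unauthenticated, this check can only surface the pattern after the fact; it does not stop the eNB from releasing the legitimate connection.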