DoS attack
Previous studies introduced DoS attacks that exploit vulnerabilities in LTE control plane procedures. Shaik et al. presented DoS attacks using plain reject messages (NAS TAU reject, Service reject and Attach reject). Raza et al. demonstrated two types of DoS attacks that were able to detach a user from the network: the first uses a plain NAS Detach request message and the other uses Paging with the user’s IMSI. Both studies showed that certain unprotected plain messages may cause denial of service to users. In this paper, we defined the desired security properties in an LTE network and systematically crafted the messages that can pose a threat to each property. Consequently, we tested (almost) all RRC and NAS uplink/downlink messages and showed that DoS attacks are possible with other message types that were previously unknown. Unlike these two studies, Hussain et al. formally modeled the control plane procedures based on the LTE standard and inspected the model to identify LTE design problems. Among the vulnerabilities introduced, they presented several DoS attacks using plain NAS messages. However, as they inspected the LTE standard (focusing on NAS), their model cannot disclose the vulnerabilities resulting from design bugs in the RRC layer or incorrect implementations in operational networks. In contrast, our approach can be used to uncover the vulnerabilities resulting from both the design flaws and incorrect implementations in the control plane protocols. Prior to these studies, investigations of DoS attacks in 2G and 3G networks were reported.