Remote de-registration attack
During our experiments, we discovered that operational MMEs have several implementation flaws that cause them to unnecessarily de-register the victim UE without notification. The detailed attack scenario is as below. 1) Adversary model: An adversary should be able to send malicious NAS messages to the MME in which the victim UE is registered. Typically, an MME manages a number of eNBs which are distributed throughout large geographical regions. The adversary also knows the S-TMSI of the victim UE.
Especially, for an attack that exploits message replay, the adversary would have to capture the corresponding message before launching the attack. There are two ways to obtain a control plane message of the victim UE. • An adversary could operate a rogue LTE network to capture the control plane messages of the victim UE while relaying these messages between the UE and the network. • An adversary could install a malicious app with control plane message logging functionality on the UE. We implemented the attack by utilizing a rogue LTE network to capture the control plane messages of the victim UE. In this case, the adversary cannot decrypt the messages. However, we could correctly identify the type of encrypted messages by only checking the order and length of the messages. 2) Attack procedure: As shown in Fig. 8, ➀ an adversary first establishes an RRC Connection spoofed as the victim UE (using the UE’s S-TMSI). ➁ The adversary sends a crafted initial plain request, invalid security protected message, or replayed message to the MME serving the victim6 . In this case, once the adversary sends the message through the spoofed RRC Connection, the serving eNB forwards the message to the MME serving the victim by checking the S-TMSI. ➂ The MME processes the message it receives from the adversary inappropriately. Consequently, the MME de-registers the connection of the victim UE without any notification to them. 3) Implementation: We implemented the adversary using the srsLTE UE stack . She sends the vulnerable NAS messages as soon as the spoofed RRC Connection is established. 4) Validation: We demonstrated the Remote de-register attack against an operational LTE network by exploiting either invalid plain messages, security protected messages or replayed messages. We confirmed that an adversary could perform this attack by connecting to any eNBs able to communicate with the same MME serving the victim UE. An interview with a counterpart in the carrier revealed that an eNB might communicate with any MMEs regardless of the geographical regions and that this depended on the operational policy of the particular carrier. In this case, an adversary would be able to remotely de-register arbitrary users subscribed to the carrier regardless of the user’s location only if the adversary succeeded in obtaining the valid GUTIs. Note that obtaining a valid GUTI is not difficult as discussed previously. The NAS messages that could be used to carry out this attack are listed in Table II. A notable case for message replay is that, once the MME accepts replayed a NAS PDN disconnect request, the adversary can selectively deny the user’s service (e.g., the adversary blindly disconnects the data service of the victim UE whereas the voice service continues to be available).