SMS phishing attack

1) Adversary model: In this scenario, the adversary sends an SMS message to victim UE1 while spoofing the sender as the phone number of victim UE2. To this end, the adversary knows the S-TMSI of UE2, which is used to spoof the sender. The phone number of UE1, to which the SMS message is actually delivered, is also known. In addition, we assume that the target LTE network delivers SMS through the NAS layer.

2) Attack procedure: ➀ The adversary starts by establishing a spoofed RRC Connection using the S-TMSI of UE2. ➁ SMS content is then generated and included in a NAS Uplink NAS transport message. ➂ Immediately after the RRC Connection is established, the adversary sends the generated NAS Uplink NAS transport message to the serving MME. ➃ Upon receiving the message, the MME delivers this manipulated SMS to UE1.

3) Implementation: We implemented this attack by modifying the srsLTE implementation. In particular, we added the functionality to support SMS over NAS.

4) Validation: Our test results confirmed that we successfully carried out this attack on the carrier: MME1 does not verify the sequence number of the NAS Uplink NAS transport message, whereas MME2 accepts all invalid messages (plain, invalid MAC, and replay).