Shinan Liu,Xiang Cheng,Hanchao Yang,Yuanchao Shu,Xiaoran Weng,Ping Guo,Kexiong (Curtis) Zeng,Gang Wang,Yaling Yang

2021-01-01

Abstract:The GPS has empowered billions of users and various critical infrastructures with its positioning and time services. However, GPS spoofing attacks also become a growing threat to GPS-dependent systems. Existing detection methods either require expensive hardware modifications to current GPS devices or lack the basic robustness against sophisticated attacks, hurting their adoption and usage in practice. In this paper, we propose a novel GPS spoofing detection framework that works with off-the-shelf GPS chipsets. Our basic idea is to rotate a one-side-blocked GPS receiver to derive the angle-of-arrival (AoAs) of received signals and compare them with the GPS constellation (consists of tens of GPS satellites). We first demonstrate the effectiveness of this idea by implementing a smartphone prototype and evaluating it against a real spoofer in various field experiments (in both open air and urban canyon environments). Our method achieves a high accuracy (95%-100%) in 5 seconds. Then we implement an adaptive attack, assuming the attacker becomes aware of our defense method and actively modulates the spoofing signals accordingly. We study this adaptive attack and propose enhancement methods (using the rotation speed as the "secret key") to fortify the defense. Further experiments are conducted to validate the effectiveness of the enhanced defense.

Yubo Song,Kan Zhou,Bingxin Yao,Chen Xi

DOI: https://doi.org/10.1109/MINES.2010.172

2010-01-01

Abstract:This paper presents a new GSM/UMTS jamming system which is intended to be placed in a restricted area for security purpose. A pseudo base station was constructed to attempt connecting with mobile terminals. While the terminals are trying to access, the system will get the unique identity, such as IMSI and IMEI, and further check these identities in the repository. The system will selectively block the communication of these mobile terminals. We will analyze the GSM protocol which is relevant to the interception system and later present the performance of such a system by real tests and demonstrate its feasibility.

Geng LI,Yu-ping ZHAO,Chun-lai SUN,Hui ZHAO

DOI: https://doi.org/10.3969/j.issn.1671-1122.2014.09.003

2014-01-01

Abstract:This paper starts with introducing GSM fake base station system, describes system architecture, attack procedure and its bad influence in detail, then proposes a new fake base station restraining scheme based on pseudo signal. With the two phases of target recognition and interference attack on fake base station with pseudo signal, the scheme can efifciently lessen the illegal attack from fake base station and protect wireless infrastructure and users. Based on the promising prospect, a new technical proposal for information security of mobile communication is explored.

Yubo Song,Xili Hu,Zhiling Lan

DOI: https://doi.org/10.1109/MINES.2011.153

2011-11-04

Abstract:For the individual privacy protection, the GSM system transmits the IMSI or TMSI number over the air instead of the phone number which will leak the identity of the users. The MSC, HLR/VLR will translate the IMSI/TMSI to the phone number in the core network. This paper proposed an idea about catching the GSM/UMTS Phone Number over the air by man-in-the-middle attack. The GSM/UMTS phone number catcher proposed in this paper was implemented on a pseudo base station with a mobile terminal which can transmit any frames we wanted. While the legal terminals are trying to access, the phone number catcher will relay all its frame to the operator's network and try to break the shared authentication key Ki. Then the system will get the phone number by pretending the legal terminal to call a designated phone. We will analyze the GSM protocol which is relevant to the phone number catcher and later present the performance of such a system by real tests and demonstrate its feasibility.

Engineering,Computer Science

Taimin Zhang,Xiaoyu Ji,Zhou Zhuang,Wenyuan Xu

DOI: https://doi.org/10.3390/s19040909

IF: 3.9

2019-01-01

Sensors

Abstract:As the core component of the smart grid, advanced metering infrastructure (AMI) is responsible for automated billing, demand response, load forecasting, management, etc. The jamming attack poses a serious threat to the AMI communication networks, especially the neighborhood area network where wireless technologies are widely adopted to connect a tremendous amount of smart meters. An attacker can easily build a jammer using a software-defined radio and jam the wireless communications between smart meters and local controllers, causing failures of on-line monitoring and state estimation. Accurate jammer localization is the first step for defending AMIs against jamming attacks. In this paper, we propose JamCatcher, a mobile jammer localization scheme for defending the AMI. Unlike existing jammer localization schemes, which only consider stationary jammers and usually require a high density of anchor nodes, the proposed scheme utilizes a tracker and can localize a mobile jammer with sparse anchor nodes. The time delay of data transmission is also considered, and the jammer localization process is divided into two stages, i.e., far-field chasing stage and near-field capturing stage. Different localization algorithms are developed for each stage. The proposed method has been tested with data from both simulation and real-world experiment. The results demonstrate that JamCatcher outperforms existing jammer localization algorithms with a limited number of anchor nodes in the AMI scenario.

Zhenhua Li,Weiwei Wang,Christo Wilson,Jian Chen,Chen Qian,Taeho Jung,Lan Zhang,Kebin Liu,Xiangyang Li,Yunhao Liu

DOI: https://doi.org/10.14722/ndss.2017.23098

2017-01-01

Abstract:Base stations constitute the basic infrastructure of today’s cellular networks. Unfortunately, vulnerabilities in the GSM (2G) network protocol enable the creation of fake base stations (FBSes) that are not authorized by network operators. Criminal gangs are using FBSes to directly attack users by sending spam and fraud SMS messages, even if the users have access to 3G/4G networks. In this paper, we present the design, deployment, and evolution of an FBS detection system called FBS-Radar, based on crowdsourced data of nearly 100M users. In particular, we evaluate five different metrics for identifying FBSes in the wild, and find that FBSes can be precisely identified without sacrificing user privacy. Additionally, we present a novel method for accurately geolocating FBSes while incurring negligible impact on end-user devices. Our system protects users from millions of spam and fraud SMS messages per day, and has helped the authorities arrest hundreds of FBS operators.

Sourav Purification,Jinoh Kim,Jonghyun Kim,Sang-Yoon Chang

DOI: https://doi.org/10.3390/electronics13173474

IF: 2.9

2024-09-03

Electronics

Abstract:Fake base stations comprise a critical security issue in mobile networking. A fake base station exploits vulnerabilities in the broadcast message announcing a base station's presence, which is called SIB1 in 4G LTE and 5G NR, to get user equipment to connect to the fake base station. Once connected, the fake base station can deprive the user of connectivity and access to the Internet/cloud. We discovered that a fake base station can disable the victim user equipment's connectivity for an indefinite period of time, which we validated using our threat prototype against current 4G/5G practices. We designed and built a defense scheme which detects and blacklists a fake base station and then, informed by the detection, avoids it through link routing for connectivity availability. For detection and blacklisting, our scheme uses the real-time information of both the time duration and the number of request transmissions, the features of which are directly impacted by the fake base station's threat and which have not been studied in previous research. Upon detection, our scheme takes an active measure called link routing, which is a novel concept in mobile/4G/5G networking, where the user equipment routes the connectivity request to another base station. To defend against a Sybil-capable fake base station, we use a history–reputation-based link routing scheme for routing and base station selection. We implemented both the base station and the user on software-defined radios using open-source 5G software (srsRAN v23.10 and Open5GS v2.6.6) for validation. We varied the base station implementation to simulate legitimate vs. faulty but legitimate vs. fake and malicious base stations, where a faulty base station notifies the user of the connectivity disruption and releases the session, while a fake base station continues to hold the session. We empirically analyzed the detection and identification thresholds, which vary with the fake base station's power and the channel condition. By strategically selecting the threshold parameters, our scheme provides zero errors, including zero false positives, to avoid blacklisting a temporarily faulty base station that cannot provide connectivity at the time. Furthermore, our link routing scheme enables the base station to switch in order to restore the connectivity availability and limit the threat impact. We also discuss future directions to facilitate and encourage R&D in securing telecommunications and base station security.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ivan Palamà,Francesco Gringoli,Giuseppe Bianchi,Nicola Blefari-Melazzi

DOI: https://doi.org/10.1016/j.comnet.2021.108137

IF: 5.493

2021-07-01

Computer Networks

Abstract:IMSI catching attacks are a type of privacy threats designed to locate and track specific users by gathering their long-term identifiers, i.e., their International Mobile Subscriber Identity (IMSI). In order to understand how different mobile phone brands respond to different attack methods, this article makes a twofold contribution. We first address the feasibility and practicality of IMSI Catchers using off-the-shelf Software-Defined-Radio (SDR) platforms and two open source frameworks - OpenAirInterface and srsLTE. Second, we evaluate the behavior of different mobile phone brands/modems, when they are under attack. Specifically, we performed experiments on 26 4G devices and four more recent ones also supporting 5G. In each experiment we performed two different attack types, and we tested the attacks when using/not using a radio-frequency jammer specifically designed for our purposes. Our tests show that the sheer majority of the devices under test (also the last ones 3GPP Release 15 compliant) surrender even without any jamming. Finally, we have verified that network deployments have no impact — we repeated tests on four different operator's networks —, and we also developed a portable IMSI Catcher using a Raspberry Pi4 so as to test the attacks over early 5G Non Stand-Alone deployments we could find in our cities.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Stig F. Mjølsnes,Ruxandra F. Olimid

DOI: https://doi.org/10.48550/arXiv.1702.04434

2017-02-15

Abstract:IMSI Catchers are tracking devices that break the privacy of the subscribers of mobile access networks, with disruptive effects to both the communication services and the trust and credibility of mobile network operators. Recently, we verified that IMSI Catcher attacks are really practical for the state-of-the-art 4G/LTE mobile systems too. Our IMSI Catcher device acquires subscription identities (IMSIs) within an area or location within a few seconds of operation and then denies access of subscribers to the commercial network. Moreover, we demonstrate that these attack devices can be easily built and operated using readily available tools and equipment, and without any programming. We describe our experiments and procedures that are based on commercially available hardware and unmodified open source software.

Cryptography and Security

Yuwei Zheng,Lin Huang,Haoqi Shan,Jun Li,Qing Yang,Wenyuan Xu

DOI: https://doi.org/10.1109/CNS.2017.8228629

2017-01-01

Abstract:LTE is a globally deployed standard. CSFB (Circuit Switched Fallback) is one of the major voice solutions in LTE network. We found one vulnerability in CSFB where the authentication step is missing. This allows an attacker to impersonate a victim. We named this attack as `Ghost Telephonist'. The consequence of this attack include: (1) The attacker can impersonate the callee and obtain the content of incoming calls or SMSs. (2) The attacker can impersonate the caller and initiate a call/SMS to others. (3) The attacker can obtain the victim's phone number and then use the phone number to launch further attack, e.g. reseting the victim's Internet account. These exploitations can randomly choose victims, or target a given victim. The victim will not detect the attacks since no fake base station is used and no cell re-selection happens. We implemented our own baseband based on OsmocomBB and verified the vulnerability with our own phones in two operators' network. The experiments validate the vulnerability really exists. We've already reported the vulnerability to the operators and proposed the countermeasures.

Guan-Hua Tu,Chi-Yu Li,Chunyi Peng,Yuanjie Li,Songwu Lu

DOI: https://doi.org/10.1145/2976749.2978393

2016-01-01

Abstract:SMS (Short Messaging Service) is a text messaging service for mobile users to exchange short text messages. It is also widely used to provide SMS-powered services (e.g., mobile banking). With the rapid deployment of all-IP 4G mobile networks, the underlying technology of SMS evolves from the legacy circuit-switched network to the IMS (IP Multimedia Subsystem) system over packet-switched network. In this work, we study the insecurity of the IMS-based SMS. We uncover its security vulnerabilities and exploit them to devise four SMS attacks: silent SMS abuse, SMS spoofing, SMS client DoS, and SMS spamming. We further discover that those SMS threats can propagate towards SMS-powered services, thereby leading to three malicious attacks: social network account hijacking, unauthorized donation, and unauthorized subscription. Our analysis reveals that the problems stem from the loose security regulations among mobile phones, carrier networks, and SMS-powered services. We finally propose remedies to the identified security issues.

Demin Gao,Shuai Wang,Yunhuai Liu,Wenchao Jiang,Zhijun Li,Tian He

DOI: https://doi.org/10.1016/j.comcom.2021.06.017

IF: 5.047

2021-09-01

Computer Communications

Abstract:<p>Cross-Technology Communication(CTC) enables that WiFi devices can talk to ZigBee devices directly without any hardware changes or gateway equipment, and WiFi occupies a much wider bandwidth (20MHz) than ZigBee (2MHz), which sheds the light on spoofing-jamming attack based on CTC, where a WiFi device, as a sophisticated attacker spoofs or jams an area in which multiple-channels sensor network operating. In this work, we attempt to emulate two ZigBee frames under different frequencies within a single WiFi frame by controlling non-continuous bands of subcarriers. In other words, a WiFi device can independently communicate with the ZigBee devices operating in two channels. In a different perspective, the application based on CTC will be significantly impaired when CTC suffers from malicious attacks such as spoofing or jamming. In our work, we implement a parallel spoofing system, called SamBee, that can spoof the ZigBee devices operating in two different channels or jam the ZigBee devices operating in five distinct channels simultaneously only using a single WiFi frame, which causes maximum damage to the network in term of corrupted communication links with low cost. We implement our design based on a USRP-N210 and MICAz hybrid platform, the results show that parallel spoofing attacks and multiple-channels jamming attacks based on CTC is feasible, and our results also provide valuable insights about the associated defense mechanisms on achieving desirable performance.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic

Ke-Wen Huang,Hui-Ming Wang

DOI: https://doi.org/10.1109/lcomm.2018.2843334

IF: 3.5529

2018-01-01

IEEE Communications Letters

Abstract:Fake base station (FBS) attack is a great security challenge to wireless user equipment (UE). During the cell selection stage, the UE receives multiple synchronization signals (SSs) from multiple nearby base stations (BSs) and then synchronizes itself with the strongest SS. An FBS also can transmit an SS with sufficient power to confuse the UE, which makes the UE connect to the FBS, and may lead to the leakage of private information. In this letter, countermeasure to the FBS attack by utilizing the location information is investigated. Two location awareness based FBS-resistance schemes are proposed by checking the received signal strength according to the position of the UE and a legitimate BS map. The successful cheating rate (SCR) defined as the probability that the UE will connect to the FBS is investigated. Numeric results show that with the two proposed schemes, the SCR can be greatly reduced especially when the transmit power of the FBS is large. Beyond that, a cooperation-aided method is further proposed to improve the performance, and we show that the cooperation-aided method can further suppress the SCR when the signal strength from the FBS is similar to that from the legitimate BS.

Chi Zhang,Jun-Rong Liu,Da-Wu Gu,Wei-Jia Wang,Xiang-Jun Lu,Zheng Guo,Hai-Ning Lu

DOI: https://doi.org/10.1007/s11390-019-1961-5

2019-01-01

Abstract:Time-division multiple access (TDMA) and code-division multiple access (CDMA) are two technologies used in digital cellular networks. The authentication protocols of TDMA networks have been proven to be vulnerable to side-channel analysis (SCA), giving rise to a series of powerful SCA-based attacks against unprotected subscriber identity module (SIM) cards. CDMA networks have two authentication protocols, cellular authentication and voice encryption (CAVE) based authentication protocol and authentication and key agreement (AKA) based authentication protocol, which are used in different phases of the networks. However, there has been no SCA attack for these two protocols so far. In this paper, in order to figure out if the authentication protocols of CDMA networks are sufficiently secure against SCA, we investigate the two existing protocols and their cryptographic algorithms. We find the side-channel weaknesses of the two protocols when they are implemented on embedded systems. Based on these weaknesses, we propose specific attack strategies to recover their authentication keys for the two protocols, respectively. We verify our strategies on an 8-bit microcontroller and a real-world SIM card, showing that the authentication keys can be fully recovered within a few minutes with a limited number of power measurements. The successful experiments demonstrate the correctness and the effectiveness of our proposed strategies and prove that the unprotected implementations of the authentication protocols of CDMA networks cannot resist SCA.

Prajwol Kumar Nakarmi,Mehmet Akif Ersoy,Elif Ustundag Soykan,Karl Norrman

DOI: https://doi.org/10.48550/arXiv.2102.08780

2021-02-17

Abstract:In recent years, there has been an increasing interest in false base station detection systems. Most of these rely on software that users download into their mobile phones. The software either performs an analysis of radio environment measurements taken by the mobile phone or reports these measurements to a server on the Internet, which then analyzes the aggregated measurements collected from many mobile phones. These systems suffer from two main drawbacks. First, they require modification to the mobile phones in the form of software and an active decision to participate from users. This severely limits the number of obtained measurements. Second, they do not make use of the information the mobile network has regarding network topology and configuration. This results in less reliable predictions than could be made. We present a network-based system for detecting false base stations that operate on any 3GPP radio access technology, without requiring modifications to mobile phones, and that allows taking full advantage of network topology and configuration information available to an operator. The analysis is performed by the mobile network based on measurement reports delivered by mobile phones as part of normal operations to maintain the wireless link. We implemented and validated the system in a lab experiment and a real operator trial. Our approach was adopted by the 3GPP standardization organization.

Cryptography and Security

Renato Ferreira,João Gaspar,Pedro Sebastião,Nuno Souto

DOI: https://doi.org/10.3390/s22041487

IF: 3.9

2022-02-15

Sensors

Abstract:The number of incidents between unmanned aerial vehicles (UAVs) and aircrafts at airports and airfields has been increasing over the last years. To address the problem, in this paper we describe a portable system capable of protecting areas against unauthorized UAVs, which is based on the use of low-cost SDR (software defined radio) platforms. The proposed anti-UAV system supports target localization and integrates effective jamming techniques with the generation of global positioning system (GPS) spoofing signals aimed at the drone. Real-life tests of the implemented prototype have shown that the proposed approach is capable of stopping the reliable reception of radionavigation signals and can also divert or even take control of unauthorized UAVs, whose flight path depends on the information obtained by the GPS system.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Si Chen,Kui Ren,Sixu Piao,Cong Wang,Qian Wang,Jian Weng,Lu Su,Aziz Mohaisen

DOI: https://doi.org/10.1109/ICDCS.2017.133

2017-01-01

Abstract:Voice, as a convenient and efficient way of information delivery, has a significant advantage over the conventional keyboard-based input methods, especially on small mobile devices such as smartphones and smartwatches. However, the human voice could often be exposed to the public, which allows an attacker to quickly collect sound samples of targeted victims and further launch voice impersonation attacks to spoof those voice-based applications. In this paper, we propose the design and implementation of a robust software-only voice impersonation defense system, which is tailored for mobile platforms and can be easily integrated with existing off-the-shelf smart devices. In our system, we explore magnetic field emitted from loudspeakers as the essential characteristic for detecting machine-based voice impersonation attacks. Furthermore, we use a state-of-the-art automatic speaker verification system to defend against human imitation attacks. Finally, our evaluation results show that our system achieves simultaneously high accuracy (100%) and low equal error rates (EERs) (0%) in detecting the machine-based voice impersonation attack on smartphones.

D. Orlando,I. Palamà,S. Bartoletti,G. Bianchi,N. Blefari Melazzi,I. Palama

DOI: https://doi.org/10.1109/lwc.2021.3089636

IF: 6.3

2021-09-01

IEEE Wireless Communications Letters

Abstract:In this letter, we propose three schemes designed to detect attacks over the air interface in cellular networks. These decision rules rely on the generalized likelihood ratio test, and are fed by data that can be acquired using common off-the-shelf receivers. In addition to more classical (barrage/smart) noise jamming attacks, we further assess the capability of the proposed schemes to detect the stealthy activation of a rogue base station. The evaluation is carried out through an experimentation of a LTE system concretely reproduced using Software-Defined Radios. Illustrative examples confirm that the proposed schemes can effectively detect air interface threats with high probability.

computer science, information systems,telecommunications,engineering, electrical & electronic

Meng Zhou,Hong Li,Peng Liu,Mingquan Lu

DOI: https://doi.org/10.1007/978-981-10-4588-2_64

2017-01-01

Abstract:Since the Global Navigation Satellite System (GNSS) has been constructed and normally operated, it has been widely applied in aviation, aerospace, navigation, power grid monitoring and communication. However, two factors determine its inherent vulnerability: (1) the navigation signal is prone to be jammed due to the very weak signal strength; (2) The fake signal could be easily generated because the navigation system Interface Control Documents (ICD) is open for the world. Therefore, GNSS receiver is often to be an important spoofing and jamming target for malicious attacks. Hence, when the receivers are once attacked, it can cause huge economic losses; moreover, it could also lead to serious safety problems for users. For the attacking of the receiver-spoofer in tracking stage (receiver-spoofer for short), it can take control of the target virtually without causing the target receiver unlocked, so it could make great hazards and destruction because of the high concealment. To analysis the technique of the receiver-spoofer, it discusses the principle when the attack takes over the control of receiver code loop in tracking stage in this paper. In order to model the spoofing process, the formulas of the key parameters in spoofing process were deduced and the simulation was achieved. Ultimately, the results, using a software receiver, verify the correctness of the simulation algorithm. Using the result in this paper, it cannot only provide a theoretical guide for the subsequent receiver-spoofer attack, but it can also provide a reference for the anti-attacking technique against the receiver-spoofer.

Wentao Bai,Hong Li,Yichen Yang,Mingquan Lu

DOI: https://doi.org/10.33012/2016.13456

2016-01-01

Abstract:The GNSS repeater spoofing scenarios can be classified into two categories, namely all-channel and part-channel attacks. Due to the different navigation environments of the repeater and the victim receiver, it is quite difficult to guarantee that all the authentic signals would be copied by the repeater. Therefore part-channel repeater spoofing is ordinary for most repeater spoofing scenarios.Under part-channel repeater spoofing, we find that the positioning result of the victim receiver not only takes a sudden jump but also appears an approximately linear variation for a period. Based on the properties, a motion state monitoring based detection method is proposed in the paper. The method is more intuitionistic and easier to be implemented than many other detection methods for detecting the part-channel repeater spoofing attack. The proposed method keeps an eye on the change of the motion state depicted by the PVT result of the receiver, comparing the actual motion state of the target receiver with the one depicted by the positioning result. If they are inconsistent, it means there may be a repeater spoofing attack. The method is suitable for many situations, such as for the cellphone towers of 3G, 4G, and future 5G, handheld equipment and other users which roughly know some prior information of themselves. To investigate the performance of the method, many simulations and experiments of GPS signals are conducted. In the simulations, the signals are generated by a GPS signal simulator and a part of them are delayed. In the livesignal experiment, the real GPS signals from the spoofing receiving antenna are delayed by a repeater spoofer and transmitted to the antenna of the receiver. All the signals are processed by a software defined receiver. The results demonstrate the validity of proposed method.