Abstract
To meet government requirements for positioning emergency services, Long Term Evolution (LTE), the latest generation of mobile communications popular in North America and Europe, incorporates the ability to ascertain the position of the user equipment via the network. This additional signaling also creates the chance that the user's position may be intercepted by unauthorized parties. Several potential vulnerabilities are explored in this paper, and a proof of concept is given for three of them, including the presence of location data on the network when no authorized request for that data is active. A series of simulations was constructed to analyze and test the logical flow of messages through the LTE core network and to see what vulnerabilities existed. The first simulation established a baseline, and each additional simulation examined a possible vulnerability.
Index Terms: 3GPP, LTE, Vulnerability Assessment, mobile positioning
1. Introduction
The consumer demand for higher data rates on mobile devices has been pushing the suppliers of wireless service and wireless equipment to develop ever-evolving mobile wireless standards to meet that demand. The leading standard in North America and Europe is developed by the Third Generation Partnership Project (3GPP), a partnership of regional telecommunications standards organizations together with telecommunications companies and equipment suppliers. The 3GPP standard for high-speed mobile communications is Long Term Evolution (LTE) Release 10 and later, known as LTE-Advanced [1].
LTE has undergone several releases. In Release 9, 3GPP began to introduce positioning of individual mobile devices, known in LTE as user equipment (UE), via the core network [2]. This was to meet various United States and European regulations regarding emergency services, collectively known as Enhanced 911 (E911) [3]. When a user of this system dials 911 for emergency services, the user's location is sent by the phone to the network to aid a quick emergency response. Alternatively, if a person is known to be in trouble, the authorities may initiate a query of the phone's location by sending it a request through the network.
978-1-4799-2504-9 2014
U.S. Government Work Not Protected by U.S. Copyright
DOI 10.1109/HICSS.2014.635
2. Related Work
Work in three separate areas relates to this work. The first is geolocation of the user equipment using LTE. The second is the use of Diameter as an Authentication, Authorization, and Accounting (AAA) protocol. Finally, there is work on network vulnerability analysis in general. While there is work in each of these areas, there is a paucity of work relating the three, and to the authors' knowledge there is no related work in the area of vulnerability analysis of Diameter messages on an LTE network.
The physical layer of LTE requires accurate timing-of-arrival information to ensure proper transmission of data. This information is contained in the timing advance field sent by the eNB to the UE. With only timing advance measurements, it is possible to generate a series of range bins from different towers and get a fairly accurate location estimate for the UE [4].
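The range-bin technique described above, worked through as an added example (it is not code from [4] or from this paper): each TA index an eNB commands corresponds to a one-way distance interval of width 16 Ts times c over 2, about 78 m, and intersecting the intervals reported by three eNBs bounds the UE. The eNB coordinates, the UE position and the 10 m grid step are constructed assumptions; the TA scale itself follows from LTE's basic time unit Ts = 1/(15000 x 2048) s and the 16 Ts granularity of the TA command.

```python
"""Locate a UE from the timing-advance (TA) indices commanded by several eNBs.

Added example, not code from [4] or from this paper. eNB coordinates and the
UE position are constructed; the TA scale comes from LTE's basic time unit Ts
and the 16 Ts granularity of the TA command.
"""
import math

C = 299_792_458.0              # m/s
TS = 1.0 / (15_000 * 2_048)    # LTE basic time unit, seconds
TA_STEP_M = C * 16 * TS / 2    # one TA index = 16 Ts of round trip, ~78.07 m one-way


def ta_from_distance(d_m: float) -> int:
    """TA index an eNB would command for a UE at one-way distance d_m."""
    return int(d_m // TA_STEP_M)


def range_bin(ta: int):
    """[lo, hi) one-way distances consistent with a TA index."""
    return ta * TA_STEP_M, (ta + 1) * TA_STEP_M


def in_bin(point, enb, ta) -> bool:
    lo, hi = range_bin(ta)
    return lo <= math.dist(point, enb) < hi


def estimate_position(observations, step_m=10.0):
    """observations: list of ((x, y) eNB position, ta). Grid-search the
    intersection of the annular bins and return its centroid, or None."""
    x0 = max(x - range_bin(ta)[1] for (x, _), ta in observations)
    x1 = min(x + range_bin(ta)[1] for (x, _), ta in observations)
    y0 = max(y - range_bin(ta)[1] for (_, y), ta in observations)
    y1 = min(y + range_bin(ta)[1] for (_, y), ta in observations)
    hits = []
    x = x0
    while x <= x1:
        y = y0
        while y <= y1:
            if all(in_bin((x, y), enb, ta) for enb, ta in observations):
                hits.append((x, y))
            y += step_m
        x += step_m
    if not hits:
        return None
    n = len(hits)
    return sum(p[0] for p in hits) / n, sum(p[1] for p in hits) / n


# Constructed scenario: three eNBs 3 km apart and a UE between them.
ENBS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]
TRUE_UE = (1200.0, 900.0)


def demo():
    """Derive the TA each eNB would command, then estimate from TA alone."""
    obs = [(enb, ta_from_distance(math.dist(TRUE_UE, enb))) for enb in ENBS]
    est = estimate_position(obs)
    return est, (math.dist(est, TRUE_UE) if est else None)


if __name__ == "__main__":
    est, err = demo()
    print(f"estimate {est}, error {err:.1f} m, bin width {TA_STEP_M:.1f} m")
```

The estimate cannot be better than the bin geometry allows: with three eNBs the error stays within a couple of bin widths, and with fewer eNBs, or eNBs in a line, the intersection degenerates into an arc and the centroid is no longer meaningful.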
The Diameter protocol [5] has been examined for use in
several areas as a replacement for RADIUS [6] or other
security schemes. Diameter has been proposed for use in
Internet Protocol version 6 (IPv6) networks [7], charging
mobile users for use of services from a different network
operator (e.g., wireless hot-spot) [8], and as the authentication
piece of a peer-to-peer session initiation protocol (SIP) voice
service [9]. There is an absence of published work on any
vulnerabilities of the Diameter protocol itself. This work
partially fills this gap in the research.
There has been a lot of work done on network vulnerabilities. Work by Hill [10] has looked at Diameter's predecessor protocol, RADIUS. In it he identifies nine different attacks and vulnerabilities in RADIUS. Some of these vulnerabilities are addressed by the Diameter base protocol,
3. Background
A. LTE Location Services
The LTE core network is composed of several different logical devices operating on an internet protocol (IP) based network. Each has specified functions and links on the network. The LTE standard does not require each logical device to be a unique physical device; this section treats the logical functions as separate units, in keeping with the logical flow of information specified or implied in the standard. The LTE standard is also extensive, so this section covers only how these units relate to LTE Location Services (LCS). Other aspects of LTE, such as the radio access network and the routing of user data (i.e., web requests), are not covered. A high-level network topology for LTE LCS is shown in Fig. 1.
The Gateway Mobile Location Centre (GMLC) is fundamental to the operation of LCS on the network. All routing data for a location request is handled by the GMLCs. Since several GMLCs are involved in handling a single request, they are further designated by their function in relation to that request. The location request is transmitted to the GMLC servicing the requestor, which becomes the Requesting-GMLC (R-GMLC). The R-GMLC then determines which GMLC is acting as the home base for the user (the Home-GMLC or H-GMLC) and forwards the request to that server. The H-GMLC then determines which GMLC is servicing the part of the network where the user is visiting (the Visited-GMLC or V-GMLC) and forwards the request. Once determined, the location data flows back along the same path.
The Privacy Profile Register (PPR) is where the privacy preferences of the subscriber are stored. These preferences are checked to ensure the entity requesting the user's location has the right to know that location. The technical specifications allow this functionality to be incorporated into the H-GMLC [12]. The technical specifications also describe a Privacy Override Indicator (POI) that allows for the privacy settings of
6. Conclusions
The Long Term Evolution Location Services handling of
requests for location data and the transmission of that data on
the core network were analyzed in this thesis. The LCS
Location Requests and LCS Location Responses are in the
form of Diameter messages. Java code was written to simulate
the flow of Diameter messages from one logical LCS network
element to another. The software limited communication
between network elements to the transmission of Diameter
messages. Using the simulation software and the technical
specifications, we discovered five vulnerabilities. Three were
simulated using the software developed.
A. Significant Contributions
Three major contributions were made in this work. First, a software package was developed to simulate the flow of Diameter messages on the LTE LCS network. The software was written in Java and made full use of object-oriented programming. Consequently, the software can be extended to simulate other behaviors of LCS on the core network.
Additionally, we provided a basic proof of concept for three of the five vulnerabilities. Performing a privacy check only on the return of the location data means that a compromised node can exfiltrate that location data without the request for it ever being validated. The Privacy Override Indicator is a feature of LCS, but the technical specifications do not outline or require the authentication of a POI. This leads to the possibility of an attacker spoofing a POI to get at location data he would otherwise not be able to access. Finally, the need for each node in the network to keep a list of active LCS Service Requests means that it is vulnerable to alteration of that list.
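The R-GMLC to H-GMLC to V-GMLC forwarding chain and PPR check from Section 3, together with the first two vulnerabilities above, modeled as an added example in Python (it is not the paper's Java simulator): a compromised V-GMLC copies the fix whenever the H-GMLC consults the PPR only on the return leg, and a spoofed POI passes whenever the POI is not authenticated. The node names, the subscriber identity, the PPR contents, the coordinates and the POI_TRUSTED list are constructed assumptions, and the Diameter encoding of the messages is not modeled.

```python
"""Model of one LTE LCS location request crossing R-GMLC -> H-GMLC -> V-GMLC.

Added example, not the paper's Java simulator. All identities, coordinates
and PPR contents below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class LocationRequest:
    requestor: str      # LCS client identity carried in the request
    target_imsi: str    # subscriber whose position is wanted
    poi: bool = False   # Privacy Override Indicator; the spec does not authenticate it
    ref: int = 1        # LCS reference number used to match the reply


@dataclass
class LocationResponse:
    ref: int
    target_imsi: str
    location: tuple     # (lat, lon)


# Constructed Privacy Profile Register: the requestors each subscriber allows.
PPR = {"imsi-001": {"emergency-psap"}}

# Constructed fix the visited network would obtain for the target.
VISITED_FIX = {"imsi-001": (38.8977, -77.0365)}

# Assumption: the only LCS clients that may legitimately assert a POI.
POI_TRUSTED = {"emergency-psap"}


def ppr_allows(req: LocationRequest, authenticate_poi: bool) -> bool:
    """Privacy check. With authenticate_poi=False a spoofed POI bypasses the PPR."""
    if req.poi and (not authenticate_poi or req.requestor in POI_TRUSTED):
        return True
    return req.requestor in PPR.get(req.target_imsi, set())


class VGMLC:
    """Visited GMLC. A compromised one keeps a copy of every fix it returns."""

    def __init__(self, compromised: bool):
        self.compromised = compromised
        self.exfiltrated = []

    def handle(self, req: LocationRequest) -> LocationResponse:
        loc = VISITED_FIX[req.target_imsi]
        if self.compromised:
            self.exfiltrated.append((req.target_imsi, loc))
        return LocationResponse(req.ref, req.target_imsi, loc)


class HGMLC:
    """Home GMLC hosting the PPR function; check_on_request selects where it checks."""

    def __init__(self, vgmlc: VGMLC, check_on_request: bool, authenticate_poi: bool):
        self.vgmlc = vgmlc
        self.check_on_request = check_on_request
        self.authenticate_poi = authenticate_poi
        self.active = {}    # ref -> request: the per-node list of active LCS requests

    def handle(self, req: LocationRequest):
        if self.check_on_request and not ppr_allows(req, self.authenticate_poi):
            return None     # rejected before any location data exists on the network
        self.active[req.ref] = req
        resp = self.vgmlc.handle(req)
        self.active.pop(resp.ref, None)
        if not self.check_on_request and not ppr_allows(req, self.authenticate_poi):
            return None     # checked only now: the fix already crossed the V-GMLC
        return resp


def run(requestor, *, check_on_request, authenticate_poi, poi=False):
    """R-GMLC side: submit one request; return what came back and what leaked."""
    v = VGMLC(compromised=True)
    h = HGMLC(v, check_on_request, authenticate_poi)
    resp = h.handle(LocationRequest(requestor, "imsi-001", poi=poi))
    return (resp.location if resp else None), list(v.exfiltrated)


if __name__ == "__main__":
    print("check on return only :", run("stalker", check_on_request=False, authenticate_poi=False))
    print("check on request     :", run("stalker", check_on_request=True, authenticate_poi=False))
    print("spoofed POI, no auth :", run("stalker", check_on_request=True, authenticate_poi=False, poi=True))
    print("spoofed POI, auth    :", run("stalker", check_on_request=True, authenticate_poi=True, poi=True))
```

In the first scenario the requestor is refused yet the compromised V-GMLC already holds the fix; moving the PPR check to the request leg means the V-GMLC is never asked. The POI case shows that the placement of the check does not help on its own: an unauthenticated POI is accepted at the H-GMLC regardless, and only binding the indicator to a trusted requestor closes it.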
References
[1] 3GPP. (2010, October) Lteportal.com. [Online].
http://lteportal.com/MediaChannel/Articles/LTE__LTEAdvanced;6/Regulation,_Standards,_Spectrum;31/ITUR_Confers_IMTAdvanced_%284G%29_Status_to_3GPP_LTE;1735?2
[2] 3GPP, "3GPP activities on Location Services," V0.0.1, March 2012.
[3] 47 U.S.C. 615. (2011) Support for universal emergency telephone number. [Online]. http://www.gpoaccess.gov/uscode/
[4] L. Jarvis, "Geolocation of LTE subscriber stations based