LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE
Primary Investigator:
Elisa Bertino
Syed Rafiul Hussai, Omar Chowdhury, Shagufta Mehnaz, Elisa Bertino
Abstract
We investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders. For exposing vulnerabilities, we propose a model-based testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model. Using LTEInspector, we have uncovered 10 new attacks along with 9 prior attacks, categorized into three abstract classes (i.e., security, user privacy, and disruption of service), in the three procedures of 4G LTE. Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated 8 of the 10 new attacks and their accompanying adversarial assumptions through experimentation in a real testbed. Finally, we argue that our model-based testing framework can also be effective to automate the process of vulnerability discovery for the 5G standard which a lot of network providers are planning on rolling out in the near future.