The goal of this project was to provide a method for improving LTE’s security by reducing the gap between the security goals defined in the standards and practical implementations.
In doing so, we have developed a language design and compiler for representing the encoding formats of the NAS protocol and generating source that can encode NAS messages. Our work provides an example of how the formalism provided by a language can helping connect a protocol’s specification with a practical implementation, which can help ensure that the security requirements defined by a standard are upheld in practice. In addition, we provide recommendations based on our work implementing the NAS protocol for how future protocol designs can more easily utilize formal descriptions. We hope that our work helps to raise awareness on how formal languages can be used in other standards to help improve their security.
References
[1] I. T. Union, “The world in 2014: Ict facts and figures,” 2014. [Online]. Available: http:
//www.itu.int/en/ITU-D/Statistics/Documents/facts/ICTFactsFigures2014-e.pdf [2] A. Germano, “The impact of femtocells on next generation lte mobile networks,”
Femto-Forum 3GPP, 2010.
[3] A. R. Doug DePerry, Tom Ritter, “Traffic interception and remote mobile phone cloning with a compromised cdma femtocell,” DEF CON, 2013.
[4] N. Golde, K. Redon, and R. Borgaonkar, “Weaponizing femtocells: The effect of rogue devices on mobile telecommunications.” in NDSS, 2012.
[5] G. Association, “History,” 2015. [Online]. Available: http://www.gsma.com/aboutus/
history
[6] 3GPP, “Gprs and edge,” 2015. [Online]. Available: http://www.3gpp.org/technologies/
keywords-acronyms/102-gprs-edge
[7] ——, “Umts,” 2015. [Online]. Available: http://www.3gpp.org/technologies/
keywords-acronyms/103-umts
[8] M. Nohrborg, “Lte,” 2015. [Online]. Available: http://www.3gpp.org/technologies/
keywords-acronyms/98-lte
[9] J. Wannstrom, “Lte,” 2015. [Online]. Available: http://www.3gpp.org/technologies/
keywords-acronyms/97-lte-advanced
[10] 3GPP, “About 3gpp home,” 2015. [Online]. Available: http://www.3gpp.org/
about-3gpp/about-3gpp
[11] ATIS, “Atis - north american organizational partner: 3gpp,” 2015. [Online]. Available:
http://www.atis.org/3gpp/
[12] D. Terdiman, “Unlocking ma bell: How phone phreaks came to be,” CNET, 2013. [Online]. Available: http://www.cnet.com/news/
unlocking-ma-bell-how-phone-phreaks-came-to-be/
[13] M. Green, “On cellular encryption,” A Few Thoughts on Cryptography En-gineering. [Online]. Available: http://blog.cryptographyengineering.com/2013/05/
a-few-thoughts-on-cellular-encryption.html
[14] M. Rahnema, “Overview of the gsm system and protocol architecture,” Communications Magazine, IEEE, vol. 31, no. 4, pp. 92–100, 1993.
[15] M. Olawski, “Security in the gsm network,” IPSec. pl. Stream ciphers.
[16] E. Barkan, E. Biham, and N. Keller, “Instant ciphertext-only cryptanalysis of gsm encrypted communication,” in Advances in Cryptology-CRYPTO 2003. Springer, 2003, pp. 600–616.
[17] C. Mulliner, N. Golde, and J.-P. Seifert, “Sms of death: From analyzing to attacking mobile phones on a large scale.” in USENIX Security Symposium, 2011.
[18] S. K. Pell and C. Soghoian, “Your secret stingray’s no secret anymore: The vanishing government monopoly over cell phone surveillance and its impact on national security and consumer privacy,” Harvard Journal of Law and Technology, Forthcoming, 2014.
[19] A. Soltani and C. Timberg, “Tech firm tries to pull back cur-tain on surveillance efforts in washington,” Washington Post. [On-line]. Available: http://www.washingtonpost.com/world/national-security/
researchers-try-to-pull-back-curtain-on-surveillance-efforts-in-washington/2014/
09/17/f8c1f590-3e81-11e4-b03f-de718edeb92f story.html
[20] M. Richtel, “A police gadget tracks phones? shhh! its secret,” New York Times, 2015.
[21] C. Tang, D. A. Naumann, and S. Wetzel, “Analysis of authentication and key estab-lishment in inter-generational mobile telephony,” in High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing (HPCC EUC), 2013 IEEE 10th International Conference on. IEEE, 2013, pp. 1605–1614.
[22] L. Miras, “Baseband playground,” Ekoparty,, 2011.
[23] R.-P. Weinmann, “Baseband attacks: Remote exploitation of memory corruptions in cellular protocol stacks.” in WOOT, 2012, pp. 12–21.
[24] Z. Lackey and L. Miras, “Attacking sms,” BlackHat 2009, 2009.
[25] W. Enck, P. Traynor, P. McDaniel, and T. La Porta, “Exploiting open functionality in sms-capable cellular networks,” in Proceedings of the 12th ACM conference on Computer and communications security. ACM, 2005, pp. 393–404.
[26] C. Mulliner and J.-P. Seifert, “Rise of the ibots: Owning a telco network,” in Malicious and Unwanted Software (MALWARE), 2010 5th International Conference on. IEEE, 2010, pp. 71–80.
[27] P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, P. McDaniel, and T. La Porta,
“On cellular botnets: measuring the impact of malicious devices on a cellular network core,” in Proceedings of the 16th ACM conference on Computer and communications security. ACM, 2009, pp. 223–234.
[28] R. B. Borgaonkar, “Security analysis of femtocell-enabled cellular network architecture,”
Ph.D. dissertation, Universit¨atsbibliothek der Technischen Universit¨at Berlin, 2013.
[29] J. Ravi, “Cell phone tower,” Wikimedia Commons, 2011. [Online]. Available:
https://commons.wikimedia.org/wiki/File:Cell Phone Tower.jpg
[30] P. Team, “Verizon network extender review,” PhoneArena, 2009. [Online]. Available:
http://www.phonearena.com/reviews/Verizon-Network-Extender-Review id2110 [31] “Samsung network extender,” Verizon Wireless, 2015. [Online]. Available: http:
//www.verizonwireless.com/accessories/samsung-network-extender-scs-2u01/
[32] 3GPP, “Security of home node b (hnb) / home evolved node b (henb),” 3GPP Technical Specification 33.320, Release 12, 2013.
[33] I. Bilogrevic, M. Jadliwala, and J.-P. Hubaux, “Security issues in next generation mobile networks: Lte and femtocells,” in 2nd international femtocell workshop, no. EPFL-POSTER-149153, 2010.
[34] N. Golde, K. Redon, and J.-P. Seifert, “Let me answer that for you: Exploiting broadcast information in cellular networks,” in Proceedings of the 22nd USENIX conference on Security. USENIX Association, 2013, pp. 33–48.
[35] R. Borgaonkar, N. Golde, and K. Redon, “Femtocells: a poisonous needle in the oper-ator’s hay stack,” Black Hat Las Vegas, 2011.
[36] Alcatel-Lucent, “The lte network architecture: A comprehensive tutorial,” 2009.
[37] H. Welte, “Anatomy of contemporary gsm cellphone hardware,” Unpublished paper, c, 2010.
[38] J. B. Postel, “Rfc 821: Simple mail transfer protocol,” IETF, 1982. [Online]. Available:
https://tools.ietf.org/html/rfc821
[39] Google, “Transparency report: Email encryption in transit,” 2015. [Online]. Available:
https://www.google.com/transparencyreport/saferemail/
[40] 3GPP, “Non access stratum (nas) protocol for evolved packet system (eps),” 3GPP Technical Specification 24.301, Release 12, 2014.
[41] ——, “Mobile radio interface signalling layer 3; general aspects,” 3GPP Technical Spec-ification 24.007, Release 12, 2013.
[42] T. Parr, “Antlr,” 2014. [Online]. Available: http://antlr.org
[43] W. Foundation, “Wireshark,” 2015. [Online]. Available: https://wireshark.org
[44] D. Grune, K. van Reeuwijk, H. E. Bal, C. J. Jacobs, and K. Langendoen, Modern compiler design. Springer Science & Business Media, 2012.
Appendix A: Project source code
The source code for our design will be published as an open-source project and maintained at: http://github.com/ndemarinis.