UCLA

Today 4G mobile networked systems provide anywhere and anytime Internet access to billions of mobile users. These systems have built-in security mechanisms that protect against disclosure of information exchanged between users and the network. Despite these existing security mechanisms, an attacker is still capable of impersonating a user by forging control-plane packets and causing the service outage. My key finding is that the attacker breaks 4G LTE encryption and integrity protection without relying on the knowledge of security key. The root causes lie on the missing binding between different LTE protocol identities and the disjoint security establishment procedures. We have found that the LTE security association setup procedures, which establish security between the device and the network, are disconnected. The security keys are installed through one procedure, whereas their associated parameters (such as uplink and downlink counters) are reset through a different procedure. The adversary can thus exploit the disjoint security setup procedures, and launch the keystream reuse attacks. He consequently breaks the message encryption, when he tricks the victim into using the same pair of key and counter value to encrypt multiple messages. This control-plane attack hijacks the location update procedure, thus rendering the device to be unreachable from the Internet. Moreover, it may also deregister the victim from the LTE network.

Motivated by these attacks, we advocate for an efficient and exhaustive vulnerability analysis on 4G LTE mobile networks to discover security loopholes previously unknown.

In this effort, we design algorithms that can extract new vulnerabilities and enable exhaustive security analysis in polynomial time. Our idea is to introduce multi-protocols conformance testing for validating/invalidating the interaction between the device and the network. We find that validating such interactions that require us to check all possible device states in the device finite state machine is challenging as it leads to the state explosion problem. We solve this challenge by minimizing the device states in a finite state machine by using the LTE domain knowledge. Once we get the compact representation of finite state machine, then we traverse all device states to find valid interactions between the device and the network. These interactions are then checked against the LTE standard documents to discover new undefined device operational conditions and scenarios.

My results show that the security weaknesses also arise due to accidental systems faults, design errors, and unexpected operating conditions hence compromising 4G network availability. The core of LTE network is being redesigned because it handles the devices' control-plane and data-plane traffic and becomes susceptible to network resource constraints. To ease these constraints, Network Function Virtualization (NFV) provides high scalability and flexibility by enabling dynamic allocation of LTE core network resources. NFV achieves this by decomposing LTE Network Functions (NF) into multiple instances. However, LTE core network architecture which is designed considering fewer NF boxes does not fit well where the decomposed NF instances incur delays while executing the device events (e.g., registration, mobility, service access, and other events). The delayed execution of time-critical control-plane events brings network service unavailability. To address LTE core network limitations on its virtualization, we propose Fat-Proxy which acts as a stand-alone execution engine of critical network events. Through space uncoupling, we execute several signaling messages in parallel while skipping unnecessary messages to reduce event execution time and signaling overhead. We build our system prototype of open source LTE core network over the virtualized platform. Our results show that we can reduce event execution time and signaling overhead up to 50% and 40%, respectively.

Looking forward, this dissertation provides a new dimension for jointly solving security and availability problems in 5G and various related fields including Internet of Things (IoT), multimedia subsystems, and network analytics.