In the second group, the connection management (CM) and mobility management (MM) layers handle connection and mobility handling. Other vulnerabilities in access-domain security that can be exploited to disrupt the operation of mobile networks are discussed in [63]–[65] in relation to the lack of ciphering of data and signaling. In the AS, different features and procedures can be targeted depending on the protocol layer (physical, MAC/RLC and RRC layers).
For example, in the CS domain, threats may focus on connection management (CM) and mobility management (MM), as opposed to the PS domain, where threats may focus on session management (SM) and GPRS mobility management (GMM).
THREATS AND ATTACKS IN 4G NETWORKS
Traffic modification: targets the different types of traffic on the radio interface and the backhaul, in both the control plane (C-plane) and the user plane (U-plane).

Data modification on a network element: can be performed by exploiting an implementation error in a protocol or application.

Compromise of a network element: can be achieved through a flaw in the implementation of a protocol or application, or through a management interface.
Using a compromised network element such as an MS, an attacker can perform user impersonation by sending signaling and user data into the network to make the network believe that they originate from the target user. Similarly, an attacker using a modified BS can perform network spoofing by sending signaling and/or user data to a target user in order to make the target user believe that the messages originate from a genuine network.

Malicious insider: a user who inadvertently runs a malicious application, or an administrator with authorized network access.

This can be achieved by exploiting a flaw in the authentication and authorization mechanisms, or in the billing processes, in order to use services without being billed.
ATTACKS AGAINST SECURITY AND CONFIDENTIALITY

Attacks against security and confidentiality are presented
Similarly, [50] proposed an improved EPS-AKA scheme that addresses user identity privacy by introducing a UE-borne dynamic mobile subscriber identity (DMSI) in place of the IMSI. The DMSI is updated from the random number received at each successful EPS-AKA run, so knowledge of the IMSI is confined to the UE and the HSS and the IMSI itself never has to be transmitted. In particular, these threats can lead to disclosure of the identity sent in plaintext, a DoS associated with.
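The principle behind a UE-borne dynamic identifier, as an added illustration that is not the scheme of [50] or code from the paper: the UE identifies itself with a pseudonym (DMSI), the HSS resolves the pseudonym to the IMSI, and after every successful run both sides derive the next pseudonym from the RAND of that run. The derivation function (HMAC-SHA-256 over the long-term key), the field lengths, the IMSI value and the message layout are assumptions made for this example; the "previous" table is the part a practitioner should not skip, since a lost final message would otherwise leave the UE with a DMSI the HSS no longer knows.

```python
"""Pseudonym rotation for an AKA-style exchange (added illustration).

Not the scheme of [50]: a simplified model of its stated idea. The KDF,
the pseudonym and tag lengths and the message layout are assumptions.
"""
import hashlib
import hmac
import os

DMSI_LEN = 8  # pseudonym length in bytes (assumption)
TAG_LEN = 8   # RES / network-authentication tag length (assumption)


def kdf(k: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    """Derive n bytes from the long-term key K, a label and the RAND."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:n]


class HSS:
    """Home subscriber server: maps current and previous DMSIs back to IMSIs."""

    def __init__(self):
        self.keys = {}      # imsi -> long-term key K
        self.current = {}   # dmsi -> imsi (what the UE should use now)
        self.previous = {}  # dmsi -> imsi (tolerates one lost final message)
        self.pending = {}   # imsi -> (rand, expected RES)

    def provision(self, imsi, k, dmsi0):
        """Out-of-band provisioning: the only step that handles the IMSI."""
        self.keys[imsi] = k
        self.current[dmsi0] = imsi

    def _lookup(self, dmsi):
        return self.current.get(dmsi) or self.previous.get(dmsi)

    def challenge(self, dmsi):
        """Return (RAND, MAC) for a known DMSI, or None for an unknown one."""
        imsi = self._lookup(dmsi)
        if imsi is None:
            return None
        k = self.keys[imsi]
        rand = os.urandom(16)
        self.pending[imsi] = (rand, kdf(k, b"RES", rand, TAG_LEN))
        return rand, kdf(k, b"MAC", rand, TAG_LEN)

    def verify(self, dmsi, res):
        """Check RES; on success rotate the subscriber's DMSI from this RAND."""
        imsi = self._lookup(dmsi)
        if imsi is None or imsi not in self.pending:
            return False
        rand, xres = self.pending.pop(imsi)
        if not hmac.compare_digest(res, xres):
            return False
        new_dmsi = kdf(self.keys[imsi], b"DMSI", rand, DMSI_LEN)
        for table in (self.current, self.previous):
            for d in [d for d, i in table.items() if i == imsi]:
                del table[d]
        self.previous[dmsi] = imsi      # still accepted if the UE missed the result
        self.current[new_dmsi] = imsi
        return True


class UE:
    def __init__(self, imsi, k, dmsi0):
        self.imsi, self.k, self.dmsi = imsi, k, dmsi0
        self._next = None

    def identity(self):
        """Identity sent over the air: the DMSI, never the IMSI."""
        return self.dmsi

    def respond(self, rand, mac):
        """Authenticate the network first, then answer and pre-compute the next DMSI."""
        if not hmac.compare_digest(mac, kdf(self.k, b"MAC", rand, TAG_LEN)):
            raise ValueError("network authentication failed")
        self._next = kdf(self.k, b"DMSI", rand, DMSI_LEN)
        return kdf(self.k, b"RES", rand, TAG_LEN)

    def commit(self):
        self.dmsi = self._next


def run_aka(ue, hss):
    """One AKA run; True on mutual authentication and DMSI rotation."""
    ident = ue.identity()
    chal = hss.challenge(ident)
    if chal is None:
        return False
    rand, mac = chal
    res = ue.respond(rand, mac)
    if not hss.verify(ident, res):
        return False
    ue.commit()
    return True
```

What the model does not cover is the case where both the current and the previous pseudonym are lost (for example after an HSS restore from backup); a deployable scheme needs a recovery path for that case, and any recovery that falls back to sending the IMSI in the clear reintroduces exactly the disclosure the scheme is meant to remove.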
As a countermeasure, the proposed solution is a new LTE-AKA scheme that does not transmit the IMSI in clear and uses WiFi APs connected to the Internet to establish a secure side channel. These vulnerabilities can also lead to attacks on the Cipher Mode Command (CMC) message exchanged between the 2G BS and the MS, because the CMC message is not integrity protected. Another weakness of 4G mobile networks concerns converged wireless networks, especially WiMAX.

To mitigate this threat, the authors proposed generalizing phase encryption to any communication system, independent of the underlying modulation scheme.

LTE cellular security: the EPS-AKA scheme needs improvement, and secure access authentication mechanisms are needed for UE access to the EPC via non-3GPP networks, in order to protect against user identity disclosure, DoS attacks and other malicious attacks.

MTC security: the design of MTC security mechanisms in LTE/LTE-Advanced (LTE-A) is ongoing research work.
IP-BASED ATTACKS
IP-BASED ATTACKS AGAINST THE BACKHAUL
In addition, the authors of [24] proposed extending the authentication mechanism to all management frameworks, together with RRC encryption and user plane protection, in order to mitigate the threats related to the exposed UE identity in LTE. Their solution relies on digital authentication and signatures against spoofing and MITM, encryption against eavesdropping, and spread-spectrum and similarly robust techniques against physical layer attacks. This solution can resist traffic analysis, which cannot be prevented by any security primitive in the upper layers.
LTE system architecture: more security mechanisms should be designed to protect communication against traditional protocol attacks and physical intrusion in LTE networks.

LTE handover security: further improvement is needed in the key management mechanisms and handover verification procedures to prevent protocol attacks, desynchronization attacks and replay attacks.

IMS security: fast and robust IMS access authentication mechanisms are required to simplify the authentication process and to prevent DoS attacks and other malicious attacks in LTE networks.

HeNB security: simple and robust mutual authentication mechanisms between the UEs and the HeNBs are required to prevent various protocol attacks.

The proposed protocol retains the ability to block malicious traffic, so that anonymity cannot be abused, while protecting the privacy of the requester from all other parties involved in a communication. It is used to build IPsec BEET (Bound End-to-End Tunnel) mode VPNs overlaid on the backhaul network.
GTP-BASED ATTACKS
As a result, the proposed VPN solution provides user authentication and authorization, payload encryption, and privacy protection against IP-based attacks on the LTE backhaul. In [99], the authors gave a comprehensive overview of the security mechanisms involved in the implementation of VoLTE in a commercial mobile network. They outlined several vulnerabilities: malicious software can change the SIP source port and initiate VoLTE sessions from a different source port without being rejected by the SIP server; the absence of a media proxy in the mobile network means that nothing prevents the UE from transmitting media data directly; and data can be sent through the VoLTE bearer and the QoS negotiation manipulated.

Other vulnerabilities relate to a UE permission model mismatch, direct SIP communication between UEs due to inadequate default-bearer access control for SIP signaling at the P-GW, the lack of SIP message authentication, and the lack of session management in the SIP servers. These can be exploited to perform an in-call DoS attack that blocks the victim's mobile phone, and to overcharge the victim, using malicious software. In fact, exploiting VoLTE vulnerabilities related to the abuse of the signaling bearer for call placement and Circuit-.
DIAMETER-BASED ATTACKS
As a countermeasure, filtering of outgoing packets at the P-GW, with only SIP messages allowed on the signaling bearer, is proposed, together with strict session management that prevents SIP tunneling, DoS and cellular peering. Another proposed solution includes UE verification to protect against call spoofing, and DPI at the P-GW to detect when the VoLTE bearer is in use.
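The two countermeasures above (SIP-only filtering on the signaling bearer and session-aware handling of media) as an added, self-contained model of a P-GW policy; this is not code from [99] or from any operator's P-GW. The P-CSCF address, the use of UDP for SIP, the packet representation and the small SIP/SDP subset parsed here are assumptions made for the example. The filter answers three of the weaknesses listed above: non-SIP payloads on the signaling bearer are dropped (no data tunneling over the free bearer), an uplink SIP message whose source port differs from the one bound at REGISTER is dropped (the changed-source-port case), and media is forwarded only to the endpoint negotiated in the SDP of an active session (no direct UE-to-UE media without a session).

```python
"""Signaling-bearer and media policy at the P-GW (added illustration).

Not code from [99]. The P-CSCF address, SIP over UDP, the packet record
layout and the parsed SIP/SDP subset are assumptions for this example.
"""
import re
from dataclasses import dataclass, field

PCSCF = "10.0.0.1"   # assumed P-CSCF reachable over the signaling bearer
SIP_PORT = 5060
SIP_START = re.compile(rb"^(INVITE|REGISTER|BYE|ACK|CANCEL|OPTIONS|SIP/2\.0) ")


@dataclass
class SessionState:
    registered_port: dict = field(default_factory=dict)  # ue_ip -> port bound at REGISTER
    media: dict = field(default_factory=dict)            # ue_ip -> (peer_ip, peer_port) from SDP


def parse_sdp_media(msg: bytes):
    """Return (ip, port) from the c= and m=audio lines of an SDP body, or None."""
    c = re.search(rb"^c=IN IP4 (\S+)", msg, re.M)
    m = re.search(rb"^m=audio (\d+) ", msg, re.M)
    return (c.group(1).decode(), int(m.group(1))) if c and m else None


def pkt(bearer, direction, ue_ip, ue_port, remote_ip, remote_port, payload, proto="udp"):
    """Constructed packet record ('up' = sent by the UE, 'down' = sent to the UE)."""
    if direction == "up":
        src, dst = (ue_ip, ue_port), (remote_ip, remote_port)
    else:
        src, dst = (remote_ip, remote_port), (ue_ip, ue_port)
    return dict(bearer=bearer, direction=direction, ue_ip=ue_ip, proto=proto,
                src_ip=src[0], src_port=src[1], dst_ip=dst[0], dst_port=dst[1],
                payload=payload)


def remote_end(p):
    return (p["dst_ip"], p["dst_port"]) if p["direction"] == "up" else (p["src_ip"], p["src_port"])


def ue_port(p):
    return p["src_port"] if p["direction"] == "up" else p["dst_port"]


def observe_sip(state, ue_ip, port, direction, msg):
    """Track the REGISTER port binding and the media endpoint negotiated in SDP."""
    if direction == "up" and msg.startswith(b"REGISTER"):
        state.registered_port[ue_ip] = port
    elif direction == "down" and msg.startswith(b"SIP/2.0 200"):
        peer = parse_sdp_media(msg)
        if peer:
            state.media[ue_ip] = peer
    elif msg.startswith(b"BYE"):
        state.media.pop(ue_ip, None)


def filter_packet(state, p):
    """Return 'allow' or a 'drop: ...' reason for one packet seen at the P-GW."""
    ue_ip = p["ue_ip"]
    if p["bearer"] == "signaling":
        if p["proto"] != "udp" or remote_end(p) != (PCSCF, SIP_PORT):
            return "drop: signaling bearer may only carry traffic to/from the P-CSCF"
        if not SIP_START.match(p["payload"]):
            return "drop: non-SIP payload on signaling bearer"
        bound = state.registered_port.get(ue_ip)
        if p["direction"] == "up" and bound is not None and ue_port(p) != bound:
            return "drop: SIP source port differs from the registered binding"
        observe_sip(state, ue_ip, ue_port(p), p["direction"], p["payload"])
        return "allow"
    if p["bearer"] == "media":
        peer = state.media.get(ue_ip)
        if peer is None:
            return "drop: no negotiated session for this UE"
        if p["proto"] != "udp" or remote_end(p) != peer:
            return "drop: media endpoint was not negotiated in SDP"
        return "allow"
    return "drop: unknown bearer"
```

The payload check is deliberately a prefix match rather than a full SIP parse: the point of the signaling-bearer rule is that anything that is not SIP to the P-CSCF is dropped, and a full parser in that position would itself be an attack surface. A real deployment also has to handle SIP over TCP/TLS and the REGISTER refresh, which this model leaves out.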
SIGNALING ATTACKS
Upon receiving a congestion-marked packet, the TCP receiver informs the sender of the impending congestion in the subsequent acknowledgment (ACK), which in turn triggers the congestion avoidance algorithm at the sender. As previously mentioned, LTE has brought a sharp increase in video traffic in mobile networks, which can be used to congest the network. To address the signaling overhead of high-volume video streaming, which can raise the OPEX of mobile operators, the authors of [105] proposed a content-aware (CA) priority marking and layering scheme that enables efficient quality of experience (QoE)-based layer dropping at the eNB.

In LTE, this scheme is applied in two modules: a CA priority marking module that marks each video layer packet with its priority, and a CA layer dropping module at the eNB that drops received packets according to their priority. The marking can be performed at the application layer, depending on where the video originates. Finally, another typical signaling attack is the NAS request attack targeting the HSS/AuC.
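The two modules described above, as an added illustration written for this page and not the code of [105]: a marking module that assigns a priority from the layer index, and a dropping module that serves packets in priority order under a capacity budget, next to a priority-unaware tail-drop baseline. The example assumes a layered (SVC-style) stream in which an enhancement layer is only decodable when the lower layers of the same frame were received; the frame count, per-layer sizes and the capacity figure are constructed for the example. What it shows is that both policies forward the same number of bytes, but tail drop loses whole frames while layer dropping keeps every frame at base quality.

```python
"""Content-aware priority marking and layer dropping (added illustration).

Not the code of [105]. Assumes an SVC-style stream (enhancement layer
decodable only with the lower layers of the same frame); sizes and the
capacity figure are constructed for the example.
"""


def make_stream(frames=10, layer_sizes=(1000, 600, 400)):
    """Constructed stream: each frame carries one packet per layer (0 = base)."""
    return [dict(frame=f, layer=l, size=s)
            for f in range(frames) for l, s in enumerate(layer_sizes)]


def mark_priority(packets):
    """CA marking module: priority follows the layer index, base layer first."""
    for p in packets:
        p["priority"] = p["layer"]
    return packets


def ca_layer_drop(packets, capacity):
    """CA dropping module at the eNB: serve packets in priority order (the base
    layer of every frame before any enhancement layer) until capacity is used."""
    kept, used = [], 0
    for p in sorted(packets, key=lambda p: (p["priority"], p["frame"])):
        if used + p["size"] <= capacity:
            kept.append(p)
            used += p["size"]
    return kept


def tail_drop(packets, capacity):
    """Priority-unaware baseline: forward in arrival order until capacity is used."""
    kept, used = [], 0
    for p in packets:
        if used + p["size"] <= capacity:
            kept.append(p)
            used += p["size"]
    return kept


def decodable_frames(kept):
    """Frames that can be shown at all: their base-layer packet was kept."""
    return len({p["frame"] for p in kept if p["layer"] == 0})


def useful_bytes(kept):
    """Bytes the decoder can use: a layer counts only if all lower layers of its frame were kept."""
    have = {(p["frame"], p["layer"]) for p in kept}
    return sum(p["size"] for p in kept
               if all((p["frame"], l) in have for l in range(p["layer"])))


def compare(capacity=13000):
    """Run both policies on the constructed stream; returns (decodable, useful) per policy."""
    stream = mark_priority(make_stream())
    ca, tail = ca_layer_drop(stream, capacity), tail_drop(stream, capacity)
    return {"ca": (decodable_frames(ca), useful_bytes(ca)),
            "tail": (decodable_frames(tail), useful_bytes(tail))}
```

The sort key ties priority to the layer only; a scheme that also weighs frame type (I before P before B) would extend the key, not the dropping loop.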
The NAS request attack exploits weaknesses in the E-UTRAN attach procedure, where the RRC messages exchanged during attachment (RRCConnectionRequest, RRCConnectionSetup, RRCConnectionSetupComplete, RRCConnectionReject and RRCConnectionRelease) are unprotected. Since the C-RNTI is only a temporary identifier of the mobile in the cellular radio network, assigned by the network through RRC control signaling, this weakness can be exploited to cause a DoS by flooding the HSS/AuC [14]. The authors also highlighted how weaknesses in the E-UTRAN can be exploited to carry out effective DoS attacks.
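One way the pattern above shows up on the network side, as an added detection example that is not from [14]: every attach request costs the HSS/AuC an authentication vector, while a flood driven by throw-away C-RNTIs never reaches AttachComplete, so a per-cell sliding window over request count and completion ratio separates a flooded cell from a busy one. The log format, the field names, the thresholds and the sample events are constructed assumptions for this example; the detector logic is the part that transfers.

```python
"""Attach-request flood detector over constructed MME-side log lines.

Added illustration, not from [14]. Log format, thresholds, window length
and the sample events are assumptions made for the example.
"""
import re
from collections import defaultdict, deque

LINE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) cell=(?P<cell>\d+) "
                  r"c_rnti=(?P<rnti>0x[0-9a-f]+) msg=(?P<msg>\w+)$")


def parse_line(line):
    """Parse one constructed log line into (ts, cell, c_rnti, msg), or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["cell"], m["rnti"], m["msg"]


class AttachFloodDetector:
    """Per-cell sliding window over AttachRequest / AttachComplete events.

    A cell trips when more than max_requests requests sit in the window and
    fewer than min_completion of them completed; the alarm fires once per
    episode and re-arms when the condition clears."""

    def __init__(self, window=10.0, max_requests=50, min_completion=0.5):
        self.window, self.max_requests, self.min_completion = window, max_requests, min_completion
        self.requests = defaultdict(deque)   # cell -> deque of (ts, c_rnti)
        self.completes = defaultdict(deque)  # cell -> deque of (ts, c_rnti)
        self.alarmed = set()

    def _expire(self, cell, now):
        for q in (self.requests[cell], self.completes[cell]):
            while q and q[0][0] < now - self.window:
                q.popleft()

    def feed(self, ts, cell, rnti, msg):
        """Consume one event; return an alarm string the first time a cell trips."""
        if msg == "AttachRequest":
            self.requests[cell].append((ts, rnti))
        elif msg == "AttachComplete":
            self.completes[cell].append((ts, rnti))
        else:
            return None
        self._expire(cell, ts)
        n, done = len(self.requests[cell]), len(self.completes[cell])
        if n > self.max_requests and done / n < self.min_completion:
            if cell in self.alarmed:
                return None
            self.alarmed.add(cell)
            distinct = len({r for _, r in self.requests[cell]})
            return (f"cell {cell}: {n} attach requests from {distinct} C-RNTIs "
                    f"in {self.window:g}s, {done} completed")
        self.alarmed.discard(cell)
        return None


def run(lines, **kw):
    """Feed log lines through a detector; return the list of alarms raised."""
    det, alarms = AttachFloodDetector(**kw), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        alarm = det.feed(*ev)
        if alarm:
            alarms.append(alarm)
    return alarms


def build_sample_log():
    """Constructed sample: cell 100 behaves normally, cell 200 is flooded."""
    events = []
    for i in range(20):                       # 20 UEs attach and complete over 10 s
        t = i * 0.5
        events.append((t, f"{t:.1f} cell=100 c_rnti=0x{i:04x} msg=AttachRequest"))
        events.append((t + 0.2, f"{t + 0.2:.1f} cell=100 c_rnti=0x{i:04x} msg=AttachComplete"))
    for i in range(80):                       # 80 requests in 8 s, none completes
        t = i * 0.1
        events.append((t, f"{t:.1f} cell=200 c_rnti=0x{0x1000 + i:04x} msg=AttachRequest"))
    return [line for _, line in sorted(events)]
```

The completion ratio is what keeps a legitimately busy cell (a stadium emptying, a recovery after an outage) from tripping the same rule as a flood; the request count alone would not. Thresholds have to be set per cell size from baseline traffic rather than taken from this example.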
JAMMING-BASED ATTACKS
- SMART JAMMING
- NOISE JAMMING
- CORRELATED JAMMING
- JAMMING OVER THE CONTROL CHANNEL
- OPEN RESEARCH PROBLEMS
Smart jamming: this typically exploits weaknesses in upper-layer protocols in order to block legitimate transmissions. Typical attacks include MAC control packet jamming in WiFi, which can be grouped into request-to-send (RTS) jamming, clear-to-send (CTS) jamming and ACK jamming attacks [112]. Performing such an attack in LTE requires prior knowledge of the physical resource blocks (PRBs) assigned to an uplink control channel at the physical layer, which can be obtained from the unprotected system information (SIB) messages carried on the PBCH and the physical downlink shared channel (PDSCH) [18].

It can be carried out by attacking the frequency-domain structure of the preamble, destroying the correlation between the two halves of the first preamble symbol. As a result, the original pilot tone is cancelled, degrading network performance. In the MIMO (multiple input multiple output) case, this attack is also referred to as the singularity attack: a multi-antenna jammer attempts to manipulate the pilot tone so as to distort the channel state information (CSI) at the receiver.

Cyclic prefix jamming attacks: this attack targets the cyclic prefix and can destroy the correlation the receiver relies on, jamming the received signal. Jamming the spectrum allocated to the PUCCH may therefore reduce LTE link availability in one or more cells. By flooding the random access channel, this attack can prevent the base station from letting users initiate communication.
MITIGATING 4G AVAILABILITY AND SECURITY ATTACKS

DoS and DDoS attacks in 4G mobile networks are still an open issue
MITIGATING LTE BACKHAUL ATTACKS
CONCLUSION