(A) study on the protocol vulnerability of LTE radio access network

Abstract

Compare to previous cellular network generation, Long Term Evolution (LTE) has achieved significant improvements in terms of security aspect. Especially in the Radio Access Network (RAN), even though LTE RAN is designed with security awareness, there have been a number of previous researches that try to uncover under-explored vulnerabilities that could exist across the entire LTE RAN. However, while there have been many previous researches analyzing the security requirements on the protocols used in LTE RAN, some limitations still exist. First, while many previous researches have been focused on vulnerabilities in the network layer (Layer 3) and physical layer (Layer 1), there have been a few studies focusing on data link layer (Layer 2). The second limitation is that even in the previous security analysis of layer 3, while most of the studies focus on protocol (e.g., RRC, NAS) conformance tests which check whether the LTE components handle the abnormal inputs properly, there is no systematic security analysis awaring the entire flow of the control plane protocol.

Motivated by the fact that systematic approach on both layer 2 and layer 3 of the control protocol in RAN is still under-explored, we investigated potential vulnerabilities across the layer with awareness of the flow of the control plane procedure. We use an empirical approach to examine the vulnerabilities on LTE layer 2 protocol, and perform a stateful downlink fuzzing to find misimplementation issues for LTE layer 3 protocol. As a result, we found several vulnerabilities in each layer which are either previously discovered or unknown. Next, based on the results, we could successfully conduct PoC attacks in realistic setup which are not shown in previous researches.