(A) Study on fault detection in LTE network: a black-box testing for LTE network components

Abstract

Long-Term Evolution (LTE), which is the latest mobile communication network technology, has been deployed for 10 years and many LTE vulnerabilities have been studied. Although much research on the vulnerability of control plane managing user mobility and sessions were also conducted, most of the studies focused on finding User Equipment (UE) vulnerabilities. In recent years, a few studies published that found vulnerabilities in LTE network components but these studies have at least one of the following limitations. First, only LTE standard analysis was performed, so it could not identify vulnerabilities in implementation flaws. Second, the security analysis was performed only on a few of the many states that could occur on the protocol.By complementing limitations of existing research, in this thesis, we present a fault detector that can identify unknown faults in LTE network components by performing security analysis in various states that could occur during control plane procedures of actual components' implementation. While performing the control plane procedure as UE, the fault detector identifies faults by sending variants of the message to LTE network components and checking subsequent messages coming down from the network. The detector sent message variants for the 8 uplink message types used in LTE attach procedure and produced a total of 171 variants. Testing two environments that were set up the same as the commercial environment found that 11 and 12 ineffective message variants in each environment were not handled properly. The invalid messages found are the messages that cause the fault, and by chaining these messages, we were able to construct the impersonation attack that an attacker who is not subscribed to the carrier can use LTE service by impersonating a normal subscriber.