Abstract

A phone number is a unique identity code of a mobile subscriber, and it plays a more important role in mobile social network life than the other identification number, the IMSI. Unlike the IMSI, a mobile device never transmits its own phone number to the network side over the radio. However, the mobile network may send a user’s phone number to another mobile terminal when this user initiates a call or SMS service. Based on these facts, and with the help of an IMSI catcher and a 2G man-in-the-middle attack, this paper implemented a practicable and effective phone number catcher prototype targeting LTE mobile phones. We caught the LTE user’s phone number within a few seconds after the device camped on our rogue station. This paper intends to verify that mobile privacy is also quite vulnerable even in LTE networks as long as legacy GSM still exists. Moreover, we demonstrated that anyone with basic programming skills and knowledge of the GSM/LTE specifications can easily build a phone number catcher using SDR tools and commercial off-the-shelf devices. Hence, we hope that operators worldwide can completely disable GSM mobile networks in the areas covered by 3G and 4G networks as soon as possible, to reduce the possibility of attacks on higher-generation cellular networks. Several potential countermeasures are also discussed to temporarily or permanently defend against the attack.

Highlights

  • We demonstrated that the phone number catcher can be set up using available SDR (Software-Defined Radio) tools and commercial off-the-shelf devices, requiring only basic coding skills and knowledge of the Global System for Mobile Communications (GSM)/Long Term Evolution (LTE) specifications.

  • According to the results, what happened can be described by the following procedure: (i) the victim UE initiated a Location Update Request (LUR) to the Rogue GSM Network (RGN) after camping on our cell; (ii) the RGN caught the IMSI and IMEI(SV) of the victim UE and sent them to the malicious MS to start an IMSI-type LUR to the commercial GSM network; (iii) the malicious MS relayed the authentication parameter Rand received from the operator to the RGN.

  • The M5 Note received a call after the malicious MS initiated a mobile originating call, and displayed the phone number of the victim UE, as shown in Figure 10, which confirmed the practicability of our LTE phone number catcher model.


Summary

Introduction

The 2G mobile communication system has many security and privacy problems due to inherent flaws in its technical specifications, e.g., the lack of mutual authentication between MSs (Mobile Stations) and the networks, the difficulty of upgrading the weak cryptographic algorithms, and the fact that the MS always camps on the cell with the strongest radio signal power. With the help of accessible open source radio software tools, wireless security workers have disclosed more and more security and privacy vulnerabilities in LTE mobile networks, such as protocol flaws and implementation flaws. One of the potential protocol flaws in LTE is that the UE (User Equipment) may accept and process some signalling messages before the security context is established, according to the 3GPP (Third Generation Partnership Project) specification [2], which can be exploited by the Security and Communication Networks stakeholders to attack both the UEs and the networks. We briefly describe their network structures and basic concepts which are helpful for understanding the paper.
