LTE is a more advanced mobile network but not absolutely secure. Recently there already some papers those exposed the vulnerabilities of LTE network. In this presentation, we will introduce one method which jointly exploits the vulnerabilities in tracking area update procedure, attach procedure, and RRC redirection procedure, and finally can force a targeted LTE cellphone to downgrade into a malicious GSM network, then consequently can eavesdrop its data traffic or even voice call. This attack is not a simple DoS attack. It can select the targeted cellphone by filtering the IMSI number (IMSI catcher function), so it will not influence the other cellphones and keep them still in the real network. Further more, it can force the cellphone into the malicious network that we setup (a fake network) or we assign (operator’s network), therefore the cellphone has no chance to choose other secure network. This is the danger point of this attack.
Haiqi Shan, currently a wireless/hardware security researcher in Unicorn Team. He focuses on GSM system, router/switcher hacking etc. Other research interests include reverse engineering on embedded devices such as femto-cell base station. He has gave presentations about GSM devices hacking and wireless hacking suit on DEF CON, Cansecwest, Syscan
Wanqiao Zhang, is a communication security researcher, from Unicorn Team of Qihoo 360 China. She received her master degree in electronic information engineering form Nanjing University of Aeronautics and Astronautics in 2015. Fascinated by the world of wireless security, she is currently focus on the security research of the GPS system and the cellular network