HAXPO D1 - Hacking LTE Public Warning Systems - Weiguang Li


Hacking Public Warning System in LTE

Mobile Network

Li, Weiguang
weelight.li@gmail.com

UnicornTeam@360 Technology
Agenda
01 About Public Warning System in LTE Network

02 The Vulnerability in LTE Protocol

03 Trigger the Vulnerability

a. Build a Fake LTE Base Station

b. Forge the Fake Warning Messages

04 Conclusion
01
About Public Warning System in LTE Network
Alert the Public to Such Disasters
PWS Warning System All Over the World

EU-ALERT
KPAS

CMAS
ETWS
Press Release
• Hawaiian Missile Alert in January 2018
02
The Vulnerability in LTE Protocol
Vulnerabilities in LTE Protocol

Attack vector

1. The warning messages over the air are neither encrypted nor integrity protected.
2. The UE doesn't authenticate the base station during cell reselection.
03
Trigger the vulnerability
How to Build a Fake LTE Network

Hardware
USRP B210
ThinkPad

Software
srsLTE /srsENB
Configuration in srsENB

Figures: LTE Discovery App screenshot; srsLTE config file


Cell Reselection

Increase the success rate of the mobile phone attaching to the false base station:

1. Larger signal power


2. Same radio frequency
3. Same PCI
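The three parameters listed above are also what a defender can watch for. The following cell-scan heuristics are an added example, not code from the talk or from the LTE Discovery App: a cell that keeps its EARFCN and PCI but suddenly appears far stronger than its baseline, or a cell advertising the test PLMN, is flagged. The scan-record layout, the power threshold and the sample data are constructed.

```python
"""Cell-scan heuristics for spotting a fake base station that uses the three
tricks above: much stronger signal, same radio frequency (EARFCN) and same
PCI as a legitimate cell. Added example, not code from the talk or from the
LTE Discovery App; the scan-record layout, the power threshold and the
sample data are constructed."""

# Test PLMN (MCC 001, MNC 01) the talk's test iPhone accepted; no real operator uses it.
TEST_PLMNS = {("001", "01")}
POWER_JUMP_DB = 20.0  # RSRP increase over the baseline that is implausible for the same cell (constructed)


def rogue_cell_alerts(baseline, scan):
    """baseline: {(earfcn, pci): {"plmn": (mcc, mnc), "tac": int, "rsrp": float}}
    learned from earlier scans; scan: current observations with the same fields
    plus "earfcn" and "pci". Returns [((earfcn, pci), [reasons...]), ...].
    Cells absent from the baseline are not flagged by themselves: a new
    legitimate cell and a fake one with a fresh PCI look alike at this layer."""
    alerts = []
    for cell in scan:
        key = (cell["earfcn"], cell["pci"])
        reasons = []
        if tuple(cell["plmn"]) in TEST_PLMNS:
            reasons.append("test PLMN")
        known = baseline.get(key)
        if known is not None:
            jump = cell["rsrp"] - known["rsrp"]
            if jump >= POWER_JUMP_DB:
                reasons.append("power jump %.0f dB on same EARFCN/PCI" % jump)
            if cell["tac"] != known["tac"]:
                reasons.append("TAC changed")
            if tuple(cell["plmn"]) != tuple(known["plmn"]):
                reasons.append("PLMN changed")
        if reasons:
            alerts.append((key, reasons))
    return alerts


# Constructed baseline and scan; PLMN 999/99 is a placeholder, not a real operator.
BASELINE = {
    (1850, 123): {"plmn": ("999", "99"), "tac": 1234, "rsrp": -95.0},
    (1850, 124): {"plmn": ("999", "99"), "tac": 1234, "rsrp": -101.0},
}
SCAN = [
    {"earfcn": 1850, "pci": 124, "plmn": ("999", "99"), "tac": 1234, "rsrp": -99.0},  # normal drift
    {"earfcn": 1850, "pci": 123, "plmn": ("999", "99"), "tac": 1234, "rsrp": -60.0},  # +35 dB: suspicious
    {"earfcn": 1850, "pci": 200, "plmn": ("001", "01"), "tac": 7, "rsrp": -70.0},     # test PLMN
]

if __name__ == "__main__":
    for key, reasons in rogue_cell_alerts(BASELINE, SCAN):
        print(key, ", ".join(reasons))
```

The baseline would normally be built from repeated scans at the same location; a single strong reading is only a hint, and a UE-side detector cannot see the missing authentication itself, which is why the mitigation later in the deck is needed.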
PWS Message's Carrier—System Information Block

SIB Type 1: SIB scheduling information
SIB Type 2: Common and shared channel information
SIB Type 3: Cell re-selection information
SIB Type 4: Cell re-selection information, intra-frequency neighbor information
SIB Type 5: Cell re-selection information, intra-frequency neighbor information
SIB Type 6: Cell re-selection information for UTRA
SIB Type 7: Cell re-selection information for GERAN
SIB Type 8: Cell re-selection information for CDMA2000
SIB Type 9: Home eNB identifier
SIB Type 10: ETWS primary notification (Japan)
SIB Type 11: ETWS secondary notification (Japan)
SIB Type 12: EU-Alert (Europe), KPAS (South Korea), CMAS notification (USA)
Forge the ETWS Message

Four main components are involved in sending ETWS:

• SIB 10 : Primary Notification


• SIB 11 : Secondary Notification
• Paging : ETWS indication
• SIB 1: Schedule SIB 10 and SIB 11
ETWS Primary Notification
• The ETWS Primary Notification message cannot carry specific message content.

main source code to send ETWS primary notification


ETWS Primary Notification OTA Log

SystemInformationBlockType1, SystemInformationBlockType10
Indication of PWS Notification in Paging
• The paging procedure is used to alert UEs quickly to PWS Notifications
• The length of the paging cycle determines how promptly users obtain the warning message

Source code of adding etws indication in rrc::is_paging_opportunity

Paging message log


Fake Earthquake Warning Demo
ETWS Secondary Notification

• Custom content
• ETWS secondary notification supports message segmentation.
• It supports the GSM-7 and UCS-2 character encoding standards.
ETWS Secondary Notification

Source code to send ETWS secondary notification


Not Just Warning Message

• Set Message Identifier to 0x1104 instead of 0x1102


• No loud alarm sound, just mild bells
• Warning messages can be disguised as spam messages which may contain advertisements, phishing sites or fraud messages.
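What a phone (or a monitoring receiver) does with these broadcasts depends on the message identifier and on how the secondary notification's pages are decoded. The following decoder is an added example, not code from the talk or from srsLTE: it classifies the message identifier (0x1102 versus 0x1104 in the slide above), reassembles the pages of a segmented secondary notification, and decodes GSM-7 or UCS-2 text. Identifier values follow 3GPP TS 23.041; the page-record layout and the sample messages are a constructed simplification of the real CB-Data structure.

```python
"""Decode PWS warning broadcasts the way a monitoring UE or a baseband log
parser would: classify the message identifier, reassemble the pages of a
secondary notification and decode GSM-7 or UCS-2 text.

Added example, not code from the talk or from srsLTE. Message identifier
values follow 3GPP TS 23.041; the page record layout used here
(msg_id, serial, page, total, coding, payload, septets) is a constructed
simplification of the real CB-Data structure."""

# Message identifiers from 3GPP TS 23.041 (ETWS range plus the CMAS presidential alert).
MESSAGE_IDS = {
    0x1100: "ETWS earthquake",
    0x1101: "ETWS tsunami",
    0x1102: "ETWS earthquake and tsunami",
    0x1103: "ETWS test",
    0x1104: "ETWS other emergency",
    0x1112: "CMAS presidential alert",
}

# Septets of the GSM 7-bit default alphabet that do NOT coincide with ASCII.
GSM7_NON_ASCII = {0x24, 0x40, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60,
                  0x7B, 0x7C, 0x7D, 0x7E, 0x7F}


def classify(msg_id):
    """Human-readable category for a message identifier."""
    return MESSAGE_IDS.get(msg_id, "unknown/other (0x%04x)" % msg_id)


def pack_gsm7(text):
    """Pack ASCII text into 7-bit septets, LSB first (TS 23.038 6.1.2.1.1).
    Returns (packed_bytes, septet_count)."""
    buf, nbits, out = 0, 0, bytearray()
    for ch in text:
        buf |= (ord(ch) & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(buf & 0xFF)
            buf >>= 8
            nbits -= 8
    if nbits:
        out.append(buf & 0xFF)
    return bytes(out), len(text)


def unpack_gsm7(data, septet_count):
    """Reverse of pack_gsm7. Only septets that coincide with ASCII are mapped;
    the rest of the default alphabet is rendered as '?'."""
    buf, nbits, chars = 0, 0, []
    for b in data:
        buf |= b << nbits
        nbits += 8
        while nbits >= 7 and len(chars) < septet_count:
            s = buf & 0x7F
            buf >>= 7
            nbits -= 7
            chars.append(chr(s) if 0x20 <= s <= 0x7E and s not in GSM7_NON_ASCII else "?")
    return "".join(chars)


def decode_pages(pages):
    """Reassemble one warning from its pages. Returns (category, text), or
    None when a page is missing: a UE must not display a partial warning."""
    pages = sorted(pages, key=lambda p: p["page"])
    total = pages[0]["total"]
    if [p["page"] for p in pages] != list(range(1, total + 1)):
        return None
    text = []
    for p in pages:
        if p["coding"] == "ucs2":
            text.append(p["payload"].decode("utf-16-be"))
        else:
            text.append(unpack_gsm7(p["payload"], p["septets"]))
    return classify(pages[0]["msg_id"]), "".join(text)


def decode_broadcast(segments):
    """Group received pages by (message identifier, serial number) and decode each."""
    groups = {}
    for s in segments:
        groups.setdefault((s["msg_id"], s["serial"]), []).append(s)
    return {key: decode_pages(pages) for key, pages in groups.items()}


def make_page(msg_id, serial, page_no, total, text, coding="gsm7"):
    """Build a constructed page record for the sample below."""
    if coding == "ucs2":
        payload, septets = text.encode("utf-16-be"), 0
    else:
        payload, septets = pack_gsm7(text)
    return {"msg_id": msg_id, "serial": serial, "page": page_no, "total": total,
            "coding": coding, "payload": payload, "septets": septets}


# Constructed sample: pages arrive out of order, one warning is UCS-2, one is incomplete.
SAMPLE_SEGMENTS = [
    make_page(0x1100, 0x3000, 2, 2, " TAKE COVER."),
    make_page(0x1100, 0x3000, 1, 2, "EARTHQUAKE WARNING."),
    make_page(0x1104, 0x3001, 1, 1, "地震警报", coding="ucs2"),
    make_page(0x1102, 0x3002, 1, 2, "TSUNAMI"),  # page 2 never received
]

if __name__ == "__main__":
    for key, result in decode_broadcast(SAMPLE_SEGMENTS).items():
        print("0x%04x/0x%04x:" % key, result)
```

The category string is what a phone uses to choose the alert tone, which is why the slide's switch from 0x1102 to 0x1104 changes the user experience while the text stays under the sender's control; a receiver-side monitor that logs the decoded category and text per serial number gives an operator a record of every warning seen over the air.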
Google Pixel’s Response
(a) Earthquake warning message in English (b) Earthquake warning message in Chinese
(c) Spam message contains phishing site (d) Spam message contains fraud phone number



Phishing Warning Message Demo
iPhone’s Response

• As the PWS is not a mandatory specification for all countries, different models of mobile phones may react differently.
• The iPhone that we tested doesn't respond to the Primary ETWS Warning message, but it can respond to the Secondary ETWS Warning message.
• The iPhone that we tested only responds to the test PLMN (MCC: 001, MNC: 01).

Conclusion
Risk & Mitigation
Potential Risk

‘WARNING: Magnitude 10 Earthquake Is Coming in One Minute’

What will happen?


It may cause serious public panic.
Mitigation

• Verify the authenticity of the base station, so that a false one is rejected

• Add authentication procedure after cell selection

• Add signature to the broadcast system information


Mitigation
Network signs the PWS messages

Figure: signing flow for broadcast system information.
Inputs: System Info, K-SIG, Time Counter
-> Security Algorithm
-> appended to the System Info: LSBs of Time Count, Digital Signature
= Protected System Info
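The signing flow on this slide, worked through as an added example that is not code from the talk or from 3GPP: the network binds the system information to the full time counter, broadcasts only the counter's low bits plus the signature, and the UE reconstructs the counter from its own clock before checking. HMAC-SHA256 under a shared K-SIG stands in for the digital signature so the block runs with only the standard library; a deployed scheme would use a public-key signature so that the UE holds only a verification key. Field widths and the skew tolerance are constructed.

```python
"""Signed system information, following the flow on the mitigation slide:
(System Info, K-SIG, Time Counter) -> security algorithm -> (LSBs of the
time count, signature) appended to the system info.

Added example, not code from the talk or from 3GPP. HMAC-SHA256 under a
shared K-SIG stands in for the digital signature so the example runs with
only the standard library; a deployed scheme would use a public-key
signature so that the UE holds only a verification key. Field widths and
the skew tolerance are constructed."""

import hashlib
import hmac
import struct

TIME_LSB_BITS = 16      # low bits of the time counter carried in the broadcast
TAG_LEN = 8             # truncated signature/MAC length in bytes
MAX_SKEW = 2            # counter ticks the UE accepts between its clock and the broadcast
_TRAILER = 2 + TAG_LEN  # bytes appended to the system info


def _sign(sys_info, k_sig, time_count):
    """The 'security algorithm' box: bind the full time counter to the content."""
    msg = struct.pack(">Q", time_count) + sys_info
    return hmac.new(k_sig, msg, hashlib.sha256).digest()[:TAG_LEN]


def protect(sys_info, k_sig, time_count):
    """Network side: append the LSBs of the time count and the signature."""
    lsbs = time_count & ((1 << TIME_LSB_BITS) - 1)
    return sys_info + struct.pack(">H", lsbs) + _sign(sys_info, k_sig, time_count)


def verify(protected, k_sig, ue_time_count):
    """UE side. Returns (True, sys_info) or (False, None).
    Rejects unsigned or short SIBs, wrong keys, tampered content and replays
    of a SIB signed at a time far from the UE's own clock."""
    if len(protected) <= _TRAILER:
        return False, None
    sys_info = protected[:-_TRAILER]
    lsbs = struct.unpack(">H", protected[-_TRAILER:-TAG_LEN])[0]
    tag = protected[-TAG_LEN:]
    # Reconstruct the full counter from the UE clock and the broadcast LSBs,
    # picking the candidate nearest the UE clock so a wrap of the LSBs is handled.
    period = 1 << TIME_LSB_BITS
    base = (ue_time_count & ~(period - 1)) | lsbs
    full = min((base - period, base, base + period), key=lambda c: abs(c - ue_time_count))
    if abs(full - ue_time_count) > MAX_SKEW:
        return False, None  # stale: replayed SIB or a badly wrong clock
    if not hmac.compare_digest(tag, _sign(sys_info, k_sig, full)):
        return False, None  # forged, tampered or wrong key
    return True, sys_info


if __name__ == "__main__":
    k = b"constructed-K-SIG"
    sib = b"SIB10: ETWS primary notification, earthquake"
    p = protect(sib, k, 1000)
    print(verify(p, k, 1001))    # fresh and authentic
    print(verify(p, k, 1500))    # same bytes rebroadcast later: rejected
    print(verify(sib, k, 1000))  # unsigned SIB: rejected
```

The time counter is what turns a plain signature into replay protection: without it, a recorded signed warning could be rebroadcast at any later time and still verify. The UE must therefore keep a reasonably accurate clock, and the number of broadcast LSBs together with the skew tolerance fixes how long a captured SIB stays valid.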


Q/A
Thank You
