In this demo, an attacker performs an end-to-end attack by automatically detecting PAGING messages with a sniffer and then issuing attack messages. Specifically, it exploits the PoC showing that the MME disrupts the victim UE's network service when it receives an ATTACH REQUEST message while the paging procedure is ongoing: as soon as the attacker sniffs a PAGING message, it sends an ATTACH REQUEST message carrying the victim UE's GUTI.
In this demo, the attacker again performs an end-to-end attack by detecting a PAGING message carrying a GUTI with a sniffer and then issuing an ATTACH REQUEST message with the victim UE's GUTI. The difference is that this demo exploits another PoC: the MME terminates the victim UE's network service when it receives an ATTACH REQUEST message with the victim's GUTI after it has received a SERVICE REQUEST message from the victim and before it has replied with a SERVICE ACCEPT/REJECT message.
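As an added example (not code from the demos or from the paper's own tooling), the following Python script sketches the MME-side check that both demos above call for: it replays a constructed trace of NAS events and flags any ATTACH REQUEST whose GUTI still has a paging or service request procedure in flight, instead of letting that request tear down the existing UE context. Message names, directions and GUTI values are assumptions.

```python
from enum import Enum

class Proc(Enum):
    IDLE = "idle"
    PAGING = "paging pending"            # PAGING sent, UE has not responded yet
    SERVICE = "service request pending"  # SERVICE REQUEST seen, no ACCEPT/REJECT yet

# How MME-side NAS events move a UE context between procedure states.
# Keyed by (direction, message): "out" = MME -> UE, "in" = UE -> MME.
TRANSITIONS = {
    ("out", "PAGING"): Proc.PAGING,
    ("in", "SERVICE_REQUEST"): Proc.SERVICE,
    ("out", "SERVICE_ACCEPT"): Proc.IDLE,
    ("out", "SERVICE_REJECT"): Proc.IDLE,
    ("out", "ATTACH_ACCEPT"): Proc.IDLE,
    ("out", "ATTACH_REJECT"): Proc.IDLE,
}

def audit(events):
    """Replay (direction, message, guti) events and return one alert per
    ATTACH REQUEST whose GUTI already has a paging or service request in flight.
    The colliding request is not allowed to change the tracked state: the
    existing context is kept rather than dropped (the mitigation for both PoCs)."""
    state = {}
    alerts = []
    for direction, msg, guti in events:
        current = state.get(guti, Proc.IDLE)
        if direction == "in" and msg == "ATTACH_REQUEST" and current is not Proc.IDLE:
            alerts.append((guti, current.value))
            continue  # do not let the colliding request advance or reset the context
        if (direction, msg) in TRANSITIONS:
            state[guti] = TRANSITIONS[(direction, msg)]
    return alerts

# Constructed sample trace (not captured from the paper's testbed); GUTIs are placeholders.
SAMPLE_EVENTS = [
    ("out", "PAGING", "guti-A"),
    ("in", "ATTACH_REQUEST", "guti-A"),   # arrives while paging is pending: first PoC
    ("in", "SERVICE_REQUEST", "guti-A"),  # the real UE answers the page
    ("out", "SERVICE_ACCEPT", "guti-A"),
    ("in", "SERVICE_REQUEST", "guti-B"),
    ("in", "ATTACH_REQUEST", "guti-B"),   # arrives before ACCEPT/REJECT: second PoC
    ("out", "SERVICE_REJECT", "guti-B"),
    ("in", "ATTACH_REQUEST", "guti-C"),   # no procedure in flight: ordinary attach
]

if __name__ == "__main__":
    for guti, proc in audit(SAMPLE_EVENTS):
        print(f"ALERT: ATTACH REQUEST for {guti} while {proc}")
```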
Notably, an end-to-end attack on the discovered vulnerabilities only needs a rough estimate of the time window at the procedure level: once the attacking UE identifies an ongoing procedure with such a vulnerability, it can continuously probe the MME with attack messages. For the vulnerabilities related to the attach procedure (including the identification, authentication, and security mode control procedures), the attack window can be identified by sniffing a PAGING message with IMSI. However, none of our simulators implements such a message. Hence, for these vulnerabilities, we give a PoC recorded in our testing environment to illustrate them.
Under T2, a fake base station uses its higher signal power to make UEs attach to it and can then send messages instructing them to disconnect from the network unless the device moves into a new area covered by another eNB with a different PLMN identity or TAI, or is rebooted. This demo shows an end-to-end attack: the fake base station sends a DETACH REQUEST message with EMM cause #3 when a legitimate UE attaches to it.