DOI: 10.1145/3317549.3323416
research-article

Lost traffic encryption: fingerprinting LTE/4G traffic on layer two

Published: 15 May 2019

Abstract

Long Term Evolution (LTE) provides the communication infrastructure for both professional and private use cases and has become an integral part of our everyday life. Even though LTE/4G overcomes many security issues of previous standards, recent work demonstrates several attack vectors on the physical and network layers of the LTE stack. We do, however, have only limited insights into the security and privacy aspects of the second layer.
In this work, we investigate the impact of fingerprinting attacks on encrypted LTE/4G layer-two traffic. Traffic fingerprinting enables an adversary to exploit the metadata side-channel of transmissions, with severe consequences for the user's privacy. In multiple lab and commercial network experiments, we demonstrate the feasibility of passive and active fingerprinting attacks. First, passive website fingerprinting allows the attacker to learn a user's accessed website from encrypted transmissions. While being a well-known attack in other contexts, we provide an extensive performance baseline of state-of-the-art website fingerprinting attacks of encrypted LTE traffic in a lab setup and successfully repeat the experiments in a commercial network. Second, in an active identity-mapping attack, we inject watermarks and localize users within a radio cell. Our attacks succeed for the current LTE/4G specification and exploit features that also persist in the upcoming 5G standard.

    Published In

    WiSec '19: Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks
    May 2019
    359 pages
    ISBN:9781450367264
    DOI:10.1145/3317549
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. LTE
    2. identification attack
    3. website fingerprinting

    Qualifiers

    • Research-article

    Conference

    WiSec '19
    Acceptance Rates

    Overall Acceptance Rate 98 of 338 submissions, 29%

    Cited By

    • (2024) PROV5GC: Hardening 5G Core Network Security with Attack Detection and Attribution Based on Provenance Graphs. Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks. 10.1145/3643833.3656129 (254-264). Online publication date: 27-May-2024
    • (2024) Passive traffic analysis based on resource occupancy of mobile communication uplink control channel. Third International Conference on Algorithms, Microchips, and Network Applications (AMNA 2024). 10.1117/12.3031911 (9). Online publication date: 8-Jun-2024
    • (2023) LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper. Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks. 10.1145/3558482.3590196 (43-48). Online publication date: 29-May-2023
    • (2023) Lightweight and Effective Website Fingerprinting Over Encrypted DNS. 2023 Silicon Valley Cybersecurity Conference (SVCC). 10.1109/SVCC56964.2023.10165086 (1-8). Online publication date: 17-May-2023
    • (2023) WebTracker: Real Webbrowsing Behaviors. 2023 Silicon Valley Cybersecurity Conference (SVCC). 10.1109/SVCC56964.2023.10164930 (1-8). Online publication date: 17-May-2023
    • (2023) Towards Simultaneous Attacks on Multiple Cellular Networks. 2023 IEEE Security and Privacy Workshops (SPW). 10.1109/SPW59333.2023.00040 (394-405). Online publication date: May-2023
    • (2023) From 5G Sniffing to Harvesting Leakages of Privacy-Preserving Messengers. 2023 IEEE Symposium on Security and Privacy (SP). 10.1109/SP46215.2023.10179353 (3146-3161). Online publication date: May-2023
    • (2023) Targeted Privacy Attacks by Fingerprinting Mobile Apps in LTE Radio Layer. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 10.1109/DSN58367.2023.00035 (261-273). Online publication date: Jun-2023
    • (2022) Breaking Cellular IoT with Forged Data-plane Signaling: Attacks and Countermeasure. ACM Transactions on Sensor Networks 18:4. 10.1145/3534124 (1-26). Online publication date: 29-Nov-2022
    • (2022) On Privacy Risks of Watching YouTube over Cellular Networks with Carrier Aggregation. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 6:1. 10.1145/3517261 (1-22). Online publication date: 29-Mar-2022
