RU2832597C1 - Method of countering attacks aimed at listening to paging messages by introducing a pseudorandom delay on the core of a mobile network - Google Patents

Abstract

FIELD: information security.

SUBSTANCE: invention relates to information security in wireless communication networks. When initiating the paging procedure, the mobility control unit generates, buffers and sends a paging message with a certain delay calculated by the software towards all base stations belonging to the defined tracking area TA, wherein the time delay is calculated by the number generator in a pseudorandom way in the established range of values, the base station transmits a paging message to the subscriber device with a pseudorandom time delay.

EFFECT: high efficiency of counteracting malicious attacks based on listening to paging messages by a subscriber device in wireless communication networks.

1 cl

Description

The invention relates to the field of information security in wireless communication networks [H04W 4/00, H04W 12/00, H04W 12/02, H04W 12/12, H04W 12/121, H04W 12/122, H04W 12/128, H04W 12/30, H04W 12/40, H04W 12/60, H04W 12/61, H04W 12/63, H04W 12/64H04W 12/80, H04W 60/00, H04W 60/04]. It can be used in 2, 3, 4 and 5 generation mobile communication networks (GSM, UMTS, LTE, NR).

There are various known possible attacks on subscriber devices of cellular communication, which are carried out by intruders with various goals, such as obtaining various information (personal data, location data, Internet resources used, etc.) transmitted by subscriber devices, causing communication failures (deterioration of communication, reduction of communication speed, limitation of services provided), etc.

One of the most dangerous attacks, widely described in open sources, is aimed at identifying the location of a subscriber device (and therefore, with a high degree of probability, the owner) in a certain area. To determine the location of a subscriber device, attackers most often use receiving devices to "eavesdrop" on the channels transmitting paging messages. Such eavesdropping is possible, since the physical and MAC levels (in particular, LTE and NR) are transmitted in plain text. "Eavesdropping" is carried out using receivers with special software. For example, a USRP B 210 receiver with openLTE-based software can be used. By eavesdropping on service messages from base stations (as already mentioned, MAC-level messages are transmitted without encryption), you can find out a lot of service information (for example, time intervals, frequencies intended for the transmission of a particular subscriber device, as well as the delay time for a specific subscriber transmission device - TA). In wireless communications, the time advance (TA) parameter value corresponds to the length of time it takes for a signal to travel from a subscriber unit to a base station. For example, GSM uses TDMA technology on the air interface to share a single frequency among multiple users, assigning successive time slots to individual users sharing the same frequency. Each user transmits periodically for less than one-eighth of the time within one of the eight time slots. Since users are at different distances from the base station and radio waves travel at a finite speed, the exact time of arrival in a slot can be used by the base station to determine the distance to the subscriber unit. The time during which the subscriber unit is allowed to transmit a traffic packet within a time slot must be adjusted accordingly to prevent collisions with neighboring users. Timing Advance (TA) is a variable that controls the timing synchronization of the subscriber unit with the base station.

In wireless communication protocols, including LTE and NR, it is envisaged that a subscriber device in the RRC_idle state (“sleep mode”) does not exchange messages with base stations, but only “listens” from time to time to service messages from the base station, assuming that the subscriber device can receive a call (SMS message, call, message in a messenger, in a social network, application update, etc.). It should be added that it is in the “RRC_idle” mode that subscriber devices spend the overwhelming majority of their time.

Service messages for a specific subscriber device with the purpose of switching it to an active state to receive information from the base station are called "paging". At the same time, the periods when the subscriber device needs to "wake up" and "listen" to the radio are called "paging occasions". Depending on the settings of the subscriber device, it can perform such "listening" after 32, 64, 128 or 256 frames (the frame duration in LTE is 10 ms, in NR the frame duration varies), and the number of a specific subframe for listening is calculated based on its temporary (TMSI) or permanent (IMSI) identifier.

Upon receiving a paging message, the subscriber device switches from the sleep mode RRC_idle to the active mode RRC_connected. The device will also switch to the active mode with the RRC_connected connection if the transmission is carried out according to some unique schedule.

One such attack, based on eavesdropping on service information and, in particular, paging, is described in several sources. Thus, in the article by Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. arXiv:1510.07563 [cs], August 2017. arXiv: 1510.07563, it is stated that by “eavesdropping” exclusively on paging messages, an attacker can determine the location of the victim with an accuracy of 20-30 km to 2-3 km (if the base station uses intelligent paging).

The paging occasion may coincide for several subscriber devices at once, therefore the subscriber device will enter the active mode to receive information only if it “sees” the paging message in its paging occasion with its TMSI (in some cases, a permanent IMSI identifier is used).

Attackers use the so-called semi-active attack to match a specific phone number or account in social networks and instant messengers [Katharina Kohls, David Rupprecht, Thorsten Holz, and Christina Pöpper. Lost traffic encryption: fingerprinting LTE/4G traffic on laye two. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, pages 249–260, Miami Florida, May 2019]. Its essence is that the attacker performs actions to receive a paging message by the subscriber device (such an action can be a call and/or a message, including in social networks and instant messengers, etc.) and at the same time controls the arrival of paging messages from the base station in a specific area (by listening to service messages on the downlink, for this a receiver with special software is used). By comparing the time of this action and the time of sending the paging message from the base station to the subscriber (obviously, sending the paging message occurs with some delay, which depends on the settings of a specific TA/base station), an attacker can determine the location (confirm the location) of a specific subscriber device in the local area and, in addition, determine its TMSI identifier, which can remain unchanged for up to several days, and in some cases, a constant IMSI identifier. By intercepting the TA parameter of a subscriber device, an attacker can determine the location of the subscriber device with very high accuracy (up to several hundred or even tens of meters).

The TA parameter is created by mobile operators primarily to enable the subscriber device to synchronize with the base station. TA contains two blocks of information: the first block contains information about the distance from the subscriber device to the serving base station, the second block contains the UE transmission time on the uplink, and the TA parameter is transmitted with a reference to the TMSI identifier at the MAC level, which also does not imply its encryption.

It is obvious that localization of a subscriber device (confirmation of presence in a certain local area) can cause significant harm to the interests of the owner of this device. For example, an attacker can track the arrival of a victim in a certain area in order to commit more serious crimes against him (theft, hijacking of personal transport and even an attempt on his life), and also significantly limits the rights of the owner of the subscriber device to privacy.

To solve the above-mentioned problems of information security in wireless telecommunication networks, various methods are used.

Thus, the prior art discloses patent RU 2427103 C2 “HIDDENING TEMPORARY IDENTIFIERS OF USER EQUIPMENT” [published 20.08.2011], for the implementation of which a device is claimed for transmitting a message with a hidden temporary identifier to user equipment, comprising a processor configured to convert a first identifier (ID) assigned to the user equipment (UE) in order to obtain a second ID for the UE, to generate an output message sent to the UE, based on the input message and the second ID, and to send the output message via a common channel shared by the said UE and other UEs, wherein the processor is configured to mask at least part of the input message using the second ID in order to generate the output message; and a memory connected to the processor, and the method in which for transmitting a message with a hidden temporary identifier to the user equipment comprises the steps of converting a first identifier (ID) assigned to the user equipment (UE) to obtain a second ID for the UE, generating an output message sent to the UE based on the input message and the second ID, while masking at least a part of the input message using the second ID to generate the output message; and sending the output message through a common channel shared by said UE and other UEs.

Also known is patent US20200178065A1 [published: 01.03.2022], which claims a method for detecting and responding to paging channel attacks, including the following steps:

• monitoring by the wireless device processor of the common paging channel during a paging occasion in the discontinuous reception (DRX) cycle to detect the first international mobile subscriber identity (IMSI) based on the received paging message in the paging occasion;

• continuation of monitoring by the processor of the paging procedure based on the selected IMSI in subsequent radio subframes of the paging frame after reception of the first paging message;

• continuation of monitoring by the processor of the paging procedure based on the selected IMSI in one or more radio subframes in one or more subsequent radio frames within the DRX cycle;

• continuation of monitoring by the processor of the paging procedure based on the selected IMSI in one or more subsequent DRX cycles;

• determining, based on monitoring, whether one or more subframes that are not paging occasions receive a paging message based on the selected IMSI, which may be an identifier of attacker activity;

• the wireless device is capable of taking measures to protect against the described attack by the attacker (for example, it is ready to prevent the user from connecting to the attacker's VBS) in response to the registered anomalous data.

The main technical problem of the analog and prototype is the need to include an additional device to implement the methods of responding to paging channel attacks described in the analog and prototype, which increases the cost of equipment, complicates the procedure for providing communication, and reduces the reliability of the base station. Another disadvantage is the ability of an intruder to bypass the above methods. This is achieved by the fact that if an intruder knows the paging message settings of the base station TA parameter, which are the same for one telecom operator in one TA, for which the intruder can first connect to the base station with his subscriber device to clarify the paging settings, then the value of the temporary identifier of the subscriber device (TMSI) will not matter to the intruder. For example, an intruder, having previously connected to the base station, learns that, for example, according to the settings, the paging cycle (paging cycle) for this base station is 128 rf, each radio frame is 10 ms, therefore, the subscriber device will turn on to receive a paging message every 1.28 sec. By performing several actions to send paging messages to a specific subscriber device (SMS/call/messengers/social networks, etc.) and comparing the time of the action and the actual sending of the paging messages, the attacker will receive confirmation of the subscriber device being in the local area, since the paging opportunity for one subscriber device will be the same, then the delay between the action to send paging messages and the actual sending of the paging message to the BS will be the same.

The objective of the invention is to eliminate the shortcomings of the analogue and prototype.

The technical result of the invention is to increase the effectiveness of countering malicious attacks based on eavesdropping on paging messages by a subscriber device in wireless communication networks.

The scope of application of the invention is any type of wireless communication (GSM, UMTS, LTE, NR). In the present invention, the subscriber device is understood to be a device that provides communication via one or more mobile communication protocols, for example, a mobile phone, tablet, modem, PDA, laptop, etc.

In the prior art, the S1 interface is understood to be the interface connecting the E-UTRAN base station subsystem and the MME mobility management node. Control data are transmitted via this interface.

The core of the mobile network and/or as it is called in LTE networks - the mobility management node MME (Mobility Management Entity) is the key control module for the LTE access network. It is responsible for the procedures for ensuring mobility, handover, tracking and paging of the subscriber device, participates in the processes of activation/deactivation of network resources and is also responsible for the selection of the servicing gateway of the SGW network for the subscriber device during the initial connection and during handover within LTE with a change of the CN (Core Network) node.

The essence of the technical solution is that the sending by the core (the MME control node in LTE) to the base station of the generated and buffered paging message occurs with a certain time delay, the value of which is set using the SPO, based on the specific goals set (for example, to mislead an intruder), in various ways listed below:

1) is calculated by a number generator in a pseudo-random manner in a set range of values;

2) is calculated on the basis of the existing value of the international IMSI identifier of a specific subscriber;

3) is calculated based on the identifier of the tracking area TAI (Tracking Area Identifier) to which the paging message is directed;

4) is calculated depending on the time or date of formation of the paging message for its transmission to the base station;

Due to the forced time delay, the attacker will not be able to correlate the time of sending information messages and the time of arrival of the paging message (from the base station to the subscriber device) and, accordingly, will not be able to confirm the presence of the subscriber device in a certain location. In addition, the attacker will not be able to correlate the time of arrival of the paging message from its identifier.

This method of counteracting eavesdropping by intruders on paging messages in a wireless communication network is highly effective due to the transmission of a paging message to a subscriber device by a base station with a pseudo-random time delay, which eliminates the possibility of an intruder localizing the subscriber device based on the TA parameter of the base station and the time of sending the paging messages.

In addition, the method may be implemented not in relation to all subscriber devices served by the base station, but only in relation to specific devices (based on its identifier). The introduced measures can be used to increase the level of information security of subscriber devices belonging to specific subscribers or located on a certain territory.

Implementation of the invention.

As an example, let us consider a situation in which an attacker (subscriber #1) is supposed to send a voice call from subscriber device #1 (ED #1) to subscriber device #2 (ED #2), which belongs to subscriber #2, who is being attacked. First, information about the initiated voice call is transmitted from AU #1 to the core of mobile network #1 (in LTE - the MME control node), then sent via the Diameter protocol (a signaling protocol used in telecommunication networks to transmit service data (Diameter protocol vulnerabilities in 4G networks // Positive Technologies URL: https://www.ptsecurity.com/ru-ru/research/analytics/diameter-2018/ (accessed: 04.12.2023)) to the core of mobile network #2. The technical result specified in the invention is achieved due to the fact that a method is proposed according to which the core of mobile network #2 generates a paging message, buffers it and sends it with a certain pseudo-random delay calculated according to a certain algorithm using open source software, via the NAS (Non-Access Stratum) protocol via the S1AP (Application Protocol) interface to all base stations, belonging to a certain tracking area TA (Tracking Area). The location of the UE is usually known to the MME with an accuracy of up to a TA, but in the case of the smart paging procedure - with an accuracy of up to a cell. Due to the forced introduction of a pseudo-random time delay, an attacker will not be able to compare the time of voice call initialization and the time of arrival of the paging message (from the base station to the subscriber device) and, accordingly, will not be able to confirm the location of the subscriber device in a certain area.

Claims (2)

1. A method for transmitting a paging message in a wireless communication network, characterized in that when initializing the paging procedure, the mobility management node generates, buffers and sends a paging message with a certain delay calculated using software, in the direction of all base stations belonging to a certain TA tracking zone, wherein the time delay is calculated by a number generator in a pseudo-random manner in a set range of values, the base station transmits the paging message to the subscriber device with a pseudo-random time delay. 2. The method according to paragraph 1, characterized in that it is carried out not in relation to all subscriber devices served by the base station, but only in relation to specific devices based on their identifier.