Non-Access-Stratum Request Attack in E-UTRAN

Da Yu Wushao Wen*
School of Software
Sun Yat-Sen University
Guangzhou, Guangdong 510006, PR China
*wenwsh@mail.sysu.edu.cn

AbstractLong Term Evolution (LTE) is the evolution of present the network architecture, protocols, and security
Universal Mobile Telecommunications System (UMTS). LTE architecture in E-UTRAN and some vulnerabilities in
revises and improves system architecture from UMTS to E-UTRAN in Section II. In section III, we describe an
provide services that are more efficient. Evolved-UTRAN illustrative attack scheme. And we will show an illustrative
(E-UTRAN) is the air interface of 3GPP and it is on the
study to demonstrate efficiency of our attack in Section IV.
upgrade path for LTE mobile networks. E-UTRAN specifies
better security architecture to protect users information. Section V is the concluding remark for this article.
However, E-UTRAN is still not perfect. This article studies
vulnerabilities of non-access-stratum (NAS) of E-UTRAN. II. E-UTRAN AND ITS VULNERABILITIES
We present illustrative attacks to exploit such vulnerabilities
and demonstrate the effectiveness and the impact of such
attacks on normal users by using our self-developed simulation
tool.
Keywords: E-UTRAN, LTE, DoS attack

I. INTRODUCTION
The 3rd Generation Partnership Project (3GPP) has been
exploring how to meet new requirements for mobile
networks since 2004. LTE is considered as the successor of

Fig. 1 System and Security Architecture [7]
3GPPs UMTS Terrestrial Radio Access Network
(UTRAN). LTE is designed with better architecture and Fig. 1 shows system and security architecture of
new air interface system. It also includes many E-UTRAN [7]. E-UTRAN includes four kinds of entities:
improvements for faster and safer mobile network services. User Equipment (UE), Evolved Node B (eNodeB), Mobile
In LTE, the new access networks air interface is called Management Entity (MME), and Service Architecture
E-UTRAN in which many improvements were included. Evolution Gateway (SAE-GW) [3]. UEs are connected to
E-UTRAN solved most problems exposed in UTRAN. It is eNodeBs. ENodeBs are connected to one or multiple
a radio-access-network standard in LTE that will replace MMEs and SAE-GW through many-to-many S1 interfaces.
the UMTS, HSDPA and HSUPA technologies specified in ENodeBs send user plane data to SAE-GWs, which work as
3GPP releases 5 and beyond. gateway in the Internet. ENodeBs also send control-plane
In term of network security, E-UTRAN faces various data to MMEs to provide mobility management services,
threats, such as UEs tracking, false buffer-status-report, etc. such as paging, security procedure, SAE bearer
As we know, mobile networks are more fragile than wire establishment, NAS signaling confidentiality and integrity
line networks. Attackers can utilize the vulnerabilities in protection, etc. [5]. MME and SAE-GW reside in Evolved
wireless protocols to exploit signal attacks, which are more Packet Core network (EPC).
efficient and harmful than traditional network attacks. P.
Lee showed a good example illustrating this kind of attack
[1]. In that paper, attackers need very small bandwidth to
destroy the network of a big city.
In this article, we introduce efficient Denial of Service
(DoS) attacks that exploit the vulnerability in E-UTRAN.
These attacks may overload entities in E-UTRAN with
manipulated control-signals with relative limited resources.
The rest of this paper is organized as following. We will

978-1-4577-1719-2/12/$26.00 2012 IEEE 48

 are distributed. Inputs and procedures to generate key are
shown in Fig.3 [7]. Keys are outlined in Table 1.

Name Usage
K Private key of UE. K should
have the highest security level.
And it is stored in USIM and
HSS/Auc.
CK/IK CK (Cipher Key) and IK
(Integrity Key) are generated in
authentication procedure by K.
They should be stored in USIM
Fig. 2 Control Plane Protocol Stacks [3]
and HSS/Auc.
LTE treats security with high priority. Many security KASME KASME is calculated by
improvements were included in E-UTRAN. E-UTRAN has CK/IK in UE and MME. It is
two security layers as shown in Fig. 1. The first layer is used for generate other keys.
Access-Stratum (AS) security layer that provides access KNASint /KNASenc KNASint/KNASenc is calculated
security protection. The second layer is NAS security layer by KASME. It is used for
that protects NAS signals and interactive procedures confidentiality and integrity
between entities. We will focus on NAS security layer and protection of NAS signals.
control-plane signals in this article. KeNB KeNB is calculated by KASME
Fig. 2 shows the protocol stack of control plane in in UE and MME. It is used to
E-UTRAN. UTRAN does not have a similar protocol stack. generate keys in AS.
In E-UTRAN, NAS signals terminate in MME and UE. KRRCint/KRRCenc KRRCint/KRRCenc is calculated
NAS signals are in RRC messages between UEs and by KeNB in UE and eNodeB. It
eNodeBs. They are transmitted in S1-AP-protocol packets is used for confidentiality and
between eNodeBs and MME. Even though eNodeBs integrity protection of RRC
received packets from UEs or MME, they cannot interpret signals.
content of NAS signals. Therefore, NAS signals logically KUpenc KUpenc is calculated by KeNB
control entities such as EPS bearer management, in UE and eNodeB. It is used
authentication, etc. for encryption of user plane
data.
Table 1: E-UTRAN keys

Fig. 3 Key architecture [7]
Security keys are important in E-UTRAN. Data of both
user plane and control plane must be protected with
confidentiality and integrity. In E-UTRAN, key generations

49

C-RNTI is assigned by the network via RRC control signals.
Fig. 4 NAS Security Procedure
Before accessing to a network, a UE must finish the
attachment procedure. The purpose of attachment procedure
is to register the UE. More specifically, the procedure
requests EPC to allocate resources and IP addresses for the
UE [7]. NAS security procedure is critical to ensure that
both UEs and MME are reliable. Fig. 4 summarizes this
procedure. In this procedure, the UE sends an
RRCConnectionSetupComplete message to the eNodeB
after the RRC connection has established and the RRC
protocol entities (the UE and the eNodeB) have finished
their configurations. This message may contain NAS
signals, such as AttachRequest
PDNConnectivityRequest. Once the MME received this
message via the eNodeB, it sends an Authentication
Information Request (AIR) [10] to HSS/Auc to get
authentication information of the UE, including UEs IMSI,
PLMN Identity, etc. [9]. When HSS/Auc receives AIR from
MME, it verifies the UE and calculates Authentication
Vectors (AVs). Authentication Information Answer (AIA)
will be sent back to MME by HSS/Auc after generating
AVs. Then, MME and UE finish the rest of the procedure
through NAS interaction. Once this procedure is completed,
NAS protection will have been set up.
3GPP has figured out some threats exposed in E-UTRAN
[2]. However, some other threats still exist. In the following,
well show some vulnerabilities that can be exploited to
launch DoS attacks easily.
A. Unprotected RRC messages
The RRC messages are considered vital for the normal
operation of AS in E-UTRAN [12]. Therefore, RRC signals
are protected by integrity and confidentiality mechanisms,
such as message encryption, etc. However, some RRC
messages are not protected as shown in Table 2. Resources
and efficiency consideration may be the reason of using
RRC messages without security protection. Moreever, some
messages are exchanged before the AS security procedure.
Hence, NAS Security has not yet completed and thus
CK/IK is not present. Unprotected RRC messages are
vulnerable to manipulation.
RRCConnectionRequest
RRCConnectionSetup
RRCConnectionSetupComplete
RRCConnectionReject
RRCConnectionRelease
Table 2: List of some unprotected RRC messages
B. Tracking Based on C-RNTI
As D. Forsberg et. al. mentioned [8], Cell Radio Network
Temporary Identifier(C-RNTI) is used as a unique and
temporary identifier when a UE is associated with the cell.
It is transmitted with other scheduling information in layer
1 in plain text. Hence, C-RNTI is readable. A passive
attacker can know the UEs behaviors in the cell by
associating the UEs C-RNTI and its corresponding
messages without protection.
We can illustrate a case that attackers can get the C-RNTI
easily. Fig. 5 shows the handover procedure in E-UTRAN.
Once the UE moved from one eNodeB to another, a new
C-RNTI is assigned and transmitted in the handover
command message. A passive attacker can obtain new
C-RNTI in handover procedure because of the plaintext in
layer 1, enabling him to correlate the new C-RNTI with the
and old one and to track the UE over cells.
Fig.5 Handover Procedure
50
C. Reveal the UES IMSI
Although E-UTRAN uses Temporary Mobile Subscriber
Identity (TMSI) to reduce transmissions of IMSI, it offers
little to protect IMSI. In addition, it is necessary to transmit
IMSI in some occasions, such as in the early stage of a
connection establishment, HSS/VLR database crash, etc. [4].
IMSI is attractive to attackers because of its importance in
many situations. There has been lots of research for
obtaining IMSI during a connection. M. Khan et. al. [4]
introduced a simple scenario to obtain IMSI in E-UTRAN
as shown in Fig. 6. The attackers can impersonate as an
MME to cheat the UE. When the victim sends an
RRCConnectionSetupComplete message, it may use its
TMSI. The attackers will ignore this message and send back
an IdentityRequest message. In such case, the UE has to
send its IMSI to attackers in plain text. Once the attackers
get the IMSI, they may disconnect this connection.
Fig. 6 Obtaining IMSI
III. DOS BY FLOODING THE HSS/AUC
Control-signals based attack to compromise E-UTRAN
can be done in three phases.
Phase 1: Attackers build a big database to collect
C-RNTIs and track victims behaviors. Although the
C-RNTIs are allocated by the eNodeB dynamically, they
are used as unique indicators to identify the UEs in the cell.
Once the UEs left the cell, the C-RNTIs become invalid.
Phase 2: Attackers get victims IMSI. Using the method
mentioned in section II, attackers can obtain their IMSI and
save them with their corresponding C-RNTI in the database
that the attackers built in phase 1.
Phase 3: Attackers carry out active attack process as
shown in Fig. 7. Attackers impersonate as other UEs to
generate RRCConeectionSetupComplete messages for each
C-RNTI and IMSI using an automatic procedure and send
them to the MME. Even though some UEs leave the cell
that may lead to invalid C-RNTIs, the attackers still use all
C-RNTIs and IMSIs to generate requests to overload the
entities in E-UTRAN. Since attackers have collected all
C-RNTIs and the corresponding IMSIs in phase 1 and phase
2, eNodeB may transmit the requests to the MME. When
the MME received the request, it will generate an AIR
message in response to an RRCConeectionSetupComplete
51
message and send it to the HSS/Auc. The HSS/Auc checks
the validity of IMSIs. Moreover, the IMSIs can pass the
authentication test in HSS/Auc. After passing the test,
HSS/Auc may generate Authentication Vectors (includes
RAND, XRES, CK, IK, AK) and put them into AIR and
send it back to MME. Once the MME received the AIR, the
MME will cache it for preventing packet loss in
transmission and generate an Authentication Request.
Attackers use Authentication Respond message [11] to
answer this Request. However, the generation of
Authentication Response has to use CK/IK as mentioned in
section II. This is the stage that the attackers will not be
authenticated. Actually, the attackers might not care about
the failure at all at this stage since they might have already
finished their attack. They do not care to complete the
authentication procedure. Their goal is to exhaust the
computing resources of HSS/Auc by generating large
amount of RRCConeectionSetupComplete messages to
make HSS/Auc repeatedly calculate AVs, which is a
complicated and resource consuming procedure. To make
things worse, too many AIA and AIR messages may waste
bandwidth between the HSS/Auc and the MME. This attack
may cause DoS to new users who attempt to access the
E-UTRAN.
Generally speaking, the characteristics of this kind of
attack can be listed as follows:
This attack uses control-signals, unlike traditional DoS
attacks;
This attack can be launched before the NAS security
mechanisms established. So it can easily bypass the
NAS security mechanisms;
Materials needed by the attack are easy to obtain.
Attackers can get information from bottom readable
layers or use specific cases to cheat the entities of their
sensitive information;
It is not necessary for the attackers to know CK/IK. So
they dont need to finish the whole authentication
procedure. They just use parts of the procedure to
overload the entity;
Lots of invalid messages may not only overload entities
in E-UTRAN, but also congest the network.
IV. ILLUSTRATIVE STUDY OF FLOODING THE
HSS/AUC
The attack mentioned in section III is simulated
according to protocols [5, 6, 9, 10, 11, 12]. Fig. 8 Fig. 11
show illustrative results of our study. These figures show
the effectiveness of our attacks and the impact of the attacks
on normal users from different aspects.
 continuously. Once CPU had enough time to deal with
requests in the buffer, the system returns to the normal
status gradually after 70 second. Therefore, the HSS/Auc is
compromised by large amount of requests generated by the
attackers. MME also exhausts storage resources and
computing resources for the HSS/Auc. Our Attack is
effective to achieve the expected results.

Fig. 7 Attack Process
In our study, we generate normal user requests whose
Fig. 9 Buffer Value in the MME
distribution follows Poisson Process. Attackers generate
500 requests per second. Attackers begin to flood the entity
at 30 second and finish the attack at 70 second. Besides, we
set 1024 as the capacity of the MME.

Fig. 10 Proportion of normal requests

Fig. 8 Round Trip Time
Fig. 8 shows the impact in UEs aspect. The Round Trip
Time (RTT) is the time that a request travels from a UE to
server and then back to the UE. RTT is a good indication on
whether the server can process a request on time. RTT
should be small (less than 10ms) when the E-UTRAN is not
under attack as shown in Fig. 8. Once the attackers begun to
generate requests, the RTT increases dramatically. The
value keeps rising until packet loss. When attackers stop
attacking, RTT decreases to the normal value in 15 seconds.
Fig. 11 CPU Performance
Fig. 9 Fig. 11 show the impact in other aspects. From
the MMEs view, we find that the attack may exhaust
resources and overload the entities. When the network is V. CONCLUSION
under attack, the buffer value does not stop increasing until We analyzed some threats in E-UTRAN in this article.
overflow. In addition, the proportion of normal requests Although E-UTRAN provides some mechanisms to make
(normal requests / all requests) dives in a short time as mobile networks more secure, we found out that additional
shown in Fig. 10. Meanwhile, the CPU rate stabilizes in a vulnerabilities in such networks still exist. Unprotected
high value. The idle time decreases and the user time transmission of RRC messages were used to launch DoS
increases when the attack is in progress as shown in Fig. 11. attacks. Transmission of IMSI in plain text without
CPU was mainly used to calculate Authentication Vectors confidentiality and integrity protection for security

52
command in early stage of a connection provides
information needed for such DoS attacks. C-RNTI
information in layer 1 gives attackers opportunities to track
UE over cells. Exploiting these vulnerabilities can realize
an efficient and effective DoS attack. Our illustrative
studies have shown that these vulnerabilities are vital and
should be solved to avoid these kinds of control-signals
DoS attacks.

ACKNOWLEDGMENT
This research is partly supported by Guangdong Science
Foundations fund with grant number 0072835122030305
and Industry-academic-research fund of Guangdong
Province and Ministry with grant number
2010B090400322.

REFERENCES
[1]. Patrick P. C. Lee, Tian Bu, and Thomas Woo. On the Detection of
Signaling DoS Attacks on 3G Wireless Networks. 26th IEEE
International Conference on Computer Communications. 6-12 May
2007. 1289-1297.
[2]. 3GPP, Rationale and track of security decisions in Long Term
Evolved(LTE) RAN / 3GPP System Architecture Evolution (SAE)
(Release 8), TR 33.821 V1.1.0, 2009-01.
[3]. X. Wei, et.al., 3GPP Long Term Evolution- System architecture
and technical specifications, Peoples post and telecommunication
Press, 2010.
[4]. Muzammil Khan, Attiq Ahmed, Ahmad Raza Cheema.
Vulnerabilities of UMTS Access Domain Security Architecture.
Ninth ACIS International Conference on Software Engineering,
Artificial Intelligence, Networking, and Parallel/Distributed
Computing. 2008. 350-355.
[5]. 3GPP, Evolved universal terrestrial radio access (E-UTRA) and
evolved universal terrestrial radio access network (E-UTRAN);
Overall description; Stage2 (Release 8), TS 36.300 V8.10. 0,
2009-09.
[6]. 3GPP, 3GPP System Architecture Evolution (SAE) Security
architecture (Release 8), TS 33.401 V8.3.1, 2009-03.
[7]. Lte2010, Initial Attachment and Security Procedure,
http://blog.sina.com.cn/lte2010 .
[8]. Dan Forsberg, Huang Leping, Kashima Tsuyoshi, Seppo Alanr.
Enhancing Security And Privacy In 3GPP E-UTRAN Radio
Interface. The 18th Annual IEEE International Symposium on
Personal, Indoor and Mobile Radio Communications. 2007. 1-5.
[9]. 3GPP, Non-Access-Stratum (NAS) protocol for Evolved Packet
System (EPS). TS 24.301 V9.1.0, 2009-12.
[10]. 3GPP, 3rd Generation Partnership ProjectTechnical Specification
Group Radio Access Network Evolved Universal Terrestrial
Radio Access Network (E-UTRAN); S1 Application Protocol
(S1-AP)(Release 10), TS 36413 V10.1.0, 2011-03.
[11]. 3GPP, 3rd Generation Partnership Project, Technical Specification
Group Core Network and Terminals. 3GPP Evolved Packet
System(EPS), Evolved General Packet Radio Service(GPRS).
Tunnelling Protocol for Control plane(GTPv2-C);Stage 3(Release
10), TS 29.274 V9.2.0, 2010-03.
[12]. 3GPP, Evolved universal terrestrial radio access (E-UTRA) radio
resource control (RRC); Protocol specification (Release 8), TS
33.331 V9.0.0, 2009-1

53