
HeNB - eNB handover breach

RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Has anyone investigated a case of an LTE Rel. 11 HeNB (enterprise deployment) handover breach? The HeNB can hand over either by int S1 (HeNB GW or MME/S-GW) or X2 (nHeNB [n=neighbour] or X2 GW).

A suspect was able to spoof access control and jumped by MITM into a session with a spoofed IMEI/AirInterfaceMAC. Not a mobile but an appliance like an LTE modem.

Highly confusing case, as only Cat. 8 (LTE-A) is on the market. Crazy sophisticated, probably.

DFCs! by answering pls.

 
Posted : 15/07/2017 1:09 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

JFYI, the LTE Positioning Protocol (LPP) terminates at a HeNB and not at the Mobile Station (MS), which causes the well-known problem for emergency services of finding the MS (person) if the call originated over a HeNB.

 
Posted : 15/07/2017 2:43 pm
SamBrown
(@sambrown)
Posts: 97
Trusted Member
 

Sorry, I only understand train station. 😯

 
Posted : 17/07/2017 2:47 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Sorry, I only understand train station. 😯

That would probably be a FS Fixed Station, not a MS Mobile Station, where the MS (person) should be found. 😉

jaclaz

 
Posted : 17/07/2017 3:42 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

@SamBrown

A suspect was able to hack into a running handover process of a HeNB (aka FemtoCell). On the HeNB a machine was transmitting data over LTE-A up to a Packet Data Network (PDN). The data upload broke down, but in the MNO's session the upload continued by a MITM attack.

As the suspect did not properly authenticate by his USIM, it is actually unknown who the suspect was, but he misused the running session of the regularly authenticated machine (user).

Have to mention the HeNB was not stationary but in a vehicle.

 
Posted : 18/07/2017 12:45 pm