
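Graduate student: 張利安
Lian Chang
Thesis title: 以低成本軟體定義無線電平台實作LTE可用性攻擊
Practical Attacks against LTE Availability with Low-cost Software-defined Radio
Advisor: 鄭欣明
Shin-Ming Cheng
Oral defense committee: 鄭瑞光
蔡孟勳
黃志煒
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2017
Academic year of graduation: 105
Language: English
Number of pages: 29
Keywords (Chinese): Denial-of-Service attack, Long Term Evolution, OAI, Software Defined Radio, Universal Software Radio Peripheral
Keywords (English): Denial-of-Service attack, Long Term Evolution, OpenAirInterface, Software Defined Radio, Universal Software Radio Peripheral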
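  • Long Term Evolution (LTE) has become an important and indispensable mobile communication technology in modern society. Compared with earlier generations, the Global System for Mobile Communications (GSM) and the Universal Mobile Telecommunications System (UMTS), LTE provides better signal coverage, spectrum utilization, and system capacity, lower latency, higher data rates, and, most importantly, stronger system security. Many countries now use LTE as their main public wireless broadband technology. Although LTE has fixed many of the security problems of GSM and UMTS, some protocol-level weaknesses, such as information leakage attacks and denial-of-service attacks, remain difficult to prevent. We use the CIA triad of information security (confidentiality, integrity, and availability) to examine LTE security issues, and we also propose a new classification perspective, attack method and effect, to analyze the existing literature. Because most papers discuss how LTE security problems can be exploited to cause permanent or semi-permanent damage to user devices, we were motivated to study attacks on user devices that are more precise and controllable, that reduce the likelihood that the user notices being targeted, and that are less likely to produce other unexpected side effects. We also show that these attacks can easily be implemented with open source projects and a low-cost software-defined radio platform. In our experiments, we also found problems that can arise when implementing such attacks in a real environment, which are rarely discussed in other related papers.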


    As a significant 4G communication technology in modern society, Long Term Evolution (LTE) provides better coverage, spectral efficiency, and system capacity, lower latency, higher data rates, and enhanced security compared with previous generations, the Global System for Mobile Communications and the Universal Mobile Telecommunications System. The mutual authentication feature of LTE, together with ciphered communication, basically prevents user equipment (UE) from being attacked by a rogue base station (BS), for example through sniffing and spoofing. However, with a rogue BS, a malicious attacker could still leverage unencrypted and essential signaling messages to launch a Denial of Service (DoS) attack against a target UE. By examining all unencrypted signaling messages initiated before the mutual authentication procedure, this paper proposes a novel availability attack that exploits reject messages for the attach and tracking area update procedures. In particular, the victim UE is forced to disconnect from all BSs in the tracking area specified by the rogue BS. Note that during our attack the victim UE still searches for another allowed tracking area to connect to, which makes our attack less noticeable than existing availability attacks. We implement the attack in practice using the open source project OpenAirInterface (OAI) and a low-cost software-defined radio, the Universal Software Radio Peripheral (USRP). From observations of the experimental results, we offer some suggestions to make such a DoS attack more effective.

    Chinese Abstract
    Abstract
    Table of Contents
    List of Tables
    List of Illustrations
    1 Introduction
    2 Background and Related Work
    2.1 Unencrypted messages
    2.2 UE connection procedure
    2.2.1 Cell Connection Process
    2.2.2 Attach Procedure
    2.3 Related Work
    2.3.1 Attack taxonomy
    3 System model
    3.1 Location block
    4 Implementation and Experiment
    4.1 Experiment setup
    4.2 Implementation Details
    4.3 Experiment results
    5 Conclusion and Suggestions
    References


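    Full-text release date: 2022/08/28 (campus network)
    Full-text release date: full text not authorized for public release (off-campus network)
    Full-text release date: full text not authorized for public release (National Central Library: Taiwan theses and dissertations system)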