
On Key Reinstallation Attacks over 4G LTE Control-Plane: Feasibility and Negative Impact

  • Muhammad Taqi Raza
  • Yunqi Guo
  • Songwu Lu
  • Fatima Muhammad Anwar

Research output: Contribution to conference › Paper › peer-review

Abstract

This paper studies the feasibility of key reinstallation attacks in the 4G LTE network. It is well known that LTE uses session keys for confidentiality and integrity protection of its control-plane signaling packets. However, if the keys are not updated and counters are reset, key reinstallation attacks may arise. In this paper, we show that several design choices in the current LTE security setup are vulnerable to key reinstallation attacks. Specifically, on the control plane, the LTE security association setup procedures, which establish security between the device and the network, are disconnected. The keys are installed through one procedure, whereas their associated parameters (such as uplink and downlink counters) are reset through a different procedure. The adversary can thus exploit the disjoint security setup procedures and launch key stream reuse attacks. He consequently breaks message encryption when he tricks the victim into using the same pair of keys and counter value to encrypt multiple messages. This control-plane attack hijacks the location update procedure, thus rendering the device unreachable from the Internet. Moreover, it may also deregister the victim from the LTE network. We have confirmed our findings with two major US operators, and found that such attacks can be launched with software-defined radio devices that cost about $299. We further propose remedies to defend against such threats.

Original language: English (US)
Pages: 877-886
Number of pages: 10
State: Published - 2021
Event: 37th Annual Computer Security Applications Conference, ACSAC 2021 - Virtual, Online, United States
Duration: Dec 6 2021 → Dec 10 2021

Conference

Conference: 37th Annual Computer Security Applications Conference, ACSAC 2021
Country/Territory: United States
City: Virtual, Online
Period: 12/6/21 → 12/10/21

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software
