Simon Erni
Last Name: Erni
First Name: Simon
Organisational unit

Publications 1 - 6 of 6
  • Kotuliak, Martin; Erni, Simon; Leu, Patrick; et al. (2022)
    Proceedings of the 31st USENIX Security Symposium
    We introduce LTrack, a new tracking attack on LTE that allows an attacker to stealthily extract user devices' locations and permanent identifiers (IMSI). To remain stealthy, the localization of devices in LTrack is fully passive, relying on our new uplink/downlink sniffer. Our sniffer records both the times of arrival of LTE messages and the contents of the Timing Advance Commands, based on which LTrack calculates locations. LTrack is the first to show the feasibility of a passive localization in LTE through implementation on software-defined radio. Passive localization attacks reveal a user's location traces but can at best link these traces to a device's pseudonymous temporary identifier (TMSI), making tracking in dense areas or over a long time period challenging. LTrack overcomes this challenge by introducing and implementing a new type of IMSI Catcher named IMSI Extractor. It extracts a device's IMSI and binds it to its current TMSI. Instead of relying on fake base stations like existing IMSI Catchers, which are detectable due to their continuous transmission, IMSI Extractor relies on our uplink/downlink sniffer enhanced with surgical message overshadowing. This makes our IMSI Extractor the stealthiest IMSI Catcher to date. We evaluate LTrack through a series of experiments and show that in line-of-sight conditions, the attacker can estimate the location of a phone with less than 6 m error in 90% of the cases. We successfully tested our IMSI Extractor against a set of 17 modern smartphones connected to our industry-grade LTE testbed. We further validated our uplink/downlink sniffer and IMSI Extractor in a test facility of an operator.
  • Erni, Simon; Kotuliak, Martin; Leu, Patrick; et al. (2022)
    MobiCom '22: Proceedings of the 28th Annual International Conference on Mobile Computing And Networking
    In cellular networks, attacks on the communication link between a mobile device and the core network significantly impact privacy and availability. Up until now, fake base stations have been required to execute such attacks. Since they require a continuously high output power to attract victims, they are limited in range and can be easily detected both by operators and dedicated apps on users' smartphones. This paper introduces AdaptOver, a MITM attack system designed for cellular networks, specifically for LTE and 5G-NSA. AdaptOver allows an adversary to decode, overshadow (replace) and inject arbitrary messages over the air in either direction between the network and the mobile device. Using overshadowing, AdaptOver can cause a persistent (≥ 12 h) DoS or a privacy leak by triggering a UE to transmit its persistent identifier (IMSI) in plain text. These attacks can be launched against all users within a cell or specifically target a victim based on its phone number. We implement AdaptOver using a software-defined radio and a low-cost amplification setup. We demonstrate the effects and practicality of the attacks on a live operational LTE and 5G-NSA network with a wide range of smartphones. Our experiments show that AdaptOver can launch an attack on a victim more than 3.8 km away from the attacker. Given its practicability and efficiency, AdaptOver shows that existing countermeasures that are focused on fake base stations are no longer sufficient, marking a paradigm shift for designing security mechanisms in cellular networks.
  • Erni, Simon; Kotuliak, Martin; Leu, Patrick; et al. (2021)
    arXiv
    (arXiv preprint of the AdaptOver paper; the abstract is identical to the MobiCom '22 entry above.)
  • Erni, Simon; Kotuliak, Martin; Baker, Richard; et al. (2025)
    Proceedings of the 34th USENIX Conference on Security Symposium
    Cellular communication is ubiquitous, but must be controlled in sensitive industrial and government areas. Existing cellular jamming systems rely on high-power, wide-band transmissions, which are non-selective and can cause interference in neighboring areas, e.g., blocking emergency calls. Also, meeting both the health limits of radio emissions and installation constraints while achieving effective coverage is highly challenging and sometimes even impossible. Recent work introduced more power-efficient uplink protocol-level DoS attacks, which can effectively neutralize a connection from anywhere in the area covered by a base station. However, these attacks still need to be made selective to block communication only within a defined area and need to be able to detect all connections for all cells in the vicinity. In practice, this detection can be difficult if the cells are far away or under adverse channel effects. In contrast, a phone might be positioned in a strong radio path, allowing it to connect to such a cell. To address the above challenges, we propose GLaDoS, a system that improves existing uplink protocol-level overshadowing approaches and combines them with low-power wide-band noise jamming to resolve weak cell issues. GLaDoS further limits DoS to the controlled area by integrating overshadowing with an off-the-shelf localization system. We deployed and evaluated our system in a 62,500 m² area, close to an urban area, where the use of cellular phones is not allowed, but which is fully covered by over 100 commercial operator cells. Our deployment made use of 4 protocol-level DoS units, approximately 40 outdoor and 100 indoor low-power jamming units, along with corresponding antennas and front end units. We evaluated our system within this area against different phone models and measured that our system neutralizes 99.3% of all connections, while being able to track over 100 cells simultaneously. This is the first full-scale deployment of an overshadowing-based cellular communication control system.
  • Tucker, Tyler; Bennett, Nathaniel; Kotuliak, Martin; et al. (2025)
    Network and Distributed System Security (NDSS) Symposium 2025
    IMSI-Catchers allow parties other than cellular network providers to covertly track mobile device users. While the research community has developed many tools to combat this problem, current solutions focus on correlated behavior and are therefore subject to substantial false classifications. In this paper, we present a standards-driven methodology that focuses on the messages an IMSI-Catcher must use to cause mobile devices to provide their permanent identifiers. That is, our approach focuses on causal attributes rather than correlated ones. We systematically analyze message flows that would lead to IMSI exposure (most of which have not been previously considered in the research community), and identify 53 messages an IMSI-Catcher can use for its attack. We then perform a measurement study on two continents to characterize the ratio in which connections use these messages in normal operations. We use these benchmarks to compare against open-source IMSI-Catcher implementations and then observe anomalous behavior at a large-scale event with significant media attention. Our analysis strongly implies the presence of an IMSI-Catcher at said public event (p << 0.005), thus representing the first publication to provide evidence of the statistical significance of its findings.
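The LTrack entry above (USENIX Security 2022) derives device locations from the contents of Timing Advance Commands recorded by a passive sniffer. The following Python block is an added example written for this page; it is not code from the LTrack paper or its implementation. It replays a constructed sequence of LTE timing-advance commands for one UE (the 11-bit Timing Advance field of a Random Access Response, then 6-bit Timing Advance Command MAC control elements) and converts the resulting N_TA into a distance ring around the serving cell, using the definitions of T_s and N_TA from 3GPP TS 36.211 and TS 36.213. The command values are constructed. Note the caveat a practitioner should keep in mind: TA alone quantises distance to roughly 78 m, so the sub-6 m accuracy reported in the abstract must come from combining TA with the sniffer's time-of-arrival measurements, which this example does not reproduce.

```python
"""Timing-advance ranging in LTE.

Added example for this page; not code from the LTrack paper.
The eNodeB tells each UE how far to advance its uplink so that all uplinks
arrive time-aligned at the cell. That advance, N_TA, equals the round-trip
propagation delay, so a passive observer who decodes the Timing Advance
commands learns how far the UE is from the serving cell (a distance ring,
not a point). Constants follow 3GPP TS 36.211 (T_s) and TS 36.213 (N_TA).
"""

C_M_PER_S = 299_792_458.0
T_S = 1.0 / (15_000 * 2048)          # LTE basic time unit: 1 / 30.72 MHz
TA_STEP_S = 16 * T_S                 # N_TA changes in multiples of 16 T_s
# One TA step covers the round trip, so the one-way distance per step is half.
METRES_PER_TA_STEP = C_M_PER_S * TA_STEP_S / 2   # about 78.07 m
N_TA_MAX = 1282 * 16                 # largest value the RAR field can set


def n_ta_from_rar(rar_timing_advance: int) -> int:
    """Absolute N_TA from the 11-bit Timing Advance field of a RAR."""
    if not 0 <= rar_timing_advance <= 1282:
        raise ValueError("RAR Timing Advance is 11 bits, range 0..1282")
    return rar_timing_advance * 16


def apply_mac_ce(n_ta: int, timing_advance_command: int) -> int:
    """Apply a 6-bit Timing Advance Command MAC CE.

    The command is relative: N_TA_new = N_TA_old + (T_A - 31) * 16, so the
    value 31 means 'no change'. Out-of-range results are rejected rather
    than clipped, because a sniffer seeing them has probably mis-decoded.
    """
    if not 0 <= timing_advance_command <= 63:
        raise ValueError("MAC CE Timing Advance Command is 6 bits, 0..63")
    new_n_ta = n_ta + (timing_advance_command - 31) * 16
    if not 0 <= new_n_ta <= N_TA_MAX:
        raise ValueError(f"N_TA {new_n_ta} outside 0..{N_TA_MAX}")
    return new_n_ta


def distance_m(n_ta: int) -> float:
    """Nominal one-way UE-to-cell distance for a given N_TA."""
    return (n_ta / 16) * METRES_PER_TA_STEP


def distance_ring_m(n_ta: int) -> tuple:
    """Distance interval consistent with N_TA (quantisation is half a step each way)."""
    centre = distance_m(n_ta)
    half = METRES_PER_TA_STEP / 2
    return (max(0.0, centre - half), centre + half)


def track_ue_n_ta(rar_timing_advance: int, mac_ce_commands: list) -> list:
    """Replay the TA commands seen for one UE and return its N_TA trace."""
    n_ta = n_ta_from_rar(rar_timing_advance)
    trace = [n_ta]
    for cmd in mac_ce_commands:
        n_ta = apply_mac_ce(n_ta, cmd)
        trace.append(n_ta)
    return trace


if __name__ == "__main__":
    # Constructed observation: the RAR sets TA=10, then MAC CEs of 31 (hold),
    # 33 (+2 steps) and 30 (-1 step) arrive as the UE moves.
    for n_ta in track_ue_n_ta(10, [31, 33, 30]):
        lo, hi = distance_ring_m(n_ta)
        print(f"N_TA={n_ta:5d}  {distance_m(n_ta):8.1f} m  (ring {lo:.1f} .. {hi:.1f} m)")
```

With several cells' TA values for the same TMSI, or with the paper's time-of-arrival measurements, these rings can be intersected to narrow the position; the block stops at the single-cell ring because that is all the TA command by itself supports.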
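The NDSS 2025 entry above describes a detection methodology that first measures how often normal connections carry messages forcing a UE to reveal its IMSI, then compares a suspect site against that baseline and reports the result as a significance level. The following Python block is an added example written for this page, not the paper's code or its data. It shows the shape of such a check on constructed traffic: classify NAS message records, count the connections that contain an IMSI-exposing message, and run a one-sided exact binomial test of the observed count against the baseline ratio. Two assumptions are made here and are not taken from the page: only the canonical EMM Identity Request asking for the IMSI (3GPP TS 24.301) is treated as exposing, whereas the paper identifies 53 such messages; and the binomial test stands in for whatever statistic the paper actually used.

```python
"""Rate-based IMSI-Catcher indicator.

Added example for this page; not code from the NDSS 2025 paper.
Baseline: the fraction of normal connections that carry an IMSI-exposing
message. Indicator: the probability that a site would show at least the
observed number of exposing connections if it behaved like the baseline.
"""
from math import exp, lgamma, log, log1p


def exposes_imsi(msg: dict) -> bool:
    """Assumption: an Identity Request for the IMSI is the exposing case.

    An Identity Request for the IMEI/IMEISV, or one answered with a TMSI,
    does not reveal the permanent subscriber identity and is not counted.
    """
    return msg.get("type") == "Identity Request" and msg.get("identity_type") == "IMSI"


def exposing_connection_count(connections: list) -> int:
    """Number of connections in which at least one message exposes the IMSI."""
    return sum(1 for conn in connections if any(exposes_imsi(m) for m in conn))


def log_binom_pmf(k: int, n: int, p: float) -> float:
    """log P[X = k] for X ~ Binomial(n, p), via log-gamma to avoid overflow."""
    return (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
            + k * log(p) + (n - k) * log1p(-p))


def binomial_upper_tail(k: int, n: int, p: float) -> float:
    """P[X >= k]: chance of k or more exposing connections under the baseline."""
    if not 0.0 < p < 1.0:
        raise ValueError("baseline ratio must be strictly between 0 and 1")
    if k <= 0:
        return 1.0
    return sum(exp(log_binom_pmf(i, n, p)) for i in range(k, n + 1))


def imsi_catcher_indicator(connections: list, baseline_ratio: float,
                           alpha: float = 0.005) -> dict:
    """Compare the observed exposing ratio with the baseline; flag if p < alpha."""
    n = len(connections)
    if n == 0:
        raise ValueError("no connections observed")
    k = exposing_connection_count(connections)
    p_value = binomial_upper_tail(k, n, baseline_ratio)
    return {"connections": n, "exposing": k, "ratio": k / n,
            "p_value": p_value, "anomalous": p_value < alpha}


# Constructed sample traffic (not real captures, not the paper's data).
NORMAL_ATTACH = [
    {"type": "Attach Request", "identity": "GUTI"},
    {"type": "Identity Request", "identity_type": "IMEI"},   # benign: not the IMSI
    {"type": "Authentication Request"},
    {"type": "Security Mode Command"},
]
IMSI_FORCED_ATTACH = [
    {"type": "Attach Request", "identity": "GUTI"},
    {"type": "Identity Request", "identity_type": "IMSI"},   # exposing
    {"type": "Identity Response", "identity_type": "IMSI"},
]


def make_connections(total: int, exposing: int) -> list:
    """Build `total` constructed connections of which `exposing` reveal the IMSI."""
    return [IMSI_FORCED_ATTACH] * exposing + [NORMAL_ATTACH] * (total - exposing)


BASELINE_RATIO = 0.02   # constructed: 2% of normal connections expose the IMSI

if __name__ == "__main__":
    for label, sample in (("quiet site", make_connections(50, 1)),
                          ("event", make_connections(50, 6))):
        r = imsi_catcher_indicator(sample, BASELINE_RATIO)
        print(f"{label}: {r['exposing']}/{r['connections']} exposing, "
              f"p={r['p_value']:.2e}, anomalous={r['anomalous']}")
```

The baseline ratio is the part that needs real measurement, which is why the paper spends a measurement study on two continents establishing it; a threshold chosen without it will either miss a quiet catcher or flag an operator that legitimately asks for the IMSI more often than expected.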