
Paging Analysis of Commercial PLMNs in Norway

sets the UE transmission gain, and --ue-rxgain sets the UE reception gain. The remaining parameters should always be included as they provide logs used to analyze the results. Moreover, the approach in Section 4.4.4 describes how to determine the parameter values for the target cell.

Results

OpenAirInterface-UE catches, decodes, and outputs the result in XML format. Figure 4.9 provides an excerpt of the gathered SIB messages, while Appendix F provides the complete output of the decoded SIB messages. As described in Section 4.3.3, SIB type 1 is scheduled once every 80 milliseconds. From the results gathered in Appendix F, one can observe that SIB type 2 and 3 are scheduled once every 80 milliseconds and SIB type 3-7 are scheduled once every 640 milliseconds. Hence, the SIB Catcher only had to run for a few seconds to catch and decode all SIB messages.⁵

The results given in Appendix F show that catching SIB type 1-7 from commercial eNodeBs is feasible.

Figure 4.9: SIB messages gathered by the SIB Catcher.

4.5 Paging Analysis of Commercial PLMNs in Norway

This section analyzes the data gathered in Section 4.4.4 and explains how the data can be used to disclose the location of a subscriber.

4.5.1 Overview

As described in Section 4.2.1, LTE supports the smart paging feature, which limits the paging to a cell. Consequently, the position of a subscriber can be mapped to the coverage area of a particular cell, which is typically 2 km² in urban areas. Moreover, this feature is not exploitable in GSM networks as the paging messages are sent to an entire location area (typically 100 km²) [Kun12]. Table 4.3 provides an overview of all the collected paging messages sorted by message type.

⁵ How often UEs interpret SIB messages depends on the configuration of the UE.

Table 4.3: Collected paging messages, sorted by message type.

From Table 4.3 one can observe that most of the collected paging messages in this experiment are PagingRecord messages. Notably, 384 Telenor messages had the systemInfoModification indication, of which 101 were destined for a specific subscriber. The systemInfoModification indicates that the core network has made some modifications to the BCCH [3GP16b]. As expected, none of the messages had the etws-Indication.

4.5.2 Using Social Media for Subscriber Mapping

Most of the paging messages include the ue-Identity field, which uniquely identifies a subscriber. Commonly, the ue-Identity contains the temporary identity S-TMSI. Consequently, mapping temporary identities to social identities is needed.

Previous Research

Previous research has discovered several techniques for mapping the temporary identity and the social identity; however, none of them are as effective anymore. Kune et al. proposed to initiate a phone call, and abort before the first ring [Kun12]. The phone call triggers paging but terminates before it displays on the UE. However, applications for detecting such activity have emerged [Uda]. Furthermore, Shaik et al. proposed to use Facebook Messenger to send a message to a person who is not in the friend list [SBA+15]. The message triggers paging but does not appear in the regular inbox folder. However, Facebook has changed this feature; users now see messages from persons not in the friend list as "Message Requests" [Fac].

Facebook Messenger Experiment

This experiment is inspired by the Facebook technique proposed by Shaik et al. [SBA+15]. The technique introduced by Shaik et al. is considered applicable; however, the technique described in this experiment is considered harder to detect and hence improved. Notably, this attack will only work if the victim has the Facebook application installed on his/her LTE device.

This technique exploits the "Filtered Requests" feature in Facebook’s messaging system. The "Filtered Requests" feature prevents spam and other unwanted messages from persons who are not in your friend list [Fac]. The "Filtered Requests" menu is buried under four menus, making it hard to locate, and most people do not even know it exists.⁶ Facebook has not publicly published which messages map to the "Message Requests" and the "Filtered Requests" folders. However, experiments conducted in this thesis have revealed that messages from persons previously marked as spammers map to the "Filtered Requests" folder. Figure 4.10 depicts the buried location of the "Filtered Requests" folder.

Figure 4.10: The hidden "Filtered Requests" feature in Facebook’s messaging system.

⁶ To get to the "Filtered Requests" menu, click Messenger, then Settings, then Message Requests, and click "See Filtered Requests".

Two Facebook accounts are required to exploit the "Filtered Requests" feature: account1, used to send Facebook messages (paging messages), and account2, used to mark account1 as a spammer. After account1 has been marked as a spammer, all subsequent messages to users not in the friend list are redirected to the "Filtered Requests" folder. As a result, account1 can send paging messages to a specific subscriber with a low probability of the subscriber noticing the messages.

Figure 4.11 shows that by triggering five consecutive paging messages to the same subscriber, a mapping between the GUTI and the subscriber is determined. The figure highlights that the hex string "40 02 9c 20 ac 18 d0" is the only paging message repeated five times, and hence contains the GUTI of the subscriber.

Figure 4.11: Five consecutive paging messages map the GUTI to the subscriber’s social identity.
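The hex string quoted above is a complete unaligned-PER encoded PCCH Paging message, and the 40-bit identity it carries is the S-TMSI (MMEC plus M-TMSI), the part of the GUTI that paging exposes in clear text. The following decoder is an added example, not code from the thesis: it assumes the Paging layout of 3GPP TS 36.331, handles only s-TMSI paging records, and its class, function and constant names are illustrative.

```python
# Added example: minimal UPER decoder for an LTE RRC Paging message.
# Assumes the TS 36.331 Paging layout; only s-TMSI records are decoded.

class Bits:
    """MSB-first bit reader over a byte string."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def read(self, n: int) -> int:
        value = 0
        for _ in range(n):
            byte = self.data[self.pos // 8]
            value = (value << 1) | ((byte >> (7 - self.pos % 8)) & 1)
            self.pos += 1
        return value


def decode_paging(hex_string: str) -> dict:
    r = Bits(bytes.fromhex(hex_string))
    if r.read(1):                        # PCCH-MessageType: 0 = c1 (paging)
        raise ValueError("messageClassExtension not supported")
    # Presence bitmap of the four OPTIONAL fields of Paging.
    has_list, sys_info_mod, etws, ext = (r.read(1) for _ in range(4))
    if ext:
        raise ValueError("nonCriticalExtension not supported")
    records = []
    if has_list:
        count = r.read(4) + 1            # SIZE (1..16), encoded as count - 1
        for _ in range(count):
            if r.read(1):                # PagingRecord extension bit
                raise ValueError("extended PagingRecord not supported")
            if r.read(1) or r.read(1):   # ue-Identity: ext bit, then 0 = s-TMSI
                raise ValueError("only s-TMSI identities are decoded here")
            mmec, m_tmsi = r.read(8), r.read(32)
            cn_domain = "cs" if r.read(1) else "ps"
            records.append({"mmec": mmec, "m_tmsi": m_tmsi, "cn_domain": cn_domain})
    return {"systemInfoModification": bool(sys_info_mod),
            "etws_indication": bool(etws), "records": records}


PAGE_SAMPLE = "40 02 9c 20 ac 18 d0"     # hex string quoted in the text above
CONSTRUCTED_SYSINFO_ONLY = "20"          # constructed: flag set, no paging records

if __name__ == "__main__":
    rec = decode_paging(PAGE_SAMPLE)["records"][0]
    print(f"MMEC=0x{rec['mmec']:02x} M-TMSI=0x{rec['m_tmsi']:08x} "
          f"cn-Domain={rec['cn_domain']}")
```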

4.6 System Information Analysis of Commercial PLMNs in