Vulnerability of LTE to Hostile Interference
Marc Lichtman, Jeffrey H. Reed, T. Charles Clancy, Mark Norton
Wireless @ Virginia Tech, Virginia Tech, Blacksburg, VA; Hume Center for National Security and Technology, Virginia Tech, Arlington, VA; Office of the Chief Information Officer, Defense Pentagon, Washington, DC
Abstract: LTE is well on its way to becoming the primary cellular standard, due to its performance and low cost. Over the next decade we will become dependent on LTE, which is why we must ensure it is secure and available when we need it. Unfortunately, like any wireless technology, disruption through radio jamming is possible. This paper investigates the extent to which LTE is vulnerable to intentional jamming, by analyzing the components of the LTE downlink and uplink signals. The LTE physical layer consists of several physical channels and signals, most of which are vital to the operation of the link. By taking into account the density of these physical channels and signals with respect to the entire frame, as well as the modulation and coding schemes involved, we come up with a series of vulnerability metrics in the form of jammer-to-signal ratios. The "weakest links" of the LTE signals are then identified, and used to establish the overall vulnerability of LTE to hostile interference.
Index Terms —LTE, LTE security, jamming, interference
I. INTRODUCTION
LTE service is widely available in the United States and other countries around the world. LTE is well on its way to becoming the primary cellular standard, due to its performance and low cost. In addition to everyday use, cellular networks are often used to broadcast emergency information during natural disasters and other crises. Over the next decade we will become dependent on LTE, which is why we must ensure it is secure and available when we need it. Unfortunately, like any wireless technology, disruption through radio jamming is possible.

The objective of this paper is to analyze the extent to which LTE is vulnerable to jamming, and to derive metrics in order to compare possible weak points in the downlink and uplink signals. In order to derive metrics that represent the effectiveness of different jamming techniques, we introduce two symbols for the jammer-to-signal ratio (J/S). J/S_RE is the J/S computed over only the specific subcarriers and OFDM symbols (i.e., resource elements) being jammed. The J/S averaged over an entire frame is referred to as J/S_F. We limit the scope of this paper to Frequency Division Duplex (FDD) LTE, due to its widespread use; however, much of the analysis included in this paper can be applied to Time Division Duplex (TDD) as well.

The views expressed in the article are the views of the authors and do not necessarily reflect the official policy or position of the Department of Defense or the United States Government.
Attacks on LTE can be grouped into two broad categories: Denial of Service (DOS) and information extraction. Jamming attacks are typically used to cause DOS, while the area of cyber security deals with attacks that extract information, cause DOS, or both. There is very little openly available literature related to attacks on LTE. The authors of [1] introduce the non-access-stratum request attack, which causes DOS by flooding the Home Subscriber Server (HSS). An attack designed to cause degradation of service is described in [2], in which an attacker sends fake buffer status reports to the eNodeB, causing the eNodeB to assign excessive resources to users that do not exist. The author of [3] analyzes OFDM denial using barrage jamming, pilot tone jamming, and pilot tone nulling. An overview of the security of LTE availability is given in [4].

II. BACKGROUND OF LTE

Orthogonal Frequency-Division Multiple Access (OFDMA) is the multiple access scheme used in the LTE downlink [5]. OFDMA uses multiple carriers, which makes it effective in a frequency selective channel. Each subcarrier carries a separate stream of information, so information is mapped in both the time and frequency domains. This leads to the Orthogonal Frequency-Division Multiplexing (OFDM) time-frequency lattice, a two-dimensional grid that represents how information is mapped to both the subcarrier and the OFDM symbol. In LTE, one subcarrier over one OFDM symbol is called a resource element, and 12 consecutive subcarriers over 7 OFDM symbols (one slot, with the normal cyclic prefix) form a resource block, as shown in Figure 1. This method of information mapping allows a jammer to selectively jam information in both the time and frequency domains. Single Carrier-Frequency Division Multiple Access (SC-FDMA) is the multiple-access scheme selected for the LTE uplink [5]. LTE user devices are known as User Equipment (UE). The UE accesses the LTE network by connecting to the eNodeB, which acts as a base station.

III. VULNERABILITY OF LTE PHYSICAL CHANNELS
The following subsections investigate the various LTE physical channels with the goal of finding the minimum J/S required to corrupt each physical channel beyond functionality. The J/S thresholds associated with the physical channels are largely based on the modulation and coding scheme used in each channel, and in each subsection we approximate the Bit Error Rate (BER) or Block Error Rate (BLER) required to cause a corrupt channel. The actual BER/BLER threshold depends on numerous factors at many different layers, and would be best acquired empirically. Table I highlights the parameters associated with each physical channel [5], [6].

Fig. 1. A Single LTE Resource Block (the time-frequency grid with OFDM symbols on one axis and subcarriers on the other; one resource element and one 12-subcarrier by 7-symbol resource block are marked).
A. PDSCH and PUSCH (User Data)
The Physical Downlink Shared Channel (PDSCH) and Physical Uplink Shared Channel (PUSCH) are used to transmit user data to and from the eNodeB. These two channels utilize adaptive modulation and coding, using QPSK, 16-QAM, or 64-QAM depending on the channel quality [5]. Both channels use turbo coding for forward error correction, with a coding rate as low as 0.076 (when using rate matching) [7]. In the presence of an interferer, we assume that the modulation ratchets down to QPSK with rate-0.076 coding. The authors of [8] analyze low-rate turbo codes using OFDM and SC-FDMA in a typical urban channel. At one of the low coding rates studied there, an average SNR of around -7 dB results in a BLER of 0.1 [8]. Determining the exact effect of a 0.1 BLER on the PDSCH and PUSCH is beyond the scope of this paper; however, it is expected that this BLER will lead to an overwhelming number of retransmissions. We therefore estimate the J/S_RE threshold for these physical channels to be 7 dB (the jammer takes the place of the noise, so an SNR threshold of -7 dB corresponds to a J/S of +7 dB).

B. PCFICH (Downlink Control Format Indicator)
TABLE I
PHYSICAL CHANNEL MODULATION AND CODING SCHEMES

Channel   Modulation              Coding          Coding Rate
PDSCH     QPSK, 16-QAM, 64-QAM    Turbo           Adaptive
PBCH      QPSK                    Convolutional   1/48
PCFICH    QPSK                    Block           1/16
PDCCH     QPSK                    Convolutional   1/3
PHICH     BPSK                    Repetition      1/3
PUSCH     QPSK, 16-QAM, 64-QAM    Turbo           Adaptive
PUCCH     BPSK, QPSK              Convolutional   1/3
PRACH     ZC sequences            N/A             N/A

The Physical Control Format Indicator Channel (PCFICH) is used to send the UE information regarding where the Physical Downlink Control Channel (PDCCH) is located in the time-frequency lattice. Without successful decoding of this information, the UE will not be able to decode the PDCCH. The PDCCH contains information regarding UE resource allocation, which is vital to the LTE service. Although it is possible to jam the PDCCH directly, we first analyze the J/S threshold of the PCFICH.

The PCFICH appears in only one OFDM symbol per subframe, and occupies 16 subcarriers. Jamming the PCFICH consists of transmitting on top of those 16 subcarriers. The location of the 16 subcarriers is not static; it is determined by the eNodeB's complete cell ID [5]. This ID is carried in the PSS and SSS, and therefore selectively jamming the PCFICH requires the jammer to synchronize to both downlink synchronization signals. This also limits a PCFICH jamming attack to a single cell. Figure 2 shows an example FDD downlink frame (left and center graphics) as a color-coded time-frequency lattice; the resource elements used for the PCFICH are shown in blue.

The information carried on the PCFICH is a two-bit indicator, which is encoded using a block code of rate 1/16 (Table I). Due to the function of the PCFICH, successful jamming requires transmitting at a high enough power to cause a BER near 0.5. The authors of [9] use BPSK in an Additive White Gaussian Noise (AWGN) channel to show that a soft-decision decoded block code of rate 1/16 can be decoded at an SNR down to -1.5 dB. We therefore take the J/S_RE threshold for the PCFICH to be 1.5 dB, the value used in Table II.

C. PUCCH (Uplink Control Channel)
The Physical Uplink Control Channel (PUCCH) is used to send the eNodeB a variety of control information, including scheduling requests, Hybrid Automatic Repeat Request (HARQ) acknowledgements, and channel quality indicators. The PUCCH is mapped to the resource blocks on the edges of the system bandwidth, as shown in Figure 2. This makes PUCCH jamming possible when the only a priori knowledge is the LTE system bandwidth and center frequency. For an uplink bandwidth of 10 MHz, roughly 16 resource blocks (or 192 subcarriers) are allocated to the PUCCH [5]. Therefore, PUCCH jamming requires jamming about 25% to 30% of the uplink system bandwidth. The PUCCH is modulated with a mix of BPSK and QPSK, and uses rate-1/3 convolutional coding (Table I). It can be shown that BPSK in an AWGN channel reaches a BER of 0.1 at around 2 dB of SNR when using soft-decision decoding at rate 1/3 [10]; the corresponding J/S_RE threshold is -2 dB, as listed in Table II.

D. PBCH (Downlink Broadcast Channel)
After synchronizing with the PSS and SSS, the UE receives more information about the cell by decoding the Master Information Block (MIB), which is transmitted on the Physical Broadcast Channel (PBCH). The MIB contains information essential for initial access to a cell [11]. It consists of 14 bits that carry the downlink system bandwidth, the PHICH size, and information allowing frame synchronization. It is mapped to the center 72 subcarriers, and appears in the first subframe of every frame. The PBCH is transmitted using QPSK, and uses a 16-bit CRC for error detection. It also uses a special channel coding scheme that creates four individually self-decodable units, each with rate 1/12, while all four units can be decoded together for an overall coding rate of 1/48 (Table I). This is accomplished using a mixture of repetition coding and convolutional coding. An uncoded QPSK signal reaches a BER of 0.1 at roughly 0 dB of SNR in an AWGN channel, and the PBCH coding scheme does not provide a significant gain at this value of SNR [9]. We therefore estimate the J/S_RE threshold for the PBCH to be 0 dB.

Fig. 2. LTE Downlink Frame (Left/Center) and Uplink Frame (Right); axes are time and frequency. Downlink legend: Primary Synchronization Signal (PSS), Secondary Synchronization Signal (SSS), Broadcast Channel (PBCH), Reference Signals (a.k.a. pilots), unused, Control Format Indicator Channel (PCFICH), Hybrid ARQ Indicator Channel (PHICH), Downlink Control Channel (PDCCH), Downlink Shared Channel (a.k.a. data). Uplink legend: PUSCH (data), PUCCH, PRACH.

E. PHICH (Hybrid-ARQ Indicator Channel)
Downlink acknowledgements (ACK/NACK) are sent on the Physical Hybrid-ARQ Indicator Channel (PHICH). The PHICH uses BPSK with repetition-3 coding [5]. BPSK with repetition-3 coding in a fading channel reaches a BER of 0.1 at about 2 dB of SNR [9], leading to a J/S_RE threshold of roughly -2 dB.

IV. VULNERABILITY OF LTE PHYSICAL LAYER SIGNALS

A. Primary and Secondary Synchronization Signals
Detecting the PSS is the first step a UE takes in accessing a cell. The PSS is constructed from a Zadoff-Chu (ZC) sequence; ZC sequences are complex-valued sequences with constant amplitude. An odd-length ZC sequence is given by

x_q[k] = \exp\left( -j \frac{\pi q k (k+1)}{N} \right)    (1)

where N is the length of the sequence and q is the ZC sequence root index [12]. The PSS uses a sequence length of 63, and there are three PSS sequences used in LTE, usually corresponding to one of three sectors.

A jamming attack against the PSS would require a fairly high J/S_RE, because the PSS is designed to be detected at high interference levels so that the UE can also detect neighboring cells. A more effective method of corrupting the PSS is to simply transmit all three PSS sequences, thus spoofing the synchronization signal. If the jammer's received power at the UE is greater than the eNodeB's (a J/S_RE over 0 dB), then the UE will most likely synchronize to the bogus PSS. The actual detection algorithm is left up to the vendor, so we assume that a J/S_RE of 3 dB is enough to cause the PSS subsystem to fail nearly all of the time. PSS spoofing will not immediately cause DOS; it will prevent new UEs from accessing the cell(s) and cause UEs in idle mode to reselect a bogus cell. While it is possible for the blacklisting mechanism implemented in the UE to effectively ignore the bogus signals, we assume the system gets "confused" when it detects a valid PSS with no associated SSS and does not know how to deal with it.

Detecting the SSS is the second required step in accessing an LTE cell. The SSS provides frame timing information, cell group ID, cyclic prefix length, and TDD/FDD configuration. It is a BPSK modulated signal made up of m-sequences. Simply jamming the SSS is not effective for the same reason as jamming the PSS, and spoofing the SSS requires synchronizing with the target cell, because the UE expects the SSS to be in a certain location relative to the PSS. For these reasons, SSS jamming and spoofing are left out of the final comparison.

B. Downlink Reference Signals
In order for an OFDM receiver to estimate the channel and perform frequency-domain equalization, known symbols must be transmitted periodically. Although these known symbols are often referred to as pilots or reference symbols, in the LTE specification they are called Reference Signals (RSs). In the downlink, RSs are multiplexed in both time and frequency, as shown in Figure 2. RSs occupy roughly 14% of the resource elements in a frame. The location of the RSs in time and frequency is based on the cell ID. All RSs are QPSK modulated, and use a length-31 Gold sequence that is initialized with a value based on the cell ID.

It is shown in [13] and [3] that jamming a subcarrier that contains RSs leads to a higher BER than jamming one that only contains data. An RS jamming attack requires detecting the target eNodeB's PSS and SSS in order to retrieve the cell ID. However, it does not require estimating the channels involved, due to the long OFDM symbol duration (71 microseconds). Even with 5 miles between the jammer and the UE, the propagation delay is only about 27 microseconds. To compensate for this delay, the jammer only has to start transmitting a fraction of a symbol early.
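The PSS detection and spoofing argument of Section IV-A above can be checked numerically. The following Python script is an added example, not code from the paper: it generates the three length-63 ZC sequences of eq. (1) (the root indices 25, 29 and 34 are the ones specified in 3GPP TS 36.211 and are not stated on the page), models the UE detector as a frequency-domain correlator over every root and cyclic shift, and then adds a spoofer that transmits all three sequences at its own timing. The per-sequence definition of the spoofer's J/S_RE, the noise-free channel, the use of all 63 positions (the real PSS punctures the DC subcarrier) and the spoofer's timing offset are simplifying assumptions of the example, and all function names are its own.

```python
import cmath
import math

N = 63                      # PSS Zadoff-Chu length used in eq. (1)
PSS_ROOTS = (25, 29, 34)    # root indices q from 3GPP TS 36.211 (assumption: not given on the page)


def zadoff_chu(q, n=N):
    """Eq. (1): x_q[k] = exp(-j*pi*q*k*(k+1)/N), k = 0..N-1 (odd N)."""
    return [cmath.exp(-1j * math.pi * q * k * (k + 1) / n) for k in range(n)]


def correlate(received, ref, shift):
    """|sum_k r[k] * conj(ref[(k - shift) mod N])|: correlation against a cyclically shifted reference."""
    n = len(ref)
    acc = sum(received[k] * ref[(k - shift) % n].conjugate() for k in range(n))
    return abs(acc)


def detect_pss(received):
    """Toy UE detector: return the (root, shift) pair with the strongest correlation peak."""
    best = (-1.0, None, None)
    for q in PSS_ROOTS:
        ref = zadoff_chu(q)
        for shift in range(N):
            metric = correlate(received, ref, shift)
            if metric > best[0]:
                best = (metric, q, shift)
    return best[1], best[2]


def received_signal(cell_root, jammer_js_db=None, jammer_shift=17):
    """Cell PSS (root cell_root, timing 0) plus an optional spoofer that sends all three
    PSS sequences at timing jammer_shift. jammer_js_db is the J/S_RE of each spoofed
    sequence relative to the cell's PSS; the channel is noise-free (assumption)."""
    rx = zadoff_chu(cell_root)
    if jammer_js_db is not None:
        amp = 10 ** (jammer_js_db / 20)          # amplitude ratio for a power ratio in dB
        for q in PSS_ROOTS:
            seq = zadoff_chu(q)
            for k in range(N):
                rx[k] += amp * seq[(k - jammer_shift) % N]
    return rx


def spoof_threshold_db(cell_root=29, jammer_shift=17, lo=-6, hi=12):
    """Lowest J/S_RE (1 dB steps) at which the detector locks onto the spoofer's timing."""
    for js_db in range(lo, hi + 1):
        _, shift = detect_pss(received_signal(cell_root, js_db, jammer_shift))
        if shift == jammer_shift:
            return js_db
    return None


if __name__ == "__main__":
    x = zadoff_chu(29)
    print("constant amplitude:", max(abs(abs(v) - 1) for v in x) < 1e-9)
    print("autocorrelation at shift 5:", round(correlate(x, x, 5), 6))
    print("no spoofer      ->", detect_pss(received_signal(29)))
    print("spoofer, 3 dB   ->", detect_pss(received_signal(29, 3)))
    print("lock to spoofer from J/S_RE =", spoof_threshold_db(), "dB")
```

The ideal periodic autocorrelation of the ZC sequences is what makes the spoofer's timing a clean, separate peak: once its per-sequence power exceeds the cell's PSS at the UE by a few dB, the strongest peak belongs to the spoofer's shift rather than the cell's. The exact flip point printed by the script is specific to this toy correlator (it depends on the cross terms between the three roots), which is why the paper treats its 3 dB figure as an estimate for vendor-specific detectors.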
TABLE II
COMPARISON OF VULNERABILITIES

Jamming Method                      N_RE    % of Frame   Min J/S_RE   Synch. Required   Complexity   J/S_F
Barrage Jamming                     84000   100%         -2 dB        No                Very Low     -2 dB
RS Jamming                          4000    5%           4 dB         Yes               High         -9 dB
Center 6 Resource Blocks Jamming    10080   12%          -2 dB        No                Very Low     -11 dB
PSS Spoofing                        378     0.45%        3 dB         No                Medium       -20 dB
PCFICH Jamming                      160     0.2%         1.5 dB       Yes               High         -25 dB
PUCCH Jamming                       21000   25%          -2 dB        No                Low          -8 dB
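The J/S_F column of Table II follows from eq. (2) of Section V together with the 10 MHz frame geometry. The Python below is an added example, not the paper's code: it derives N_RE for each attack from the frame geometry (the RS count assumes a single antenna port with 4 reference-signal resource elements per resource block per slot; the PSS figure of 378 is taken from the table rather than derived), applies eq. (2) in decibels, ranks the attacks, and inverts the equation to recover the 4 dB J/S_RE that Section IV-B quotes for the pilot-density-1/8 simulation of [3]. The constant and function names are the example's own.

```python
import math

# 10 MHz FDD LTE with the normal cyclic prefix, the configuration used for Table II
N_RB = 50               # resource blocks across the 10 MHz system bandwidth
N_SC = 12               # subcarriers per resource block
N_SYMB_SLOT = 7         # OFDM symbols per slot
SLOTS_PER_FRAME = 20    # 10 subframes x 2 slots per 10 ms frame
N_SYMB = N_SYMB_SLOT * SLOTS_PER_FRAME      # 140 OFDM symbols per frame
N_RE_FRAME = N_RB * N_SC * N_SYMB           # 84000 resource elements per frame

# Minimum J/S_RE (dB) estimated for each attack in Sections III and IV (Table II)
JS_RE_DB = {
    "Barrage Jamming": -2.0,
    "RS Jamming": 4.0,
    "Center 6 Resource Blocks Jamming": -2.0,
    "PSS Spoofing": 3.0,
    "PCFICH Jamming": 1.5,
    "PUCCH Jamming": -2.0,
}


def resource_elements_per_frame():
    """Resource elements each attack must cover per frame, derived from the frame geometry."""
    return {
        "Barrage Jamming": N_RE_FRAME,                          # entire band, 100% duty cycle
        # cell-specific RS for one antenna port: 4 REs per resource block per slot (assumption)
        "RS Jamming": 4 * N_RB * SLOTS_PER_FRAME,
        "Center 6 Resource Blocks Jamming": 6 * N_SC * N_SYMB,  # 72 subcarriers, every symbol
        "PSS Spoofing": 378,                                    # taken from Table II as given
        "PCFICH Jamming": 16 * 10,                              # 16 subcarriers, one symbol per subframe
        "PUCCH Jamming": N_RE_FRAME // 4,                       # about 25% of the uplink bandwidth
    }


def js_frame_db(js_re_db, n_re):
    """Eq. (2) in dB: J/S_F = J/S_RE + 10 log10(N_RE / (N_symb N_sc N_RB))."""
    return js_re_db + 10 * math.log10(n_re / N_RE_FRAME)


def js_re_needed_db(js_f_db, n_re):
    """Inverse of eq. (2): the J/S_RE a jammer with frame-averaged J/S_F achieves on its REs."""
    return js_f_db - 10 * math.log10(n_re / N_RE_FRAME)


def vulnerability_table():
    """Rows of (method, N_RE, percent of frame, J/S_RE dB, J/S_F dB), sorted by J/S_F."""
    rows = []
    for method, n_re in resource_elements_per_frame().items():
        js_re = JS_RE_DB[method]
        rows.append((method, n_re, 100.0 * n_re / N_RE_FRAME, js_re, js_frame_db(js_re, n_re)))
    return sorted(rows, key=lambda r: r[4])


def weakest_link():
    """The attack with the lowest required J/S_F, i.e. the most power-efficient one."""
    return vulnerability_table()[0][0]


if __name__ == "__main__":
    print(f"{'Jamming Method':34} {'N_RE':>6} {'%':>6} {'J/S_RE':>7} {'J/S_F':>7}")
    for method, n_re, pct, js_re, js_f in vulnerability_table():
        print(f"{method:34} {n_re:6d} {pct:6.2f} {js_re:7.1f} {js_f:7.1f}")
    print("weakest link:", weakest_link())
    print("RS simulation of [3]: J/S_RE =", round(js_re_needed_db(-5.0, N_RE_FRAME // 8), 1), "dB")
```

The rounded J/S_F values reproduce the last column of Table II (the PCFICH row comes out at -25.7 dB, printed as -25 dB in the table). The inverse form is the one a practitioner actually needs: given a jammer's total power budget relative to the cell, it says how much of that budget lands on the resource elements that matter, which is why a 160-RE target like the PCFICH is so much cheaper to deny than the whole band.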
Returning to RS jamming, a simulation performed in [3] shows that, using a QPSK signal at an SNR of 10 dB, an overall J/S (J/S_F) of -5 dB causes a BER of 0.1. The simulated system uses a pilot density of 1/8, which corresponds to a J/S of 4 dB when only the jammed resource elements are considered (i.e., the value of J/S_RE). An 8-tap channel is used, and the signal is generated with a cyclic prefix length of 1/8 and a 256-point FFT. Although the simulated system is not exactly the same as LTE, it provides a reasonable approximation of J/S_RE.

V. COMPARISON OF VULNERABILITIES
In order to compare the extent of each vulnerability, we use a system bandwidth of 10 MHz (which equates to 50 resource blocks). Table II lists the various forms of jamming, along with key metrics. Jamming techniques that do not perform better than barrage jamming are left off this table. Note that jamming the center 6 resource blocks means jamming the PBCH without time synchronization, using a 100% duty cycle waveform.

The second and third columns of Table II show the number and percentage of resource elements per frame that must be jammed in each attack. The minimum J/S_RE column shows the J/S_RE required to cause immediate denial of the channel or signal; this is the value estimated in the analysis of each section and is meant to be a rough estimate. Two of the attacks (RS jamming and PCFICH jamming) require the jammer to maintain time-domain synchronization with the target cell, using the PSS and SSS. The complexity metric is based on the amount of synchronization required and on the transmitted waveform. The "very low" complexity attacks simply involve transmitting AWGN into a continuous band. The J/S_F metric is the overall J/S when the entire LTE frame is taken into account, and is given by

J/S_F = J/S_{RE} \cdot \frac{N_{RE}}{N_{symb} N_{sc} N_{RB}}    (2)

where N_RE is the number of resource elements per frame associated with the physical channel or signal, N_RB is the number of resource blocks across the downlink or uplink bandwidth, N_symb is the number of OFDM symbols in a frame (140 with the normal cyclic prefix), and N_sc is the number of subcarriers per resource block, so that the denominator is the total number of resource elements in a frame (84000 for 10 MHz, matching the 100% row of Table II). The ratios in (2) are linear; in decibels, J/S_F = J/S_RE + 10 log10(N_RE / (N_symb N_sc N_RB)). This calculation assumes a uniform power spectral density across the LTE downlink or uplink signal. From the perspective of the jammer, a lower J/S_F is better.

VI. CONCLUSION
In this paper we analyzed the vulnerability of LTE to jamming by investigating the various physical channels and signals within LTE. Using barrage jamming as a baseline, we have shown that much more effective jamming methods can be realized by exploiting the protocols of LTE. In order to compare several methods, we derived metrics related to effectiveness and complexity for each one. Considering how many forms of jamming are more effective than barrage jamming, it is clear that LTE is extremely vulnerable to adversarial jamming. In particular, the PCFICH and PUCCH are weak points in the downlink and uplink signals respectively. This is not a surprising result, considering that LTE was not designed to be a military communication system. However, with the rapid growth of mobile devices, LTE is going to be a highly relied-upon technology.

REFERENCES

[1] D. Yu and W. Wen, "Non-access-stratum request attack in E-UTRAN," in Computing, Communications and Applications Conference (ComComAp), 2012, Jan. 2012, pp. 48–53.
[2] D. Forsberg, H. Leping, K. Tsuyoshi, and S. Alanara, "Enhancing security and privacy in 3GPP E-UTRAN radio interface," in Personal, Indoor and Mobile Radio Communications, 2007. PIMRC 2007. IEEE 18th International Symposium on, Sept. 2007, pp. 1–5.
[3] T. Clancy, "Efficient OFDM denial: Pilot jamming and pilot nulling," in Communications (ICC), 2011 IEEE International Conference on
[8] … Vehicular Technology Conference (VTC Spring), 2012 IEEE 75th, 2012, pp. 1–5.
[9] J. G. Proakis, Digital Communications, 4th ed. New York: McGraw-Hill, 2000.
[10] E. Malkamaki and H. Leib, "Evaluating the performance of convolutional codes over block fading channels," IEEE Transactions on Information Theory, vol. 45, no. 5, pp. 1643–1646, 1999.
[11] M. Baker and T. Moulsley, "Downlink physical data and control channels," in LTE, The UMTS Long Term Evolution: From Theory to Practice, 2nd ed., S. Sesia, I. Toufik, and M. Baker, Eds. Chichester, West Sussex, United Kingdom: John Wiley & Sons Ltd, 2011, ch. 9.
[12] F. Tomatis and S. Sesia, "Synchronization and cell search," in LTE, The UMTS Long Term Evolution: From Theory to Practice, 2nd ed., S. Sesia, I. Toufik, and M. Baker, Eds. Chichester, West Sussex, United Kingdom: John Wiley & Sons Ltd, 2011, ch. 7.
[13] C. Patel, G. Stuber, and T. Pratt, "Analysis of OFDM/MC-CDMA under channel estimation and jamming," in