Vuk Marojevic

LTE/LTE-a jamming, spoofing, and sniffing: threat assessment and mitigation

LTE is currently being proposed for use in a nationwide wireless broadband public safety network in the United States as well as for other critical applications where reliable communication is essential for safety. Unfortunately, like any wireless technology, disruption of these networks is possible through radio jamming. This article investigates the extent to which LTE is vulnerable to RF jamming, spoofing, and sniffing, and assesses different physical layer threats that could affect next-generation critical communication networks. In addition, we examine how sniffing the LTE broadcast messages can aid an adversary in an attack. The weakest links of LTE are identified and used to establish an overall threat assessment. Lastly, we provide a survey of LTE jamming and spoofing mitigation techniques that have been proposed in the open literature.

Next generation public safety networks: A spectrum sharing approach

Wireless communications play a critical role in national security and disaster relief and are extensively utilized by first responder teams, such as police officers, firefighters, and ambulances. The first responders in emergency situations need to always be connected with one another and with the remote service centers for effective cooperation and coordination. However, the existing public safety (PS) services fail to satisfy the PS user requirements in many emergency scenarios, which usually leads to exceptionally high traffic loads. As a result, increasing the network capacity is one of the primary concerns, and spectrum sharing has been deemed the key solution. With appropriate spectrum sharing partnerships among PS agencies and commercial networks, PS users can access licensed PS spectrum, shared spectrum, as well as commercial networks when the need arises. In this article we present different initiatives undertaken by Wireless @ Virginia Tech toward the next generation PS network. We also discuss our vision of a flexible, rapidly deployable, and reconfigurable PS system to meet imminent and future demands on critical communications infrastructure and discuss the value of spectrum sharing for supporting this long-term vision.

How to enhance the immunity of LTE systems against RF spoofing

Long Term Evolution (LTE) networks offer high-speed wireless access to meet the increasing demand in user traffic. LTE technology is also considered for mission-critical networks. Hence, it is critical to ensure that the LTE system performs effectively even in harsh signaling environments. This paper analyzes the effect of different levels of radio frequency (RF) spoofing applied to LTE. The simplest form of spoofing is LTE synchronization signal spoofing, where standard-compliant primary and secondary synchronization sequences are transmitted by a fake cell. More sophisticated RF spoofing attacks include transmitting some of the LTE control messages, without the ability to exchange the authentication keys. The experimental results show that LTE control channel spoofing can cause permanent denial of service for user equipment during the cell selection process. We provide the technical explanation for this using the LTE specifications. Mitigation techniques are proposed to effectively enhance the immunity of LTE systems against targeted interference and ensure that it is secure and available when and where needed.

Analyzing and enhancing the resilience of LTE/LTE-A systems to RF spoofing

The long-term evolution (LTE) is cellular communications standard that is widely adopted and deployed around the world. It offers high-speed wireless services to meet the increasing demand on user data traffic. LTE technology is also considered for public safety networks. Hence, it is mandatory to ensure that the LTE system can operate in interference-prone environments including targeted interference. We introduce the term LTE control channel spoofing, which refers to transmitting a partial LTE downlink frame, created by a fake eNodeB which does not possess the registration keys nor offers any service. We have built a testbed to demonstrate that this can cause permanent denial of service for UEs that are in cell selection process. This is achieved by sending fake control channel messages rather than authentication attacks. The failure of attachment that is caused by LTE control channel spoofing can be explained in conjunction with the 3GPP specifications. Mitigation techniques are proposed to effectively enhance the robustness of LTE systems and ensure that it is secure and available when and where needed. The recommended modifications to the specifications only require simple changes to UE message handling and are backward compatible with currently deployed LTE networks.

Analysis and Mitigation of Interference to the LTE Physical Control Format Indicator Channel

In LTE, the Physical Control Format Indicator Channel (PCFICH) is a downlink control channel that indicates the number of OFDM symbols used by the primary downlink control channel in each sub frame. Even though the PCFICH only carries two bits of control information, it is essential to the operation of LTE. Since the PCFICH is a vital physical channel that only occupies a small fraction of the downlink signal, it acts as a weak link in terms of vulnerability to targeted interference. Due to recent interest in using LTE for military and public safety applications, it would be beneficial to better understand this vulnerability. This paper investigates the performance of the PCFICH under various harsh wireless conditions and proposes strategies to prevent interference against the PCFICH from causing link degradation.

LTE PHY layer vulnerability analysis and testing using open-source SDR tools

This paper provides a methodology to study the PHY layer vulnerability of wireless protocols in hostile radio environments. Our approach is based on testing the vulnerabilities of a system by analyzing the individual subsystems. By targeting an individual subsystem or a combination of subsystems at a time, we can infer the weakest part and revise it to improve the overall system performance. We apply our methodology to 4G LTE downlink by considering each control channel as a subsystem. We also develop open-source software enabling research and education using software-defined radios. We present experimental results with open-source LTE systems and shows how the different subsystems behave under targeted interference. The analysis for the LTE downlink shows that the synchronization signals (PSS/SSS) are very resilient to interference, whereas the downlink pilots or Cell-Specific Reference signals (CRS) are the most susceptible to a synchronized protocol-aware interferer. We also analyze the severity of control channel attacks for different LTE configurations. Our methodology and tools allow rapid evaluation of the PHY layer reliability in harsh signaling environments, which is an asset to improve current standards and develop new and robust wireless protocols.

Visualizing real-time radio spectrum access with CORNET3D

Modern web technology enables the 3D portrayal of real-time data. WebSocket connections provide data over the web without the time-consuming overhead of HTTP requests. The server-side push paradigm is particularly useful for creating novel tools such as CORNET3D, where real-time 3D visualization is required. CORNET3D is an innovative Web3D interface to a research and education test bed for Dynamic Spectrum Access (DSA). Our system can drive several 2D and 3D portrayals of spectral data and radio performance metrics from a live, online system. The testbed can further integrate the data portrayals into a multi-user serious game to teach students about strategies for the optimal use of spectrum resources by providing them with real-time scoring based on their choices of radio transmission parameters. This paper describes the web service architecture and Webd3D front end for our DSA testbed, detailing new methods for spectrum visualization and the applications they enable.

Hypergraph matching for MU-MIMO user grouping in wireless LANs

This paper investigates the user grouping problem of downlink wireless local area networks (WLANs) with multi-user MIMO (MU-MIMO). Particularly, we focus on the problem of whether single user transmit beamforming (SU-TxBF) or MU-MIMO should be utilized, and how many users and which users should be in a multi-user (MU) group. We formulate the problem for maximizing the system throughput subject to the multi-user air time fairness (MU-ATF) criterion. We show that hypergraphs provide a suitable mathematical model and effective tool for finding the optimal or close to optimal solution. We show that the optimal grouping problem can be solved efficiently for the case where only SU-TxBF and 2-user MU groups are allowed in the system. For the general case, where any number of users can be assigned to groups of different sizes, we develop an efficient graph matching algorithm (GMA) based on graph theory principles. We evaluate the proposed algorithm in terms of system throughput using an 802.11ac emulator, which is created using collected channel measurements from an indoor environment and simulated channel samples for outdoor scenarios. We show that our GMA achieves at least 93% of the optimal system throughput in all considered test cases.

Role of receiver performance data in efficient spectrum utilization

This paper elaborates on the importance of including receiver performance characteristics to optimize for efficient spectral usage. Futuristic heterogeneous wireless networks are expected to be diverse and dynamic. Knowledge of receiver spectral performance enables the spectrum management system not only to provide adequate protection from harmful interference, but also provides an effective way to maximize the network level spectrum efficiency for networks with diverse and dynamic environments. We formulate the problem for such an inclusive optimization with several constraints and demonstrate using numerical simulations that using receiver performance characteristics for spectrum management has the potential to considerably improve the network level spectrum efficiency.

Software-Defined LTE Evolution Testbed Enabling Rapid Prototyping and Controlled Experimentation

The long-term evolution (LTE) has spread around the globe for deploying 4G cellular networks for commercial use. These days, it is gaining interest for new applications where mobile broadband services can be of benefit to society. Whereas the basic concepts of LTE are well understood, its long-term evolution has just started. New areas of Ramp;amp;D look into operation in unlicensed and shared bands, where new versions of LTE need to coexist with other communication systems and radars. Virginia Tech has developed an LTE testbed with unique features to spur LTE research and education. This pa-per introduces Virginia Techs LTE testbed, its main features and components, access and configuration mechanisms, and some of the research thrusts that it enables. It is unique in several aspects, including the extensive use of software-defined radio technology, the combination of industry-grade hardware and software-based systems, and the remote access feature for user- defined configurations of experiments and radio frequency paths.