LTair: The LTE Air Interface Tool

LTair is an SRSran-based tool that emulates LTE network elements (eNodeB, core, UE) to test and demonstrate control-plane attacks over the air interface, including paging interception, identifier-persistence checks, spoofed RRC connections, TAU reject-based downgrades and denials of service, and UE-detach abuse. It requires an SRSran-compatible transceiver, and the resulting traffic is inspected (e.g., with Wireshark) to validate operator and device behavior.

Keypoints

  • LTair is built on SRSran and can emulate a rogue eNodeB, full core network, or UE to target either operators or user equipment over the air.
  • The tool captures LTE paging broadcasts to detect exposure of S-TMSIs and IMSIs, which can enable subscriber tracking.
  • LTair can verify whether temporary identifiers (e.g., M-TMSI) are refreshed after re-attachment, detecting identifier persistence that risks tracking.
  • It implements blind DoS by establishing spoofed RRC connections with a victim’s temporary identifier to force radio connection release and disconnect the real UE.
  • LTair sends crafted TAU reject messages (cause 7 to force 4G→3G downgrade, cause 8 to deny all services, or custom causes) to observe UE/core reactions.
  • It abuses protocol logic (e.g., UE Detach Request with power-off) to trigger MME processing even when integrity checks fail, causing resource release for the victim.

MITRE Techniques

  • [T1040] Network Sniffing – Capturing LTE paging broadcasts to extract temporary and permanent subscriber identifiers: ‘paging messages contain subscriber’s temporary identifiers (S-TMSIs), but they could also contain permanent identifiers (IMSIs).’
  • [T1036] Masquerading – Spoofing a victim UE by establishing RRC connections using the victim’s temporary identifier to impersonate the subscriber: ‘establishing RRC connections spoofed as the victim UE, using his/her temporary identifier (in the diagram below, the victim temporary identifier would be “123”).’
  • [T1498] Network Denial of Service – Forcing disconnection of a target by creating conflicting radio requests that release the legitimate radio connection: ‘the previous radio connection is released and the victim is blindly disconnected from the network.’
  • [T1499] Endpoint Denial of Service – Denying all network services by replying to TAU requests with specific reject causes (e.g., cause 8) to force the UE offline: ‘TAU reject message with cause number 8, which is “LTE and non-LTE services not allowed”.’
  • [T1203] Exploitation of Vulnerability – Exploiting protocol logic where UE-initiated Detach (power-off) messages are processed despite failed integrity checks, causing resource release: ‘detach messages with power-off type are processed even if their integrity check fails.’
  • [T1557] Adversary-in-the-Middle – Using a rogue eNodeB to inject unauthenticated TAU reject messages (cause 7) to force protocol-level downgrade from LTE to older radio access technologies: ‘TAU reject message, with cause number 7 which corresponds to “LTE services not allowed”.’

Indicators of Compromise

  • [Identifiers] subscriber identifiers observed in broadcasts – IMSI (permanent identifier), S-TMSI / M-TMSI (temporary identifiers)
  • [TAU Causes] TAU reject responses used as attack signals – cause 7 (LTE services not allowed), cause 8 (LTE and non-LTE services not allowed), and custom cause codes
  • [Tooling] software/framework names involved – LTair, SRSran
  • [Procedure examples] values used to illustrate the test procedures – the example temporary identifier ‘123’ in the spoofed-RRC description, and the M-TMSI values observed before and after re-attachment in the identifier-persistence check

LTair uses the SRSran framework and an SDR transceiver to emulate LTE elements (eNodeB, MME/core, and UE) and perform control-plane tests directly over the air. Operators or devices under test can be targeted by configuring LTair either as a rogue operator (eNodeB/core) or as a UE; traffic can be captured and inspected (for example, with Wireshark) to analyze paging messages and protocol exchanges.

Key test procedures include: passive capture of paging broadcasts to detect S-TMSI/IMSI leakage; performing re-attachment sequences to verify M-TMSI rotation and identify identifier persistence; establishing spoofed RRC connections using a victim’s temporary identifier to trigger blind disconnects (denial-of-service); and sending crafted TAU reject messages (cause 7 to trigger LTE→3G downgrade, cause 8 to deny all services, or custom causes to observe UE behavior). These tests rely on unauthenticated control-plane messages and do not always require SIM-derived keys, since many TAU and RRC messages lack mutual authentication.

Additional protocol abuses demonstrated by LTair include sending a UE-initiated Detach Request with a power-off action containing the victim’s S-TMSI; because some MMEs process power-off detach types even when integrity checks fail, this causes immediate resource release for the victim. The tool’s capability to replay, craft, and monitor TAU/Detach/RRC message flows enables verification of operator and device implementations against known LTE control-plane weaknesses.
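The three verification checks described above (IMSI exposure in paging, M-TMSI rotation after re-attachment, and TAU reject causes 7/8) can be scripted over decoded capture records. The following is an added, defender-side example, not LTair code; it runs over constructed sample records whose field names (`msg`, `ue_identity`, `m_tmsi`, `cause`) are assumptions standing in for whatever a Wireshark export would provide.

```python
# Added example (not part of LTair): audit decoded LTE control-plane records for
# the weaknesses the page describes. All records below are constructed samples;
# the IMSI uses the 001-01 test PLMN and the field names are assumed, not real
# Wireshark field identifiers.
from collections import defaultdict

TEST_IMSI = "001010000000001"  # constructed, test PLMN 001-01

SAMPLE_RECORDS = [
    {"msg": "Paging", "ue_identity": "S-TMSI", "value": "0x1a2b3c4d"},
    {"msg": "Paging", "ue_identity": "IMSI", "value": TEST_IMSI},      # permanent id broadcast
    {"msg": "Attach Accept", "imsi": TEST_IMSI, "m_tmsi": "0xaaaa0001"},
    {"msg": "Detach Request", "imsi": TEST_IMSI, "type": "power-off"},
    {"msg": "Attach Accept", "imsi": TEST_IMSI, "m_tmsi": "0xaaaa0001"},  # same M-TMSI reissued
    {"msg": "TAU Reject", "imsi": TEST_IMSI, "cause": 7},
]

# Reject causes named on the page; anything else is reported as other/custom.
TAU_REJECT_CAUSES = {
    7: "LTE services not allowed",
    8: "LTE and non-LTE services not allowed",
}

def paging_imsi_exposures(records):
    """Paging should address the UE by S-TMSI; an IMSI here is a tracking exposure."""
    return [r["value"] for r in records
            if r["msg"] == "Paging" and r.get("ue_identity") == "IMSI"]

def persistent_m_tmsi(records):
    """Return subscribers whose M-TMSI was reissued unchanged on a later attach."""
    history = defaultdict(list)
    for r in records:
        if r["msg"] == "Attach Accept":
            history[r["imsi"]].append(r["m_tmsi"])
    return {imsi: t for imsi, t in history.items()
            if any(a == b for a, b in zip(t, t[1:]))}

def tau_reject_alerts(records):
    """List TAU rejects with their cause; 7 and 8 are the downgrade/denial causes."""
    return [(r["imsi"], r["cause"], TAU_REJECT_CAUSES.get(r["cause"], "other/custom"))
            for r in records if r["msg"] == "TAU Reject"]

def audit(records):
    return {
        "imsi_in_paging": paging_imsi_exposures(records),
        "persistent_m_tmsi": persistent_m_tmsi(records),
        "tau_rejects": tau_reject_alerts(records),
    }

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_RECORDS).items():
        print(f"{finding}: {detail}")
```

On the sample data the audit reports one IMSI in paging, one subscriber whose M-TMSI survived re-attachment, and one cause-7 TAU reject; an empty result in all three is what a correctly behaving operator and device should produce.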

Read more: https://research.nccgroup.com/2024/03/14/ltair-the-lte-air-interface-tool/