View article

Mobility management in the cellular networks plays a significant role in preserving mobile services with minimal latency while a user is moving. To support this essential functionality the cellular networks rely on the handover procedure. Most often, the User Equipment (UE) provides signal measurements to the network via reports to facilitate the handover decision when it discovers a more suitable base station. These measurement reports are cryptographically protected. In this paper, we examine the cellular specification and illustrate that this crucial functionality has critical security implications. To the best of our knowledge, this is the first work on cellular Man-In-The-Middle attacks based on the handover procedure. In particular, we demonstrate a new type of fake base station attacks in which the handover procedures, based on the encrypted measurement reports and signal power thresholds, are vulnerable. An …