What is an availability attack on the eNodeB and core network, and how does it relate to fake handsets?
A large number of simultaneous requests may prevent eNodeBs and core network components (e.g. the HSS) from functioning properly — for example by simulating large numbers of fake handsets. Mitigation is unclear.
* Signalling storm: fake handsets exhaust the core control plane. *
The threat:
- A large number of simultaneous requests can overwhelm eNodeBs and core components (e.g., the HSS) so they can't function properly
- A concrete vector: simulating large numbers of fake handsets — each fake UE triggers attach/authentication signaling, and enough of them exhaust the network's signaling capacity
The mitigation:
- Unclear (as the NIST analysis candidly states)
Why the signaling plane is the soft target: every attach, location update, and authentication consumes control-plane resources at the MME and HSS. The data plane may have plenty of bandwidth, but the control plane can be exhausted by many devices each doing a little signaling — a "signaling storm." This is the mobile-network analogue of a DDoS, aimed at the brain (control plane) rather than the muscles (data plane).
Tip: Note how many of these LTE threats end in "Mitigation: Unclear" — jamming and availability attacks especially. Availability is the hardest property to guarantee against a determined attacker.
Go deeper:
Denial-of-service attack (Wikipedia) — the flooding/resource-exhaustion model applied to the mobile control plane.
Storms in Mobile Networks (Gelenbe et al., arXiv 2014) — how RRC/attach signaling from many devices overloads the control plane (MME/HSS).