LTE Security
What is LTE Security?
LTE Security: The security architecture for 4G/LTE mobile networks, defined in 3GPP TS 33.401, covering EPS-AKA authentication and ciphering of RRC, NAS, and user-plane traffic.
LTE security is specified in 3GPP TS 33.401 and centres on EPS-AKA, a challenge-response protocol between the UE and the home subscriber server (HSS) via the MME. Successful authentication derives a hierarchy of keys (K, CK/IK, KASME, KeNB, KNASenc/int, KRRCenc/int, KUPenc) that protect signalling and user traffic with the EEA1/2/3 cipher suites (SNOW 3G, AES-128, ZUC) and EIA1/2/3 integrity algorithms. Unlike 5G, the IMSI is sent in clear during initial attach, which made IMSI-catcher and Stingray attacks feasible. The S6a Diameter interface between MME and HSS is supposed to be carried over secure transport (TLS or DTLS, per RFC 6733), though many operators historically relied on private SS7/Diameter networks.
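The key hierarchy described above can be traced with the HMAC-SHA-256 key derivation function from TS 33.401 Annex A. This is an added example, not part of the original entry: the function names are illustrative, the CK/IK, PLMN and SQN xor AK inputs are constructed, and the AKA run that produces CK/IK from K is not modelled.

```python
import hashlib
import hmac

# Algorithm type distinguishers (TS 33.401 Annex A.7)
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03,
            "RRC-int": 0x04, "UP-enc": 0x05}
# EEA/EIA identities 1, 2, 3 map to the algorithms named in the entry
ALG_ID = {"SNOW3G": 1, "AES": 2, "ZUC": 3}

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_kasme(ck: bytes, ik: bytes, plmn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    # K_ASME binds CK/IK to the serving network identity (FC = 0x10)
    if (len(ck), len(ik), len(plmn_id), len(sqn_xor_ak)) != (16, 16, 3, 6):
        raise ValueError("unexpected input length")
    return kdf(ck + ik, 0x10, plmn_id, sqn_xor_ak)

def derive_kenb(kasme: bytes, ul_nas_count: int) -> bytes:
    # K_eNB is bound to the uplink NAS COUNT (FC = 0x11)
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))

def derive_alg_key(parent: bytes, purpose: str, alg: str) -> bytes:
    # FC = 0x15; the algorithm key is the 128 least significant bits
    out = kdf(parent, 0x15, bytes([ALG_TYPE[purpose]]), bytes([ALG_ID[alg]]))
    return out[-16:]

def derive_hierarchy(ck, ik, plmn_id, sqn_xor_ak, ul_nas_count, alg="AES"):
    kasme = derive_kasme(ck, ik, plmn_id, sqn_xor_ak)
    kenb = derive_kenb(kasme, ul_nas_count)
    keys = {"K_ASME": kasme, "K_eNB": kenb}
    for purpose in ALG_TYPE:
        # NAS keys hang off K_ASME (MME); RRC and UP keys hang off K_eNB (eNodeB)
        parent = kasme if purpose.startswith("NAS") else kenb
        keys["K_" + purpose] = derive_alg_key(parent, purpose, alg)
    return keys

# Constructed inputs: CK/IK would come from the USIM/HSS AKA run over K
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
PLMN = bytes.fromhex("00f110")           # test network MCC 001 / MNC 01
SQN_XOR_AK = bytes.fromhex("0123456789ab")

if __name__ == "__main__":
    for name, key in derive_hierarchy(CK, IK, PLMN, SQN_XOR_AK, 0).items():
        print(f"{name:10s} {key.hex()}")
```

Because the serving network identity is an input to K_ASME, the same CK/IK yields unrelated session keys under a different PLMN, which is what ties the derived keys to the network the UE attached to.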
● Examples
- 01. An LTE phone running EPS-AKA challenge-response with the HSS to derive KASME and attach to a tracking area.
- 02. An IMSI catcher exploiting the cleartext IMSI in the LTE initial Attach Request before NAS encryption is established.
● Frequently asked questions
What is LTE Security?
The security architecture for 4G/LTE mobile networks, defined in 3GPP TS 33.401, covering EPS-AKA authentication and ciphering of RRC, NAS, and user-plane traffic. It belongs to the Network Security category of cybersecurity.
How do you defend against attacks on LTE Security?
Defences for LTE Security typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for LTE Security?
Common alternative names include: EPS-AKA, 4G security, TS 33.401.
● Related terms
- 5G Security (network-security, № 004): The security architecture for 5G mobile networks, defined in 3GPP TS 33.501, covering subscriber privacy, mutual authentication, and protection of signalling and user-plane traffic.
- Diameter Protocol (network-security, № 314): An AAA (authentication, authorisation, accounting) protocol standardised in RFC 6733 that replaced RADIUS in IMS, LTE EPC, and roaming/IPX networks.
- VoLTE Security (network-security, № 1211): Voice-over-LTE security: the set of IMS authentication, signalling, and media protections that secure voice calls carried as SIP/RTP over 4G or 5G data bearers.
- IMSI Catcher (attacks, № 521): A fake cell-site that tricks nearby phones into revealing their IMSI/IMEI and, on weak networks, intercepting calls and SMS.
- AES (Advanced Encryption Standard) (cryptography, № 020): A NIST-standardized 128-bit block cipher with 128-, 192- or 256-bit keys, designed by Daemen and Rijmen and used as the dominant symmetric cipher worldwide.
- VoIP Security (network-security, № 1209): The set of controls protecting Voice-over-IP calls (SIP signalling and RTP media) from eavesdropping, fraud, denial of service, and identity spoofing.