In the developing 3rd Generation Partnership Project (3GPP) Long Term Evolution (LTE) wireless communication protocol, the Random Access Channel (RACH) procedure consists of a UE sending a random access (RA) preamble to the eNB in a RACH occasion and receiving a random access response from the eNB. The RA response echoes the RA preamble identifier that was used and carries a temporary Cell-Radio Network Temporary Identifier (C-RNTI) assignment and an uplink (UL) resource assignment (UL grant). The UE transmits "message 3" on the resource assigned in the RA response. The RA response is addressed on the Physical Downlink Control Channel (PDCCH) to the Random Access-Radio Network Temporary Identifier (RA-RNTI) corresponding to the RACH occasion in which the UE transmitted the RA preamble. In the contention based RACH procedure, message 3 can be a Radio Resource Control (RRC) Connection establishment request or an RRC Connection Re-establishment request. Below we show that the RACH procedure has a loophole that a malicious UE can exploit to deny service to other UEs.
The LTE random access procedure according to 3GPP TS 36.321 is illustrated in FIG. 1. In the contention based RA procedure, the UE selects a RA preamble identifier, to transmit to the network, from a set of RA preamble identifiers supported by the eNB. The UE also selects a RA time-frequency resource (physical random access channel) to transmit the RA preamble from a set of available RA time-frequency resources. The UE then transmits the selected RA preamble identifier using the selected RA time-frequency resource (MSG 1). The UE then receives a RA response message (MSG 2), which includes a temporary C-RNTI and an uplink resource assignment (UL grant). The UE then transmits message 3 which includes a unique identifier of the UE. Examples of message 3 include RRC connection establishment request and RRC connection re-establishment request. It is possible that contention occurs during message 3 transmission, i.e., another UE (e.g., UE2) transmitting its message 3 using the UL grant provided in MSG 2 due to UE2 having transmitted the same RA preamble identifier in the same RA time-frequency resource as the UE. If the eNB is able to resolve the contention in favor of the UE, it transmits a message 4 to the UE indicating successful resolution of contention. The RACH procedure is then considered complete.
In the non-contention based RA procedure, the eNB transmits a message (MSG 0) indicating an assigned RA preamble identifier. The UE then selects a RA time-frequency resource (physical random access channel) to transmit the RA preamble, from a set of available RA time-frequency resources. The UE then transmits the assigned RA preamble identifier using the selected RA time-frequency resource (MSG 1). The UE then receives a RA response message (MSG 2), which includes a temporary C-RNTI and an uplink resource assignment (UL grant). The RACH procedure is then considered complete.
FIG. 2 illustrates a known procedure for exploiting a RACH loophole. The malicious UE can simply listen for RA responses (e.g., by monitoring the PDCCH for the valid RA-RNTIs, which are derived from the RACH occasion and are therefore predictable) and acquire the UL grants. The malicious UE can then use the resource assigned in the UL grant to send a fake message 3. For example, the malicious UE may send an RRC Connection Re-establishment request as message 3 containing a randomly chosen Message Authentication Code-I (MAC-I), any C-RNTI and any Physical Cell Identifier (PCI). The eNB cannot verify the MAC-I and so cannot identify the UE requesting the re-establishment; it therefore rejects the RRC connection re-establishment request. The legitimate UE may have started the RACH procedure for an RRC connection re-establishment or an RRC connection establishment. In both cases the legitimate UE's attempt to send message 3 on the same UL grant fails and the legitimate UE re-attempts the procedure. The malicious UE repeats the procedure on every re-attempt, which leads to a denial of service to the legitimate UE.
Even with the non-contention based RACH procedure, a malicious UE can deny service to the legitimate UE. For example, when the legitimate UE performs a RACH for UL synchronization to a target cell during a handover, the malicious UE can capture the RA response and use the resource indicated in the UL grant to send an RRC connection re-establishment request indicating a handover failure. This eventually leads to a handover failure for the legitimate UE.
The current LTE MAC specification TS 36.321 defines the structure of the random access response message as illustrated in FIGS. 3-6. The RA preamble identifier used by a UE is echoed in the MAC sub-header corresponding to the random access response protocol data unit (PDU) intended for that UE. Note that an RA response message can contain multiple RA responses; that is, one RA response message can respond to multiple UEs that sent RA preambles in a particular RACH occasion. Also note that the RA response message is addressed to an RA-RNTI, and that there is a one-to-one association between the RA-RNTIs and the RACH occasions in each radio frame. Because the RA response is sent before any security context exists between the UE and the eNB, it is neither encrypted nor integrity protected, so any UE monitoring the corresponding RA-RNTI can read every UL grant it carries.
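To make the procedure described above and the RA response layout concrete, the following added example (not code from the original text or from any 3GPP implementation) computes the RA-RNTI a UE must monitor for a given RACH occasion and builds and parses an RA response MAC PDU in the TS 36.321 layout: one-octet E/T/RAPID (or E/T/R/R/BI backoff) sub-headers followed by six-octet MAC RARs carrying the Timing Advance Command, the 20-bit UL grant and the Temporary C-RNTI. The PDU bytes and field values are constructed for the illustration; the last function shows exactly what an eavesdropping UE learns from one such message, which is the information the attack in FIG. 2 relies on.

```python
"""Constructed example: RA-RNTI derivation and RA response MAC PDU
encode/decode in the TS 36.321 layout. Field values below are made up."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ra_rnti(t_id: int, f_id: int = 0) -> int:
    """RA-RNTI for the RACH occasion starting in subframe t_id with
    frequency-domain PRACH index f_id (TS 36.321 5.1.4, FDD form):
    RA-RNTI = 1 + t_id + 10 * f_id.  It is fully determined by the
    occasion, so an attacker can compute it without any secret."""
    if not 0 <= t_id < 10 or not 0 <= f_id < 6:
        raise ValueError("t_id must be 0..9 and f_id 0..5")
    return 1 + t_id + 10 * f_id


@dataclass
class MacRar:
    rapid: int           # RA preamble identifier echoed by the eNB (6 bits)
    timing_advance: int  # Timing Advance Command (11 bits)
    ul_grant: int        # UL grant for message 3 (20 bits)
    tc_rnti: int         # Temporary C-RNTI (16 bits)


def encode_rar_pdu(rars: List[MacRar], backoff_index: Optional[int] = None) -> bytes:
    """Serialise sub-headers (E/T/RAPID, optional leading E/T/R/R/BI) followed
    by one 6-octet MAC RAR per sub-header: R(1) TA(11) UL grant(20) TC-RNTI(16)."""
    sub, body = bytearray(), bytearray()
    if backoff_index is not None:
        e = 1 if rars else 0                       # E=1 if more sub-headers follow
        sub.append((e << 7) | (backoff_index & 0x0F))   # T=0, R=R=0, BI in low nibble
    for i, r in enumerate(rars):
        e = 0 if i == len(rars) - 1 else 1
        sub.append((e << 7) | (1 << 6) | (r.rapid & 0x3F))   # T=1 marks a RAPID header
        payload = ((r.timing_advance & 0x7FF) << 36
                   | (r.ul_grant & 0xFFFFF) << 16
                   | (r.tc_rnti & 0xFFFF))
        body += payload.to_bytes(6, "big")                   # R bit (bit 47) left 0
    return bytes(sub + body)


def decode_rar_pdu(pdu: bytes) -> Tuple[Optional[int], List[MacRar]]:
    """Parse a RAR MAC PDU; returns (backoff_index or None, list of MAC RARs).
    Raises ValueError on a truncated PDU (trailing padding is tolerated)."""
    rapids: List[int] = []
    backoff = None
    i = 0
    while True:                                   # walk sub-headers until E=0
        if i >= len(pdu):
            raise ValueError("truncated sub-header block")
        octet = pdu[i]
        i += 1
        e, t = octet >> 7, (octet >> 6) & 1
        if t == 1:
            rapids.append(octet & 0x3F)
        else:
            backoff = octet & 0x0F
        if e == 0:
            break
    rars: List[MacRar] = []
    for rapid in rapids:
        chunk = pdu[i:i + 6]
        if len(chunk) != 6:
            raise ValueError("truncated MAC RAR")
        i += 6
        v = int.from_bytes(chunk, "big")
        rars.append(MacRar(rapid, (v >> 36) & 0x7FF, (v >> 16) & 0xFFFFF, v & 0xFFFF))
    return backoff, rars


def eavesdropped_grants(pdu: bytes) -> List[Tuple[int, int, int]]:
    """What a malicious UE that decoded this unauthenticated RA response now
    holds for every responding UE: (RAPID, UL grant, TC-RNTI).  Any entry is
    enough to transmit a fake message 3 on the victim's granted resource."""
    _, rars = decode_rar_pdu(pdu)
    return [(r.rapid, r.ul_grant, r.tc_rnti) for r in rars]


if __name__ == "__main__":
    # Constructed RACH occasion: subframe 3, first PRACH frequency index.
    print("monitor RA-RNTI", ra_rnti(3, 0))
    pdu = encode_rar_pdu([MacRar(17, 0x2A, 0x12345, 0xC0DE),
                          MacRar(5, 3, 0x54321, 0x1234)], backoff_index=2)
    print(pdu.hex())
    print(eavesdropped_grants(pdu))
```

The decoder deliberately does nothing a real UE would not do: the loophole is not a parsing bug but the fact that a correctly parsed RA response hands the UL grant to every listener.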
The various aspects, features and advantages of the disclosure will become more fully apparent to those having ordinary skill in the art upon a careful consideration of the following Detailed Description thereof with the accompanying drawings described below. The drawings may have been simplified for clarity and are not necessarily drawn to scale.