Unprotected 4G/5G Control Procedures at Low Layers Considered Dangerous
Abstract: Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operation make reasoning about security non-trivial and require a systematic analysis. We study the control procedures carried by each physical channel and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and to active attacks that inject MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39-bit DCI), and disconnect users.