Roger Piqueras Jover

DOI: https://doi.org/10.48550/arXiv.1904.08394

2019-04-17

Cryptography and Security

Abstract:The first release of the 5G protocol specifications, 3rd Generation Partnership Project (3GPP) Release 15, were published in December 2017 and the first 5G protocol security specifications in March 2018. As one of the technology cornerstones for Vehicle-to-Vehicle (V2X), Vehicle-to-Everything (V2E) systems and other critical systems, 5G defines some strict communication goals, such as massive device connectivity, sub-10ms latency and ultra high bit-rate. Likewise, given the firm security requirements of certain critical applications expected to be deployed on this new cellular communications standard, 5G defines important security goals. As such, 5G networks are intended to address known protocol vulnerabilities present in both legacy GSM (Global System for Mobile Communications) networks as well as current LTE (Long Term Evolution) mobile systems. This manuscript presents a summary and analysis of the current state of affairs in 5G protocol security, discussing the main areas that should still be improved further before 5G systems go live. Although the 5G security standard documents were released just a year ago, there is a number of research papers detailing security vulnerabilities, which are summarized in this manuscript as well.

Gerrit Holtrup,William Lacube,Dimitri Percia David,Alain Mermoud,Gérôme Bovet,Vincent Lenders

DOI: https://doi.org/10.48550/arXiv.2108.08700

2021-08-20

Abstract:Fifth generation mobile networks (5G) are currently being deployed by mobile operators around the globe. 5G acts as an enabler for various use cases and also improves the security and privacy over 4G and previous network generations. However, as recent security research has revealed, the standard still has security weaknesses that may be exploitable by attackers. In addition, the migration from 4G to 5G systems is taking place by first deploying 5G solutions in a non-standalone (NSA) manner where the first step of the 5G deployment is restricted to the new radio aspects of 5G, while the control of the user equipment is still based on 4G protocols, i.e. the core network is still the legacy 4G evolved packet core (EPC) network. As a result, many security vulnerabilities of 4G networks are still present in current 5G deployments. This paper presents a systematic risk analysis of standalone and non-standalone 5G networks. We first describe an overview of the 5G system specification and the new security features of 5G compared to 4G. Then, we define possible threats according to the STRIDE threat classification model and derive a risk matrix based on the likelihood and impact of 12 threat scenarios that affect the radio access and the network core. Finally, we discuss possible mitigations and security controls. Our analysis is generic and does not account for the specifics of particular 5G network vendors or operators. Further work is required to understand the security vulnerabilities and risks of specific 5G implementations and deployments.

Networking and Internet Architecture,Cryptography and Security

Stavros Eleftherakis,Domenico Giustiniano,Nicolas Kourtellis

2024-09-10

Abstract:Ensuring user privacy remains a critical concern within mobile cellular networks, particularly given the proliferation of interconnected devices and services. In fact, a lot of user privacy issues have been raised in 2G, 3G, 4G/LTE networks. Recognizing this general concern, 3GPP has prioritized addressing these issues in the development of 5G, implementing numerous modifications to enhance user privacy since 5G Release 15. In this systematization of knowledge paper, we first provide a framework for studying privacy and security related attacks in cellular networks, setting as privacy objective the User Identity Confidentiality defined in 3GPP standards. Using this framework, we discuss existing privacy and security attacks in pre-5G networks, analyzing the weaknesses that lead to these attacks. Furthermore, we thoroughly study the security characteristics of 5G up to the new Release 19, and examine mitigation mechanisms of 5G to the identified pre-5G attacks. Afterwards, we analyze how recent 5G attacks try to overcome these mitigation mechanisms. Finally, we identify current limitations and open problems in security of 5G, and propose directions for future work.

Cryptography and Security,Networking and Internet Architecture

Norbert Ludant,Marinos Vomvas,Guevara Noubir

DOI: https://doi.org/10.48550/arXiv.2403.06717

2024-03-11

Abstract:Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operations, makes reasoning about security non-trivial, and requires a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by injecting MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39 bits DCI), and disconnect users.

Cryptography and Security

Mohamad Saalim Wani,Michael Rademacher,Thorsten Horstmann,Mathias Kretschmer

DOI: https://doi.org/10.3390/jcp4010002

2024-01-02

Journal of Cybersecurity and Privacy

Abstract:5G networks, pivotal for our digital mobile societies, are transitioning from 4G to 5G Stand-Alone (SA) networks. However, during this transition, 5G Non-Stand-Alone (NSA) networks are widely used. This paper examines potential security vulnerabilities in 5G NSA networks. Through an extensive literature review, we identify known 4G attacks that can theoretically be applied to 5G NSA. We organize these attacks into a structured taxonomy. Our findings reveal that 5G NSA networks may offer a false sense of security, as most security and privacy improvements are concentrated in 5G SA networks. To underscore this concern, we implement three attacks with severe consequences and successfully validate them on various commercially available smartphones. Notably, one of these attacks, the IMSI Leak, consistently exposes user information with no apparent security mitigation in 5G NSA networks. This highlights the ease of tracking individuals on current 5G networks.

computer science, information systems, interdisciplinary applications, software engineering

Zhiwei Cui,Baojiang Cui,Li Su,Haitao Du,Hongxin Wang,Junsong Fu

2023-03-20

Abstract:The security context used in 5G authentication is generated during the Authentication and Key Agreement (AKA) procedure and stored in both the user equipment (UE) and the network sides for the subsequent fast registration procedure. Given its importance, it is imperative to formally analyze the security mechanism of the security context. The security context in the UE can be stored in the Universal Subscriber Identity Module (USIM) card or in the baseband chip. In this work, we present a comprehensive and formal verification of the fast registration procedure based on the security context under the two scenarios in ProVerif. Our analysis identifies two vulnerabilities, including one that has not been reported before. Specifically, the security context stored in the USIM card can be read illegally, and the validity checking mechanism of the security context in the baseband chip can be bypassed. Moreover, these vulnerabilities also apply to 4G networks. As a consequence, an attacker can exploit these vulnerabilities to register to the network with the victim's identity and then launch other attacks, including one-tap authentication bypass leading to privacy disclosure, location spoofing, etc. To ensure that these attacks are indeed realizable in practice, we have responsibly confirmed them through experimentation in three operators. Our analysis reveals that these vulnerabilities stem from design flaws of the standard and unsafe practices by operators. We finally propose several potential countermeasures to prevent these attacks. We have reported our findings to the GSMA and received a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

Cryptography and Security

Su, Li,Du, Haitao

DOI: https://doi.org/10.1007/s00500-023-09486-x

IF: 3.732

2024-01-11

Soft Computing

Abstract:The security context, generally stored in the universal subscriber identity module card or the baseband chip, is the critical information applied by the subscriber to access the 5G network during the fast authentication procedure. Once exposed or illegally used, the security context can be exploited to derive various keys for authentication and encryption. Despite its importance, challenges and questions still remain in the previous relevant research. To fill this gap, by adopting the security protocol verification tool ProVerif, we provide a comprehensive formal model of the fast authentication procedure based on the security context to analyze whether security goals can be met. Unfortunately, we uncover two vulnerabilities, including one never reported before. Our analysis shows that these vulnerabilities stem from fundamental design flaws in the cellular network protocol and thus apply to the 4G network. These vulnerabilities could be exploited to launch several attacks, including impersonation and eavesdropping. We have validated these attacks using 5 mobile phones from 5 different baseband manufacturers through experimentation in three mobile carriers. We find an insecure implementation of one of these phones, which exposed it to replay attacks. And we further discuss the security threats posed by the impersonation attack, such as location spoofing and one-tap authentication bypass, which is verified on 10 popular apps. We finally propose several countermeasures to eliminate these security issues. Actually, we have reported the novel vulnerability to the GSM Association and received a confirmation in the form of a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

computer science, artificial intelligence, interdisciplinary applications

S. Sullivan,Alessandro Brighente,S. A. P. Kumar,M. Conti

DOI: https://doi.org/10.1109/access.2021.3105396

IF: 3.9

2021-01-01

IEEE Access

Abstract:The Fifth Generation of Communication Networks (5G) envisions a broader range of services compared to previous generations, supporting an increased number of use cases and applications. The broader application domain leads to increase in consumer use and, in turn, increased hacker activity. Due to this chain of events, strong and efficient security measures are required to create a secure and trusted environment for users. In this paper, we provide an objective overview of 5G security issues and the existing and newly proposed technologies designed to secure the 5G environment. We categorize security technologies using Open Systems Interconnection (OSI) layers and, for each layer, we discuss vulnerabilities, threats, security solutions, challenges, gaps and open research issues. While we discuss all seven OSI layers, the most interesting findings are in layer one, the physical layer. In fact, compared to other layers, the physical layer between the base stations and users' device presents increased opportunities for attacks such as eavesdropping and data fabrication. However, no single OSI layer can stand on its own to provide proper security. All layers in the 5G must work together, providing their own unique technology in an effort to ensure security and integrity for 5G data.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xinsheng Ji,Kaizhi Huang,Liang Jin,Hongbo Tang,Caixia Liu,Zhou Zhong,Wei You,Xiaoming Xu,Hua Zhao,Jiangxing Wu,Ming Yi

DOI: https://doi.org/10.1007/s11432-017-9426-4

2018-01-01

Science China Information Sciences

Abstract:The 5th-generation mobile communication system (5G) has higher security requirements than previous systems. Accordingly, international standard organizations, operators, and equipment manufacturers are focusing extensively on 5G security technology. This paper analyzes the security requirements of 5G business applications, network architecture, the air interface, and user privacy. The development trends of 5G security architecture are summarized, with a focus on endogenous defense architecture, which represents a new trend in 5G security development. Several incremental 5G security technologies are reviewed, including physical layer security, lightweight encryption, network slice security, user privacy protection, and block chain technology applied to 5G.

Shari-Ann Smith-Haynes

2024-07-24

Abstract:Advances in fifth-generation (5G) networks enable unprecedented reliability, speed, and connectivity compared to previous mobile networks. These advancements can revolutionize various sectors by supporting applications requiring real-time data processing. However, the rapid deployment and integration of 5G networks bring security concerns that must be addressed to operate these infrastructures safely. This paper reviews penetration testing approaches for identifying security vulnerabilities in 5G networks. Penetration testing is an ethical hacking technique used to simulate a network's security posture in the event of cyberattacks. This review highlights the capabilities, advantages, and limitations of recent 5G-targeting security tools for penetration testing. It examines ways adversaries exploit vulnerabilities in 5G networks, covering tactics and strategies targeted at 5G features. A key topic explored is the comparison of penetration testing methods for 5G and earlier generations. The article delves into the unique characteristics of 5G, including massive MIMO, edge computing, and network slicing, and how these aspects require new penetration testing methods. Understanding these differences helps develop more effective security solutions tailored to 5G networks. Our research also indicates that 5G penetration testing should use a multithreaded approach for addressing current security challenges. Furthermore, this paper includes case studies illustrating practical challenges and limitations in real-world applications of penetration testing in 5G networks. A comparative analysis of penetration testing tools for 5G networks highlights their effectiveness in mitigating vulnerabilities, emphasizing the need for advanced security measures against evolving cyber threats in 5G deployment.

Cryptography and Security

Michal Harvanek,Jan Bolcek,Jan Kufa,Ladislav Polak,Marek Simka,Roman Marsalek

DOI: https://doi.org/10.3390/s24175523

IF: 3.9

2024-08-28

Sensors

Abstract:With the expansion of wireless mobile networks into both the daily lives of individuals as well as into the widely developing market of connected devices, communication is an increasingly attractive target for attackers. As the complexity of mobile cellular systems grows and the respective countermeasures are implemented to secure data transmissions, the attacks have become increasingly sophisticated on the one hand, but at the same time the system complexity can open up expanded opportunities for security and privacy breaches. After an in-depth summary of possible entry points to attacks to mobile networks, this paper first briefly reviews the basic principles of the physical layer implementation of 4G/5G systems, then gives an overview of possible attacks from a physical layer perspective. It also provides an overview of the software frameworks and hardware tool-software defined radios currently in use for experimenting with 4G/5G mobile networks, and it discusses their basic capabilities. In the final part, the paper summarizes the currently most promising families of techniques to detect illegitimate base stations—the machine-learning-based, localization-based, and behavior-based methods .

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Elisa Bertino,Syed Rafiul Hussain,Omar Chowdhury

DOI: https://doi.org/10.48550/arXiv.2003.13604

2020-03-31

Abstract:Cellular networks represent a critical infrastructure and their security is thus crucial. 5G - the latest generation of cellular networks - combines different technologies to increase capacity, reduce latency, and save energy. Due to its complexity and scale, however, ensuring its security is extremely challenging. In this white paper, we outline recent approaches supporting systematic analyses of 4G LTE and 5G protocols and their related defenses and introduce an initial security and privacy roadmap, covering different research challenges, including formal and comprehensive analyses of cellular protocols as defined by the standardization groups, verification of the software implementing the protocols, the design of robust defenses, and application and device security.

Computers and Society,Cryptography and Security,Networking and Internet Architecture

Shiyue Nie,Yiming Zhang,Tao Wan,Haixin Duan,Song Li

DOI: https://doi.org/10.1145/3507657.3528559

2022-01-01

Abstract:The fifth-generation(5G) cellular network is entering an era of rapid development. Not only is 5G supposed to be fast, it also offers enhanced security based on 5G security specifications developed by the 3rd Generation Partnership Project (3GPP). However, little is known about 5G security in real world deployment. This paper analyzes 5G security features and measures their implementation in commercial 5G networks. By collecting and analyzing signaling messages between a cell phone and several commercial 5G networks, we measured multiple aspects of 5G security in real world deployment including, crypto algorithms used in the control plane, user plane (UP) security activation, subscriber identifier protection, and initial None-Access Stratum(NAS) message protection. We evaluated the compliance of commercial 5G networks with 5G security specifications. The results show that major discrepancy exists between 5G security standards and real world deployment, especially in the areas of UP protection and subscriber identifier protection. Therefore, well-known security risks, such as user data leakage, location exposure and Denial-of-Service(DoS) attacks, still apply to 5G commercial networks.

David Basin,Jannik Dreier,Lucca Hirschi,Saša Radomirović,Ralf Sasse,Vincent Stettler

DOI: https://doi.org/10.48550/arXiv.1806.10360

2018-06-27

Cryptography and Security

Abstract:Mobile communication networks connect much of the world's population. The security of users' calls, SMSs, and mobile data depends on the guarantees provided by the Authenticated Key Exchange protocols used. For the next-generation network (5G), the 3GPP group has standardized the 5G AKA protocol for this purpose. We provide the first comprehensive formal model of a protocol from the AKA family: 5G AKA. We also extract precise requirements from the 3GPP standards defining 5G and we identify missing security goals. Using the security protocol verification tool Tamarin, we conduct a full, systematic, security evaluation of the model with respect to the 5G security goals. Our automated analysis identifies the minimal security assumptions required for each security goal and we find that some critical security goals are not met, except under additional assumptions missing from the standard. Finally, we make explicit recommendations with provably secure fixes for the attacks and weaknesses we found.

Oscar Lasierra,Gines Garcia-Aviles,Esteban Municio,Antonio Skarmeta,Xavier Costa-Pérez

DOI: https://doi.org/10.48550/arXiv.2305.08635

2023-05-15

Abstract:5G cellular systems are slowly being deployed worldwide delivering the promised unprecedented levels of throughput and latency to hundreds of millions of users. At such scale security is crucial, and consequently, the 5G standard includes a new series of features to improve the security of its predecessors (i.e., 3G and 4G). In this work, we evaluate the actual deployment in practice of the promised 5G security features by analysing current commercial 5G networks from several European operators. By collecting 5G signalling traffic in the wild in several cities in Spain, we i) fact-check which 5G security enhancements are actually implemented in current deployments, ii) provide a rich overview of the implementation status of each 5G security feature in a wide range of 5G commercial networks in Europe and compare it with previous results in China, iii) analyse the implications of optional features not being deployed, and iv) discuss on the still remaining 4G-inherited vulnerabilities. Our results show that in European 5G commercial networks, the deployment of the 5G security features is still on the works. This is well aligned with results previously reported from China [16] and keeps these networks vulnerable to some 4G attacks, during their migration period from 4G to 5G.

Cryptography and Security

Stavros Eleftherakis,Timothy Otim,Giuseppe Santaromita,Almudena Diaz Zayas,Domenico Giustiniano,Nicolas Kourtellis

DOI: https://doi.org/10.1145/3636534.3690696

2024-09-26

Abstract:Ensuring user privacy remains critical in mobile networks, particularly with the rise of connected devices and denser 5G infrastructure. Privacy concerns have persisted across 2G, 3G, and 4G/LTE networks. Recognizing these concerns, the 3rd Generation Partnership Project (3GPP) has made privacy enhancements in 5G Release 15. However, the extent of operator adoption remains unclear, especially as most networks operate in 5G Non Stand Alone (NSA) mode, relying on 4G Core Networks. This study provides the first qualitative and experimental comparison between 5G NSA and Stand Alone (SA) in real operator networks, focusing on privacy enhancements addressing top eight pre-5G attacks based on recent academic literature. Additionally, it evaluates the privacy levels of OpenAirInterface (OAI), a leading open-source software for 5G, against real network deployments for the same attacks. The analysis reveals two new 5G privacy vulnerabilities, underscoring the need for further research and stricter standards.

Networking and Internet Architecture

Mohammed Mahyoub,AbdulAziz AbdulGhaffar,Emmanuel Alalade,Ezekiel Ndubisi,Ashraf Matrawy

DOI: https://doi.org/10.1109/comst.2024.3377161

IF: 35.6

2024-01-01

IEEE Communications Surveys & Tutorials

Abstract:Interfaces play a crucial role in the Fifth Generation (5G) architecture as they interconnect Network Functions (NFs) to exchange data and services. Certain interfaces are particularly critical because they are involved in the exchange of sensitive data or are exposed externally. To the best of our knowledge, no literature work analyzes the 5G security from a network architecture or interface perspective. Therefore, existing research on 5G security may not be helpful when considering a certain component of the network or a specific interface. This paper reviews the security measures recommended by the selected Standardization Development Organizations (SDOs) for critical interfaces and classifies them based on security goals. It also identifies vulnerabilities and threats to these interfaces in the absence of security measures and categorizes them based on STRIDE model and impacted traffic types.

computer science, information systems,telecommunications

Ta-Hao Ting,Tsung-Nan Lin,Shan-Hsiang Shen,Yu-Wei Chang

DOI: https://doi.org/10.48550/arXiv.1912.10318

2019-12-22

Abstract:Hackers target their attacks on the most vulnerable parts of a system. A system is therefore only as strong as its weakest part, similar to the Cannikin Law, which states that the capacity of a barrel of water depends on the height of the shortest rather than the longest piece of wood. To ensure the security of 5G networks, we first need to understand the overall 5G architecture and examine the potential threats instead of merely setting up a firewall. However, 5G networks will have tremendous coverage. The development of 5G techniques require extensive resources, leading to intense competition between countries attempting to develop 5G networks. Many outstanding papers discuss the techniques for developing specific aspects of the 5G architecture, but to the best of our knowledge, few provide an overview of a complete 5G network. This presents us with a difficult situation because we need to consider the overall architecture to ensure the security of 5G networks. To address that problem, in this paper we provide essential guidelines for understanding the architecture of 5G. We introduce 5G scenarios, outline the network architecture, and highlight the potential security issues for the various components of a 5G network. This paper is intended to facilitate a preliminary understanding of the 5G architecture and the possible security concerns of the various components. The end to end (E2E) 5G network architecture is composed of a next-generation radio access network (NG-RAN), multi-access edge computing (MEC), virtual evolved packet core (vEPC), a data network (DN) and a cloud service. Network slicing (NS), network function virtualization (NFV), NFV Management and Orchestration (MANO) and software-defined networking (SDN) are also important techniques for achieving 5G network architectures.

Networking and Internet Architecture

Yaru Yang,Yiming Zhang,Tao Wan,Chuhan Wang,Haixin Duan,Jianjun Chen,Yishen Li

DOI: https://doi.org/10.1145/3643833.3656131

2024-01-01

Abstract:5G messaging services, based on Global System for Mobile Communications Association (GSMA) Rich Communication Service (RCS) and 3rd Generation Partnership Project (3GPP) IP Multimedia Subsystem (IMS), have been deployed globally by more than 90 mobile operators serving over 421 million monthly active users via 1.2 billion devices. Despite the widespread use, security research of 5G messaging remains sparse. In this paper, we present a comprehensive security analysis and measurement of 5G messaging services, assisted by a semi-automated testing tool we developed. We considered both carrier-side deployment and phone-side software implementations by testing against three large operators, each with hundreds of millions of subscribers, and six popular 5G messaging-enabled devices. We uncovered 4 categories of vulnerabilities, allowing for a wide range of attacks, including Man-In-The-Middle (MITM) attacks, zero-click remote information leakage, phone storage exhaustion and mobile data consumption, and Denial-of-Services (DoS) attacks. Our study underscores the need for further security enhancements in security specifications, implementation, and deployment of 5G messaging services.

Zhiwei Cui,Baojiang Cui,Junsong Fu,Renhai Dong

DOI: https://doi.org/10.1155/2022/7395128

IF: 1.968

2022-09-05

Security and Communication Networks

Abstract:With the rapid development of 5G SA (standalone) networks, increasing subscribers are motivated to make calls through 5G. To support voice services critical to mobile users, 5G SA networks adopt two solutions: VoNR (Voice Over New Radio) and EPS (Evolved Packet System) fallback. At this stage, 5G SA networks provide voice services through EPS fallback, which leverages 4G networks to support voice calls for 5G users. This switch between cellular network systems may expose vulnerabilities to adversaries. However, there is a lack of security research on voice services in the 5G SA network. In this paper, we analyze the security of EPS fallback and its closely related IMS from the perspective of the protocol and the practices of the carriers. We uncover two protocol design vulnerabilities and two implementation flaws. In addition, we exploit them to design three attacks: voice DoS, voice monitoring, and SMS spoofing and interception. We validated these vulnerabilities and attacks using SDR (software-defined radio) tools and a set of open-source software in three mobile carriers. Our analysis reveals that the problems stem from both specifications and carrier networks. We finally propose several potential countermeasures to defend these attacks.

computer science, information systems,telecommunications