Unprotected 4G/5G Control Procedures at Low Layers Considered Dangerous

Norbert Ludant, Marinos Vomvas, Guevara Noubir
DOI: https://doi.org/10.48550/arXiv.2403.06717
2024-03-11
Abstract: Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operation make reasoning about security non-trivial and require a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by injecting MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39-bit DCI), and disconnect users.
Cryptography and Security
What problem does this paper attempt to address?
### What problems does this paper attempt to solve?

This paper focuses on the security of low-layer (PHY and MAC) control procedures in 4G/5G cellular systems. Specifically, it addresses the following key problems:

1. **Insufficient protection of low-layer control procedures**
   - Although the higher-layer protocols of 3GPP cellular systems (such as RRC and NAS) are encrypted and integrity protected, the lower layers (PHY and MAC) are not protected to the same extent. These low-layer control messages are neither encrypted nor integrity protected, which leaves them open to attack.

2. **Growth in the number of low-layer control messages**
   - As the 5G standard has evolved, the number of low-layer control messages has increased significantly: from 7 MAC CEs in 2008 to 19 in 2018, and to more than 50 in the latest 2023 version. This growth brings new security risks.

3. **Feasibility of passive and active attacks**
   - The paper identifies several new passive and active attacks that exploit information leakage and the lack of protection in low-layer control procedures. For example:
     - **Passive attacks**: By monitoring physical-layer channels (such as PRACH and PUCCH), an attacker can localize and track users.
     - **Active attacks**: By injecting forged MAC and PHY-layer control messages, an attacker can interfere with the random access mechanism, block network access, disconnect active users, and trigger user devices to perform unnecessary wideband uplink transmissions.

4. **Specific attack examples**
   - **Beamforming information leakage**: Information leaked during the beam management process lets an attacker localize and track users using fingerprinting.
   - **Throughput reduction**: By forging DCI (Downlink Control Information), an attacker can reduce a user's throughput by more than 95% within 2 seconds.
   - **Disconnecting user connections**: By spoofing MAC CEs (such as carrier aggregation activation), an attacker can drain the user device's battery and halve the user's throughput.

### Conclusion

By analyzing the security weaknesses of low-layer control procedures, the paper reveals threats present in current 4G/5G systems and demonstrates that these threats are practical. Through experimental verification on commercial devices and against real operator configurations, the authors show the effectiveness and potential impact of these attacks.