Gabriel Karl Gegenhuber,Florian Holzbauer,Philipp Frenzel,Edgar Weippl,Adrian Dabrowski

2024-08-07

Abstract:Voice over Wi-Fi (VoWiFi) uses a series of IPsec tunnels to deliver IP-based telephony from the subscriber's phone (User Equipment, UE) into the Mobile Network Operator's (MNO) core network via an Internet-facing endpoint, the Evolved Packet Data Gateway (ePDG). IPsec tunnels are set up in phases. The first phase negotiates the cryptographic algorithm and parameters and performs a key exchange via the Internet Key Exchange protocol, while the second phase (protected by the above-established encryption) performs the authentication. An insecure key exchange would jeopardize the later stages and the data's security and confidentiality. In this paper, we analyze the phase 1 settings and implementations as they are found in phones as well as in commercially deployed networks worldwide. On the UE side, we identified a recent 5G baseband chipset from a major manufacturer that allows for fallback to weak, unannounced modes and verified it experimentally. On the MNO side -- among others -- we identified 13 operators (totaling an estimated 140 million subscribers) on three continents that all use the same globally static set of ten private keys, serving them at random. Those not-so-private keys allow the decryption of the shared keys of every VoWiFi user of all those operators. All these operators deployed their core network from one common manufacturer.

Cryptography and Security,Networking and Internet Architecture

Zang Li,Wenyuan Xu,Robert D. Miller,Wade Trappe

DOI: https://doi.org/10.1145/1161289.1161297

2006-01-01

Abstract:Although conventional cryptographic security mechanisms are essential to the overall problem of securing wireless networks, these techniques do not directly leverage the unique properties of the wireless domain to address security threats. The properties of the wireless medium are a powerful source of domain-specific information that can complement and enhance traditional security mechanisms. In this paper, we propose to utilize the fact that the radio channel decorre-lates rapidly in space, time and frequency in order to to establish new forms of authentication and confidentiality that operate at the physical layer and can be used to facilitate cross-layer security paradigms. Specifically, for authentication services, we illustrate two channel probing techniques that can be used to verify the authenticity of a transmitter. Similarly, for confidentiality, we examine several strategies for establishing shared secrets/keys between two communicators using the wireless medium. These strategies range from extracting keys from channel state information, to utilizing the channel variability to secretly disseminate keys. We then validate the feasibility of using physical layer techniques for securing wireless systems by presenting results from experiments involving the USRP/GNURadio software defined radio platform.

Norbert Ludant,Marinos Vomvas,Guevara Noubir

DOI: https://doi.org/10.48550/arXiv.2403.06717

2024-03-11

Abstract:Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operations, makes reasoning about security non-trivial, and requires a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by injecting MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39 bits DCI), and disconnect users.

Cryptography and Security

Zhiwei Cui,Baojiang Cui,Junsong Fu,Renhai Dong

DOI: https://doi.org/10.1155/2022/7395128

IF: 1.968

2022-09-05

Security and Communication Networks

Abstract:With the rapid development of 5G SA (standalone) networks, increasing subscribers are motivated to make calls through 5G. To support voice services critical to mobile users, 5G SA networks adopt two solutions: VoNR (Voice Over New Radio) and EPS (Evolved Packet System) fallback. At this stage, 5G SA networks provide voice services through EPS fallback, which leverages 4G networks to support voice calls for 5G users. This switch between cellular network systems may expose vulnerabilities to adversaries. However, there is a lack of security research on voice services in the 5G SA network. In this paper, we analyze the security of EPS fallback and its closely related IMS from the perspective of the protocol and the practices of the carriers. We uncover two protocol design vulnerabilities and two implementation flaws. In addition, we exploit them to design three attacks: voice DoS, voice monitoring, and SMS spoofing and interception. We validated these vulnerabilities and attacks using SDR (software-defined radio) tools and a set of open-source software in three mobile carriers. Our analysis reveals that the problems stem from both specifications and carrier networks. We finally propose several potential countermeasures to defend these attacks.

computer science, information systems,telecommunications

Tian Xie,Guan-Hua Tu,Bangjie Yin,Chi-Yu Li,Chunyi Peng,Mi Zhang,Hui Liu,Xiaoming Liu

DOI: https://doi.org/10.48550/arXiv.1811.11274

2018-11-29

Abstract:Since 2016, all of four major U.S. operators have rolled out nationwide Wi-Fi calling services. They are projected to surpass VoLTE (Voice over LTE) and other VoIP services in terms of mobile IP voice usage minutes in 2018. They enable mobile users to place cellular calls over Wi-Fi networks based on the 3GPP IMS (IP Multimedia Subsystem) technology. Compared with conventional cellular voice solutions, the major difference lies in that their traffic traverses untrustful Wi-Fi networks and the Internet. This exposure to insecure networks may cause the Wi-Fi calling users to suffer from security threats. Its security mechanisms are similar to the VoLTE, because both of them are supported by the IMS. They include SIM-based security, 3GPP AKA (Authentication and Key Agreement), IPSec (Internet Protocol Security), etc. However, are they sufficient to secure Wi-Fi calling services? Unfortunately, our study yields a negative answer. We conduct the first study of exploring security issues of the operational Wi-Fi calling services in three major U.S. operators' networks using commodity devices. We disclose that current Wi-Fi calling security is not bullet-proof and uncover four vulnerabilities which stem from improper standard designs, device implementation issues and network operation slips. By exploiting the vulnerabilities, together with several state-of-the-art computer visual recognition technologies, we devise two proof-of-concept attacks: user privacy leakage and telephony harassment or denial of voice service (THDoS); both of them can bypass the security defenses deployed on mobile devices and the network infrastructure. We have confirmed their feasibility and simplicity using real-world experiments, as well as assessed their potential damages and proposed recommended solutions.

Cryptography and Security

Su, Li,Du, Haitao

DOI: https://doi.org/10.1007/s00500-023-09486-x

IF: 3.732

2024-01-11

Soft Computing

Abstract:The security context, generally stored in the universal subscriber identity module card or the baseband chip, is the critical information applied by the subscriber to access the 5G network during the fast authentication procedure. Once exposed or illegally used, the security context can be exploited to derive various keys for authentication and encryption. Despite its importance, challenges and questions still remain in the previous relevant research. To fill this gap, by adopting the security protocol verification tool ProVerif, we provide a comprehensive formal model of the fast authentication procedure based on the security context to analyze whether security goals can be met. Unfortunately, we uncover two vulnerabilities, including one never reported before. Our analysis shows that these vulnerabilities stem from fundamental design flaws in the cellular network protocol and thus apply to the 4G network. These vulnerabilities could be exploited to launch several attacks, including impersonation and eavesdropping. We have validated these attacks using 5 mobile phones from 5 different baseband manufacturers through experimentation in three mobile carriers. We find an insecure implementation of one of these phones, which exposed it to replay attacks. And we further discuss the security threats posed by the impersonation attack, such as location spoofing and one-tap authentication bypass, which is verified on 10 popular apps. We finally propose several countermeasures to eliminate these security issues. Actually, we have reported the novel vulnerability to the GSM Association and received a confirmation in the form of a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

computer science, artificial intelligence, interdisciplinary applications

Gabriel Karl Gegenhuber,Philipp Frenzel,Edgar Weippl

DOI: https://doi.org/10.1145/3643832.3661883

2024-05-02

Abstract:In current cellular network generations (4G, 5G) the IMS (IP Multimedia Subsystem) plays an integral role in terminating voice calls and short messages. Many operators use VoWiFi (Voice over Wi-Fi, also Wi-Fi calling) as an alternative network access technology to complement their cellular coverage in areas where no radio signal is available (e.g., rural territories or shielded buildings). In a mobile world where customers regularly traverse national borders, this can be used to avoid expensive international roaming fees while journeying overseas, since VoWiFi calls are usually invoiced at domestic rates. To not lose this revenue stream, some operators block access to the IMS for customers staying abroad.

Networking and Internet Architecture,Cryptography and Security

Mohsin Khan,Philip Ginzboorg,Kimmo Järvinen,Valtteri Niemi

DOI: https://doi.org/10.48550/arXiv.1811.02293

2018-11-06

Cryptography and Security

Abstract:3GPP Release 15, the first 5G standard, includes protection of user identity privacy against IMSI catchers. These protection mechanisms are based on public key encryption. Despite this protection, IMSI catching is still possible in LTE networks which opens the possibility of a downgrade attack on user identity privacy, where a fake LTE base station obtains the identity of a 5G user equipment. We propose (i) to use an existing pseudonym-based solution to protect user identity privacy of 5G user equipment against IMSI catchers in LTE and (ii) to include a mechanism for updating LTE pseudonyms in the public key encryption based 5G identity privacy procedure. The latter helps to recover from a loss of synchronization of LTE pseudonyms. Using this mechanism, pseudonyms in the user equipment and home network are automatically synchronized when the user equipment connects to 5G. Our mechanisms utilize existing LTE and 3GPP Release 15 messages and require modifications only in the user equipment and home network in order to provide identity privacy. Additionally, lawful interception requires minor patching in the serving network.

Chi-Yu Li,Guan-Hua Tu,chunyi peng,zengwen yuan,yuanjie li,songwu lu,xinbing wang

DOI: https://doi.org/10.1145/2810103.2813618

2015-01-01

Abstract:VoLTE (Voice-over-LTE) is the designated voice solution to the LTE mobile network, and its worldwide deployment is underway. It reshapes call services from the traditional circuit-switched telecom telephony to the packet-switched Internet VoIP. In this work, we conduct the first study on VoLTE security before its full rollout. We discover several vulnerabilities in both its control-plane and data-plane functions, which can be exploited to disrupt both data and voice in operational networks. In particular, we find that the adversary can easily gain free data access, shut down continuing data access, or subdue an ongoing call, etc. We validate these proof-of-concept attacks using commodity smartphones (rooted and unrooted) in two Tier-1 US mobile carriers. Our analysis reveals that, the problems stem from both the device and the network. The device OS and chipset fail to prohibit non-VoLTE apps from accessing and injecting packets into VoLTE control and data planes. The network infrastructure also lacks proper access control and runtime check.

Zhiwei Cui,Baojiang Cui,Li Su,Haitao Du,Hongxin Wang,Junsong Fu

2023-03-20

Abstract:The security context used in 5G authentication is generated during the Authentication and Key Agreement (AKA) procedure and stored in both the user equipment (UE) and the network sides for the subsequent fast registration procedure. Given its importance, it is imperative to formally analyze the security mechanism of the security context. The security context in the UE can be stored in the Universal Subscriber Identity Module (USIM) card or in the baseband chip. In this work, we present a comprehensive and formal verification of the fast registration procedure based on the security context under the two scenarios in ProVerif. Our analysis identifies two vulnerabilities, including one that has not been reported before. Specifically, the security context stored in the USIM card can be read illegally, and the validity checking mechanism of the security context in the baseband chip can be bypassed. Moreover, these vulnerabilities also apply to 4G networks. As a consequence, an attacker can exploit these vulnerabilities to register to the network with the victim's identity and then launch other attacks, including one-tap authentication bypass leading to privacy disclosure, location spoofing, etc. To ensure that these attacks are indeed realizable in practice, we have responsibly confirmed them through experimentation in three operators. Our analysis reveals that these vulnerabilities stem from design flaws of the standard and unsafe practices by operators. We finally propose several potential countermeasures to prevent these attacks. We have reported our findings to the GSMA and received a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

Cryptography and Security

Keyvan Ramezanpour,Jithin Jagannath,Anu Jagannath

DOI: https://doi.org/10.1016/j.comnet.2022.109515

IF: 5.493

2022-12-14

Computer Networks

Abstract:Spectrum scarcity has been a major concern for achieving the desired quality of experience (QoE) in next-generation (5G/6G and beyond) networks supporting a massive volume of mobile and IoT devices with low-latency and seamless connectivity. Hence, spectrum sharing systems have been considered as a major enabler for next-generation wireless networks in meeting QoE demands. Specifically, the 3rd generation partnership project (3GPP) has standardized coexistence of 4G LTE License Assisted Access (LAA) network with WiFi in the unlicensed 5 GHz bands, and the 5G New Radio Unlicensed (NR-U) with WiFi 6/6E in 6 GHz bands. While most current coexistence solutions and standards focus on performance improvement and QoE optimization, the emerging security challenges of such network environments have been ignored in the literature. The security framework of standalone networks (either 5G or WiFi) assumes the ownership of entire network resources from spectrum to core functions. Hence, all accesses to the network shall be authenticated and authorized within the intra-network security system and is deemed illegal otherwise. However, coexistence network environments can lead to unprecedented security vulnerabilities and breaches as the standalone networks shall tolerate unknown and out-of-network accesses, specifically in the medium access. In this paper, for the first time in literature, we review some of the critical and emerging security vulnerabilities in the 5G/WiFi coexistence network environment which have not been observed previously in standalone networks. Specifically, independent medium access control (MAC) protocols and the resulting hidden node issues can result in exploitation such as service blocking, deployment of rogue base-stations, and eavesdropping attacks. We study potential vulnerabilities in the perspective of physical layer authentication, network access security, and cross-layer authentication mechanisms. This study opens a new direction of research in the analysis and design of a security framework that can address the unique challenges of coexistence networks.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Li Song,Qiongxiao Wang,Shijie Jia,Jingqiang Lin,Linli Lu,Yanduo Fu

DOI: https://doi.org/10.1109/TrustCom56396.2022.00045

2022-01-01

Abstract:WPA2-Enterprise networks offer access to the Internet widely for multifarious client devices. Certificate-based authentication is adopted on the client-side to authenticate the server during network connection. Due to a lack of professional knowledge, client users commonly fully trust the devices, which may result in insecure network connection and user credential leakage. Previous works commonly focus on the security vulnerabilities due to the design weaknesses of the user interfaces from mainstream operating systems, while the built-in certificate validation implementations, which act as a block box for users to validate the received certificates, are not taken into consideration. In this paper, we design a series of comprehensive testings to evaluate the built-in certificate validation implementations of mainstream client devices for the first time. Moreover, we investigate the configuration options provided by the devices from different vendors, which may downgrade the security of the certificate validation. We select both Windows and Android (from vendors with the largest five market share) devices as our empirical study target. The results show that more than one security vulnerability exists in the built-in certificate validation implementations of the selected devices, and all the selected devices provide a certain option which may downgrade the security of certificate validation. We also conduct a real Evil Twin attack, which reveals that the user credentials can be cracked due to the discovered security vulnerabilities. Our findings have been responsibly disclosed to the relevant device vendors, and we received an assortment of responses, meanwhile many vendors (e.g., Huawei) have already positively acknowledged our findings.

Guan-Hua Tu,Min-Yue Chen,Chunyi Peng,Sihan Wang,Jingwen Shi,Chi-Yu Li,Tian Xie,Man-Hsin Chen,Yiwen Hu

DOI: https://doi.org/10.1145/3636534.3649377

2024-05-29

Abstract:IMS (IP Multimedia Subsystem) is vital for delivering IP-based multimedia services in mobile networks. Despite constant upgrades by 3GPP over the past two decades to support heterogeneous radio access networks (e.g., 4G LTE, 5G NR, and Wi-Fi) and enhance IMS security, the focus has primarily been on cellular infrastructure. Consequently, IMS security measures on mobile equipment (ME), such as smartphones, lag behind rapid technological advancements. Our study reveals that mandated IMS security measures on ME fail to keep pace, resulting in new vulnerabilities and attack vectors, including denial of service (DoS) across all networks, named SMS source spoofing, and covert communications over Video-over-IMS attacks. All vulnerabilities and proof-of-concept attacks have been experimentally validated in operational 5G/4G networks across various phone models and network operators. Finally, we propose and prototype standard-compliant remedies for these vulnerabilities.

Computer Science,Engineering

Kaigui Bian,Jung-Min Park

DOI: https://doi.org/10.4108/icst.wicon2008.4976

2008-01-01

Abstract:Cognitive Radio (CR) is seen as one of the enabling technologies for realizing a new spectrum access paradigm, viz. Opportunistic Spectrum Sharing (OSS). IEEE 802.22 is the world's first wireless standard based on CR technology. It defines the air interface for a wireless regional area network (WRAN) that uses fallow segments of the licensed (incumbent) TV broadcast bands. CR technology enables unlicensed (secondary) users in WRANs to utilize licensed spectrum bands on a non-interference basis to incumbent users. The coexistence between incumbent users and secondary users is referred to as incumbent coexistence. On the other hand, the coexistence between secondary users in different WRAN cells is referred to as self-coexistence. The 802.22 draft standard prescribes several mechanisms for addressing incumbent- and self-coexistence issues. In this paper, we describe how adversaries can exploit or undermine such mechanisms to degrade the performance of 802.22 WRANs and increase the likelihood of those networks interfering with incumbent networks. The standard includes a security sublayer to provide subscribers with privacy, authentication, and confidentiality. Our investigation, however, revealed that the security sublayer falls short of addressing all of the key security threats. We also discuss countermeasures that may be able to address those threats.

Zishuai Cheng,Mihai Ordean,Flavio Garcia,Baojiang Cui,Dominik Rys

DOI: https://doi.org/10.56553/popets-2023-0053

2023-04-01

Proceedings on Privacy Enhancing Technologies

Abstract:Voice over LTE (VoLTE) and Voice over NR (VoNR), are two similar technologies that have been widely deployed by operators to provide a better calling experience in LTE and 5G networks, respectively. The VoLTE/NR protocols rely on the security features of the underlying LTE/5G network to protect users' privacy such that nobody can monitor calls and learn details about call times, duration, and direction. In this paper, we introduce a new privacy attack which enables adversaries to analyse encrypted LTE/5G traffic and recover any VoLTE/NR call details. We achieve this by implementing a novel mobile-relay adversary which is able to remain undetected by using an improved physical layer parameter guessing procedure. This adversary facilitates the recovery of encrypted configuration messages exchanged between victim devices and the mobile network. We further propose an identity mapping method which enables our mobile-relay adversary to link a victim's network identifiers to the phone number efficiently, requiring a single VoLTE protocol message. We evaluate the real-world performance of our attacks using four modern commercial off-the-shelf phones and two representative, commercial network carriers. We collect over 60 hours of traffic between the phones and the mobile networks and execute 160 VoLTE calls, which we use to successfully identify patterns in the physical layer parameter allocation and in VoLTE traffic, respectively. Our real-world experiments show that our mobile-relay works as expected in all test cases, and the VoLTE activity logs recovered describe the actual communication with 100% accuracy. Finally, we show that we can link network identifiers such as International Mobile Subscriber Identities (IMSI), Subscriber Concealed Identifiers (SUCI) and/or Globally Unique Temporary Identifiers (GUTI) to phone numbers while remaining undetected by the victim.

English Else

Hui Gao,Yiming Zhang,Tao Wan,Jia Zhang,Haixin Duan

DOI: https://doi.org/10.1109/globecom46510.2021.9685173

2021-01-01

Abstract:In 5G networks, base stations, namely gNBs (5G NodeB, as per 3GPP nomenclature) periodically broadcast the system information messages including network identifiers to facilitate User Equipment (UE) to connect to the network. As in prior generations, the system information messages in 5G are transmitted in clear text without any security protection. Therefore, an adversary could spoof a legitimate gNB to become a man-on-the-side (MOTS) or man-in-the-middle (MITM) attacker. This vulnerability is being studied by 3GPP and a number of solutions have been proposed in the Technical Report (TR 33.809), including a promising solution namely Digital Signing Network Function (DSnF). In this paper, we provided an evaluation of DSnF, including the practicality of its assumption, feasibility of its certificate trans-mission within the system information message, and quantitative analysis of its performance. Our evaluation results show that DSnF is practical in general. Initial results from this paper have been provided to 3GPP and incorporated into TR 33.809.

Christian Miranda,Georges Kaddoum,Elias Bou-Harb

DOI: https://doi.org/10.48550/arXiv.1802.01719

2018-02-06

Abstract:Creating a secure environment for communications is becoming a significantly challenging task in 5G Heterogeneous Networks (HetNets) given the stringent latency and high capacity requirements of 5G networks. This is particularly factual knowing that the infrastructure tends to be highly diversified especially with the continuous deployment of small cells. In fact, frequent handovers in these cells introduce unnecessarily recurring authentications leading to increased latency. In this paper, we propose a software-defined wireless network (SDWN)-enabled fast cross-authentication scheme which combines non-cryptographic and cryptographic algorithms to address the challenges of latency and weak security. Initially, the received radio signal strength vectors at the mobile terminal (MT) is used as a fingerprinting source to generate an unpredictable secret key. Subsequently, a cryptographic mechanism based upon the authentication and key agreement protocol by employing the generated secret key is performed in order to improve the confidentiality and integrity of the authentication handover. Further, we propose a radio trusted zone database aiming to enhance the frequent authentication of radio devices which are present in the network. In order to reduce recurring authentications, a given covered area is divided into trusted zones where each zone contains more than one small cell, thus permitting the MT to initiate a single authentication request per zone, even if it keeps roaming between different cells. The proposed scheme is analyzed under different attack scenarios and its complexity is compared with cryptographic and non-cryptographic approaches to demonstrate its security resilience and computational efficiency.

Cryptography and Security,Networking and Internet Architecture

Yunjie Yi,Guang Gong,Kalikinkar Mandal

DOI: https://doi.org/10.48550/arXiv.1909.11707

2021-10-01

Abstract:With the rapid deployment of Internet of Things (IoT) devices in applications such as smarthomes, healthcare and industrial automation, security and privacy has become a major concern. Recently, National Institute of Standards and Technology (NIST) has initiated a lightweight cryptography (LWC) competition to standardize new cryptographic algorithm(s) for providing security in resource-constrained environments. In this context, measuring the suitability of new algorithms with existing communication and authentication protocols is an important problem. This paper investigates the performance of three NIST lightweight authenticated ciphers in round 2 namely ACE, SPIX and WAGE in the WiFi and CoAP handshaking authentication protocols. We implement the WiFi and CoAP handshake protocols and the IEEE802.11a physical layer communication protocol in software defined radio (SDR) and embed these two handshaking protocols into the IEEE802.11a OFDM communication protocol to measure the performance of three ciphers. We present the construction of KDF and MIC used in the handshaking authentication protocols and provide optimized implementations of ACE, SPIX and WAGE including KDF and MIC on three different (low-power) microcontrollers. The performance results of these three ciphers when adopted in WiFi and CoAP protocols are presented. Our experimental results show that the cryptographic functionalities are the bottleneck in the handshaking and data protection protocols.

Cryptography and Security,Signal Processing

Mohamad Saalim Wani,Michael Rademacher,Thorsten Horstmann,Mathias Kretschmer

DOI: https://doi.org/10.3390/jcp4010002

2024-01-02

Journal of Cybersecurity and Privacy

Abstract:5G networks, pivotal for our digital mobile societies, are transitioning from 4G to 5G Stand-Alone (SA) networks. However, during this transition, 5G Non-Stand-Alone (NSA) networks are widely used. This paper examines potential security vulnerabilities in 5G NSA networks. Through an extensive literature review, we identify known 4G attacks that can theoretically be applied to 5G NSA. We organize these attacks into a structured taxonomy. Our findings reveal that 5G NSA networks may offer a false sense of security, as most security and privacy improvements are concentrated in 5G SA networks. To underscore this concern, we implement three attacks with severe consequences and successfully validate them on various commercially available smartphones. Notably, one of these attacks, the IMSI Leak, consistently exposes user information with no apparent security mitigation in 5G NSA networks. This highlights the ease of tracking individuals on current 5G networks.

computer science, information systems, interdisciplinary applications, software engineering

Yaru Yang,Yiming Zhang,Tao Wan,Chuhan Wang,Haixin Duan,Jianjun Chen,Yishen Li

DOI: https://doi.org/10.1145/3643833.3656131

2024-01-01

Abstract:5G messaging services, based on Global System for Mobile Communications Association (GSMA) Rich Communication Service (RCS) and 3rd Generation Partnership Project (3GPP) IP Multimedia Subsystem (IMS), have been deployed globally by more than 90 mobile operators serving over 421 million monthly active users via 1.2 billion devices. Despite the widespread use, security research of 5G messaging remains sparse. In this paper, we present a comprehensive security analysis and measurement of 5G messaging services, assisted by a semi-automated testing tool we developed. We considered both carrier-side deployment and phone-side software implementations by testing against three large operators, each with hundreds of millions of subscribers, and six popular 5G messaging-enabled devices. We uncovered 4 categories of vulnerabilities, allowing for a wide range of attacks, including Man-In-The-Middle (MITM) attacks, zero-click remote information leakage, phone storage exhaustion and mobile data consumption, and Denial-of-Services (DoS) attacks. Our study underscores the need for further security enhancements in security specifications, implementation, and deployment of 5G messaging services.