Yaru Yang,Yiming Zhang,Tao Wan,Chuhan Wang,Haixin Duan,Jianjun Chen,Yishen Li

DOI: https://doi.org/10.1145/3643833.3656131

2024-01-01

Abstract:5G messaging services, based on Global System for Mobile Communications Association (GSMA) Rich Communication Service (RCS) and 3rd Generation Partnership Project (3GPP) IP Multimedia Subsystem (IMS), have been deployed globally by more than 90 mobile operators serving over 421 million monthly active users via 1.2 billion devices. Despite the widespread use, security research of 5G messaging remains sparse. In this paper, we present a comprehensive security analysis and measurement of 5G messaging services, assisted by a semi-automated testing tool we developed. We considered both carrier-side deployment and phone-side software implementations by testing against three large operators, each with hundreds of millions of subscribers, and six popular 5G messaging-enabled devices. We uncovered 4 categories of vulnerabilities, allowing for a wide range of attacks, including Man-In-The-Middle (MITM) attacks, zero-click remote information leakage, phone storage exhaustion and mobile data consumption, and Denial-of-Services (DoS) attacks. Our study underscores the need for further security enhancements in security specifications, implementation, and deployment of 5G messaging services.

Oscar Lasierra,Gines Garcia-Aviles,Esteban Municio,Antonio Skarmeta,Xavier Costa-Pérez

DOI: https://doi.org/10.48550/arXiv.2305.08635

2023-05-15

Abstract:5G cellular systems are slowly being deployed worldwide delivering the promised unprecedented levels of throughput and latency to hundreds of millions of users. At such scale security is crucial, and consequently, the 5G standard includes a new series of features to improve the security of its predecessors (i.e., 3G and 4G). In this work, we evaluate the actual deployment in practice of the promised 5G security features by analysing current commercial 5G networks from several European operators. By collecting 5G signalling traffic in the wild in several cities in Spain, we i) fact-check which 5G security enhancements are actually implemented in current deployments, ii) provide a rich overview of the implementation status of each 5G security feature in a wide range of 5G commercial networks in Europe and compare it with previous results in China, iii) analyse the implications of optional features not being deployed, and iv) discuss on the still remaining 4G-inherited vulnerabilities. Our results show that in European 5G commercial networks, the deployment of the 5G security features is still on the works. This is well aligned with results previously reported from China [16] and keeps these networks vulnerable to some 4G attacks, during their migration period from 4G to 5G.

Cryptography and Security

Xinsheng Ji,Kaizhi Huang,Liang Jin,Hongbo Tang,Caixia Liu,Zhou Zhong,Wei You,Xiaoming Xu,Hua Zhao,Jiangxing Wu,Ming Yi

DOI: https://doi.org/10.1007/s11432-017-9426-4

2018-01-01

Science China Information Sciences

Abstract:The 5th-generation mobile communication system (5G) has higher security requirements than previous systems. Accordingly, international standard organizations, operators, and equipment manufacturers are focusing extensively on 5G security technology. This paper analyzes the security requirements of 5G business applications, network architecture, the air interface, and user privacy. The development trends of 5G security architecture are summarized, with a focus on endogenous defense architecture, which represents a new trend in 5G security development. Several incremental 5G security technologies are reviewed, including physical layer security, lightweight encryption, network slice security, user privacy protection, and block chain technology applied to 5G.

Chuan Yu,Shuhui Chen,Ziling Wei,Fei Wang

DOI: https://doi.org/10.1016/j.cose.2023.103361

2023-06-25

Abstract:Although 5G security has been further improved with the evolution of the standard, it remains to be checked whether 5G cellular devices ( i.e. , User Equipment or UE) have correctly implemented the designed security features following the specification. In this work, we present SecChecker , a security inspection system, to examine the security implementation of 5G devices. Firstly, to determine which security items to check, we extract 11 general Security Requirements (SRs) for 5G UEs after a comprehensive study of the 3GPP standard. Then we design corresponding Inspection Cases (ICs) for testing the UE implementation of these SRs. We implemented a prototype of SecChecker based on open-source 5G projects and utilized it to inspect 7 Commercial Off-The-Shelf (COTS) devices using 5G baseband chips from the top five vendors. The results indicate that most of the required key security features in the specification are securely implemented by the tested 5G devices. However, we also found several UE security implementations that do not meet the extracted SRs or that are vulnerable to exploits, as well as some protocol mismatches. To show the implications on mobile users using the affected 5G devices, we implement two proof-of-concept attacks including the 5G redirection attack and the 5G user plane Man-in-the-Middle attack, to exploit the identified security flaws. Finally, the mitigations are discussed.

computer science, information systems

Gerrit Holtrup,William Lacube,Dimitri Percia David,Alain Mermoud,Gérôme Bovet,Vincent Lenders

DOI: https://doi.org/10.48550/arXiv.2108.08700

2021-08-20

Abstract:Fifth generation mobile networks (5G) are currently being deployed by mobile operators around the globe. 5G acts as an enabler for various use cases and also improves the security and privacy over 4G and previous network generations. However, as recent security research has revealed, the standard still has security weaknesses that may be exploitable by attackers. In addition, the migration from 4G to 5G systems is taking place by first deploying 5G solutions in a non-standalone (NSA) manner where the first step of the 5G deployment is restricted to the new radio aspects of 5G, while the control of the user equipment is still based on 4G protocols, i.e. the core network is still the legacy 4G evolved packet core (EPC) network. As a result, many security vulnerabilities of 4G networks are still present in current 5G deployments. This paper presents a systematic risk analysis of standalone and non-standalone 5G networks. We first describe an overview of the 5G system specification and the new security features of 5G compared to 4G. Then, we define possible threats according to the STRIDE threat classification model and derive a risk matrix based on the likelihood and impact of 12 threat scenarios that affect the radio access and the network core. Finally, we discuss possible mitigations and security controls. Our analysis is generic and does not account for the specifics of particular 5G network vendors or operators. Further work is required to understand the security vulnerabilities and risks of specific 5G implementations and deployments.

Networking and Internet Architecture,Cryptography and Security

Dongfeng Fang,Yi Qian,Rose Qingyang Hu

DOI: https://doi.org/10.1145/3229316.3229322

2018-05-25

Abstract:In this article, we give an overview on the security requirements and standards for the fourth generation (4G) long term evolution (LTE) and the fifth generation (5G) wireless systems. Compared with the third generation (3G) universal mobile telecommunication system (UMTS), the LTE system not only improves the network capacity and coverage but also provides better performance of data rate, access latency, energy efficiency (EE), and spectrum efficiency (SE) [1]. With the increasing data usage and the new multimedia applications, LTE technologies have been proposed by the 3rd generation partnership project (3GPP) as the broadband mobile wireless networks with packet switched, IP-based technology solely, fully inter-working with different access technologies, different types of base stations and relay nodes. To support more use cases with unique service requirements, 5G wireless systems are developed. There are eight advanced features for 5G wireless systems, 1-10 Gbps connections to end points in the field, 1 millisecond latency, 1000x bandwidth per unit area, 10-100x number of connected devices, 99.999% availability, 100% coverage, 90% reduction of network energy usage and up to ten years battery life for low power devices [2]. These advanced features make 5G wireless systems capable of supporting many new use cases, new industry applications, a multitude of devices and applications to connect society at large. Due to the introduction of new characteristics, there are many new security requirements in the design of the security architectures of the 4G LTE and 5G wireless systems.

Roger Piqueras Jover

DOI: https://doi.org/10.48550/arXiv.1904.08394

2019-04-17

Cryptography and Security

Abstract:The first release of the 5G protocol specifications, 3rd Generation Partnership Project (3GPP) Release 15, were published in December 2017 and the first 5G protocol security specifications in March 2018. As one of the technology cornerstones for Vehicle-to-Vehicle (V2X), Vehicle-to-Everything (V2E) systems and other critical systems, 5G defines some strict communication goals, such as massive device connectivity, sub-10ms latency and ultra high bit-rate. Likewise, given the firm security requirements of certain critical applications expected to be deployed on this new cellular communications standard, 5G defines important security goals. As such, 5G networks are intended to address known protocol vulnerabilities present in both legacy GSM (Global System for Mobile Communications) networks as well as current LTE (Long Term Evolution) mobile systems. This manuscript presents a summary and analysis of the current state of affairs in 5G protocol security, discussing the main areas that should still be improved further before 5G systems go live. Although the 5G security standard documents were released just a year ago, there is a number of research papers detailing security vulnerabilities, which are summarized in this manuscript as well.

Shari-Ann Smith-Haynes

2024-07-24

Abstract:Advances in fifth-generation (5G) networks enable unprecedented reliability, speed, and connectivity compared to previous mobile networks. These advancements can revolutionize various sectors by supporting applications requiring real-time data processing. However, the rapid deployment and integration of 5G networks bring security concerns that must be addressed to operate these infrastructures safely. This paper reviews penetration testing approaches for identifying security vulnerabilities in 5G networks. Penetration testing is an ethical hacking technique used to simulate a network's security posture in the event of cyberattacks. This review highlights the capabilities, advantages, and limitations of recent 5G-targeting security tools for penetration testing. It examines ways adversaries exploit vulnerabilities in 5G networks, covering tactics and strategies targeted at 5G features. A key topic explored is the comparison of penetration testing methods for 5G and earlier generations. The article delves into the unique characteristics of 5G, including massive MIMO, edge computing, and network slicing, and how these aspects require new penetration testing methods. Understanding these differences helps develop more effective security solutions tailored to 5G networks. Our research also indicates that 5G penetration testing should use a multithreaded approach for addressing current security challenges. Furthermore, this paper includes case studies illustrating practical challenges and limitations in real-world applications of penetration testing in 5G networks. A comparative analysis of penetration testing tools for 5G networks highlights their effectiveness in mitigating vulnerabilities, emphasizing the need for advanced security measures against evolving cyber threats in 5G deployment.

Cryptography and Security

Xinjie Yuan,Mingzhou Wu,Zhi Wang,Yifei Zhu,Ming Ma,Junjian Guo,Zhi-Li Zhang,Wenwu Zhu

DOI: https://doi.org/10.1145/3544216.3544219

2022-01-01

Abstract:5G has seen rapid growth recently, attracting several measurement studies on its coverage, connectivity and quality of service. However, there is still a lack of understanding of 5G's capabilities and potential impacts from a content provider (CP)'s perspective. This paper fills in this gap by studying 5G networks used by over 23 million users in one year in Kuaishou, a popular crowdsourced live streaming platform. Our measurements provide the following discoveries. i) Standalone (SA) 5G generally provides end-to-end performance improvement as compared with 4G or non-SA (NSA) 5G, but its advantage depends on both the number of cellular users and CP-level configurations. ii) In the radio access network, SA 5G is more sensitive to access density but has better handover tolerance. iii) Controlled experiments with 29 mobile device models on energy consumption refute some "conventional wisdom," including that 5G always consumes more power. iv) Traceroute-based active experiments in over 300 cities show that although users are "closer" to the internet in SA 5G, their end-to-end latency may not benefit from that. Furthermore, we show new design space for 5G participants and provide a 5G-aware rebuffer strategy tested by 9 million viewers in Kuaishou, with a 7% reduction in rebuffer proportion.

Mohammed Mahyoub,AbdulAziz AbdulGhaffar,Emmanuel Alalade,Ezekiel Ndubisi,Ashraf Matrawy

DOI: https://doi.org/10.1109/comst.2024.3377161

IF: 35.6

2024-01-01

IEEE Communications Surveys & Tutorials

Abstract:Interfaces play a crucial role in the Fifth Generation (5G) architecture as they interconnect Network Functions (NFs) to exchange data and services. Certain interfaces are particularly critical because they are involved in the exchange of sensitive data or are exposed externally. To the best of our knowledge, no literature work analyzes the 5G security from a network architecture or interface perspective. Therefore, existing research on 5G security may not be helpful when considering a certain component of the network or a specific interface. This paper reviews the security measures recommended by the selected Standardization Development Organizations (SDOs) for critical interfaces and classifies them based on security goals. It also identifies vulnerabilities and threats to these interfaces in the absence of security measures and categorizes them based on STRIDE model and impacted traffic types.

computer science, information systems,telecommunications

Roger Piqueras Jover,Vuk Marojevic

DOI: https://doi.org/10.48550/arXiv.1809.06925

2018-11-29

Abstract:The Third Generation Partnership Project (3GPP) released its first 5G security specifications in March 2018. This paper reviews the 5G security architecture, requirements and main processes and evaluates them in the context of known and new protocol exploits. Although the security has been enhanced when compared to previous generations to tackle known protocol exploits, our analysis identifies some potentially unrealistic system assumptions that are critical for security as well as a number protocol edge cases that could render 5G systems vulnerable to adversarial attacks. For example, null encryption and null authentication are supported and can be used in valid system configurations, and certain key security functions are still left outside of the scope of the specifications. Moreover, the prevention of pre-authentcation message exploits appears to rely on the implicit assumption of impractical carrier and roaming agreements and the management of public keys from all global operators. In parallel, existing threats such as International Mobile Subscriber Identity (IMSI) catchers are prevented only if the serving network enforces optional security features and if the UE knows the public key of the home network operator. The comparison with 4G LTE protocol exploits reveals that the 5G security specifications, as of Release 15, do not fully address the user privacy and network availability concerns, where one edge case can compromise the privacy, security and availability of 5G users and services.

Cryptography and Security

Zhiwei Cui,Baojiang Cui,Junsong Fu,Renhai Dong

DOI: https://doi.org/10.1155/2022/7395128

IF: 1.968

2022-09-05

Security and Communication Networks

Abstract:With the rapid development of 5G SA (standalone) networks, increasing subscribers are motivated to make calls through 5G. To support voice services critical to mobile users, 5G SA networks adopt two solutions: VoNR (Voice Over New Radio) and EPS (Evolved Packet System) fallback. At this stage, 5G SA networks provide voice services through EPS fallback, which leverages 4G networks to support voice calls for 5G users. This switch between cellular network systems may expose vulnerabilities to adversaries. However, there is a lack of security research on voice services in the 5G SA network. In this paper, we analyze the security of EPS fallback and its closely related IMS from the perspective of the protocol and the practices of the carriers. We uncover two protocol design vulnerabilities and two implementation flaws. In addition, we exploit them to design three attacks: voice DoS, voice monitoring, and SMS spoofing and interception. We validated these vulnerabilities and attacks using SDR (software-defined radio) tools and a set of open-source software in three mobile carriers. Our analysis reveals that the problems stem from both specifications and carrier networks. We finally propose several potential countermeasures to defend these attacks.

computer science, information systems,telecommunications

Zhiwei Cui,Baojiang Cui,Li Su,Haitao Du,Hongxin Wang,Junsong Fu

2023-03-20

Abstract:The security context used in 5G authentication is generated during the Authentication and Key Agreement (AKA) procedure and stored in both the user equipment (UE) and the network sides for the subsequent fast registration procedure. Given its importance, it is imperative to formally analyze the security mechanism of the security context. The security context in the UE can be stored in the Universal Subscriber Identity Module (USIM) card or in the baseband chip. In this work, we present a comprehensive and formal verification of the fast registration procedure based on the security context under the two scenarios in ProVerif. Our analysis identifies two vulnerabilities, including one that has not been reported before. Specifically, the security context stored in the USIM card can be read illegally, and the validity checking mechanism of the security context in the baseband chip can be bypassed. Moreover, these vulnerabilities also apply to 4G networks. As a consequence, an attacker can exploit these vulnerabilities to register to the network with the victim's identity and then launch other attacks, including one-tap authentication bypass leading to privacy disclosure, location spoofing, etc. To ensure that these attacks are indeed realizable in practice, we have responsibly confirmed them through experimentation in three operators. Our analysis reveals that these vulnerabilities stem from design flaws of the standard and unsafe practices by operators. We finally propose several potential countermeasures to prevent these attacks. We have reported our findings to the GSMA and received a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

Cryptography and Security

Fei Pan,Yixin Jiang,Hong Wen,Runfa Liao,Aidong Xu

DOI: https://doi.org/10.1109/VTCFall.2017.8288343

2017-01-01

Abstract:After 4G network becomes a global commercial success, the researchers are now looking at the future 5G technologies, both in standardization bodies and in research projects. Researchers find that the security architecture used in 4G can not satisfy the needs of 5G. Some researchers proposed a kind of unified network security architecture which we find it inflexible. In this paper, we will propose a more flexible hierarchical security architecture which can be adjusted to the needs of the application scenarios of 5G-eMBB, mMTC and URLLC. Under this architecture, we will introduce a cross-layer light weight authentication scheme and a novel physical layer security assisted encryption scheme which is based on both the key streams and the channel information in f-OFDM system.

Norbert Ludant,Marinos Vomvas,Guevara Noubir

DOI: https://doi.org/10.48550/arXiv.2403.06717

2024-03-11

Abstract:Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operations, makes reasoning about security non-trivial, and requires a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by injecting MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39 bits DCI), and disconnect users.

Cryptography and Security

S. Sullivan,Alessandro Brighente,S. A. P. Kumar,M. Conti

DOI: https://doi.org/10.1109/access.2021.3105396

IF: 3.9

2021-01-01

IEEE Access

Abstract:The Fifth Generation of Communication Networks (5G) envisions a broader range of services compared to previous generations, supporting an increased number of use cases and applications. The broader application domain leads to increase in consumer use and, in turn, increased hacker activity. Due to this chain of events, strong and efficient security measures are required to create a secure and trusted environment for users. In this paper, we provide an objective overview of 5G security issues and the existing and newly proposed technologies designed to secure the 5G environment. We categorize security technologies using Open Systems Interconnection (OSI) layers and, for each layer, we discuss vulnerabilities, threats, security solutions, challenges, gaps and open research issues. While we discuss all seven OSI layers, the most interesting findings are in layer one, the physical layer. In fact, compared to other layers, the physical layer between the base stations and users' device presents increased opportunities for attacks such as eavesdropping and data fabrication. However, no single OSI layer can stand on its own to provide proper security. All layers in the 5G must work together, providing their own unique technology in an effort to ensure security and integrity for 5G data.

computer science, information systems,telecommunications,engineering, electrical & electronic

Stavros Eleftherakis,Timothy Otim,Giuseppe Santaromita,Almudena Diaz Zayas,Domenico Giustiniano,Nicolas Kourtellis

DOI: https://doi.org/10.1145/3636534.3690696

2024-09-26

Abstract:Ensuring user privacy remains critical in mobile networks, particularly with the rise of connected devices and denser 5G infrastructure. Privacy concerns have persisted across 2G, 3G, and 4G/LTE networks. Recognizing these concerns, the 3rd Generation Partnership Project (3GPP) has made privacy enhancements in 5G Release 15. However, the extent of operator adoption remains unclear, especially as most networks operate in 5G Non Stand Alone (NSA) mode, relying on 4G Core Networks. This study provides the first qualitative and experimental comparison between 5G NSA and Stand Alone (SA) in real operator networks, focusing on privacy enhancements addressing top eight pre-5G attacks based on recent academic literature. Additionally, it evaluates the privacy levels of OpenAirInterface (OAI), a leading open-source software for 5G, against real network deployments for the same attacks. The analysis reveals two new 5G privacy vulnerabilities, underscoring the need for further research and stricter standards.

Networking and Internet Architecture

Su, Li,Du, Haitao

DOI: https://doi.org/10.1007/s00500-023-09486-x

IF: 3.732

2024-01-11

Soft Computing

Abstract:The security context, generally stored in the universal subscriber identity module card or the baseband chip, is the critical information applied by the subscriber to access the 5G network during the fast authentication procedure. Once exposed or illegally used, the security context can be exploited to derive various keys for authentication and encryption. Despite its importance, challenges and questions still remain in the previous relevant research. To fill this gap, by adopting the security protocol verification tool ProVerif, we provide a comprehensive formal model of the fast authentication procedure based on the security context to analyze whether security goals can be met. Unfortunately, we uncover two vulnerabilities, including one never reported before. Our analysis shows that these vulnerabilities stem from fundamental design flaws in the cellular network protocol and thus apply to the 4G network. These vulnerabilities could be exploited to launch several attacks, including impersonation and eavesdropping. We have validated these attacks using 5 mobile phones from 5 different baseband manufacturers through experimentation in three mobile carriers. We find an insecure implementation of one of these phones, which exposed it to replay attacks. And we further discuss the security threats posed by the impersonation attack, such as location spoofing and one-tap authentication bypass, which is verified on 10 popular apps. We finally propose several countermeasures to eliminate these security issues. Actually, we have reported the novel vulnerability to the GSM Association and received a confirmation in the form of a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

computer science, artificial intelligence, interdisciplinary applications

Lei Shi

DOI: https://doi.org/10.1051/shsconf/202214402007

2022-08-27

SHS Web of Conferences

Abstract:In today's society, 5G network technology has gradually entered everyone's life, from the simplest communication to smart cars, artificial intelligence, traffic signals to the medical field, military industry and so on. All aspects of 5G network technology can be used to greatly improve the convenience of people's lives and the technological transformation of human society. However, there are many countries, companies and people who are not so sure about 5G technology, and who may even abandon its use because of concerns about its security. As a result, this thesis focuses on the benefits and drawbacks of 5G technology's security in networks, as well as its application in everyday life and potential security threats, as well as whether its security will escalate from a cyber-level attack to physical harm to humans or facilities when combined with the Internet of Things. The analysis of current articles, data, and expert opinion will help to produce findings that will address the concerns of those who are sceptical about the security of 5G. In this regard, it is concluded that the safety of 5G network technology requires a warning, but at this stage, its convenience and safety are within human control and can be used with confidence.

Zhihong Tian,Yanbin Sun,Shen Su,Mohan Li,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.48550/arXiv.1902.04009

2019-02-12

Abstract:The 5th generation (5G) network adopts a great number of revolutionary technologies to fulfill continuously increasing requirements of a variety of applications, including ultra-high bandwidth, ultra-low latency, ultra-massive device access, ultra-reliability, and so on. Correspondingly, traditional security focuses on the core network, and the logical (non-physical) layer is no longer suitable for the 5G network. 5G security presents a tendency to extend from the network center to the network edge and from the logical layer to the physical layer. The physical layer security is also an essential part of 5G security. However, the security of each layer in 5G is mostly studied separately, which causes a lack of comprehensive analysis for security issues across layers. Meanwhile, potential security threats are lack of automated solutions. This article explores the 5G security by combining the physical layer and the logical layer from the perspective of automated attack and defense, and dedicate to provide automated solution framework for 5G security.

Networking and Internet Architecture