Gerrit Holtrup,William Lacube,Dimitri Percia David,Alain Mermoud,Gérôme Bovet,Vincent Lenders

DOI: https://doi.org/10.48550/arXiv.2108.08700

2021-08-20

Abstract:Fifth generation mobile networks (5G) are currently being deployed by mobile operators around the globe. 5G acts as an enabler for various use cases and also improves the security and privacy over 4G and previous network generations. However, as recent security research has revealed, the standard still has security weaknesses that may be exploitable by attackers. In addition, the migration from 4G to 5G systems is taking place by first deploying 5G solutions in a non-standalone (NSA) manner where the first step of the 5G deployment is restricted to the new radio aspects of 5G, while the control of the user equipment is still based on 4G protocols, i.e. the core network is still the legacy 4G evolved packet core (EPC) network. As a result, many security vulnerabilities of 4G networks are still present in current 5G deployments. This paper presents a systematic risk analysis of standalone and non-standalone 5G networks. We first describe an overview of the 5G system specification and the new security features of 5G compared to 4G. Then, we define possible threats according to the STRIDE threat classification model and derive a risk matrix based on the likelihood and impact of 12 threat scenarios that affect the radio access and the network core. Finally, we discuss possible mitigations and security controls. Our analysis is generic and does not account for the specifics of particular 5G network vendors or operators. Further work is required to understand the security vulnerabilities and risks of specific 5G implementations and deployments.

Networking and Internet Architecture,Cryptography and Security

Tanujay Saha,Najwa Aaraj,Niraj K. Jha

DOI: https://doi.org/10.48550/arXiv.2108.03514

2021-08-08

Abstract:The core network architecture of telecommunication systems has undergone a paradigm shift in the fifth-generation (5G)networks. 5G networks have transitioned to software-defined infrastructures, thereby reducing their dependence on hardware-based network functions. New technologies, like network function virtualization and software-defined networking, have been incorporated in the 5G core network (5GCN) architecture to enable this transition. This has resulted in significant improvements in efficiency, performance, and robustness of the networks. However, this has also made the core network more vulnerable, as software systems are generally easier to compromise than hardware systems. In this article, we present a comprehensive security analysis framework for the 5GCN. The novelty of this approach lies in the creation and analysis of attack graphs of the software-defined and virtualized 5GCN through machine learning. This analysis points to 119 novel possible exploits in the 5GCN. We demonstrate that these possible exploits of 5GCN vulnerabilities generate five novel attacks on the 5G Authentication and Key Agreement protocol. We combine the attacks at the network, protocol, and the application layers to generate complex attack vectors. In a case study, we use these attack vectors to find four novel security loopholes in WhatsApp running on a 5G network.

Networking and Internet Architecture,Artificial Intelligence,Cryptography and Security,Machine Learning

Stavros Eleftherakis,Timothy Otim,Giuseppe Santaromita,Almudena Diaz Zayas,Domenico Giustiniano,Nicolas Kourtellis

DOI: https://doi.org/10.1145/3636534.3690696

2024-09-26

Abstract:Ensuring user privacy remains critical in mobile networks, particularly with the rise of connected devices and denser 5G infrastructure. Privacy concerns have persisted across 2G, 3G, and 4G/LTE networks. Recognizing these concerns, the 3rd Generation Partnership Project (3GPP) has made privacy enhancements in 5G Release 15. However, the extent of operator adoption remains unclear, especially as most networks operate in 5G Non Stand Alone (NSA) mode, relying on 4G Core Networks. This study provides the first qualitative and experimental comparison between 5G NSA and Stand Alone (SA) in real operator networks, focusing on privacy enhancements addressing top eight pre-5G attacks based on recent academic literature. Additionally, it evaluates the privacy levels of OpenAirInterface (OAI), a leading open-source software for 5G, against real network deployments for the same attacks. The analysis reveals two new 5G privacy vulnerabilities, underscoring the need for further research and stricter standards.

Networking and Internet Architecture

Zhiwei Cui,Baojiang Cui,Junsong Fu,Renhai Dong

DOI: https://doi.org/10.1155/2022/7395128

IF: 1.968

2022-09-05

Security and Communication Networks

Abstract:With the rapid development of 5G SA (standalone) networks, increasing subscribers are motivated to make calls through 5G. To support voice services critical to mobile users, 5G SA networks adopt two solutions: VoNR (Voice Over New Radio) and EPS (Evolved Packet System) fallback. At this stage, 5G SA networks provide voice services through EPS fallback, which leverages 4G networks to support voice calls for 5G users. This switch between cellular network systems may expose vulnerabilities to adversaries. However, there is a lack of security research on voice services in the 5G SA network. In this paper, we analyze the security of EPS fallback and its closely related IMS from the perspective of the protocol and the practices of the carriers. We uncover two protocol design vulnerabilities and two implementation flaws. In addition, we exploit them to design three attacks: voice DoS, voice monitoring, and SMS spoofing and interception. We validated these vulnerabilities and attacks using SDR (software-defined radio) tools and a set of open-source software in three mobile carriers. Our analysis reveals that the problems stem from both specifications and carrier networks. We finally propose several potential countermeasures to defend these attacks.

computer science, information systems,telecommunications

Stavros Eleftherakis,Domenico Giustiniano,Nicolas Kourtellis

2024-09-10

Abstract:Ensuring user privacy remains a critical concern within mobile cellular networks, particularly given the proliferation of interconnected devices and services. In fact, a lot of user privacy issues have been raised in 2G, 3G, 4G/LTE networks. Recognizing this general concern, 3GPP has prioritized addressing these issues in the development of 5G, implementing numerous modifications to enhance user privacy since 5G Release 15. In this systematization of knowledge paper, we first provide a framework for studying privacy and security related attacks in cellular networks, setting as privacy objective the User Identity Confidentiality defined in 3GPP standards. Using this framework, we discuss existing privacy and security attacks in pre-5G networks, analyzing the weaknesses that lead to these attacks. Furthermore, we thoroughly study the security characteristics of 5G up to the new Release 19, and examine mitigation mechanisms of 5G to the identified pre-5G attacks. Afterwards, we analyze how recent 5G attacks try to overcome these mitigation mechanisms. Finally, we identify current limitations and open problems in security of 5G, and propose directions for future work.

Cryptography and Security,Networking and Internet Architecture

Roger Piqueras Jover,Vuk Marojevic

DOI: https://doi.org/10.48550/arXiv.1809.06925

2018-11-29

Abstract:The Third Generation Partnership Project (3GPP) released its first 5G security specifications in March 2018. This paper reviews the 5G security architecture, requirements and main processes and evaluates them in the context of known and new protocol exploits. Although the security has been enhanced when compared to previous generations to tackle known protocol exploits, our analysis identifies some potentially unrealistic system assumptions that are critical for security as well as a number protocol edge cases that could render 5G systems vulnerable to adversarial attacks. For example, null encryption and null authentication are supported and can be used in valid system configurations, and certain key security functions are still left outside of the scope of the specifications. Moreover, the prevention of pre-authentcation message exploits appears to rely on the implicit assumption of impractical carrier and roaming agreements and the management of public keys from all global operators. In parallel, existing threats such as International Mobile Subscriber Identity (IMSI) catchers are prevented only if the serving network enforces optional security features and if the UE knows the public key of the home network operator. The comparison with 4G LTE protocol exploits reveals that the 5G security specifications, as of Release 15, do not fully address the user privacy and network availability concerns, where one edge case can compromise the privacy, security and availability of 5G users and services.

Cryptography and Security

Norbert Ludant,Marinos Vomvas,Guevara Noubir

DOI: https://doi.org/10.48550/arXiv.2403.06717

2024-03-11

Abstract:Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operations, makes reasoning about security non-trivial, and requires a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by injecting MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39 bits DCI), and disconnect users.

Cryptography and Security

Michal Harvanek,Jan Bolcek,Jan Kufa,Ladislav Polak,Marek Simka,Roman Marsalek

DOI: https://doi.org/10.3390/s24175523

IF: 3.9

2024-08-28

Sensors

Abstract:With the expansion of wireless mobile networks into both the daily lives of individuals as well as into the widely developing market of connected devices, communication is an increasingly attractive target for attackers. As the complexity of mobile cellular systems grows and the respective countermeasures are implemented to secure data transmissions, the attacks have become increasingly sophisticated on the one hand, but at the same time the system complexity can open up expanded opportunities for security and privacy breaches. After an in-depth summary of possible entry points to attacks to mobile networks, this paper first briefly reviews the basic principles of the physical layer implementation of 4G/5G systems, then gives an overview of possible attacks from a physical layer perspective. It also provides an overview of the software frameworks and hardware tool-software defined radios currently in use for experimenting with 4G/5G mobile networks, and it discusses their basic capabilities. In the final part, the paper summarizes the currently most promising families of techniques to detect illegitimate base stations—the machine-learning-based, localization-based, and behavior-based methods .

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Zhiwei Cui,Baojiang Cui,Li Su,Haitao Du,Hongxin Wang,Junsong Fu

2023-03-20

Abstract:The security context used in 5G authentication is generated during the Authentication and Key Agreement (AKA) procedure and stored in both the user equipment (UE) and the network sides for the subsequent fast registration procedure. Given its importance, it is imperative to formally analyze the security mechanism of the security context. The security context in the UE can be stored in the Universal Subscriber Identity Module (USIM) card or in the baseband chip. In this work, we present a comprehensive and formal verification of the fast registration procedure based on the security context under the two scenarios in ProVerif. Our analysis identifies two vulnerabilities, including one that has not been reported before. Specifically, the security context stored in the USIM card can be read illegally, and the validity checking mechanism of the security context in the baseband chip can be bypassed. Moreover, these vulnerabilities also apply to 4G networks. As a consequence, an attacker can exploit these vulnerabilities to register to the network with the victim's identity and then launch other attacks, including one-tap authentication bypass leading to privacy disclosure, location spoofing, etc. To ensure that these attacks are indeed realizable in practice, we have responsibly confirmed them through experimentation in three operators. Our analysis reveals that these vulnerabilities stem from design flaws of the standard and unsafe practices by operators. We finally propose several potential countermeasures to prevent these attacks. We have reported our findings to the GSMA and received a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

Cryptography and Security

Mohammed Mahyoub,AbdulAziz AbdulGhaffar,Emmanuel Alalade,Ezekiel Ndubisi,Ashraf Matrawy

DOI: https://doi.org/10.1109/comst.2024.3377161

IF: 35.6

2024-01-01

IEEE Communications Surveys & Tutorials

Abstract:Interfaces play a crucial role in the Fifth Generation (5G) architecture as they interconnect Network Functions (NFs) to exchange data and services. Certain interfaces are particularly critical because they are involved in the exchange of sensitive data or are exposed externally. To the best of our knowledge, no literature work analyzes the 5G security from a network architecture or interface perspective. Therefore, existing research on 5G security may not be helpful when considering a certain component of the network or a specific interface. This paper reviews the security measures recommended by the selected Standardization Development Organizations (SDOs) for critical interfaces and classifies them based on security goals. It also identifies vulnerabilities and threats to these interfaces in the absence of security measures and categorizes them based on STRIDE model and impacted traffic types.

computer science, information systems,telecommunications

Su, Li,Du, Haitao

DOI: https://doi.org/10.1007/s00500-023-09486-x

IF: 3.732

2024-01-11

Soft Computing

Abstract:The security context, generally stored in the universal subscriber identity module card or the baseband chip, is the critical information applied by the subscriber to access the 5G network during the fast authentication procedure. Once exposed or illegally used, the security context can be exploited to derive various keys for authentication and encryption. Despite its importance, challenges and questions still remain in the previous relevant research. To fill this gap, by adopting the security protocol verification tool ProVerif, we provide a comprehensive formal model of the fast authentication procedure based on the security context to analyze whether security goals can be met. Unfortunately, we uncover two vulnerabilities, including one never reported before. Our analysis shows that these vulnerabilities stem from fundamental design flaws in the cellular network protocol and thus apply to the 4G network. These vulnerabilities could be exploited to launch several attacks, including impersonation and eavesdropping. We have validated these attacks using 5 mobile phones from 5 different baseband manufacturers through experimentation in three mobile carriers. We find an insecure implementation of one of these phones, which exposed it to replay attacks. And we further discuss the security threats posed by the impersonation attack, such as location spoofing and one-tap authentication bypass, which is verified on 10 popular apps. We finally propose several countermeasures to eliminate these security issues. Actually, we have reported the novel vulnerability to the GSM Association and received a confirmation in the form of a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

computer science, artificial intelligence, interdisciplinary applications

Yaru Yang,Yiming Zhang,Tao Wan,Chuhan Wang,Haixin Duan,Jianjun Chen,Yishen Li

DOI: https://doi.org/10.1145/3643833.3656131

2024-01-01

Abstract:5G messaging services, based on Global System for Mobile Communications Association (GSMA) Rich Communication Service (RCS) and 3rd Generation Partnership Project (3GPP) IP Multimedia Subsystem (IMS), have been deployed globally by more than 90 mobile operators serving over 421 million monthly active users via 1.2 billion devices. Despite the widespread use, security research of 5G messaging remains sparse. In this paper, we present a comprehensive security analysis and measurement of 5G messaging services, assisted by a semi-automated testing tool we developed. We considered both carrier-side deployment and phone-side software implementations by testing against three large operators, each with hundreds of millions of subscribers, and six popular 5G messaging-enabled devices. We uncovered 4 categories of vulnerabilities, allowing for a wide range of attacks, including Man-In-The-Middle (MITM) attacks, zero-click remote information leakage, phone storage exhaustion and mobile data consumption, and Denial-of-Services (DoS) attacks. Our study underscores the need for further security enhancements in security specifications, implementation, and deployment of 5G messaging services.

S. Sullivan,Alessandro Brighente,S. A. P. Kumar,M. Conti

DOI: https://doi.org/10.1109/access.2021.3105396

IF: 3.9

2021-01-01

IEEE Access

Abstract:The Fifth Generation of Communication Networks (5G) envisions a broader range of services compared to previous generations, supporting an increased number of use cases and applications. The broader application domain leads to increase in consumer use and, in turn, increased hacker activity. Due to this chain of events, strong and efficient security measures are required to create a secure and trusted environment for users. In this paper, we provide an objective overview of 5G security issues and the existing and newly proposed technologies designed to secure the 5G environment. We categorize security technologies using Open Systems Interconnection (OSI) layers and, for each layer, we discuss vulnerabilities, threats, security solutions, challenges, gaps and open research issues. While we discuss all seven OSI layers, the most interesting findings are in layer one, the physical layer. In fact, compared to other layers, the physical layer between the base stations and users' device presents increased opportunities for attacks such as eavesdropping and data fabrication. However, no single OSI layer can stand on its own to provide proper security. All layers in the 5G must work together, providing their own unique technology in an effort to ensure security and integrity for 5G data.

computer science, information systems,telecommunications,engineering, electrical & electronic

Alexandre Sousa,Manuel J. C. S. Reis

DOI: https://doi.org/10.70082/esiculture.vi.1054

2024-09-17

Evolutionary Studies in Imaginative Culture

Abstract:The evolution of wireless communications, from the first to the fifth generation, has driven Internet of Things (IoT) advancements. IoT is transforming sectors like agriculture, healthcare, and transportation, but also presents challenges like spectrum bandwidth demand, speed requirements, and security issues. IoT environments, with embedded sensors and actuators, connect to other devices to transmit and receive data over the internet. These data are processed locally or in the cloud, enabling decision-making and automation. Various wireless technologies, including Bluetooth, Zigbee, LoRa, and WiFi, cater to specific IoT applications. 5G, with its high speeds, low latency, and efficient bandwidth sharing, is ideal for high-speed data transmission, and thus it provides robust infrastructure for low-latency and bandwidth-sensitive applications. This latest mobile network technology is being rapidly implemented worldwide, providing unprecedented throughput and low latency, which are crucial for the IoT. This paper presents a comprehensive systematic review on 5G security features, vulnerabilities, threats to mobile devices, security in IoT devices, common attacks to IoT devices and protection of data in this environment. Despite enhanced security, 5G faces challenges like Distributed Denial of Service (DDoS), Man In The Middle (MITM), cross-slice disruptions, and side-channel attacks.

Keyvan Ramezanpour,Jithin Jagannath,Anu Jagannath

DOI: https://doi.org/10.1016/j.comnet.2022.109515

IF: 5.493

2022-12-14

Computer Networks

Abstract:Spectrum scarcity has been a major concern for achieving the desired quality of experience (QoE) in next-generation (5G/6G and beyond) networks supporting a massive volume of mobile and IoT devices with low-latency and seamless connectivity. Hence, spectrum sharing systems have been considered as a major enabler for next-generation wireless networks in meeting QoE demands. Specifically, the 3rd generation partnership project (3GPP) has standardized coexistence of 4G LTE License Assisted Access (LAA) network with WiFi in the unlicensed 5 GHz bands, and the 5G New Radio Unlicensed (NR-U) with WiFi 6/6E in 6 GHz bands. While most current coexistence solutions and standards focus on performance improvement and QoE optimization, the emerging security challenges of such network environments have been ignored in the literature. The security framework of standalone networks (either 5G or WiFi) assumes the ownership of entire network resources from spectrum to core functions. Hence, all accesses to the network shall be authenticated and authorized within the intra-network security system and is deemed illegal otherwise. However, coexistence network environments can lead to unprecedented security vulnerabilities and breaches as the standalone networks shall tolerate unknown and out-of-network accesses, specifically in the medium access. In this paper, for the first time in literature, we review some of the critical and emerging security vulnerabilities in the 5G/WiFi coexistence network environment which have not been observed previously in standalone networks. Specifically, independent medium access control (MAC) protocols and the resulting hidden node issues can result in exploitation such as service blocking, deployment of rogue base-stations, and eavesdropping attacks. We study potential vulnerabilities in the perspective of physical layer authentication, network access security, and cross-layer authentication mechanisms. This study opens a new direction of research in the analysis and design of a security framework that can address the unique challenges of coexistence networks.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Shari-Ann Smith-Haynes

2024-07-24

Abstract:Advances in fifth-generation (5G) networks enable unprecedented reliability, speed, and connectivity compared to previous mobile networks. These advancements can revolutionize various sectors by supporting applications requiring real-time data processing. However, the rapid deployment and integration of 5G networks bring security concerns that must be addressed to operate these infrastructures safely. This paper reviews penetration testing approaches for identifying security vulnerabilities in 5G networks. Penetration testing is an ethical hacking technique used to simulate a network's security posture in the event of cyberattacks. This review highlights the capabilities, advantages, and limitations of recent 5G-targeting security tools for penetration testing. It examines ways adversaries exploit vulnerabilities in 5G networks, covering tactics and strategies targeted at 5G features. A key topic explored is the comparison of penetration testing methods for 5G and earlier generations. The article delves into the unique characteristics of 5G, including massive MIMO, edge computing, and network slicing, and how these aspects require new penetration testing methods. Understanding these differences helps develop more effective security solutions tailored to 5G networks. Our research also indicates that 5G penetration testing should use a multithreaded approach for addressing current security challenges. Furthermore, this paper includes case studies illustrating practical challenges and limitations in real-world applications of penetration testing in 5G networks. A comparative analysis of penetration testing tools for 5G networks highlights their effectiveness in mitigating vulnerabilities, emphasizing the need for advanced security measures against evolving cyber threats in 5G deployment.

Cryptography and Security

Elisa Bertino,Syed Rafiul Hussain,Omar Chowdhury

DOI: https://doi.org/10.48550/arXiv.2003.13604

2020-03-31

Abstract:Cellular networks represent a critical infrastructure and their security is thus crucial. 5G - the latest generation of cellular networks - combines different technologies to increase capacity, reduce latency, and save energy. Due to its complexity and scale, however, ensuring its security is extremely challenging. In this white paper, we outline recent approaches supporting systematic analyses of 4G LTE and 5G protocols and their related defenses and introduce an initial security and privacy roadmap, covering different research challenges, including formal and comprehensive analyses of cellular protocols as defined by the standardization groups, verification of the software implementing the protocols, the design of robust defenses, and application and device security.

Computers and Society,Cryptography and Security,Networking and Internet Architecture

Zhihong Tian,Yanbin Sun,Shen Su,Mohan Li,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.48550/arXiv.1902.04009

2019-02-12

Abstract:The 5th generation (5G) network adopts a great number of revolutionary technologies to fulfill continuously increasing requirements of a variety of applications, including ultra-high bandwidth, ultra-low latency, ultra-massive device access, ultra-reliability, and so on. Correspondingly, traditional security focuses on the core network, and the logical (non-physical) layer is no longer suitable for the 5G network. 5G security presents a tendency to extend from the network center to the network edge and from the logical layer to the physical layer. The physical layer security is also an essential part of 5G security. However, the security of each layer in 5G is mostly studied separately, which causes a lack of comprehensive analysis for security issues across layers. Meanwhile, potential security threats are lack of automated solutions. This article explores the 5G security by combining the physical layer and the logical layer from the perspective of automated attack and defense, and dedicate to provide automated solution framework for 5G security.

Networking and Internet Architecture

Lei Shi

DOI: https://doi.org/10.1051/shsconf/202214402007

2022-08-27

SHS Web of Conferences

Abstract:In today's society, 5G network technology has gradually entered everyone's life, from the simplest communication to smart cars, artificial intelligence, traffic signals to the medical field, military industry and so on. All aspects of 5G network technology can be used to greatly improve the convenience of people's lives and the technological transformation of human society. However, there are many countries, companies and people who are not so sure about 5G technology, and who may even abandon its use because of concerns about its security. As a result, this thesis focuses on the benefits and drawbacks of 5G technology's security in networks, as well as its application in everyday life and potential security threats, as well as whether its security will escalate from a cyber-level attack to physical harm to humans or facilities when combined with the Internet of Things. The analysis of current articles, data, and expert opinion will help to produce findings that will address the concerns of those who are sceptical about the security of 5G. In this regard, it is concluded that the safety of 5G network technology requires a warning, but at this stage, its convenience and safety are within human control and can be used with confidence.

Guan-Hua Tu,Min-Yue Chen,Chunyi Peng,Sihan Wang,Jingwen Shi,Chi-Yu Li,Tian Xie,Man-Hsin Chen,Yiwen Hu

DOI: https://doi.org/10.1145/3636534.3649377

2024-05-29

Abstract:IMS (IP Multimedia Subsystem) is vital for delivering IP-based multimedia services in mobile networks. Despite constant upgrades by 3GPP over the past two decades to support heterogeneous radio access networks (e.g., 4G LTE, 5G NR, and Wi-Fi) and enhance IMS security, the focus has primarily been on cellular infrastructure. Consequently, IMS security measures on mobile equipment (ME), such as smartphones, lag behind rapid technological advancements. Our study reveals that mandated IMS security measures on ME fail to keep pace, resulting in new vulnerabilities and attack vectors, including denial of service (DoS) across all networks, named SMS source spoofing, and covert communications over Video-over-IMS attacks. All vulnerabilities and proof-of-concept attacks have been experimentally validated in operational 5G/4G networks across various phone models and network operators. Finally, we propose and prototype standard-compliant remedies for these vulnerabilities.

Computer Science,Engineering