DOI: 10.1145/3558482.3581774
research-article
Open access

Never Let Me Down Again: Bidding-Down Attacks and Mitigations in 5G and 4G

Published: 28 June 2023

Abstract

Bidding-down attacks reduce the security of a mobile network connection. Weaker encryption algorithms or even downgrades to prior network generations enable an adversary to exploit numerous attack vectors and harm the users of a network. The problem of bidding-down attacks has been known for generations, and various mitigations are integrated into the latest 4G and 5G specifications. However, current research lacks a systematic identification and analysis of the variety of potential attack vectors. In this work, we classify an extensive set of bidding-down attack vectors and mitigations and analyze their specification and implementation in phones and networks. Our results demonstrate vulnerabilities for all attacks and devices, including the latest mobile generation 5G and recent flagship phones. To further prove how the identified attack vectors can be exploited in sophisticated attacks, we conduct two case studies in which we apply a full downgrade attack from 5G SA to 2G and bid down a 5G NSA connection by enforcing null encryption. Again, we find a majority of systems vulnerable. With this paper, we hope to improve the state of bidding-down mitigations in the specification and implementation.

    Published In

    WiSec '23: Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks
    May 2023
    394 pages
    ISBN: 9781450398596
    DOI: 10.1145/3558482
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. 4g
    2. 5g
    3. bidding-down
    4. downgrade
    5. fake base station

    Qualifiers

    • Research-article

    Conference

    WiSec '23

    Acceptance Rates

    Overall Acceptance Rate 98 of 338 submissions, 29%

    Article Metrics

    • Downloads (Last 12 months): 854
    • Downloads (Last 6 weeks): 136
    Reflects downloads up to 13 Dec 2024

    Cited By

    • (2024) 5GMap: User-Driven Audit of Access Security Configurations in Cellular Networks. 2024 19th Wireless On-Demand Network Systems and Services Conference (WONS), 97-104. DOI: 10.23919/WONS60642.2024.10449586. Online publication date: 29-Jan-2024
    • (2024) Navigating 5G Security: Challenges and Progresses on 5G Security Assurance and Risk Assessment. 2024 AEIT International Annual Conference (AEIT), 1-6. DOI: 10.23919/AEIT63317.2024.10736736. Online publication date: 25-Sep-2024
    • (2024) A Novel Method of Determining an Authentic Cell in Next Generation Cellular Communication System. 2024 IEEE Wireless Communications and Networking Conference (WCNC), 1-6. DOI: 10.1109/WCNC57260.2024.10571142. Online publication date: 21-Apr-2024
    • (2024) 5G/O-RAN Security Automated Testing. MILCOM 2024 - 2024 IEEE Military Communications Conference (MILCOM), 129-134. DOI: 10.1109/MILCOM61039.2024.10774015. Online publication date: 28-Oct-2024
    • (2024) Fake Base Station Detection and Blacklisting. 2024 33rd International Conference on Computer Communications and Networks (ICCCN), 1-9. DOI: 10.1109/ICCCN61486.2024.10637542. Online publication date: 29-Jul-2024
    • (2024) Security Analysis of Critical 5G Interfaces. IEEE Communications Surveys & Tutorials 26:4, 2382-2410. DOI: 10.1109/COMST.2024.3377161. Online publication date: Dec-2025
    • (2024) Wherever I May Roam: Stealthy Interception and Injection Attacks Through Roaming Agreements. Computer Security – ESORICS 2024, 208-228. DOI: 10.1007/978-3-031-70903-6_11. Online publication date: 16-Sep-2024
