Security In Cellular Communication

In any information technology there has always been some risk of attack. Until recently, though, cellular communication was considered relatively hard to attack (many people considered it practically impossible). I don't think that is the case any more, and it is time to start thinking seriously about security issues in cellular communication.

In short, I can think of several possible points of security vulnerability (i.e., points of attack). Of course, there are more that I failed to think of, and more will emerge over time.

Possible Points of Attacks

For most people, point (A) (a security attack by a mobile phone app) is the most widely known type. Strictly speaking, though, this type of attack would not be classified as a security issue of cellular communication itself unless the app attacks the modem chipset or the mobile radio protocol. It is more the conventional type of attack that we often hear about on other platforms such as PCs.

Another relatively well-known type of attack is point (D). A jammer can also be used for a legitimate purpose (e.g., blocking cellular communication in a workshop hall), but it has to be considered a serious attack when it is used to block service or even to damage the hardware of the system directly.

When I talk about "Security in cellular communication", I focus more on points (B), (C) and (D). These are the main topics of this note.

Here is a brief description of each attack point in cellular security as illustrated above:

(A) Hacking App: This involves using software tools installed on a mobile device to exploit vulnerabilities in the cellular network. The app can intercept data, manipulate network behavior, or perform man-in-the-middle attacks.

(B) Fake Base Station: Also known as an IMSI catcher or Stingray, this device mimics a legitimate base station to trick nearby mobile phones into connecting to it. This allows the attacker to intercept calls, text messages, or gather device information.

(C) Sniffer: A sniffer captures cellular traffic between devices and base stations. This passive attack tool can be used to monitor and analyze communication, attempting to decode messages or track users without their knowledge.

(D) Jammer: A jammer emits radio signals to disrupt communication between mobile phones and legitimate base stations. This can cause a denial of service, preventing users from making calls, sending texts, or accessing data services.

(E) Fake Mobile Phone: An attacker may use a fake or modified mobile phone to exploit vulnerabilities in network protocols or services. This can be used for impersonating a legitimate user or testing network defenses.

(F) USIM Attack: This involves targeting the Universal Subscriber Identity Module (USIM) of a mobile phone, often through over-the-air (OTA) updates or malicious SIM cards. It aims to gain unauthorized access to SIM data or to manipulate SIM-based authentication processes.

Why didn't we worry much about cellular security?

For some reason, cellular communication (at least from 3G onward) has been perceived as almost perfectly secure against any type of attack. I don't know exactly what the reasoning behind this perception is... I personally can think of a few reasons, as follows:

  • The security algorithms in cellular communication are robust by design. Several different protection mechanisms run at multiple layers by default (e.g., authentication, integrity protection and ciphering). (I am not an expert who can technically verify that these algorithms are stronger by design than those of other systems.)
  • Security keys and parameters (e.g., K, OPc and AMF) are not managed by individual users. Users do not even know the values stored on their own devices. They are stored in the USIM card and in the carrier's database. These values have a certain level of complexity by default (you cannot set something like 1234568, your birthday or your phone number as the key :-)).
  • To develop any method of attack, attackers need to do research and experiments on the target system, but access to such R&D systems has been prohibitively expensive.
  • Relatively few people understand the details of the system to the point where they could figure out its weak points.

Why should we worry about this now?

I haven't seen much difference from 3G through 5G in terms of the fundamental security protection algorithms, so why should we take this issue seriously now? What I have seen change is the environment, especially the accessibility of the technology. Some of the changes I can think of are as follows.

  • Development of software technology and reduced hardware cost: there are now many purely software-based protocol implementations running on general-purpose hardware (PCs, even very low-cost ones like the Raspberry Pi). Of course, the original motivation of these implementations is not to attack anything, but historically most attacks simply reuse well-intentioned technology for ill purposes.
  • It is also getting harder to guarantee quality assurance in terms of security as more diverse implementations appear, especially software implementations running on general-purpose hardware. This concern is also raised in the 6G whitepaper from Samsung.
  • Number of people fluent in the technology: as mentioned above, I think security attacks are mostly an ethical issue rather than a technical one. In the early phase of a technology, when there is no large mass of experts, ethical use is relatively well maintained. But as the technology becomes accessible to a wider range of people, it gets harder and harder to maintain the ethics originally intended, and even the definition of those ethics varies with many factors.
  • There are now active discussions on the next-generation cellular system (6G). It is a good time to think about this, from innovating the security protection algorithms themselves to dealing with the ethical issues by technical means.

What to expect in Security Protection in next generation (6G) cellular system ?

In this section, I will try to compile various ideas and visions proposed by different sources.

Source : Roadmap to 6G (NextG Alliance)

The following are some suggestions, from the security point of view, in the 6G whitepaper from Samsung.

  • Hardware-based secure environment that provides secure operation of software code and protection of credentials
  • Secure-by-design approach to guarantee that any hardware/software can be trusted
  • Transparency to ensure that the system identifies how and when the AI system accesses any code, training data, etc. related to personal information as well as how securely the AI system operates against adversarial machine learning
  • Mechanisms to securely utilize an unprecedented amount of information concerning business and human users and to strictly maintain the privacy of such information

Evolution of Cellular Technology and Coevolution of Attacking Strategy

From the early days of 1G analog systems to the 5G networks of today, each generation of cellular technology has brought significant advances in speed, capacity and reliability. However, as these technologies have evolved, so too have the strategies of those looking to exploit their vulnerabilities. The coevolution of attack strategies alongside technological progress presents a dynamic landscape where innovation in security must keep pace with technological breakthroughs. Here, we explore the intertwined journey of cellular technology advances and the corresponding evolution of attack methodologies, highlighting the challenges and solutions in this ever-changing field.

Here, Norbert Ludant has provided a comprehensive and perceptive review of the evolution of security procedures and of the corresponding attack methodologies.

Security Vulnerabilities and Attack Strategies along the Generations of Cellular Technology

Initially, cellular communications were not very secure because they were designed with the attacker capabilities at that time in mind. For that reason, 2G did not even have mutual authentication, because they didn't think it would be doable for an attacker to actually create a rogue BS. However, with the proliferation of SDRs and low-cost hardware and software implementations, all this became possible. In fact, to this day many attacks rely on downgrading a user to insecure 2G networks, and that is why Android, for instance, now allows the user to disable 2G. Moreover, if you look at the 5G standard, 5G-AKA now has an Anti-Bidding-down Between Architectures (ABBA) parameter to protect from downgrade attacks. Additionally, for instance in 38.331 Annex B.1, Protection of RRC Messages, I think there are indications that they are trying to protect from some of these downgrade attacks, e.g. "RRCRelease message sent before AS security activation cannot include deprioritisationReq, suspendConfig, redirectedCarrierInfo, cellReselectionPriorities information fields."

In 3G, 3GPP added mutual authentication, making rogue base stations less effective. However, user tracking is still a very important attack, which was possible both in 3G and 4G networks. In fact, law enforcement used this very often, basically by using IMSI catchers (Stingray). In essence, you can just start a rogue eNB with high power, and when users try to connect to your rogue BS, you would capture their IMSI, or if they send TMSI, you would send an Identity Request with type IMSI. There are various other ways of tracking users, researchers also showed that it is possible to localize users by linking TMSI to social media, phone number, etc, by listening to paging messages, for instance through silent SMS/phone calls.

However, in 5G, to fix the issue with user tracking, the standard added the use of SUCI instead of sending the unprotected IMSI. In this way, it is not possible to implement an IMSI catcher in 5G (except in some corner cases). Additionally, it is now also mandatory to change the TMSI after every paging procedure, which makes paging-procedure user-tracking attacks also hard to perform. Other protection mechanisms were also added in 5G, such as protection of the initial NAS message or integrity protection of the user plane. Due to all these changes, the 5G RAN is considered quite a bit more secure than its predecessor, LTE.

Higher layer vs Lower Layer Attack

As mentioned above, significant effort has been devoted to enhancing the security mechanisms in 5G, and it has become harder and harder to find vulnerabilities in the protection mechanisms at the higher layers (e.g., exploitation of security-related signaling procedures).

Due to this, I think some of the security research may be shifting to study vulnerabilities in low-capability devices (IoT), or unprotected low layers. In general the impact of vulnerabilities scales as you go to higher layers, because there is more persistent or relevant UE-related information being exchanged (e.g. IMSI, encrypted data, etc.); however, it is also easier to protect with proper security measures. The lower layers are tricky to protect, because there is a strong trade-off between security/privacy/reliability and performance, both in throughput and latency. In general I would say that the lower layers are harder to attack or have a strong impact on because everything is less “static”; RRC connections can last for some seconds, which leads to temporary identifiers, whereas higher-layer connections are more persistent. Another aspect of working on the low layers is that it requires expertise in many tough subjects required for PHY attacks, such as RF knowledge, security, and in-depth understanding of the complicated 3GPP procedures.

As an example of the security/performance trade-off, due to the requirements for lower-latency communications, many procedures are being pushed to the lower layers; for instance, the initial 4G release had ~7 MAC CEs in the specification, whereas the latest 5G release has more than 50. The MAC headers are sent unprotected, because encryption/integrity protection happens at PDCP, so attackers can sniff/inject control elements at low layers nowadays, which is very important too.

In my research, the increased security at higher layers, and the push for control in the lower layers, motivated me to analyze the security and privacy of the low layers of the 5G protocol stack. Particularly, as the encryption and integrity protection happen at the PDCP layer, we look for information leakages in the layers below, such as PHY/MAC. Moreover, with new use-cases such as URLLC, the reliability of the system becomes a crucial aspect, thus the standards for protection are raised, and attacks such as DoS become more important.

In one of our projects, for instance, we wanted to understand if it is still possible to track users, similarly to IMSI-catching, but in 5G, where all the new security enhancements are in place. To answer that we look at the low layers, at the resource scheduling happening in the PHY/MAC. We leverage the fact that the RNTI (Radio Network Temporary Identifier) is tied to one RRC Connection, and would remain the same while there is an active connection. Then, we inject a specific traffic pattern, and we look at the resources allocated to all users in a cell; if we are able to identify the pattern, then we would be able to tell if a user is in a certain area or not, and link it to the phone number/other high-layer ID that we used to generate the traffic. Moreover, we create a modified Signal app that sends a message with a wrong Message Authentication Code (MAC). In this way, you can send constant data to a Signal app user, without the user receiving any notification, because the messages are discarded upon arrival due to wrong integrity checks. This makes the attack quite stealthy.

In general, I think attacks on the signaling level are more powerful, because they can contain long-term user-specific data (identifiers, location...), or modify the state of the UE. However, by looking at the PHY level, we showed that it is also possible to infer user information and violate the user-privacy and track users, finding alternatives for given attacks, and motivating the protection of low-layer information.

How to attack?

Don't get me wrong. This is not about teaching you attack tricks so that you can become an attacker. It is about illustrating some cases of vulnerability and motivating you to get interested in how to remove those vulnerabilities by design. I will also try to summarize what I have learned from the various techniques introduced in the sources I have read and from experts I know personally.

Impersonation Attack

I think this is the most well-known type of attack. Basically, an attacker placed between the victim UE and the network relays the authentication exchange but manipulates the security capabilities in such a way that the network applies the lowest level of security (authentication only, with no integrity protection and no ciphering), and then occupies the traffic channel under the victim UE's identity.

Source :  LTE security disabled: misconfiguration in commercial networks by Chlosta, Merlin et al.

The procedure is already described in a very readable way in the paper :-), so I am just copying the description from the original paper as it is:

    (1) The benign UE connects to the attacker and sends an Attach Request, containing the IMSI and Security Capabilities.

    (2) The attacker forwards the Attach Request but modifies the supported algorithms to EIA0 and EEA0 only.

    (3) The commercial network starts the AKA with an Authentication Request containing the challenge and network authentication (RAND and AUTN).

    (4) The attacker forwards the Authentication Request to the victim UE.

Note that in case the UE connects with Attach Request but identifies with TMSI, the attacker requests the IMSI with an Identity Request. If the UE connects with Service Request or Tracking Area Update, the attacker denies access with reason Implicitly Detached, forcing the UE to re-attach with Attach Request.
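Whether step (2) succeeds is decided entirely by the network's algorithm-selection policy. The Python model below is an added illustration, not code from Chlosta et al. or from any MME implementation: it puts the misconfiguration the paper reports (EIA0 accepted for an ordinary, authenticated subscriber) next to the corrected policy, in which null integrity is only selectable for an unauthenticated emergency attach (the rule in 3GPP TS 33.401). The UE capability set, the IMSI and the operator priority lists are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttachRequest:
    """NAS Attach Request fields relevant to algorithm selection."""
    imsi: str
    integrity_algs: frozenset   # UE security capabilities: EIA0..EIA3
    ciphering_algs: frozenset   # UE security capabilities: EEA0..EEA3


@dataclass
class MmeConfig:
    """Operator-side algorithm preferences (constructed, not any real operator's)."""
    integrity_priority: tuple
    ciphering_priority: tuple
    # The misconfiguration reported by Chlosta et al.: EIA0 accepted for
    # ordinary, authenticated subscribers instead of only for an
    # unauthenticated emergency attach (TS 33.401).
    accept_null_integrity_for_authenticated: bool = False


def select_security(req, cfg, unauthenticated_emergency=False):
    """Pick (integrity, ciphering) for the Security Mode Command, or None to reject.

    The MME takes the highest-priority algorithm the UE claims to support.
    Null integrity (EIA0) is legitimate only for an unauthenticated emergency
    attach; a hardened MME rejects any other request offering nothing but EIA0.
    """
    integrity = [a for a in cfg.integrity_priority if a in req.integrity_algs]
    if not (unauthenticated_emergency or cfg.accept_null_integrity_for_authenticated):
        integrity = [a for a in integrity if a != "EIA0"]
    if not integrity:
        return None  # Attach Reject: no acceptable integrity algorithm
    ciphering = [a for a in cfg.ciphering_priority if a in req.ciphering_algs]
    if not ciphering:
        return None
    return integrity[0], ciphering[0]


def mitm_rewrite(req):
    """Step (2) of the attack: the relay forwards the Attach Request but
    replaces the UE security capabilities with EIA0/EEA0 only."""
    return AttachRequest(req.imsi, frozenset({"EIA0"}), frozenset({"EEA0"}))


def attacker_can_impersonate(req, cfg):
    """True when the network ends up running the victim's context with null
    algorithms, which lets the relay answer the Security Mode Command itself
    and then act as the victim."""
    return select_security(mitm_rewrite(req), cfg) == ("EIA0", "EEA0")


# Constructed victim UE. A normal phone advertises EIA0 too (needed for
# emergency attach); advertising it is not the problem, accepting it is.
VICTIM = AttachRequest(
    imsi="001010123456789",
    integrity_algs=frozenset({"EIA0", "EIA1", "EIA2", "EIA3"}),
    ciphering_algs=frozenset({"EEA0", "EEA1", "EEA2", "EEA3"}),
)

MISCONFIGURED = MmeConfig(("EIA2", "EIA1", "EIA3", "EIA0"),
                          ("EEA2", "EEA1", "EEA3", "EEA0"),
                          accept_null_integrity_for_authenticated=True)

HARDENED = MmeConfig(("EIA2", "EIA1", "EIA3", "EIA0"),
                     ("EEA2", "EEA1", "EEA3", "EEA0"))


if __name__ == "__main__":
    for name, cfg in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(name, "direct attach ->", select_security(VICTIM, cfg))
        print(name, "via attacker  ->", select_security(mitm_rewrite(VICTIM), cfg),
              "| impersonation possible:", attacker_can_impersonate(VICTIM, cfg))
    # The one case where EIA0 is allowed: emergency attach without credentials.
    print("hardened, unauthenticated emergency ->",
          select_security(mitm_rewrite(VICTIM), HARDENED, unauthenticated_emergency=True))
```

Running it shows the misconfigured MME answering the rewritten Attach Request with EIA0/EEA0, which is all the relay needs: it can answer the Security Mode Command itself, since with EIA0 there is no MAC to forge, and from then on the network treats the attacker's connection as the victim's. The hardened MME rejects the same request. The UE's own comparison of the replayed capabilities in the Security Mode Command does not help in this flow, because the relay, not the victim, is the one answering that message.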

Resource Depletion Attack

Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim et al

The following is a direct citation from the paper linked above:

The adversary repeatedly performs Random Access and generates RRC Connections in order to increase the number of active RRC Connections as depicted in the diagram shown above. In a normal situation, immediately after the RRC Connection is established, an initial NAS Connection procedure proceeds through either an NAS Attach request or NAS Service request piggybacked on an RRC Connection complete message. In our attack, the adversary sends the NAS Attach request with an arbitrary user IMSI. Unlike the normal procedure, once the adversary receives the NAS Authentication request, it restarts Random Access to establish a new RRC Connection. The reason the adversary does not reply to the NAS Authentication request from the MME is to sustain the established RRC Connection while the MME waits for a valid NAS Authentication response. If the adversary replies with an invalid NAS Authentication response, it causes immediate RRC Connection release. One consideration for the attack to succeed is that the number of newly established RRC Connections has to be greater than the number of existing RRC Connections that are released.
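The last sentence of the quotation is the whole attack in one inequality: connections must be parked faster than the MME releases them. The simulation below is an added illustration, not code from Kim et al. or from any eNB/MME: it models the RRC connection pool of one cell and an MME that keeps a connection parked until the NAS authentication timer T3460 (default 6 s in 3GPP TS 24.301) expires without an Authentication Response. Pool capacity, arrival rates and the mitigation shown (releasing an unanswered connection on a shorter guard timer) are constructed assumptions for the example.

```python
import heapq
import random

T3460_SECONDS = 6.0   # MME authentication timer default (TS 24.301, table 10.2.2)


class CellRrcPool:
    """Constructed model of the RRC connections one cell can hold.

    Every admitted connection occupies a slot until it is released. A legitimate
    UE completes NAS authentication and is released after `legit_hold` seconds.
    An attacker connection never answers the Authentication Request, so its slot
    stays occupied until the MME's timer (`auth_timeout`) tears it down.
    """

    def __init__(self, capacity, auth_timeout=T3460_SECONDS, legit_hold=0.5):
        self.capacity = capacity
        self.auth_timeout = auth_timeout
        self.legit_hold = legit_hold
        self._releases = []            # min-heap of release times
        self.legit_admitted = 0
        self.legit_rejected = 0

    def occupied(self, now):
        """Release everything whose timer has expired, then report the load."""
        while self._releases and self._releases[0] <= now:
            heapq.heappop(self._releases)
        return len(self._releases)

    def rrc_request(self, now, legit):
        """Random Access + RRC Connection Request at time `now`; True if admitted."""
        if self.occupied(now) >= self.capacity:
            if legit:
                self.legit_rejected += 1
            return False
        # Attacker: Attach Request with an arbitrary IMSI, then silence until
        # the MME gives up. Legitimate UE: answers and is released quickly.
        hold = self.legit_hold if legit else self.auth_timeout
        heapq.heappush(self._releases, now + hold)
        if legit:
            self.legit_admitted += 1
        return True


def attack_saturates(attack_rate, auth_timeout, capacity):
    """The paper's condition read through Little's law: parked connections in
    steady state = arrival rate x time each one stays parked. The pool is
    exhausted when that exceeds its capacity."""
    return attack_rate * auth_timeout > capacity


def simulate(capacity, auth_timeout, attack_rate, legit_rate,
             duration=20.0, step=0.005, seed=1):
    """Drive the pool with Poisson-like attacker and legitimate arrivals.

    Returns (legitimate connections admitted, legitimate connections rejected).
    """
    rng = random.Random(seed)
    pool = CellRrcPool(capacity, auth_timeout)
    t = 0.0
    while t < duration:
        if rng.random() < attack_rate * step:
            pool.rrc_request(t, legit=False)
        if rng.random() < legit_rate * step:
            pool.rrc_request(t, legit=True)
        t += step
    return pool.legit_admitted, pool.legit_rejected


if __name__ == "__main__":
    for timeout in (T3460_SECONDS, 1.5):
        admitted, rejected = simulate(200, timeout, attack_rate=60, legit_rate=10)
        print(f"auth timeout {timeout:>4}s: saturates={attack_saturates(60, timeout, 200)} "
              f"legit admitted={admitted} rejected={rejected}")
```

With 60 half-finished attaches per second, each parked for 6 s, about 360 slots are needed in steady state against a pool of 200, so legitimate users start being refused a few seconds in; cutting the parking time to 1.5 s keeps the attacker's steady-state footprint near 90 slots and the same attack rate no longer blocks anyone. `attack_saturates` is the closed-form reading of the same condition and agrees with the simulation.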

Blind DoS Attack

This attack prevents the network from sending paging to the victim UE, or causes a Radio Link Failure, by continuously triggering RRC connections with the victim's S-TMSI.

Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim  et al

For this kind of attack, the attacker first has to figure out the victim's S-TMSI. How? This is the quote from the paper linked above:

  • An adversary who has knowledge of the victim's phone number or accounts on social media (such as Facebook and Whatsapp) could obtain the victim's S-TMSI by performing a silent Paging attack.
  • An adversary located in the vicinity of the target user could operate a rogue eNB to obtain the NAS TAU request of the victim UE. This request contains the S-TMSI of the victim UE. As soon as this message is received, the adversary turns off the rogue eNB to enable the victim UE to recover the LTE service by connecting to a carrier network.
  • The adversary sniffs the RRC Connection procedure of the target UE to obtain the S-TMSI of the target UE as specified in the RRC Connection setup.

Remote de-registration attack

Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim  et al

User Identification Attack by PHY layer hacking

Most of the attacks described above were done by utilizing/analyzing higher-layer traffic (i.e., OTA signaling messages). However, an attack can also be carried out at a much more fundamental level (i.e., the PHY layer). An example is illustrated below.

Source :  From 5G Sniffing to Harvesting Leakages from Privacy-Preserving Messengers  - Norbert Ludant et al

This is the overall procedure of this type of attack:

  • Adversary Sends Messages: The adversary sends Signal messages to the victim's phone number (+1 (555) 111111). These messages are sent at known intervals and with a predictable size, leveraging the victim’s online identity.
  • Victim Receives Messages: The victim's smartphone, which has Signal installed and mobile data enabled, receives these messages. The phone automatically handles these push notifications.
  • Passive Sniffing: The adversary passively sniffs the downlink resource allocations from the gNB (gNodeB) serving the victim. This is done using a 5G sniffer equipped with an SDR (Software-Defined Radio).
  • Correlating Patterns (determination of the victim's RNTI): By correlating the timing and size of the messages sent with the observed downlink resource allocations, the adversary can determine the victim's RNTI. Since the downlink traffic pattern for these messages is recognizable, it can be matched with the traffic generated by the victim's device.

The key point of this type of attack is to decode the PDCCH and thereby obtain each user's resource scheduling information (the user data itself stays encrypted at PDCP, but the allocation pattern leaks). This is done as illustrated below. The diagram is my own summary of the paper From 5G Sniffing to Harvesting Leakages from Privacy-Preserving Messengers.

Here is the verbal description of the above diagram by the author of the paper, Norbert Ludant:

In order to obtain resource-scheduling information from a 5G cell, an attacker would need to decode the Physical Downlink Control Channel (PDCCH), which carries the Downlink Control Information (DCI), which ultimately contains information about resource scheduling. The DCI tells a user, addressed by its RNTI, which resources are directed to the user (DL traffic), or which UL resources to use to transmit its data (UL grant). The DCI contains information such as frequency and time domain resources allocated, the MCS used for the data, etc. By obtaining these DCIs, it is possible to infer the traffic of users in a given cell. In fact, some researchers have used this DCI information to determine which apps or type of service users are using just by looking at the resources allocated to them, by using machine learning techniques. LTE sniffers were developed in the past, such as OWL or FALCON, but due to the increased complexity of the 5G RAN, developing a 5G sniffer became more complicated. Some of the main difficulties come from changes in the encoding of the DCI; for instance, now the scrambling sequence uses as input both the RNTI and some scramblingID that is conveyed through protected RRC messages. This and other changes considerably complicate blind decoding of the DCI.

In order to decode the PDCCH, the receiver obtains the IQ samples from the frequency band that the gNB is operating, and performs time and frequency synchronization, as a normal UE would do. Then, the receiver would need to know the Bandwidth Part and CORESET configuration. However, this is conveyed through RRC messages, such as RRC Reconfiguration/RRC Setup or in MIB/SIB. The best option is to obtain these values by connecting a COTS UE and obtaining these messages, as the connection remains static for long periods of time, and common to all users in a cell. Using this prior information, the CORESET and BWP can be configured. Alternatively, it would be possible to blindly scan for DCIs by using all possible combinations of values, until a DCI is found, and then use that configuration.

Once the configuration is known, the PDCCH symbols have to be decoded to obtain the DCI bits. However, the attacker does not know the aggregation level (AL), the RNTI or scramblingID, or other required parameters. In this case, we optimize finding possible DCIs by finding the correlation with pre-computed PDCCH-DMRS symbols, which accompany each DCI, and are generated by a pseudo-random sequence with the scramblingID used as seed value. Other optimizations come from exploiting redundancy in the rate-matching block, allowing to early determine if an RNTI is valid, or by prioritizing previously seen RNTIs, etc.

The decoded DCIs contain resource scheduling information that can be used for privacy-related attacks such as determining the presence of a user. In order to do so, an attacker would monitor a 5G cell, and decode all resource scheduling to all users. Then, it injects a specific traffic pattern that can be easily recognizable through the resource scheduling information. These patterns need to be robust against background traffic, delays in scheduling, and others. For instance, transmitting an ON-OFF signal which creates sharp peaks (e.g. transmitting a 1 MB file periodically) leads to an easily recognizable pattern. The attacker will then determine that the user is present in a specific cell if it is able to find the injected traffic pattern, link the higher-layer identity, such as the phone number, to the RNTI, and determine that the user is present in the specific area delimited by the cell.

In addition, the resource scheduling information can be used for other privacy-related attacks. For instance, researchers have shown that it is possible to analyze the traffic for a specific user and identify which apps/services are being used, or which YouTube video a user is watching. This can lead to fingerprinting of specific users based on their usage patterns.
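The presence test described in the paragraphs above (inject a recognizable ON-OFF pattern, then look for it in the per-RNTI scheduling recovered from the DCIs) can be written down in a few dozen lines. The Python below is an added example, not code from Ludant et al. or from their sniffer: the DCI decoding itself is replaced by a constructed per-RNTI log of scheduled bytes per slot, with bursty background traffic for unrelated users and, for the victim, the injected bursts arriving a few slots late, as a scheduler would deliver them. C-RNTI values, burst sizes, the pattern period, the scheduling delay and the decision threshold are all assumptions; the correlation step also covers the negative case in which the victim is not camped on the sniffed cell.

```python
import random

SLOTS = 800            # downlink slots the sniffer observes (constructed length)
PERIOD, ON_LEN = 40, 8 # injected ON-OFF pattern: 8 busy slots every 40 slots
BURST_BYTES = 1200     # size of each injected burst as it shows up in DL grants
MAX_LAG = 6            # scheduling delay tolerated between injection and grant
THRESHOLD = 0.5        # minimum correlation to claim "victim present in this cell"


def injection_pattern(slots, start=0):
    """The adversary's own timeline: 1.0 in slots where it pushed traffic."""
    return [1.0 if t >= start and (t - start) % PERIOD < ON_LEN else 0.0
            for t in range(slots)]


def background_traffic(rng, slots, burst_prob=0.05, max_burst=6):
    """Constructed bursty downlink traffic of an unrelated user (bytes per slot)."""
    series = [0.0] * slots
    t = 0
    while t < slots:
        if rng.random() < burst_prob:
            length = rng.randint(1, max_burst)
            for k in range(t, min(slots, t + length)):
                series[k] += rng.randint(100, 900)
            t += length
        else:
            t += 1
    return series


def simulate_cell(n_users, victim_index=None, inject_start=0, delay=3, seed=7):
    """Per-RNTI bytes scheduled per slot, as an attacker would recover from DCIs.

    Returns (pattern, dci_log); dci_log maps C-RNTI -> scheduled bytes per slot.
    victim_index=None means the victim is not camped on this cell.
    """
    rng = random.Random(seed)
    pattern = injection_pattern(SLOTS, inject_start)
    dci_log = {}
    for i in range(n_users):
        rnti = 0x4601 + i                       # constructed C-RNTI values
        series = background_traffic(rng, SLOTS)
        if i == victim_index:
            # The victim's messages get their own DL grants `delay` slots after
            # injection, on top of whatever else the phone is receiving.
            for t in range(delay, SLOTS):
                series[t] += BURST_BYTES * pattern[t - delay]
        dci_log[rnti] = series
    return pattern, dci_log


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


def best_correlation(series, pattern, max_lag=MAX_LAG):
    """Correlate against the pattern shifted by 0..max_lag slots, because the
    scheduler does not serve a burst in the very slot it was sent."""
    best = 0.0
    for lag in range(max_lag + 1):
        shifted = [0.0] * lag + pattern[:len(pattern) - lag]
        best = max(best, pearson(series, shifted))
    return best


def find_victim_rnti(dci_log, pattern, threshold=THRESHOLD):
    """(rnti, score) of the user whose scheduling best matches the injected
    pattern, or (None, score) when nobody in the cell matches well enough."""
    scores = {rnti: best_correlation(s, pattern) for rnti, s in dci_log.items()}
    rnti = max(scores, key=scores.get)
    return (rnti if scores[rnti] >= threshold else None), scores[rnti]


if __name__ == "__main__":
    pattern, log = simulate_cell(20, victim_index=7, inject_start=15)
    print("victim in cell     ->", find_victim_rnti(log, pattern))
    pattern, log = simulate_cell(20, victim_index=None, inject_start=15)
    print("victim not in cell ->", find_victim_rnti(log, pattern))
```

The lag search is what makes the pattern robust to scheduling delay, and the threshold is what separates "present" from "the best of twenty unrelated users". On real DCI logs the same two functions apply unchanged to the bytes per slot implied by each grant's resource allocation and MCS.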

USIM Attack

The USIM (Universal Subscriber Identity Module) plays a critical role in mobile communication, serving as a secure element that stores user credentials and enables authentication with cellular networks. However, as the bridge between the user and the network, the USIM is also a potential target for various security threats. USIM attacks can range from attempts to intercept sensitive data to manipulating authentication protocols, exposing users to risks like unauthorized access, data theft, and identity spoofing. Understanding the vulnerabilities and implementing safeguards around USIM security is essential for maintaining the integrity of mobile communications.

Several typical ways an attacker could gain control of a SIM card are:

  • Physical access to a device or SIM card
  • Remote SIM administration features
  • Supply chain attacks
  • Exploiting vulnerabilities in a SIM’s software

Recently I found a well-documented paper on this subject: SIMurai: Slicing Through the Complexity of SIM Card Security Research. The following are brief highlights from the paper.

Purpose : The main purpose of this paper is to highlight the security risks posed by malicious SIM cards and introduce a new software tool, SIMURAI, to facilitate research in this area. The authors emphasize that hostile SIM cards represent a realistic yet often overlooked attack vector in cellular security. They aim to bring attention to this issue and provide researchers with the means to further investigate and mitigate these threats.

Key arguments and findings : SIM cards' privileged access to a device's baseband, combined with often outdated security measures, makes them vulnerable to exploitation, which tools like SIMURAI can analyze by emulating SIM behavior for research purposes

  • SIM cards have privileged access to a device's baseband. This access, coupled with the baseband's frequent lack of modern security features, makes it a prime target for exploitation.
  • Several realistic scenarios could enable an attacker to control a SIM card. These include physical access, remote administration features, supply chain attacks, and exploiting vulnerabilities in a SIM's software stack.
  • SIMURAI is a flexible software platform that enables a wide range of security-focused research on SIM cards. Unlike previous tools that relied on physical SIMs, SIMURAI allows researchers to emulate SIM card behavior and deliberately violate standards for testing purposes.

Exposed/Identified threat : The paper showcases SIMURAI's ability to replicate real-world SIM-based threats, conduct large-scale vulnerability research, and demonstrate practical attack scenarios, emphasizing the risks posed by malicious SIM cards.

  • Replication of SIM-based spyware: The authors easily re-implemented the core functionality of Simjacker, a known SIM-based spyware, using SIMURAI. This demonstrates the platform's ability to aid in analyzing and understanding real-world threats.
  • Fuzzing campaign against commercial baseband firmware: By integrating SIMURAI with the FirmWire emulation platform, the authors conducted a large-scale fuzzing campaign that uncovered two high-severity vulnerabilities in Google Pixel devices. This finding underscores the potential for malicious SIM cards to compromise device security.
  • Case studies demonstrating the feasibility of SIM-based attacks: The paper outlines two attack scenarios: using a SIM interposer to gain physical access and leveraging a rogue carrier's ability to remotely update a SIM. The authors successfully implemented proof-of-concept attacks for both scenarios using SIMURAI, highlighting the practical implications of hostile SIM cards.

Test Setup : The paper uses three distinct test setups to evaluate SIMURAI's capabilities and demonstrate the feasibility of SIM-based attacks, as illustrated below. These setups allow researchers to analyze SIM card interactions within different cellular network environments, ranging from physical devices to fully emulated systems.

The following are brief descriptions of each setup:

  • Setup 1: Physical UE in 2G/4G/5G Networks
    • This setup uses real smartphones in conjunction with physical 2G, 4G, and 5G networks. The key element here is the SIMtrace2 device, a specialized hardware tool that acts as a bridge between the smartphone and SIMURAI.
    • SIMtrace2 connects to the smartphone through its SIM card slot and communicates with SIMURAI running on a separate workstation via USB.
    • SIMtrace2 runs cardem firmware which allows it to intercept and forward messages between the phone and SIMURAI, providing the electrical and transmission-layer interface necessary for data exchange
    • This setup allowed researchers to test SIMURAI's compatibility with various commercial smartphones and confirm its ability to establish network connections, access the SIM file system, and perform authentication procedures
  • Setup 2: Emulated, SRS-based Network
    • This setup leverages the srsRAN framework, a software suite that provides a nearly complete end-to-end emulated cellular environment.
    • srsRAN includes implementations for a core network, an eNodeB, and a UE, facilitating research without relying on physical hardware for these components.
    • The authors connected SIMURAI to the UE component (srsUE) using two approaches:
      • Via SIMtrace2, similar to Setup 1. This demonstrated SIMURAI's flexibility and confirmed consistent behavior across different setups.
      • Directly to the SIM layer of srsUE using its PC/SC interface. This method bypassed the need for any hardware, enabling a fully virtualized connection between the emulated UE and SIMURAI.
      • This direct integration represents a step towards achieving a completely virtual, end-to-end cellular setup, which can offer advantages in terms of scalability and control
  • Setup 3: Emulation Platform
    • This setup focuses on emulating the baseband firmware itself using the FirmWire platform.
    • FirmWire allows researchers to analyze the behavior of baseband firmware images from different devices in a controlled environment.
    • A key challenge was the lack of a built-in way to connect a SIM card in FirmWire.
    • To address this, the researchers reverse engineered the firmware for Samsung Exynos-based UEs and developed a custom USIM peripheral.
    • This peripheral acts as a virtual SIM card, utilizing SIMURAI's low-level interfaces to exchange data with the emulated baseband firmware in FirmWire.
    • This integration enables more realistic analysis of baseband behavior, especially for functionality that relies on SIM card interactions, such as SMS and USSD processing
