Security In Cellular Communication

In any information technology there has always been some risk of attack. Until recently, though, cellular communication was considered relatively hard (by many people, impossible) to attack. I don't think that is the case any more, and it is about time to start taking security in cellular communication seriously.

In short, I can think of several possible points of vulnerability (i.e., points of attack). There are surely more that I have failed to think of, and more will appear over time.

Possible Points of Attack

For most people, point (A) (an attack by a mobile phone app) is the most widely known type. Strictly speaking, though, this type is not a security issue of cellular communication itself unless the app is attacking the modem chipset or the mobile radio protocol; it is the conventional kind of attack we hear about for PCs and other application platforms.

Another relatively well-known type is point (D), the jammer. A jammer is not always used as an attack tool; it may be deployed for an intended purpose (e.g., blocking cellular communication in a workshop hall). Still, it has to be regarded as a serious attacker when it blocks service, and in some cases it can even damage the hardware of the system directly.

When I talk about "Security in Cellular Communication" I focus mainly on points (B), (C) and (D). These are the main topics of this note.

Here is a brief description of each attack point in cellular security as illustrated above.

(A) Hacking App: This involves using software tools installed on a mobile device to exploit vulnerabilities in the cellular network. The app can intercept data, manipulate network behavior, or perform man-in-the-middle attacks.

(B) Fake Base Station: Also known as an IMSI catcher or Stingray, this device mimics a legitimate base station to trick nearby mobile phones into connecting to it. This allows the attacker to intercept calls, text messages, or gather device information.

(C) Sniffer: A sniffer captures cellular traffic between devices and base stations. This passive attack tool can be used to monitor and analyze communication, attempting to decode messages or track users without their knowledge.

(D) Jammer: A jammer emits radio signals to disrupt communication between mobile phones and legitimate base stations. This can cause a denial of service, preventing users from making calls, sending texts, or accessing data services.

(E) Fake Mobile Phone: An attacker may use a fake or modified mobile phone to exploit vulnerabilities in network protocols or services. This can be used for impersonating a legitimate user or testing network defenses.

(F) USIM Attack: This targets the USIM (Universal Subscriber Identity Module) of a mobile phone, often through over-the-air (OTA) updates or malicious SIM cards. It aims to gain unauthorized access to SIM data or to manipulate SIM-based authentication.

(G) Injector: This attack involves injecting malicious or spoofed signals into radio link(e.g, into a specific PHY subframe). By crafting signals that appear legitimate, the attacker can manipulate or disrupt normal network operations, trigger unauthorized actions on devices, or facilitate further exploits (e.g., man-in-the-middle attacks). The injected signals may impersonate valid network messages, overwhelm devices, or force them into vulnerable states, thereby enabling deeper compromise of the cellular ecosystem.

Why didn't we worry much about cellular security?

For some reason, cellular communication (at least 3G and later) has been regarded as almost perfectly secure against any type of attack. I don't know exactly what the reasoning behind this perception is, but I would think of a few reasons as follows:

  • The security design of cellular communication is very robust. Several different protection mechanisms run at multiple layers by default (e.g., authentication, integrity protection and ciphering). I am not an expert who can technically verify that these algorithms are stronger than others by design.
  • Security keys (e.g., K and OPc) and related parameters (e.g., AMF) are not managed by individual users. Even the user does not know these values for their own device. They are stored in the USIM and in the carrier's database (HSS/AuC in LTE, UDM in 5G). The keys also have a certain complexity by default: K is a random 128-bit secret (5G also allows 256 bits), so you cannot set something like 12345678, your birthday or your phone number for it :)
  • For attackers to develop any method of attack, they need to research and experiment on the target system, and getting access to such R&D systems has been prohibitively expensive.
  • Relatively few people understand the details of the system well enough to figure out its weak points.

Why should we worry about this now?

To me, there has not been much change from 3G through 5G in the fundamental security protection algorithms, so why should we now take this issue seriously? What has changed is the environment, above all the accessibility of the technology. Some of the changes I can think of are as follows.

  • Development of software technology and reduced hardware cost: there are now many purely software-based protocol implementations running on general-purpose hardware (PCs, even very low-cost ones like a Raspberry Pi, typically with an SDR front end). The original motivation for these implementations was of course not to attack anything, but historically most attacks simply reuse well-intentioned technology for ill purposes.
  • It is also getting harder to guarantee quality assurance in terms of security as more diverse implementations appear, especially software implementations running on general-purpose hardware. This concern is also raised in the Samsung 6G whitepaper.
  • The number of people fluent in the technology: as mentioned above, I think whether an attack happens is mostly an ethical question rather than a technical one. In the early phase of a technology, when there is no large mass of experts, the ethics of its use are relatively well maintained. As command of the technology spreads to a wider range of people it becomes harder and harder to maintain the ethics originally intended, and even the definition of those ethics varies with many factors.
  • There are now active discussions on the next-generation cellular system (6G). It is a good time to think about this, from innovating the security protection algorithms themselves through to how to deal with the ethical issues using technology.

What to expect in security protection in the next generation (6G) cellular system?

In this section I will try to compile various ideas and visions proposed by different sources.

Source : Roadmap to 6G (NextG Alliance)

The following are some suggestions from the Samsung 6G whitepaper from a security point of view.

  • Hardware-based secure environment that provides secure operation of software code and protection of credentials
  • Secure-by-design approach to guarantee that any hardware/software can be trusted
  • Transparency to ensure that the system identifies how and when the AI system accesses any code, training data, etc. related to personal information as well as how securely the AI system operates against adversarial machine learning
  • Mechanisms to securely utilize an unprecedented amount of information concerning business and human users and to strictly maintain the privacy of such information

Evolution of Cellular Technology and Coevolution of Attack Strategies

From the early days of 1G analog systems to the 5G networks of today, each generation of cellular technology has brought significant advances in speed, capacity and reliability. As the technology evolved, so did the strategies of those looking to exploit its weaknesses, and innovation in security has to keep pace with each technological step. Here we look at the intertwined evolution of cellular technology and attack methodology, highlighting the challenges and the solutions along the way.

Here, Norbert Ludant has provided a comprehensive and perceptive review of the evolution of security procedures and of the counteracting methodologies.

Security Vulnerabilities and Attack Strategies across Generations of Cellular Technology

Initially, cellular communications were not very secure because they were designed with the attacker capabilities at that time in mind. For that reason, 2G did not even have mutual authentication, because they didn't think it would be doable for an attacker to actually create a rogue BS. However, with the proliferation of SDRs and low-cost hardware and software implementations, all this became possible. In fact, to this day many attacks rely on downgrading a user to insecure 2G networks, and that is why Android, for instance, now allows the user to disable 2G. Moreover, if you look at the 5G standard, 5G-AKA now has an Anti-Bidding-down Between Architectures (ABBA) parameter to protect from downgrade attacks. Additionally, for instance in 38.331 Annex B.1, Protection of RRC Messages, I think there are indications that they are trying to protect from some of these downgrade attacks, e.g. "RRCRelease message sent before AS security activation cannot include deprioritisationReq, suspendConfig, redirectedCarrierInfo, cellReselectionPriorities information fields."

In 3G, 3GPP added mutual authentication, making rogue base stations less effective. However, user tracking is still a very important attack, which was possible both in 3G and 4G networks. In fact, law enforcement used this very often, basically by using IMSI catchers (Stingray). In essence, you can just start a rogue eNB with high power, and when users try to connect to your rogue BS, you would capture their IMSI, or if they send TMSI, you would send an Identity Request with type IMSI. There are various other ways of tracking users, researchers also showed that it is possible to localize users by linking TMSI to social media, phone number, etc, by listening to paging messages, for instance through silent SMS/phone calls.

However, in 5G, to fix the issue with user-tracking, the standard added the use of SUCI instead of sending the unprotected IMSI. In this way, it is not possible to implement an IMSI catcher in 5G (except in some corner cases). Additionally, now it is also mandatory to change the TMSI after every paging procedure, which makes paging-procedure user tracking attacks also hard to perform. Other protection mechanisms were also added in 5G such as protection of the initial NAS message, or integrity protection of the user plane. Due to all these changes, the 5G RAN is considered considerably more secure than its predecessor, LTE.

Higher-Layer vs Lower-Layer Attacks

As mentioned above, significant effort has been devoted to enhancing the security mechanisms of 5G, and it has become harder and harder to find vulnerabilities in the protection mechanisms at the higher layers (e.g., by exploiting security-related signaling procedures).

Due to this, I think some of the security research may be shifting to study vulnerabilities in devices with low-capabilities (IoT), or unprotected low layers. In general the impact of vulnerabilities scales as you go to higher layers, because there is more persistent or relevant UE-related information being exchanged (e.g. IMSI, encrypted data, etc), however it is also easier to protect with proper security measures. The lower layers are tricky to protect, because there is a strong trade-off between security/privacy/reliability and performance, both in throughput and latency. In general I would say that the lower layers are harder to attack or have a strong impact because everything is less “static”; RRC connections can last for some seconds, which leads to temporary identifiers, whereas higher-layer connections are more persistent. Another aspect of working on the low-layers is that it requires expertise in many tough subjects required for PHY attacks, such as RF knowledge, security, and in-depth understanding of the complicated 3GPP procedures.

As an example of security/performance trade-off, due to the requirements for lower-latency communications, many procedures are being pushed to the lower layers, for instance, the initial 4G release had ~7 MAC CE in the specification, whereas the latest 5G release has more than 50. The MAC headers are sent unprotected, because encryption/integrity protection happens at PDCP, so attackers can sniff/inject control elements at low layers nowadays, which is very important too.

In my research, the increased security at higher layers, and the push for control in the lower layers, motivated me to analyze the security and privacy of the low layers of the 5G protocol stack. Particularly, as the encryption and integrity protection happen at the PDCP layer, we look for information leakages in the layers below, such as PHY/MAC. Moreover, with new use-cases such as URLLC, the reliability of the system becomes a crucial aspect, thus the standards for protection are raised, and attacks such as DoS become more important.

In one of our projects, for instance, we wanted to understand if it is still possible to track users, similarly to IMSI-catching, but in 5G, where all the new security enhancements are in place. To answer that we look at the low layers, at the resource-scheduling happening in the PHY/MAC. We leverage the fact that the RNTI (Radio Network Temporary Identifier) is tied to one RRC Connection, and would remain the same while there is an active connection. Then, we inject a specific traffic pattern, and we look at the resources allocated to all users in a cell; if we are able to identify the pattern, then we would be able to tell if a user is in a certain area or not, and link it to the phone number/other high layer ID that we used to generate the traffic. Moreover, we create a modified Signal app that sends a message with a wrong Message Authentication Code (MAC). In this way, you can send constant data to a Signal app user, without the user receiving any notification, because the messages are discarded upon arrival due to wrong integrity checks. This makes the attack quite stealthy.

In general, I think attacks on the signaling level are more powerful, because they can contain long-term user-specific data (identifiers, location...), or modify the state of the UE. However, by looking at the PHY level, we showed that it is also possible to infer user information and violate the user-privacy and track users, finding alternatives for given attacks, and motivating the protection of low-layer information.

How to attack?

Don't get me wrong. This is not about teaching you attack tricks so that you can become an attacker. It is about illustrating some cases of vulnerability and motivating you to get interested in how to remove those vulnerabilities by design. I will also try to summarize what I have learned about various techniques from the sources I have read and from experts I know personally.

Impersonation Attack

I think this is the most well-known type of attack. Basically, a man-in-the-middle sits between the victim UE and the network and manipulates the authentication and security parameters so that the network applies the lowest level of protection (authentication only, with no integrity protection and no ciphering, i.e., the null algorithms EIA0/EEA0), and then uses the victim UE's access information to occupy the traffic channel.

Source :  LTE security disabled: misconfiguration in commercial networks by Chlosta, Merlin et al.

The procedure is already described in a very readable way in the paper :), so I am just copying the description from the original paper as it is:

    (1) The benign UE connects to the attacker and sends an Attach Request, containing the IMSI and Security Capabilities.

    (2) The attacker forwards the Attach Request but modifies the supported algorithms to EIA0 and EEA0 only.

    (3) The commercial network starts the AKA with an Authentication Request containing the challenge and network authentication (RAND and AUTN).

    (4) The attacker forwards the Authentication Request to the victim UE.

Note that in case the UE connects with Attach Request but identifies with TMSI, the attacker requests the IMSI with an Identity Request. If the UE connects with Service Request or Tracking Area Update, the attacker denies access with reason Implicitly Detached, forcing the UE to re-attach with Attach Request.
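The relay steps quoted above, modelled as an added example (this is not code from the Chlosta et al. paper). It follows the Attach Request through the attacker to the MME and then the Security Mode Command back to the UE, and shows the two checks that decide whether the downgrade succeeds: whether the MME is willing to select EIA0/EEA0 for a normal attach (the misconfiguration the paper reports), and whether the UE refuses null integrity, since the replayed-capabilities check in the Security Mode Command is worthless once the MAC-I is the EIA0 constant. The message classes, the toy MAC and the key are illustrative stand-ins:

```python
# Added example, not code from the Chlosta et al. paper: a model of the
# EIA0/EEA0 bidding-down relay quoted above and of the two checks meant to
# stop it. Message classes, the toy MAC and the key are illustrative stand-ins.
from dataclasses import dataclass
import hashlib
import hmac

NULL_ALGS = {"EIA0", "EEA0"}
MAC_LEN = 4  # NAS MAC-I is 32 bits


@dataclass
class AttachRequest:
    imsi: str
    ue_caps: list  # UE security capabilities as sent by the UE


@dataclass
class SecurityModeCommand:
    integrity: str
    ciphering: str
    replayed_caps: list  # TS 33.401: the MME echoes the capabilities it received
    mac: bytes = b""


def relay_attach(req, offer=frozenset(NULL_ALGS)):
    """Attacker step (2): forward the Attach Request advertising only `offer`."""
    return AttachRequest(req.imsi, [a for a in req.ue_caps if a in offer])


def mme_select(req, allow_null):
    """MME algorithm choice in preference order. allow_null=True models the
    misconfiguration found in the paper: the MME accepts a UE claiming to
    support nothing but the null algorithms."""
    int_prefs = ["EIA2", "EIA1"] + (["EIA0"] if allow_null else [])
    ciph_prefs = ["EEA2", "EEA1"] + (["EEA0"] if allow_null else [])
    caps = set(req.ue_caps)
    ia = next((a for a in int_prefs if a in caps), None)
    ea = next((a for a in ciph_prefs if a in caps), None)
    if ia is None or ea is None:
        return None  # no acceptable algorithm set: reject the attach
    return SecurityModeCommand(ia, ea, list(req.ue_caps))


def _smc_bytes(smc):
    return f"{smc.integrity}|{smc.ciphering}|{','.join(smc.replayed_caps)}".encode()


def mac_i(smc, k_nas_int):
    """Toy MAC-I: all zeros under EIA0 (as with the real null algorithm);
    otherwise a truncated HMAC standing in for SNOW 3G / AES-CMAC."""
    if smc.integrity == "EIA0":
        return bytes(MAC_LEN)
    return hmac.new(k_nas_int, _smc_bytes(smc), hashlib.sha256).digest()[:MAC_LEN]


def relay_smc(smc, original_caps):
    """Attacker relays the Security Mode Command. Under EIA0 the MAC-I is a
    constant, so the attacker can put the original capability list back and
    the UE's replay check cannot see the change. Under a real algorithm the
    attacker has no K_NASint and must forward the message untouched."""
    if smc.integrity == "EIA0":
        return SecurityModeCommand(smc.integrity, smc.ciphering, list(original_caps), smc.mac)
    return smc


def ue_verify(smc, sent_caps, k_nas_int, reject_null=True, emergency=False):
    """UE checks on the Security Mode Command. Returns a short verdict string."""
    if reject_null and smc.integrity == "EIA0" and not emergency:
        return "ue rejected: null integrity for a normal attach"
    if not hmac.compare_digest(mac_i(smc, k_nas_int), smc.mac):
        return "ue rejected: MAC-I failure"
    if smc.replayed_caps != sent_caps:
        return "ue rejected: capability mismatch (bidding down)"
    return f"accepted {smc.integrity}/{smc.ciphering}"


def run_scenario(allow_null, reject_null, offer=frozenset(NULL_ALGS)):
    """Steps (1)-(2) of the relay, then the Security Mode Command that follows AKA."""
    k_nas_int = bytes(range(16))  # constructed key, never a real one
    ue_caps = ["EIA2", "EIA1", "EIA0", "EEA2", "EEA1", "EEA0"]
    req = AttachRequest("001010123456789", ue_caps)  # (1) UE -> attacker
    smc = mme_select(relay_attach(req, offer), allow_null)  # (2) attacker -> MME
    if smc is None:
        return "mme rejected: no acceptable algorithm"
    smc.mac = mac_i(smc, k_nas_int)
    return ue_verify(relay_smc(smc, ue_caps), ue_caps, k_nas_int, reject_null)


if __name__ == "__main__":
    print("misconfigured MME, permissive UE :", run_scenario(True, False))
    print("misconfigured MME, strict UE     :", run_scenario(True, True))
    print("correct MME                      :", run_scenario(False, False))
    print("weaker-but-real algorithm forced :", run_scenario(False, True, {"EIA1", "EEA1"}))
```

The fourth scenario is the case the replayed-capabilities check was designed for: when the attacker strips the list down to a real but weaker algorithm, the MME still integrity-protects the Security Mode Command with a key the attacker does not have, so the UE sees that the echoed capabilities differ from what it sent. The check only fails when both sides tolerate EIA0, which is exactly the combination the paper found in the field.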

Resource Depletion Attack

Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim et al

The following is a direct quotation from the paper linked above:

The adversary repeatedly performs Random Access and generates RRC Connections in order to increase the number of active RRC Connections as depicted in the diagram shown above. In a normal situation, immediately after the RRC Connection is established, an initial NAS Connection procedure proceeds through either an NAS Attach request or NAS Service request piggybacked on an RRC Connection complete message. In our attack, the adversary sends the NAS Attach request with an arbitrary user IMSI. Unlike the normal procedure, once the adversary receives the NAS Authentication request, it restarts Random Access to establish a new RRC Connection. The reason the adversary does not reply to the NAS Authentication request from the MME is to sustain the established RRC Connection while the MME waits for a valid NAS Authentication response. If the adversary replies with an invalid NAS Authentication response, it causes immediate RRC Connection release. One consideration for the attack to succeed is that the number of newly established RRC Connections has to be greater than the number of existing RRC Connections that are released.
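From the defender's side, the pattern quoted above has a clear signature on the eNB/MME: a burst of new RRC connections whose Attach Requests carry arbitrary IMSIs, each left hanging after the Authentication Request, with releases not keeping up. The following is an added example (not code from the Kim et al. paper) of detection logic over a constructed trace; the log format and event names are hypothetical and would have to be mapped to the fields of a real trace:

```python
# Added example, not code from the Kim et al. paper: detection logic for the
# RRC connection depletion pattern quoted above, run over a constructed trace.
# The log format and event names are hypothetical; map them to the fields of
# your own eNB/MME trace.
import re
from collections import defaultdict

# Constructed trace. Cell 17 is normal traffic; cell 42 shows the attack:
# fresh RRC connections with Attach Requests for arbitrary IMSIs, each left
# hanging after the Authentication Request, and no releases.
SAMPLE_LOG = """\
t=0.00 cell=17 ev=RRC_SETUP crnti=0x1a
t=0.02 cell=17 ev=NAS_ATTACH_REQ crnti=0x1a imsi=001010000000001
t=0.05 cell=17 ev=NAS_AUTH_REQ crnti=0x1a
t=0.30 cell=17 ev=NAS_AUTH_RESP crnti=0x1a
t=1.00 cell=17 ev=RRC_SETUP crnti=0x1b
t=1.02 cell=17 ev=NAS_SERVICE_REQ crnti=0x1b
t=2.00 cell=42 ev=RRC_SETUP crnti=0x40
t=2.01 cell=42 ev=NAS_ATTACH_REQ crnti=0x40 imsi=001019900000001
t=2.03 cell=42 ev=NAS_AUTH_REQ crnti=0x40
t=2.10 cell=42 ev=RRC_SETUP crnti=0x41
t=2.11 cell=42 ev=NAS_ATTACH_REQ crnti=0x41 imsi=001019900000002
t=2.13 cell=42 ev=NAS_AUTH_REQ crnti=0x41
t=2.20 cell=42 ev=RRC_SETUP crnti=0x42
t=2.21 cell=42 ev=NAS_ATTACH_REQ crnti=0x42 imsi=001019900000003
t=2.23 cell=42 ev=NAS_AUTH_REQ crnti=0x42
t=2.30 cell=42 ev=RRC_SETUP crnti=0x43
t=2.31 cell=42 ev=NAS_ATTACH_REQ crnti=0x43 imsi=001019900000004
t=2.33 cell=42 ev=NAS_AUTH_REQ crnti=0x43
t=2.40 cell=42 ev=RRC_SETUP crnti=0x44
t=2.41 cell=42 ev=NAS_ATTACH_REQ crnti=0x44 imsi=001019900000005
t=2.43 cell=42 ev=NAS_AUTH_REQ crnti=0x44
t=2.50 cell=42 ev=RRC_SETUP crnti=0x45
t=2.51 cell=42 ev=NAS_ATTACH_REQ crnti=0x45 imsi=001019900000006
t=2.53 cell=42 ev=NAS_AUTH_REQ crnti=0x45
t=5.00 cell=17 ev=RRC_RELEASE crnti=0x1a
t=6.00 cell=17 ev=RRC_RELEASE crnti=0x1b
"""

_LINE = re.compile(
    r"t=(?P<t>[\d.]+) cell=(?P<cell>\d+) ev=(?P<ev>\w+) crnti=(?P<crnti>0x[0-9a-f]+)"
    r"(?: imsi=(?P<imsi>\d+))?$"
)


def parse(text):
    """Parse trace lines into dicts, sorted by time; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["t"], d["cell"] = float(d["t"]), int(d["cell"])
        events.append(d)
    return sorted(events, key=lambda e: e["t"])


def analyze(text, auth_timeout=1.0):
    """Per-cell counters. An Authentication Request still unanswered after
    auth_timeout seconds (measured against the end of the trace) counts as hanging."""
    cells = defaultdict(lambda: {"setups": 0, "releases": 0, "imsis": set(), "pending": {}})
    last_t = 0.0
    for e in parse(text):
        c, ev, rnti = cells[e["cell"]], e["ev"], e["crnti"]
        last_t = max(last_t, e["t"])
        if ev == "RRC_SETUP":
            c["setups"] += 1
        elif ev == "NAS_ATTACH_REQ" and e["imsi"]:
            c["imsis"].add(e["imsi"])
        elif ev == "NAS_AUTH_REQ":
            c["pending"][rnti] = e["t"]
        elif ev == "NAS_AUTH_RESP":
            c["pending"].pop(rnti, None)
        elif ev == "RRC_RELEASE":
            c["releases"] += 1
            c["pending"].pop(rnti, None)
    summary = {}
    for cell, c in cells.items():
        unanswered = sum(1 for t0 in c["pending"].values() if last_t - t0 >= auth_timeout)
        summary[cell] = {
            "setups": c["setups"],
            "releases": c["releases"],
            "open": c["setups"] - c["releases"],
            "distinct_imsi": len(c["imsis"]),
            "unanswered_auth": unanswered,
        }
    return summary


def flag(summary, min_unanswered=5):
    """Cells where connections pile up with authentication left hanging: the
    paper's success condition (new connections outpacing releases) plus the
    tell-tale unanswered Authentication Requests."""
    return sorted(
        cell for cell, s in summary.items()
        if s["unanswered_auth"] >= min_unanswered and s["open"] > 0
    )


if __name__ == "__main__":
    stats = analyze(SAMPLE_LOG)
    for cell in sorted(stats):
        print(cell, stats[cell])
    print("flagged cells:", flag(stats))
```

The threshold and timeout are deliberately simple; in a live deployment they would be tuned per cell against the normal authentication round-trip time, and the distinct-IMSI count is a useful second signal because a legitimate burst of attaches (e.g. after an outage) repeats known subscribers rather than arbitrary identities.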

Blind DoS Attack

This attack prevents the network from paging the victim UE, or causes a radio link failure, by continuously triggering RRC connections with the victim's S-TMSI.

Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim  et al

For this kind of attack the attacker first has to figure out the victim's S-TMSI. How? The following is quoted from the paper linked above.

  • An adversary who has knowledge of the victim's phone number or accounts on social media (such as Facebook and WhatsApp) could obtain the victim's S-TMSI by performing a silent Paging attack.
  • An adversary located in the vicinity of the target user could operate a rogue eNB to obtain the NAS TAU request of the victim UE. This request contains the S-TMSI of the victim UE. As soon as this message is received, the adversary turns off the rogue eNB to enable the victim UE to recover the LTE service by connecting to a carrier network.
  • The adversary sniffs the RRC Connection procedure of the target UE to obtain the S-TMSI of the target UE as specified in the RRC Connection setup.

Remote de-registration attack

Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim  et al

User Identification Attack by PHY Layer Hacking

Most of the attacks described above were carried out by utilizing/analyzing higher-layer traffic (i.e., OTA signaling messages). However, an attack can also be mounted at a much more fundamental level (i.e., the PHY layer). An example is illustrated below.

Source :  From 5G Sniffing to Harvesting Leakages from Privacy-Preserving Messengers  - Norbert Ludant et al

This is the overall procedure for this type of attack:

  • Adversary Sends Messages: The adversary sends Signal messages to the victim's phone number (+1 (555) 111111). These messages are sent at known intervals and with a predictable size, leveraging the victim’s online identity.
  • Victim Receives Messages: The victim's smartphone, which has Signal installed and mobile data enabled, receives these messages. The phone automatically handles these push notifications.
  • Passive Sniffing: The adversary passively sniffs the downlink resource allocations from the gNB (gNodeB) serving the victim. This is done using a 5G sniffer equipped with an SDR (Software-Defined Radio).
  • Correlating Patterns(Determination of the victim's RNTI): By correlating the timing and size of the messages sent with the observed downlink resource allocations, the adversary can determine the victim's RNTI. Since the downlink traffic pattern for these messages is recognizable, it can be matched with the traffic generated by the victim's device.
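The correlation step of the procedure above, written out as an added example (this is not code from the Ludant et al. paper). It builds a constructed DCI trace of (slot, RNTI, transport block size) for a cell with several background users and one victim whose downlink allocations follow an injected ON-OFF pattern after a few slots of scheduling delay, then scores every RNTI's per-slot byte series against the pattern over a range of lags and returns the best match. The trace format, the pattern and the thresholds are assumptions:

```python
# Added example, not code from the Ludant et al. paper: the correlation step
# of the procedure above, run over a constructed DCI trace. The trace format
# (slot, RNTI, transport block size) and the traffic pattern are assumptions.
import random

VICTIM_RNTI = 0x4A3C  # constructed value


def make_template(period=20, on=5, repeats=4):
    """Injected ON-OFF pattern, one value per slot: bursts of `on` slots every `period` slots."""
    return [1.0 if (i % period) < on else 0.0 for i in range(period * repeats)]


def simulate_cell(template, victim_present=True, delay=3, n_background=6, seed=7):
    """Constructed sniffer output: (slot, rnti, tbs_bytes) for every DL allocation.
    Background users get random scheduling; the victim's allocations follow the
    injected pattern, shifted by `delay` slots of scheduling latency, on top of
    a little traffic of its own."""
    rng = random.Random(seed)
    others = [r for r in (rng.randrange(0x0100, 0xFFF0) for _ in range(n_background))
              if r != VICTIM_RNTI]
    trace = []
    for slot in range(len(template) + delay + 5):
        for r in others:
            if rng.random() < 0.4:
                trace.append((slot, r, rng.choice([100, 300, 800, 1500, 3000])))
        i = slot - delay
        if victim_present and 0 <= i < len(template):
            if template[i] > 0:
                trace.append((slot, VICTIM_RNTI, 12000 + rng.randrange(0, 500)))
            elif rng.random() < 0.2:
                trace.append((slot, VICTIM_RNTI, 300))
    return trace


def series_by_rnti(trace):
    """Bytes scheduled per slot, one series per RNTI."""
    n_slots = max(slot for slot, _, _ in trace) + 1
    per = {}
    for slot, rnti, tbs in trace:
        per.setdefault(rnti, [0.0] * n_slots)[slot] += tbs
    return per


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / (sxx * syy) ** 0.5


def best_lag(series, template, max_lag):
    """Highest correlation over the lags that scheduling delay could introduce."""
    best_score, best_l = -1.0, 0
    for lag in range(max_lag + 1):
        window = series[lag:lag + len(template)]
        if len(window) < len(template):
            break
        score = pearson(window, template)
        if score > best_score:
            best_score, best_l = score, lag
    return best_score, best_l


def identify_rnti(trace, template, max_lag=8, min_score=0.7):
    """Returns (rnti, score, lag) of the RNTI whose allocations match the injected
    pattern, or None when no user in the cell matches (victim not present)."""
    scored = {rnti: best_lag(s, template, max_lag) for rnti, s in series_by_rnti(trace).items()}
    rnti, (score, lag) = max(scored.items(), key=lambda kv: kv[1][0])
    return (rnti, score, lag) if score >= min_score else None


if __name__ == "__main__":
    tpl = make_template()
    print("victim present:", identify_rnti(simulate_cell(tpl), tpl))
    print("victim absent :", identify_rnti(simulate_cell(tpl, victim_present=False), tpl))
```

The lag search is what makes the pattern robust to scheduling delay, and the sharp ON-OFF shape with large bursts is what keeps the correlation high against background traffic; the min_score threshold is what turns the same routine into a presence test, returning None when the victim is not in the cell.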

The key point of this type of attack is to decode the PDCCH, which exposes the scheduling (DCI) of every user's traffic in the cell even though the user data itself stays ciphered. This is done as illustrated below. The following is my own summary of the paper: From 5G Sniffing to Harvesting Leakages from Privacy-Preserving Messengers.

Here goes the verbal description of the above diagram by the author of the paper, Norbert Ludant:

In order to obtain resource-scheduling information from a 5G cell, an attacker would need to decode the Physical Downlink Control Channel (PDCCH), which carries the Downlink Control Information (DCI), which ultimately contains information about resource scheduling. The DCI tells a user, addressed by its RNTI, which resources are directed to the user (DL traffic), or which UL resources to use to transmit its data (UL grant). The DCI contains information such as frequency and time domain resources allocated, the MCS used for the data, etc. By obtaining these DCIs, it is possible to infer the traffic of users in a given cell. In fact, some researchers have used this DCI information to determine which apps or type of service users are performing just by looking at the resources allocated to them, by using machine learning techniques. LTE sniffers were developed in the past, such as OWL or FALCON, but due to the increased complexity of the 5G RAN, developing a 5G Sniffer became more complicated. Some of the main difficulties come from changes in the encoding of the DCI, for instance, now the scrambling sequence uses as input both the RNTI and some scramblingID that is conveyed through protected RRC messages. This and other changes considerably complicate blindly decoding the DCI.

In order to decode the PDCCH, the receiver obtains the IQ samples from the frequency band in which the gNB is operating, and performs time and frequency synchronization, as a normal UE would do. Then, the receiver would need to know the Bandwidth Part and CORESET configuration. However, this is conveyed through RRC messages, such as RRC Reconfiguration/RRC Setup or in MIB/SIB. The best option is to obtain these values by connecting a COTS UE and obtaining these messages, as the connection remains static for long periods of time, and common to all users in a cell. Using this prior information, the CORESET and BWP can be configured. Alternatively, it would be possible to blindly scan for DCIs by using all possible combinations of values, until a DCI is found, and then use that configuration.

Once the configuration is known, the PDCCH symbols have to be decoded to obtain the DCI bits. However, the attacker does not know the aggregation level (AL), the RNTI or scramblingID, or other required parameters. In this case, we optimize finding possible DCIs by finding the correlation with pre-computed PDCCH-DMRS symbols, which accompany each DCI, and are generated by a pseudo-random sequence with the scramblingID used as seed value. Other optimizations come from exploiting redundancy in the rate-matching block, allowing to early determine if an RNTI is valid, or by prioritizing previously seen RNTIs, etc.

The decoded DCIs contain resource scheduling information that can be used for privacy-related attacks such as determining the presence of a user. In order to do so, an attacker would monitor a 5G cell, and decode all resource scheduling to all users. Then, it injects a specific traffic pattern that can be easily recognizable through the resource scheduling information. These patterns need to be robust against background traffic, delays in scheduling, and others. For instance, transmitting an ON-OFF signal which creates sharp peaks (e.g. transmitting 1 MB file periodically), leads to an easily recognizable pattern. The attacker then will determine if the user is present in a specific cell, if it is able to find the injected traffic pattern, and link the higher layer identity, such as phone number, to the RNTI, and determine that a user is present in a specific area delimited by the cell.

In addition, the resource scheduling information can be used for other privacy-related attacks. For instance, researchers have shown that it is possible to analyze the traffic for a specific user and identify which apps/services are being used, or which YouTube video a user is watching. This can lead to fingerprinting of specific users based on their usage patterns.
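Two of the details in the description above, the RNTI-dependent CRC of the DCI and the RNTI/scrambling-ID dependent scrambling, are worth seeing in code. The following is an added example, not code from the Ludant et al. paper or from any sniffer: it implements the CRC attachment of TS 38.212 7.3.2 (24 leading ones, CRC24C, low 16 parity bits XORed with the RNTI) and the pseudo-random scrambling of TS 38.211 (Gold sequence of 5.2.1 with the c_init of 7.3.2.3 for a UE-specific search space), and then plays the sniffer side: descramble with a candidate RNTI, check the 8 unmasked parity bits, and read the RNTI out of the masked ones. Polar coding and rate matching are omitted, so the scrambling is applied directly to the CRC-attached bits; the DCI payload, RNTI and scrambling ID are constructed values:

```python
# Added example, not code from the Ludant et al. paper: two of the pieces a
# 5G PDCCH sniffer has to deal with, the RNTI masking of the DCI CRC
# (TS 38.212 7.3.2) and the RNTI/scrambling-ID dependent bit scrambling of the
# UE-specific search space (TS 38.211 7.3.2.3, Gold sequence of 5.2.1). Polar
# coding and rate matching are omitted, so `scramble` is applied straight to the
# CRC-attached bits; the DCI payload, RNTI and scrambling ID are constructed.

CRC24C_POLY = 0x1B2B117  # D^24+D^23+D^21+D^20+D^17+D^15+D^13+D^12+D^8+D^4+D^2+D+1
LEADING_ONES = 24        # 38.212: 24 one-bits are prepended before the CRC is computed


def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def crc24c(bits):
    """Bit-serial CRC24C, zero initial state, MSB first; returns 24 parity bits."""
    reg = 0
    for b in bits:
        top = (reg >> 23) & 1
        reg = (reg << 1) & 0xFFFFFF
        if top ^ b:
            reg ^= CRC24C_POLY & 0xFFFFFF
    return int_to_bits(reg, 24)


def attach_crc(payload, rnti):
    """DCI payload + CRC, the low 16 parity bits XORed with the 16-bit RNTI."""
    parity = crc24c([1] * LEADING_ONES + payload)
    masked = parity[:8] + [p ^ r for p, r in zip(parity[8:], int_to_bits(rnti, 16))]
    return payload + masked


def recover_rnti(bits):
    """Validate a decoded candidate and derive its RNTI without a 65536-way search:
    the top 8 parity bits are not masked, so they must match (a random candidate
    passes with probability 1/256); the masked bits then reveal the RNTI."""
    payload, rx_parity = bits[:-24], bits[-24:]
    parity = crc24c([1] * LEADING_ONES + payload)
    if parity[:8] != rx_parity[:8]:
        return None
    return bits_to_int([p ^ r for p, r in zip(parity[8:], rx_parity[8:])])


def gold_sequence(c_init, length, nc=1600):
    """TS 38.211 5.2.1 pseudo-random sequence c(n)."""
    x1 = [0] * (nc + length + 31)
    x2 = [0] * (nc + length + 31)
    x1[0] = 1
    for i in range(31):
        x2[i] = (c_init >> i) & 1
    for n in range(nc + length):
        x1[n + 31] = x1[n + 3] ^ x1[n]
        x2[n + 31] = x2[n + 3] ^ x2[n + 2] ^ x2[n + 1] ^ x2[n]
    return [x1[n + nc] ^ x2[n + nc] for n in range(length)]


def scramble(bits, rnti, n_id):
    """PDCCH scrambling for a UE-specific search space with pdcch-DMRS-ScramblingID
    configured: c_init = (RNTI * 2^16 + n_ID) mod 2^31. Descrambling is the same
    operation, which is why the sniffer needs the RNTI and n_ID before it can decode."""
    c_init = (rnti * 65536 + n_id) % (1 << 31)
    return [b ^ c for b, c in zip(bits, gold_sequence(c_init, len(bits)))]


def encode_dci(payload, rnti, n_id):
    return scramble(attach_crc(payload, rnti), rnti, n_id)


def sniff(rx_bits, n_id, candidate_rntis):
    """Try descrambling with each candidate RNTI (e.g. RNTIs seen earlier in the
    cell) and accept a candidate only if the CRC check passes and the RNTI it
    reveals is the one used for descrambling."""
    for guess in candidate_rntis:
        if recover_rnti(scramble(rx_bits, guess, n_id)) == guess:
            return guess
    return None


if __name__ == "__main__":
    payload = int_to_bits(0x1A2B3C4D5E, 39)   # constructed 39-bit DCI payload
    tx = encode_dci(payload, 0x4A3C, n_id=0x02F1)
    print("recovered RNTI:", hex(sniff(tx, 0x02F1, [0x0101, 0x4A3C, 0xFFEE])))
```

Note the asymmetry this shows: once a candidate has been polar-decoded, the RNTI falls out of the CRC in one step (that is what `recover_rnti` does), but in a UE-specific search space the descrambling that has to happen before decoding already depends on the RNTI and on the scrambling ID carried in protected RRC, so the sniffer is reduced to trying candidates, which is why maintaining a list of previously seen RNTIs matters so much.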

Signal Overshadowing Attack

In cellular network attacks, Fake Base Stations (FBS), also known as rogue base stations, are a common method. These exploit user equipment (UE) by luring devices with stronger signals, establishing connections to extract sensitive information like IMSI, temporary identifiers, or communication data. This connection becomes the vector for attacks such as denial-of-service (DoS), tracking, or eavesdropping.

The Signal Overshadowing Attack, however, introduces a new methodology. Unlike an FBS, it requires no connection with the victim UE. Instead, it leverages the fact that a receiver decodes the strongest of several signals transmitted on the same frequency (the capture effect). By transmitting a stronger signal, time-aligned with the legitimate one, the attacker can inject malicious messages directly into the victim UE.

A key challenge is achieving precise time and frequency synchronization with the legitimate base station. The attacker uses the cell's synchronization signals, the Primary Synchronization Signal (PSS) and Secondary Synchronization Signal (SSS), to align its transmissions so that the stronger malicious signal overshadows the legitimate one.

Once synchronized, the attacker passively collects information from unprotected broadcast signals such as the Master Information Block (MIB), the System Information Blocks (SIBs) and paging messages of the legitimate base station. These messages carry no integrity protection in LTE and provide critical parameters such as the network configuration and timing.

With synchronization and the collected information, the attacker transmits the malicious message at the physical layer in a specific radio frame (and subframe), so that it arrives at the UE at exactly the moment the legitimate message would and is processed instead of it. Because the attacker's signal is stronger, the UE cannot distinguish the two and simply decodes the attacker's content. This "overshadowing" of the original signal by power and timing is what gives the technique its name.

Overall concept of Signal Overshadowing Attacking can be illustrated as follows.

Image Source : Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE  

NOTE : For the full details of this technique, I strongly recommend watching these well-presented videos: USENIX Security '19 - Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE and 36C3 - SigOver + alpha. You will get a lot of insight not only in terms of security but also in terms of general LTE PHY processing.
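The synchronization step described above is the same PSS search a UE performs, and it is worth seeing why it is cheap for an attacker. The following is an added example, not code from the SigOver paper: it generates the three LTE PSS Zadoff-Chu sequences of TS 36.211 6.11.1.1, builds a constructed capture of frequency-domain OFDM symbols in which one symbol carries a PSS with an unknown channel phase and noise, and finds both the symbol position and N_ID^(2) by matched filtering. Sample-level timing, carrier-frequency offset and the SSS step are not modelled, and the stream layout is an assumption:

```python
# Added example, not code from the SigOver paper: the PSS search an
# overshadowing attacker performs, like any UE, to align to the target cell.
# Constructed frequency-domain symbols; sample-level timing, CFO and the SSS
# step are not modelled.
import cmath
import math
import random

ZC_ROOT = {0: 25, 1: 29, 2: 34}  # N_ID^(2) -> Zadoff-Chu root u, TS 36.211 6.11.1.1


def pss_sequence(nid2):
    """The 62 PSS subcarrier values d_u(n), n = 0..61 (the DC subcarrier is punctured)."""
    u = ZC_ROOT[nid2]
    return [cmath.exp(-1j * math.pi * u * n * (n + 1) / 63) if n <= 30
            else cmath.exp(-1j * math.pi * u * (n + 1) * (n + 2) / 63)
            for n in range(62)]


def correlate(rx, ref):
    """Matched-filter output |sum rx * conj(ref)|, normalised to 1.0 for a perfect match."""
    return abs(sum(r * c.conjugate() for r, c in zip(rx, ref))) / len(ref)


def make_stream(n_symbols, pss_symbol, nid2, noise=0.3, phase=0.7, seed=1):
    """Constructed capture: random unit-magnitude data on the 62 central subcarriers
    of every symbol, the PSS in one symbol rotated by an unknown channel phase,
    plus complex Gaussian noise. pss_symbol=-1 means no PSS is present."""
    rng = random.Random(seed)
    stream = []
    for k in range(n_symbols):
        if k == pss_symbol:
            sym = [v * cmath.exp(1j * phase) for v in pss_sequence(nid2)]
        else:
            sym = [cmath.exp(1j * rng.uniform(0, 2 * math.pi)) for _ in range(62)]
        stream.append([s + complex(rng.gauss(0, noise), rng.gauss(0, noise)) for s in sym])
    return stream


def find_pss(stream, threshold=0.5):
    """Returns (symbol_index, N_ID^(2), score) of the strongest PSS hit, or None
    when nothing exceeds the threshold. The phase rotation does not matter
    because only the magnitude of the correlation is used."""
    refs = {nid2: pss_sequence(nid2) for nid2 in ZC_ROOT}
    best = None
    for k, sym in enumerate(stream):
        for nid2, ref in refs.items():
            score = correlate(sym, ref)
            if best is None or score > best[2]:
                best = (k, nid2, score)
    return best if best is not None and best[2] >= threshold else None


if __name__ == "__main__":
    print("PSS hit   :", find_pss(make_stream(20, pss_symbol=7, nid2=2)))
    print("no PSS    :", find_pss(make_stream(20, pss_symbol=-1, nid2=0)))
```

The point for the attack is that nothing in this step is secret: the three candidate sequences are fixed by the standard, and the constant-amplitude, low-cross-correlation property of Zadoff-Chu sequences that makes cell search fast for a UE makes it equally fast for an attacker who wants to line up its transmissions with the cell.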

 

Where/When/How often to attack

In the context of LTE signaling flows, understanding where, when and how often to target specific messages is critical for an effective overshadowing attack. Broadcast messages such as the MIB and SIBs are ideal targets because they are transmitted periodically and carry neither encryption nor integrity protection. Unicast messages such as RRC Connection Release or paging also present opportunities, especially before the AS security context is activated. The injection must be timed to the broadcast interval or to the specific signaling event so that the malicious signal overshadows the legitimate one without breaking the UE's decoding of everything else, and the attack frequency depends on the message type: broadcast injections are synchronized to the periodic transmissions, unicast injections are timed to the security gap in real time.

  • Where in the signaling flow?
    • The attack is targeted at specific parts of the LTE signaling process, depending on the type of message and synchronization requirements. Key targets include:
      • Broadcast Messages: These include the Master Information Block (MIB) and System Information Block (SIB) messages, which are unprotected and critical during the initial synchronization and system information acquisition phase.
      • Unicast Messages: such as RRC Connection Release (which can carry a redirection to an attacker-controlled frequency or base station) or Paging messages.
  • When in the signaling flow?
    • The attack's timing is crucial and depends on the synchronization between the attacker and the legitimate base station:
    • Broadcast Message Attacks (e.g., MIB/SIB):
      • These can be targeted right after the UE synchronizes with the PSS/SSS signals from the base station. At this point, the UE is decoding the broadcast messages to establish a connection.
      • Example: The attacker overshadows the legitimate SIB1 message to modify network parameters or inject malicious information.
    • Unicast Message Attacks (e.g., RRC Connection Release):
        • These are targeted after the UE has established an RRC connection but before the security activation phase, as this window allows unprotected message injection.
        • Example: The attacker injects an RRC Connection Release message with a redirection frequency field to move the UE to a fake base station.
  • How often to attack?
    • Too Frequent Attacks: if the attack occurs too often,
      • the UE may fail to decode even the legitimate signals, so the attacking signal acts like simple jamming;
      • the UE or network may detect abnormal behavior. Repeated interference can raise suspicion, prompting defensive measures such as flagging the activity or outright ignoring the injected messages.
    • Too Sparse Attacks: If the attack is too infrequent, the legitimate base station signals are more likely to dominate. This increases the chance of the UE successfully decoding the original messages instead of the attacker’s, reducing the attack’s effectiveness.
    • Optimal Frequency: The attack frequency must balance these extremes. It should be frequent enough to consistently overshadow the legitimate signal but sparse enough to avoid detection or triggering defensive mechanisms.
    • Key Consideration: Understanding the UE’s tolerance for timing and message anomalies is crucial to determining the ideal frequency. This ensures the attacker’s message is prioritized while minimizing the risk of detection.
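The "how often" trade-off above is also what gives a defender something to look for. An attacker that cannot hit every SI period leaves a broadcast field flipping back and forth, whereas a legitimate system information change is rare, happens once, and is announced by a new systemInfoValueTag in SIB1. The following is an added example (not code from the SigOver paper) of a monitoring heuristic over decoded SIB1 records; the records are constructed and the tuple layout is an assumption:

```python
# Added example (not code from the SigOver paper): a monitoring heuristic for
# overshadowed broadcast messages. A legitimate SIB1 change is rare, happens
# once and is announced by a new systemInfoValueTag; an overshadowed cell shows
# a field flipping back and forth under the same value tag. The decoded records
# below are constructed; the tuple layout is an assumption.

# (sfn, pci, cellIdentity, trackingAreaCode, systemInfoValueTag) per decoded SIB1
SAMPLE_SIB1 = [
    # cell 101: stable
    (0, 101, 0x00A1B01, 0x1234, 3), (8, 101, 0x00A1B01, 0x1234, 3),
    (16, 101, 0x00A1B01, 0x1234, 3), (24, 101, 0x00A1B01, 0x1234, 3),
    # cell 222: TAC alternates and the value tag never changes -> overshadowing
    (0, 222, 0x00A1B02, 0x1234, 3), (8, 222, 0x00A1B02, 0x9999, 3),
    (16, 222, 0x00A1B02, 0x1234, 3), (24, 222, 0x00A1B02, 0x9999, 3),
    (32, 222, 0x00A1B02, 0x1234, 3), (40, 222, 0x00A1B02, 0x1234, 3),
    # cell 333: one legitimate, permanent TAC change with a new value tag
    (0, 333, 0x00A1B03, 0x1234, 3), (8, 333, 0x00A1B03, 0x1234, 3),
    (16, 333, 0x00A1B03, 0x1235, 4), (24, 333, 0x00A1B03, 0x1235, 4),
]


def detect_overshadowing(records, min_flips=2):
    """Per (pci, cellIdentity): count TAC changes, how many came without a
    systemInfoValueTag change, and how many distinct values were seen.
    Returns {(pci, cell_id): [reasons]} for suspicious cells."""
    state = {}
    for sfn, pci, cell_id, tac, tag in sorted(records):
        st = state.setdefault((pci, cell_id),
                              {"last": None, "tag": None, "flips": 0, "untagged": 0, "values": set()})
        st["values"].add(tac)
        if st["last"] is not None and tac != st["last"]:
            st["flips"] += 1
            if tag == st["tag"]:
                st["untagged"] += 1
        st["last"], st["tag"] = tac, tag
    alerts = {}
    for key, st in state.items():
        reasons = []
        if st["flips"] >= min_flips and len(st["values"]) <= 2:
            reasons.append("TAC alternates between %s" % sorted(hex(v) for v in st["values"]))
        if st["untagged"]:
            reasons.append("%d SIB1 change(s) without a systemInfoValueTag change" % st["untagged"])
        if reasons:
            alerts[key] = reasons
    return alerts


if __name__ == "__main__":
    for key, reasons in detect_overshadowing(SAMPLE_SIB1).items():
        print("pci=%d cellIdentity=%#x:" % key, "; ".join(reasons))
```

Both signals are heuristics: an attacker that also bumps the value tag defeats the second check, and one that manages to hit every SI period looks like a single permanent change to the first. They are cheap to run on a monitoring UE or a scanner, though, and they target exactly the frequency trade-off the attacker has to make.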

 

Use Cases of Signal Overshadowing Attacks

Signal overshadowing attacks in LTE networks open up a range of malicious use cases that exploit vulnerabilities in the system's broadcast and signaling protocols. From overwhelming the core network with a Signaling Storm, selectively disabling services through Selective DoS, bypassing security mechanisms with IMSI Paging, to manipulating public behavior via Fake Emergency Alerts, these attacks highlight the risks posed by unprotected and insecure channels. Each of these use cases demonstrates how an attacker can target specific elements of the LTE signaling flow to disrupt operations, compromise security, and exploit user trust, often with minimal resources and low chances of detection.

  • Signaling Storm
    • Description: This attack exploits the broadcast System Information Block Type 1 (SIB1) to force every UE in the cell into repeated Tracking Area Update (TAU) procedures, overloading the core network.
    • Mechanism: By changing the Tracking Area Code (TAC) in the overshadowed SIB1, the attacker makes UEs in the coverage area believe they have entered a tracking area that is not in their TAI list, so each of them performs a TAU toward the MME; as long as the overshadowed SIB1 keeps advertising a foreign TAC, the UEs keep repeating it.
    • Impact: Generates a massive amount of signaling messages, overwhelming the core network. For example, a normal UE sends about 600 signaling messages per hour, but during a signaling storm, this can rise to 400,000, representing a 640x increase.
    • Detection Avoidance: The attack does not disconnect UEs from their legitimate base station, making it harder for network operators to identify the cause.
  • Selective DoS (Denial of Service)
    • Description: Targets specific services, such as voice calls, video calls, or SMS, while allowing other services to function normally.
    • Mechanism: The attacker modifies the access barring fields in SIB2 (e.g., ac-BarringForMO-Data, ssac-BarringForMMTEL-Voice) so that UEs in the cell cannot access, or are delayed in accessing, a particular service; for example, barring only voice service during a disaster while allowing data service.
    • Impact: Can selectively disable critical services without completely disrupting the UE's overall connectivity.
    • Advantage Over Fake Base Stations: Unlike traditional attacks, which require disrupting the entire UE connection, Selective DoS only targets specific services, minimizing resource requirements and detection risks.
  • IMSI Paging
    • Description: Exploits the Paging procedure by injecting a paging message that carries the victim UE's International Mobile Subscriber Identity (IMSI) rather than its temporary identifier (S-TMSI).
    • Mechanism: A UE paged with its IMSI treats this as a network-side failure (TS 24.301): it locally detaches, deletes its GUTI and key set identifier (so the stored security context can no longer be used) and performs a fresh Attach.
    • Impact: During the re-attach, AS security is not yet activated, so the attacker again has a window in which unprotected signaling messages, such as RRC Connection Release, are accepted by the UE.
    • Advantages for Attacker:
      • Bypasses the need for a persistent fake base station connection.
      • Exploits a legitimate LTE process to weaken the UE's security.
  • Fake Emergency Alert
    • Description: Leverages the Commercial Mobile Alert System (CMAS) delivery path to display false emergency alerts on the UE.
    • Mechanism:
      • The attacker overshadows the CMAS-related messages of the legitimate base station, namely the Paging message (cmas-Indication), SIB1 (scheduling information) and SIB12 (the CMAS notification itself), to broadcast a fake alert.
      • None of these broadcast messages is integrity protected or encrypted, so the alert is displayed as a legitimate emergency notification on the UE.
    • Impact: Causes widespread panic or manipulates public behavior based on the false information presented.
    • Advantages Over Traditional Attacks:
      • The alert appears legitimate to users due to its alignment with expected CMAS formats.
      • Requires less power and is stealthier than conventional methods like fake base stations.
  • Attack by Unicast Message: RRC Connection Release
    • Description: This attack exploits the RRC Connection Release procedure; the message is a unicast command from the base station telling the UE to release its radio connection.
    • Mechanism:
      • The attacker targets the victim UE's C-RNTI (Cell Radio Network Temporary Identifier) and crafts a malicious RRC Connection Release message.
      • The injected message includes optional fields such as:
        • redirectedCarrierInfo: Directs the UE to a specific frequency (e.g., one served by an attacker-controlled fake base station).
        • idleModeMobilityControlInfo: Alters the UE's cell reselection priorities so that it prefers the attacker's frequency.
      • Upon receiving the message, the UE releases the connection and reselects the redirected frequency, which may belong to an LTE, 3G, or even a 2G base station.
    • Impact:
      • Forced UE Redirection: The attacker can move the UE to their fake base station, gaining control over the UE’s signaling and data communication.
      • Man-in-the-Middle (MitM) Potential: Once connected to the fake base station, the attacker can intercept and manipulate UE traffic for further exploits.
      • Service Disruption: The UE’s legitimate connection is terminated, leading to temporary service loss until the redirection completes.
    • Challenges for the Attacker:
      • The attacker must learn the victim UE's C-RNTI (or, for the paging-based variant above, its IMSI) to target it specifically.
      • Timing is critical: the message must arrive after SRB1 is set up but before AS security is activated; otherwise it fails the integrity check and is discarded.
      • The message must be precisely crafted and injected into the UE-specific resources in which the UE decodes unicast messages.
    • Advantages Over Broadcast Attacks:
      • Precision: Only the targeted UE is affected, reducing collateral impact and making the attack harder to detect.
      • Versatility: The attacker can redirect the UE to vulnerable networks (e.g., 2G or 3G) or manipulate its behavior with greater control.
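The two broadcast use cases above (Signaling Storm via a foreign TAC in SIB1, Selective DoS via SIB2 barring) can be reproduced with an idle-mode UE model, and the same decoded-SIB1 stream can be fed to the check a defender would want: a real cell never flips its TAC, so the same PCI and cellIdentity announcing two TACs within a short window is a strong overshadowing indicator. This is an added example, not code from the original page or from the SigOver paper; the SIB content is a reduced subset of TS 36.331, the MME's behaviour is simplified to "always answer TAU with the legitimate TAI list", and every sample value (PCI 301, TACs 0x1234/0x5678, cellIdentity 0x0A1B2C, PLMN 00101) is constructed.

```python
"""
Idle-mode UE model for two broadcast overshadowing use cases (TAU storm from
a foreign TAC in SIB1, selective DoS from SIB2 barring) plus a TAC-flip
detector.  Added example, not code from the original page or the SigOver
paper; all identifiers below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Sib1:
    pci: int        # physical cell identity the UE synchronised to
    plmn: str
    tac: int        # trackingAreaCode
    cell_id: int    # cellIdentity


@dataclass(frozen=True)
class Sib2:
    # subset of the SIB2 barring fields; True means "barred for this UE"
    ac_barring_mo_data: bool = False        # ac-BarringForMO-Data
    ssac_barring_mmtel_voice: bool = False  # ssac-BarringForMMTEL-Voice


LEGIT_SIB1 = Sib1(pci=301, plmn="00101", tac=0x1234, cell_id=0x0A1B2C)
FAKE_SIB1 = Sib1(pci=301, plmn="00101", tac=0x5678, cell_id=0x0A1B2C)  # only the TAC differs
MME_TAI_LIST: Set[Tuple[str, int]] = {("00101", 0x1234)}  # TAI list carried in TAU Accept


@dataclass
class IdleUe:
    tai_list: Set[Tuple[str, int]] = field(default_factory=lambda: set(MME_TAI_LIST))
    sib2: Sib2 = field(default_factory=Sib2)
    tau_count: int = 0

    def on_sib1(self, sib: Sib1) -> None:
        # TS 24.301: camping on a cell whose TAI is outside the TAI list triggers a TAU.
        # Simplification: every decoded SIB1 is acted upon, and the real MME always
        # answers with its own (legitimate) TAI list, which never contains the fake TAC.
        if (sib.plmn, sib.tac) not in self.tai_list:
            self.tau_count += 1
            self.tai_list = set(MME_TAI_LIST)

    def on_sib2(self, sib: Sib2) -> None:
        self.sib2 = sib

    def can_start(self, service: str) -> bool:
        # an MMTEL voice call is subject to SSAC and then to the mo-Data barring check
        if service == "voice":
            return not (self.sib2.ssac_barring_mmtel_voice or self.sib2.ac_barring_mo_data)
        if service == "data":
            return not self.sib2.ac_barring_mo_data
        raise ValueError(service)


def tau_count_for(decoded_sib1s: List[Sib1]) -> int:
    """Number of TAUs one UE performs for a given sequence of decoded SIB1s."""
    ue = IdleUe()
    for sib in decoded_sib1s:
        ue.on_sib1(sib)
    return ue.tau_count


def service_access(sib2: Sib2) -> Dict[str, bool]:
    """Which services a UE can start after decoding the given SIB2."""
    ue = IdleUe()
    ue.on_sib2(sib2)
    return {"voice": ue.can_start("voice"), "data": ue.can_start("data")}


def detect_overshadowing(decoded: List[Sib1], window: int = 8) -> List[int]:
    """Indices at which the same PCI+cellIdentity announced more than one TAC
    within the last `window` decodes.  A real cell does not flip its TAC."""
    hits = []
    for i, cur in enumerate(decoded):
        recent = decoded[max(0, i - window + 1): i + 1]
        tacs = {s.tac for s in recent if (s.pci, s.cell_id) == (cur.pci, cur.cell_id)}
        if len(tacs) > 1:
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("legit only  :", tau_count_for([LEGIT_SIB1] * 6), "TAUs")
    print("persistent  :", tau_count_for([FAKE_SIB1] * 6), "TAUs")
    print("alternating :", tau_count_for([LEGIT_SIB1, FAKE_SIB1] * 3), "TAUs")
    print("voice barred:", service_access(Sib2(ssac_barring_mmtel_voice=True)))
    print("detector    :", detect_overshadowing([LEGIT_SIB1, LEGIT_SIB1, FAKE_SIB1, LEGIT_SIB1]))
```

The detector works on decoded SIB1 content alone, so it can run on a passive sniffer without knowing which copy of the signal was the attacker's; lowering the attack duty cycle (the "too sparse" case) shrinks the number of flagged decodes but also the number of TAUs the attacker obtains, which is the trade-off described in the timing discussion.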

 

Advantages of SigOver over Other Methods (e.g., Fake Base Station: FBS)

The SigOver attack offers several advantages over the Fake Base Station (FBS) method in LTE signal attacks:

  • No Connection Establishment Required:
    • SigOver does not require establishing a connection with the victim UE (User Equipment) to inject malicious messages. It works by overshadowing the legitimate broadcast signal directly over the air with a slightly stronger, time-aligned copy carrying the attacker's content.
    • FBS, on the other hand, must establish a connection with the victim UE, which requires disrupting the current connection between the victim UE and the legitimate base station.
  • Stealthiness:
    • SigOver is more difficult to detect because it simply modifies or overshadows parts of the legitimate broadcast signal without interrupting ongoing communication with the legitimate base station.
    • FBS is more noticeable as it actively disrupts and replaces the legitimate base station's connection, which can trigger denial-of-service (DoS) scenarios or alert monitoring systems.
  • UE Maintains Connection with the Legitimate Network:
    • During a SigOver attack, the victim UE continues communicating with the legitimate base station and core network. This ensures ongoing services and avoids detection through service interruptions.
    • In FBS attacks, the victim UE disconnects from the legitimate network, potentially causing denial-of-service issues and making the attack more conspicuous.
  • Attack Flexibility:
    • SigOver can inject malicious messages without the need for a full-blown fake base station setup. For example, it can alter broadcast messages like SIB1 (System Information Block Type 1) to trigger malicious procedures, such as frequent tracking area updates, causing a signaling storm.
    • FBS is limited to injecting messages after establishing a connection with the UE, reducing its flexibility.
  • Lower Power Requirements:
    • SigOver requires significantly less power since it only needs to overpower the legitimate broadcast signal by a small margin (e.g., 3 dB higher signal strength) to execute the overshadowing attack successfully.
    • FBS requires much higher power to entirely disrupt the legitimate base station's signal and establish itself as the dominant station, making it less efficient.

USIM Attack

The USIM (Universal Subscriber Identity Module) plays a critical role in mobile communication, serving as a secure element that stores user credentials and enables authentication with cellular networks. However, as the bridge between the user and the network, the USIM is also a potential target for various security threats. USIM attacks can range from attempts to intercept sensitive data to manipulating authentication protocols, exposing users to risks like unauthorized access, data theft, and identity spoofing. Understanding the vulnerabilities and implementing safeguards around USIM security is essential for maintaining the integrity of mobile communications.

Several typical ways an attacker could gain control of a SIM card are:

  • Physical access to a device or SIM card
  • Remote SIM administration features
  • Supply chain attacks
  • Exploiting vulnerabilities in a SIM’s software

Recently I found a well-documented paper on this subject, SIMurai: Slicing Through the Complexity of SIM Card Security Research. The following are brief highlights from the paper.

Purpose : The main purpose of this paper is to highlight the security risks posed by malicious SIM cards and introduce a new software tool, SIMURAI, to facilitate research in this area. The authors emphasize that hostile SIM cards represent a realistic yet often overlooked attack vector in cellular security. They aim to bring attention to this issue and provide researchers with the means to further investigate and mitigate these threats.

Key arguments and findings : SIM cards' privileged access to a device's baseband, combined with often outdated security measures, makes them vulnerable to exploitation, which tools like SIMURAI can analyze by emulating SIM behavior for research purposes

  • SIM cards have privileged access to a device's baseband. This access, coupled with the baseband's frequent lack of modern security features, makes it a prime target for exploitation.
  • Several realistic scenarios could enable an attacker to control a SIM card. These include physical access, remote administration features, supply chain attacks, and exploiting vulnerabilities in a SIM's software stack.
  • SIMURAI is a flexible software platform that enables a wide range of security-focused research on SIM cards. Unlike previous tools that relied on physical SIMs, SIMURAI allows researchers to emulate SIM card behavior and deliberately violate standards for testing purposes.

Exposed/Identified threat : The paper showcases SIMURAI's ability to replicate real-world SIM-based threats, conduct large-scale vulnerability research, and demonstrate practical attack scenarios, emphasizing the risks posed by malicious SIM cards.

  • Replication of SIM-based spyware: The authors easily re-implemented the core functionality of Simjacker, a known SIM-based spyware, using SIMURAI. This demonstrates the platform's ability to aid in analyzing and understanding real-world threats.
  • Fuzzing campaign against commercial baseband firmware: By integrating SIMURAI with the FirmWire emulation platform, the authors conducted a large-scale fuzzing campaign that uncovered two high-severity vulnerabilities in Google Pixel devices. This finding underscores the potential for malicious SIM cards to compromise device security.
  • Case studies demonstrating the feasibility of SIM-based attacks: The paper outlines two attack scenarios: using a SIM interposer to gain physical access and leveraging a rogue carrier's ability to remotely update a SIM. The authors successfully implemented proof-of-concept attacks for both scenarios using SIMURAI, highlighting the practical implications of hostile SIM cards.
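The fuzzing result above rests on one observation: the baseband parses whatever the SIM returns, and a hostile SIM can return anything. The following is an added example, not code from the original page or from the SIMurai project, and it does not reproduce any particular reported vulnerability. It takes the EF_IMSI file (TS 31.102) as the target, emulates an honest and a hostile SIM answering READ BINARY, and runs both a decoder that trusts the SIM's length byte (the class of bug a SIM-response fuzzer finds) and a hardened one. The IMSI 001010123456789 and the hostile length byte 0x7F are constructed values.

```python
"""
EF_IMSI (TS 31.102, file 6F07) handling with an honest and a hostile SIM.
Added example, not code from the original page or from SIMurai; it models
the class of defect (trusting the SIM-supplied length byte), not any
specific reported vulnerability.  All sample values are constructed.
"""
from typing import Callable, Optional


def encode_ef_imsi(imsi: str) -> bytes:
    """Encode a 6..15-digit IMSI into the 9-byte EF_IMSI body:
    byte 1 = number of valid bytes that follow, then the parity nibble
    (0x9 for an odd number of digits, 0x1 for even) followed by the
    digits as BCD, low nibble first, padded with 0xF."""
    if not (6 <= len(imsi) <= 15 and imsi.isdigit()):
        raise ValueError("bad IMSI")
    nibbles = [0x9 if len(imsi) % 2 else 0x1] + [int(d) for d in imsi]
    if len(nibbles) % 2:
        nibbles.append(0xF)
    body = bytes(nibbles[i] | (nibbles[i + 1] << 4) for i in range(0, len(nibbles), 2))
    return bytes([len(body)]) + body.ljust(8, b"\xff")


class Sim:
    """Minimal SIM emulator answering READ BINARY on EF_IMSI."""
    def __init__(self, imsi: str, hostile: bool = False):
        self.ef_imsi = bytearray(encode_ef_imsi(imsi))
        if hostile:
            self.ef_imsi[0] = 0x7F   # a length byte no standards-conforming SIM sends

    def read_binary_ef_imsi(self) -> bytes:
        return bytes(self.ef_imsi)


def decode_ef_imsi_naive(ef: bytes) -> str:
    """Decoder written the way a baseband bug looks: the SIM's length byte
    drives a copy into a fixed 8-byte buffer."""
    n = ef[0]
    buf = bytearray(8)
    for i in range(n):               # n > 8 runs off the end of buf
        buf[i] = ef[1 + i]           # IndexError here; an out-of-bounds write in C
    nibbles = []
    for b in buf:
        nibbles += [b & 0xF, b >> 4]
    return "".join(str(d) for d in nibbles[1:] if d <= 9)


def decode_ef_imsi(ef: bytes) -> Optional[str]:
    """Hardened decoder: every field the SIM controls is checked before use."""
    if len(ef) != 9:
        return None
    n = ef[0]
    if not 4 <= n <= 8:              # 6 digits need 4 bytes, 15 digits need 8
        return None
    body = ef[1:1 + n]
    parity = body[0] & 0xF
    if parity not in (0x1, 0x9):
        return None
    nibbles = [body[0] >> 4]
    for b in body[1:]:
        nibbles += [b & 0xF, b >> 4]
    digits = []
    for d in nibbles:
        if d == 0xF:                 # padding: end of IMSI
            break
        if d > 9:
            return None
        digits.append(str(d))
    if not 6 <= len(digits) <= 15 or (len(digits) % 2 == 1) != (parity == 0x9):
        return None
    return "".join(digits)


def probe(decoder: Callable[[bytes], Optional[str]], ef: bytes) -> str:
    """Run a decoder on SIM output and report either its result or the crash."""
    try:
        return "ok: %s" % decoder(ef)
    except IndexError as e:          # Python's stand-in for the memory-safety bug
        return "crash: %s" % type(e).__name__


if __name__ == "__main__":
    for label, sim in (("honest ", Sim("001010123456789")),
                       ("hostile", Sim("001010123456789", hostile=True))):
        ef = sim.read_binary_ef_imsi()
        print(label, ef.hex(), "| naive ->", probe(decode_ef_imsi_naive, ef),
              "| hardened ->", probe(decode_ef_imsi, ef))
```

In Python the trusting decoder fails safely with an IndexError; in the C code of a baseband the same loop writes past the buffer, which is why a SIM emulator that can violate the standard (as SIMurai does) is a useful fuzzing front end for this kind of parser.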

Test Setup : The paper utilizes three distinct test setups to evaluate SIMURAI's capabilities and demonstrate the feasibility of SIM-based attacks, as illustrated below. These setups allow researchers to analyze SIM card interactions within different cellular network environments, ranging from physical devices to fully emulated systems.

The following are brief descriptions of each setup:

  • Setup 1: Physical UE in 2G/4G/5G Networks
    • This setup uses real smartphones in conjunction with physical 2G, 4G, and 5G networks. The key element here is the SIMtrace2 device, a specialized hardware tool that acts as a bridge between the smartphone and SIMURAI.
    • SIMtrace2 connects to the smartphone through its SIM card slot and communicates with SIMURAI running on a separate workstation via USB.
    • SIMtrace2 runs the cardem firmware, which allows it to intercept and forward messages between the phone and SIMURAI, providing the electrical and transmission-layer interface necessary for data exchange.
    • This setup allowed researchers to test SIMURAI's compatibility with various commercial smartphones and confirm its ability to establish network connections, access the SIM file system, and perform authentication procedures.
  • Setup 2: Emulated, SRS-based Network
    • This setup leverages the srsRAN framework, a software suite that provides a nearly complete end-to-end emulated cellular environment.
    • srsRAN includes implementations for a core network, an eNodeB, and a UE, facilitating research without relying on physical hardware for these components.
    • The authors connected SIMURAI to the UE component (srsUE) using two approaches:
      • Via SIMtrace2, similar to Setup 1. This demonstrated SIMURAI's flexibility and confirmed consistent behavior across different setups.
      • Directly to the SIM layer of srsUE using its PC/SC interface. This method bypassed the need for any hardware, enabling a fully virtualized connection between the emulated UE and SIMURAI.
      • This direct integration represents a step towards achieving a completely virtual, end-to-end cellular setup, which can offer advantages in terms of scalability and control.
  • Setup 3: Emulation Platform
    • This setup focuses on emulating the baseband firmware itself using the FirmWire platform.
    • FirmWire allows researchers to analyze the behavior of baseband firmware images from different devices in a controlled environment.
    • A key challenge was the lack of a built-in way to connect a SIM card in FirmWire.
    • To address this, the researchers reverse engineered the firmware for Samsung Exynos-based UEs and developed a custom USIM peripheral.
    • This peripheral acts as a virtual SIM card, utilizing SIMURAI's low-level interfaces to exchange data with the emulated baseband firmware in FirmWire.
    • This integration enables more realistic analysis of baseband behavior, especially for functionality that relies on SIM card interactions, such as SMS and USSD processing.
