Localization Attack by Precoder Feedback Overhearing in 5G Networks and Countermeasures

In fifth-generation (5G) cellular networks, users feed back to the base station the index of the precoder (from a codebook) to be used for downlink transmission. The precoder is strongly related to the user channel and in turn to the user position within the cell. We propose a method by which an external attacker determines the user position by passively overhearing this unencrypted layer-2 feedback signal. The attacker first builds a map of fed back precoder indices in the cell. Then, by overhearing the precoder index fed back by the victim user, the attacker finds its position on the map. We focus on the type-I single-panel codebook, which today is the only mandatory solution in the 3GPP standard. We analyze the attack and assess the obtained localization accuracy against various parameters. We analyze the localization error of a simplified precoder feedback model and describe its asymptotic localization precision. We also propose a mitigation against our attack, wherein the user randomly selects the precoder among those providing the highest rate. Simulations confirm that the attack can achieve a high localization accuracy, which is significantly reduced when the mitigation solution is adopted, at the cost of a negligible rate degradation.
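The mitigation described in the abstract, as an added sketch that is not the authors' code. It assumes a uniform linear array, a single-path line-of-sight channel and a DFT beam codebook as a simplified stand-in for the type-I single-panel codebook; the `max_loss` tolerance and all function names are hypothetical.

```python
import cmath
import math
import random

def dft_codebook(n_ant, oversampling=4):
    """DFT beams for a uniform linear array (assumed stand-in codebook)."""
    n = n_ant * oversampling
    return [[cmath.exp(2j * math.pi * k * m / n) / math.sqrt(n_ant)
             for m in range(n_ant)] for k in range(n)]

def los_channel(n_ant, angle_rad, spacing=0.5):
    """Single-path line-of-sight channel (assumed model), half-wavelength spacing."""
    return [cmath.exp(2j * math.pi * spacing * m * math.sin(angle_rad))
            for m in range(n_ant)]

def rates(channel, codebook, snr):
    """Rate log2(1 + snr * |h^H w|^2) in bit/s/Hz for every precoder index."""
    return [math.log2(1 + snr * abs(sum(h.conjugate() * x
                                        for h, x in zip(channel, w))) ** 2)
            for w in codebook]

def best_index(rate_list):
    """Deterministic feedback: the single index with the highest rate."""
    return max(range(len(rate_list)), key=rate_list.__getitem__)

def candidate_set(rate_list, max_loss):
    """Indices whose rate is within a fraction max_loss of the best rate."""
    floor = (1 - max_loss) * max(rate_list)
    return [i for i, r in enumerate(rate_list) if r >= floor]

def randomized_index(rate_list, max_loss, rng=random):
    """Mitigated feedback: draw uniformly from the near-best precoders."""
    return rng.choice(candidate_set(rate_list, max_loss))

if __name__ == "__main__":
    # Constructed scenario: 8 antennas, user at broadside, SNR 10 (linear).
    r = rates(los_channel(8, 0.0), dft_codebook(8), snr=10)
    print("deterministic:", best_index(r))
    print("candidates   :", candidate_set(r, 0.05))
    print("randomized   :", [randomized_index(r, 0.05) for _ in range(10)])
```

In this constructed scenario a 5% rate tolerance turns one fixed index into a draw over three adjacent beams, so the same position no longer maps to a single feedback value. A deployment would draw from an unpredictable source such as `random.SystemRandom()` rather than the default generator.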
