New vulnerabilities in 4G and 5G cellular access network protocols: exposing device capabilities

Cellular devices support various technical features and services for 2G, 3G, 4G and upcoming 5G networks. These features include, for example, physical-layer throughput categories, radio protocol information, supported security algorithms, carrier aggregation bands and types of service such as GSM-R and Voice over LTE. In the cellular security standardisation context, these technical features and network services are termed device capabilities and are exchanged with the network during the device registration phase. In this paper, we study the device capabilities information specified for 4G and 5G devices and its role in establishing a security association between the device and the network. Our research results reveal that device capabilities are exchanged with the network before the authentication stage, without any protection, and are not verified by the network. Consequently, we present three novel classes of attacks that exploit unprotected device capabilities information in 4G and upcoming 5G networks: identification attacks, bidding-down attacks, and battery drain attacks against cellular devices. We implement proof-of-concept attacks using a low-cost hardware and software setup to evaluate their impact against commercially available 4G devices and networks. We reported the identified vulnerabilities to the relevant standardisation bodies and provide countermeasures to mitigate device capabilities attacks in 4G and upcoming 5G networks.
