AdaptOver: Adaptive Overshadowing Attacks in Cellular Networks

TL;DR

AdaptOver introduces a new MITM attack system for LTE and 5G-NSA networks that can overshadow, decode, and inject messages, enabling persistent DoS and privacy leaks over long distances, challenging existing security measures.

Contribution

This paper presents AdaptOver, a novel software-defined radio-based attack system that performs overshadowing in cellular networks, demonstrating practical long-range attacks and exposing vulnerabilities beyond fake base station methods.

Findings

AdaptOver can attack devices over 3.8 km away.

It enables persistent DoS and privacy leaks in LTE and 5G-NSA.

Existing countermeasures are insufficient against AdaptOver.

Abstract

In cellular networks, attacks on the communication link between a mobile device and the core network significantly impact privacy and availability. Up until now, fake base stations have been required to execute such attacks. Since they require a continuously high output power to attract victims, they are limited in range and can be easily detected both by operators and dedicated apps on users' smartphones. This paper introduces AdaptOver - a MITM attack system designed for cellular networks, specifically for LTE and 5G-NSA. AdaptOver allows an adversary to decode, overshadow (replace) and inject arbitrary messages over the air in either direction between the network and the mobile device. Using overshadowing, AdaptOver can cause a persistent ($\geq$ 12h) DoS or a privacy leak by triggering a UE to transmit its persistent identifier (IMSI) in plain text. These attacks can be launched against all users within a cell or specifically target a victim based on its phone number. We implement AdaptOver using a software-defined radio and a low-cost amplification setup. We demonstrate the effects and practicality of the attacks on a live operational LTE and 5G-NSA network with a wide range of smartphones. Our experiments show that AdaptOver can launch an attack on a victim more than 3.8km away from the attacker. Given its practicability and efficiency, AdaptOver shows that existing countermeasures that are focused on fake base stations are no longer sufficient, marking a paradigm shift for designing security mechanisms in cellular networks.