Berserker: ASN.1-based Fuzzing of Radio Resource Control Protocol for 4G and 5G
Srinath Potnuru, Prajwol Kumar Nakarmi

TL;DR
Berserker is a novel ASN.1-based fuzzer for the 4G and 5G RRC protocol that found previously unknown vulnerabilities in open-source stacks and strengthens robustness testing of telecom networks.
Contribution
It introduces an RRC fuzzer that is backward and forward compatible with any version of the 4G and 5G RRC specifications, and that also fuzzes NAS messages tunneled inside RRC.
Findings
Discovered two serious, previously unknown vulnerabilities in srsLTE.
Confirmed applicability to openLTE.
Demonstrated effectiveness across multiple protocol versions.
Abstract
Telecom networks, together with mobile phones, must be rigorously tested for robustness against vulnerabilities in order to guarantee availability. The RRC protocol is responsible for the management of radio resources and is among the most important telecom protocols whose extensive testing is warranted. To that end, we present a novel RRC fuzzer, called Berserker, for 4G and 5G. Berserker's novelty comes from being backward and forward compatible with any version of the 4G and 5G RRC technical specifications. It is based on the RRC message format definitions in ASN.1 and additionally covers fuzz testing of another protocol, called NAS, that is tunneled in RRC. Berserker uses concrete implementations of the telecom protocol stack and is unaffected by lower-layer protocol handling such as encryption and segmentation. It is also capable of evading size and type constraints in the RRC message format definitions. Berserker…
