Unprotected 4G/5G Control Procedures at Low Layers Considered Dangerous
Norbert Ludant, Marinos Vomvas, Guevara Noubir

TL;DR
This paper reveals significant security vulnerabilities in the low-layer control procedures of 4G/5G cellular systems, demonstrating practical passive and active attacks that compromise user privacy and communication integrity.
Contribution
It systematically analyzes low-layer control procedures in 4G/5G, identifying new vulnerabilities and demonstrating real-world attacks on user localization, tracking, and disruption.
Findings
Beamforming info leakage enables user fingerprinting and tracking.
Active attacks can drastically reduce throughput or disconnect users.
Attacks are practical against current commercial devices in real-world scenarios.
Abstract
Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operations make reasoning about security non-trivial and require a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by…
Taxonomy
Topics: Smart Grid Security and Resilience
