Breaking 5G on The Lower Layer
Subangkar Karmaker Shanto, Imtiaz Karim, Elisa Bertino

TL;DR
This paper uncovers practical vulnerabilities in 5G's lower layers, demonstrating how control message manipulations can cause device failures and increased power consumption, highlighting the need for enhanced security measures.
Contribution
It presents two novel, practical attacks on 5G lower-layer control messages, validated through experiments with commercial devices and open-source software.
Findings
TA manipulation causes uplink desynchronization and radio link failures.
SIB1 spoofing increases battery consumption by forcing system information refresh.
Attacks can induce denial of service by exploiting unprotected control messages.
Abstract
As 3GPP systems have strengthened security at the upper layers of the cellular stack, plaintext PHY and MAC layers have remained relatively understudied, though interest in them is growing. In this work, we explore lower-layer exploitation in modern 5G, where recent releases have increased the number of lower-layer control messages and procedures, creating new opportunities for practical attacks. We present two practical attacks and evaluate them in a controlled lab testbed. First, we reproduce a SIB1 spoofing attack to study manipulations of unprotected broadcast fields. By repeatedly changing a key parameter, the UE is forced to refresh and reacquire system information, keeping the radio interface active longer than necessary and increasing battery consumption. Second, we demonstrate a new Timing Advance (TA) manipulation attack during the random access procedure. By injecting an…
Taxonomy
Topics: Advanced Authentication Protocols Security · Wireless Communication Security Techniques · IPv6, Mobility, Handover, Networks, Security
