DOI: 10.1145/3538969.3544448
research-article

Analyzing RRC Replay Attack and Securing Base Station with Practical Method

Published: 23 August 2022

Abstract

This paper presents our analysis of the possibility of replay attacks using Radio Resource Control (RRC) packets on a 5G Non-Standalone (NSA) network, based on the 3GPP standard documents. We analyzed the RRC Connection Setup process of the User Equipment (UE), the behavior of a malicious UE before and after it sends an RRC connection request message, and the processing procedures of a false base station and a commercial 5G base station. By sending a strong signal, the false base station can cause a victim UE to establish its RRC connection to the false base station itself. Moreover, it may be able to launch a Denial-of-Service (DoS) attack, resulting in continuous denial of network access to the victim UE, by exploiting an RRC control message that lacks integrity protection together with the victim's temporary identity. To protect 5G communication services, we suggest practical measures to deter replay attacks, based on the 3GPP standard documents.



Published In

ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security
August 2022
1371 pages
ISBN: 9781450396707
DOI: 10.1145/3538969

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. 5G Vulnerabilities
  2. Mobile Network Threats
  3. RRC protocols
  4. Replay attack

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2022

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%


Article Metrics

  • Downloads (Last 12 months): 85
  • Downloads (Last 6 weeks): 4

Reflects downloads up to 23 Jan 2025


Cited By

  • (2024) Security Vulnerabilities in 5G Non-Stand-Alone Networks: A Systematic Analysis and Attack Taxonomy. Journal of Cybersecurity and Privacy 4:1 (23-40). DOI: 10.3390/jcp4010002. Online publication date: 2-Jan-2024
  • (2024) A Systematic Survey on 5G and 6G Security Considerations, Challenges, Trends, and Research Areas. Future Internet 16:3 (67). DOI: 10.3390/fi16030067. Online publication date: 20-Feb-2024
  • (2024) Cyber5Gym: An Integrated Framework for 5G Cybersecurity Training. Electronics 13:5 (888). DOI: 10.3390/electronics13050888. Online publication date: 26-Feb-2024
  • (2024) 5G Specifications Formal Verification with Over-the-Air Validation: Prompting is All You Need. MILCOM 2024 - 2024 IEEE Military Communications Conference (MILCOM) (412-418). DOI: 10.1109/MILCOM61039.2024.10773849. Online publication date: 28-Oct-2024
