research-article

Open access

Fixing Insecure Cellular System Information Broadcasts For Good

Authors:

Alexander J. Ross,

Bradley Reaves,

Roger Piqueras JoverAuthors Info & Claims

RAID '24: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses

Pages 693 - 708

https://doi.org/10.1145/3678890.3678924

Published: 30 September 2024 Publication History

All formats PDF

Abstract

Cellular networks are essential everywhere, and securing them is increasingly important as attacks against them become more prevalent and powerful. All cellular network generations bootstrap new radio connections with unauthenticated System Information Blocks (SIBs), which provide critical parameters needed to identify and connect to the network. Many cellular network attacks require exploiting SIBs. Authenticating these messages would eliminate whole classes of attack, from spoofed emergency alerts to fake base stations.

This paper presents Broadcast But Verify, an efficient backwards-compatible mechanism for SIB authentication. Broadcast But Verify specifies a new signing SIB that encodes authentication signatures and hashes for all other SIBs while building on a standard cellular PKI. We identify the security and functional requirements for such a system, define a scalable and flexible mechanism to meet those requirements, and demonstrate negligible common-case connection latency overhead of 3.220 ms in a 4G LTE testbed. We also demonstrate that unmodified mobile devices successfully connect to networks deploying Broadcast But Verify. In contrast to prior proposals, Broadcast But Verify authenticates every SIB broadcasted by a cell. By demonstrating that even 4G LTE has the capacity to authenticate SIBs, we argue that future network generations can and should mandate authenticated SIBs.

References

[1]

2020. Moroccan Journalist Targeted With Network Injection Attacks Using NSO Group’s Tools. https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/

[2]

3rd Generation Partnership Project (3GPP). 2022. 5G; NR; Radio Resource Control (RRC); Protocol specification (Release 17). 3GPP TS 38.331, V17.0.0 (May 2022).

[3]

3rd Generation Partnership Project (3GPP). 2022. Evolved Universal Terrestrial Radio Access (E-UTRA) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Overall description; Stage 2 (Release 17). 3GPP TS 36.300, V17.0.0 (May 2022).

[4]

3rd Generation Partnership Project (3GPP). 2023. Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol specification (Release 17). 3GPP TS 36.331, V17.5.0 (July 2023).

[5]

3rd Generation Partnership Project (3GPP). 2024. Universal Mobile Telecommunications System (UMTS); LTE; 5G; Network Domain Security (NDS); Authentication Framework (AF) (Release 17). 3GPP TS 33.310, V17.8.0 (Jan. 2024).

[6]

Evangelos Bitsikas and Christina Pöpper. 2022. You have been warned: Abusing 5G’s Warning and Emergency Systems. In Proceedings of the 38th Annual Computer Security Applications Conference(ACSAC ’22). Association for Computing Machinery, New York, NY, USA, 561–575. https://doi.org/10.1145/3564625.3568000

Digital Library

[7]

Yi Chen, Yepeng Yao, XiaoFeng Wang, Dandan Xu, Chang Yue, Xiaozhong Liu, Kai Chen, Haixu Tang, and Baoxu Liu. 2021. Bookworm Game: Automatic Discovery of LTE Vulnerabilities Through Documentation Analysis. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, San Francisco, CA, USA, 1197–1214. https://doi.org/10.1109/SP40001.2021.00104

[8]

Merlin Chlosta, David Rupprecht, Thorsten Holz, and Christina Pöpper. 2019. LTE security disabled: misconfiguration in commercial networks. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks. ACM, Miami Florida, 261–266. https://doi.org/10.1145/3317549.3324927

Digital Library

[9]

Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, and Edgar Weippl. 2014. IMSI-catch me if you can: IMSI-catcher-catchers. In Proceedings of the 30th Annual Computer Security Applications Conference on - ACSAC ’14. ACM Press, New Orleans, Louisiana, 246–255. https://doi.org/10.1145/2664243.2664272

Digital Library

[10]

Kieran Devine. 2023. Ukraine war: Mobile networks being weaponised to target troops on both sides of conflict. https://news.sky.com/story/ukraine-war-mobile-networks-being-weaponised-to-target-troops-on-both-sides-of-conflict-12577595

[11]

D. Dolev and A. Yao. 1983. On the security of public key protocols. IEEE Transactions on Information Theory 29, 2 (March 1983), 198–208. https://doi.org/10.1109/TIT.1983.1056650 Conference Name: IEEE Transactions on Information Theory.

Digital Library

[12]

Simon Erni, Martin Kotuliak, Patrick Leu, Marc Roeschlin, and Srdjan Capkun. 2022. AdaptOver: Adaptive Overshadowing Attacks in Cellular Networks. In Proceedings of the 28th Annual International Conference on Mobile Computing And Networking(MobiCom ’22). Association for Computing Machinery, New York, NY, USA, 743–755. https://doi.org/10.1145/3495243.3560525 event-place: Sydney, NSW, Australia.

Digital Library

[13]

Ettus Research. [n. d.]. Ettus Research USRP.

[14]

Felix Girke, Fabian Kurtz, Nils Dorsch, and Christian Wietfeld. 2019. Towards Resilient 5G: Lessons Learned from Experimental Evaluations of LTE Uplink Jamming. In 2019 IEEE International Conference on Communications Workshops (ICC Workshops). IEEE, Shanghai, China, 1–6. https://doi.org/10.1109/ICCW.2019.8756977

[15]

Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. 2016. srsLTE: an open-source platform for LTE evolution and experimentation. In Proceedings of the Tenth ACM International Workshop on Wireless Network Testbeds, Experimental Evaluation, and Characterization. ACM, New York City New York, 25–32. https://doi.org/10.1145/2980159.2980163

Digital Library

[16]

Jeff Hodges, Collin Jackson, and Adam Barth. 2012. HTTP Strict Transport Security (HSTS). RFC 6797. https://doi.org/10.17487/RFC6797

Digital Library

[17]

Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. 2018. LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE. In Proceedings 2018 Network and Distributed System Security Symposium. Internet Society, San Diego, CA. https://doi.org/10.14722/ndss.2018.23313

[18]

Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 2019. 5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. ACM, London United Kingdom, 669–684. https://doi.org/10.1145/3319535.3354263

Digital Library

[19]

Syed Rafiul Hussain, Mitziu Echeverria, Ankush Singla, Omar Chowdhury, and Elisa Bertino. 2019. Insecure connection bootstrapping in cellular networks: the root of all evil. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks. ACM, Miami Florida, 1–11. https://doi.org/10.1145/3317549.3323402

Digital Library

[20]

Roger Piqueras Jover. 2016. LTE security, protocol exploits and location tracking experimentation with low-cost software radio. arXiv:1607.05171 [cs] (July 2016). http://arxiv.org/abs/1607.05171 arXiv:1607.05171.

[21]

Hongil Kim, Jiho Lee, Eunkyu Lee, and Yongdae Kim. 2019. Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, San Francisco, CA, USA, 1153–1168. https://doi.org/10.1109/SP.2019.00038

[22]

Gyuhong Lee, Jihoon Lee, Jinsung Lee, Youngbin Im, Max Hollingsworth, Eric Wustrow, Dirk Grunwald, and Sangtae Ha. 2019. This is Your President Speaking: Spoofing Alerts in 4G LTE Networks. In Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services. ACM, Seoul Republic of Korea, 404–416. https://doi.org/10.1145/3307334.3326082

Digital Library

[23]

Zhenhua Li, Weiwei Wang, Christo Wilson, Jian Chen, Chen Qian, Taeho Jung, Lan Zhang, Kebin Liu, Xiangyang Li, and Yunhao Liu. 2017. FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild. In Proceedings 2017 Network and Distributed System Security Symposium. Internet Society, San Diego, CA. https://doi.org/10.14722/ndss.2017.23098

[24]

Marc Lichtman, Roger Piqueras Jover, Mina Labib, Raghunandan Rao, Vuk Marojevic, and Jeffrey H. Reed. 2016. LTE/LTE-A jamming, spoofing, and sniffing: threat assessment and mitigation. IEEE Communications Magazine 54, 4 (April 2016), 54–61. https://doi.org/10.1109/MCOM.2016.7452266

Digital Library

[25]

Alessandro Lotto, Vaibhav Singh, Bhaskar Ramasubramanian, Alessandro Brighente, Mauro Conti, and Radha Poovendran. 2023. BARON: Base-Station Authentication Through Core Network for Mobility Management in 5G Networks. In Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks. ACM, Guildford United Kingdom, 133–144. https://doi.org/10.1145/3558482.3590187

Digital Library

[26]

Stig F. Mjølsnes and Ruxandra F. Olimid. 2017. Easy 4G/LTE IMSI Catchers for Non-Programmers. In Computer Network Security, Jacek Rak, John Bay, Igor Kotenko, Leonard Popyack, Victor Skormin, and Krzysztof Szczypiorski (Eds.). Springer International Publishing, Cham, 235–246.

[27]

Shinjo Park, Altaf Shaik, Ravishankar Borgaonkar, Andrew Martin, and Jean-Pierre Seifert. 2017. White-Stingray: Evaluating IMSI Catchers Detection Applications. In 11th USENIX Workshop on Offensive Technologies (WOOT 17). USENIX Association, Vancouver, BC. https://www.usenix.org/conference/woot17/workshop-program/presentation/park

Digital Library

[28]

Eric Priezkalns. 2023. Paris IMSI-Catcher Mistaken for Bomb Was Actually Used for Health Insurance SMS Phishing Scam.

[29]

Eric Priezkalns. 2023. Thousands Tricked Into Revealing Banking Details by Smishing IMSI-Catcher Driven around Norway. https://commsrisk.com/thousands-tricked-into-revealing-banking-details-by-smishing-imsi-catcher-driven-around-norway/

[30]

Muhammad Taqi Raza, Fatima Muhammad Anwar, and Songwu Lu. 2018. Exposing LTE Security Weaknesses at Protocol Inter-layer, and Inter-radio Interactions. In Security and Privacy in Communication Networks, Xiaodong Lin, Ali Ghorbani, Kui Ren, Sencun Zhu, and Aiqing Zhang (Eds.). Vol. 238. Springer International Publishing, Cham, 312–338. https://doi.org/10.1007/978-3-319-78813-5_16 Series Title: Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.

[31]

Muhammad Taqi Raza, Yunqi Guo, Songwu Lu, and Fatima Muhammad Anwar. 2021. On Key Reinstallation Attacks over 4G LTE Control-Plane: Feasibility and Negative Impact. In Annual Computer Security Applications Conference. ACM, Virtual Event USA, 877–886. https://doi.org/10.1145/3485832.3485833

Digital Library

[32]

David Rupprecht, Adrian Dabrowski, Thorsten Holz, Edgar Weippl, and Christina Pöpper. 2018. On Security Research Towards Future Mobile Network Generations. IEEE Communications Surveys & Tutorials 20, 3 (2018), 2518–2542. https://doi.org/10.1109/COMST.2018.2820728

[33]

David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Popper. 2019. Breaking LTE on Layer Two. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, San Francisco, CA, USA, 1121–1136. https://doi.org/10.1109/SP.2019.00006

[34]

David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper. 2020. Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 73–88. https://www.usenix.org/conference/usenixsecurity20/presentation/rupprecht

[35]

Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. 2016. Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. In Proceedings 2016 Network and Distributed System Security Symposium. Internet Society, San Diego, CA. https://doi.org/10.14722/ndss.2016.23236

[36]

Ankush Singla, Rouzbeh Behnia, Syed Rafiul Hussain, Attila Yavuz, and Elisa Bertino. 2021. Look Before You Leap: Secure Connection Bootstrapping for 5G Networks to Defend Against Fake Base-Stations. In Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security(ASIA CCS ’21). Association for Computing Machinery, New York, NY, USA, 501–515. https://doi.org/10.1145/3433210.3453082

Digital Library

[37]

Hojoon Yang, Sangwook Bae, Mincheol Son, Hongil Kim, S. Kim, and Yongdae Kim. 2019. Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 55–72. https://www.usenix.org/conference/usenixsecurity19/presentation/yang-hojoon

[38]

Kim Zetter. 2020. How Cops Can Secretly Track Your Phone. https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/

Cited By

Akhi MEising CLuxmi Dhirani L(2025)TCN-Based DDoS Detection and Mitigation in 5G Healthcare-IoT: A Frequency Monitoring and Dynamic Threshold ApproachIEEE Access10.1109/ACCESS.2025.353165913(12709-12733)Online publication date: 2025
https://doi.org/10.1109/ACCESS.2025.3531659

Index Terms

Fixing Insecure Cellular System Information Broadcasts For Good
1. Networks
  1. Network protocols
    1. Network layer protocols
      1. Signaling protocols
    2. Session protocols
2. Security and privacy
  1. Network security
    1. Mobile and wireless security
    2. Security protocols
  2. Security services
    1. Authentication

Recommendations

Insecure connection bootstrapping in cellular networks: the root of all evil
WiSec '19: Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks

In the cellular ecosystem, base stations act as trusted intermediaries between cellular devices and the core network. During connection bootstrapping, devices currently, however, do not possess any mechanisms to authenticate a base station before ...
Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Long Term Evolution (LTE) is becoming the dominant cellular networking technology, shifting the cellular network away from its circuit-switched legacy towards a packet-switched network that resembles the Internet. To support voice calls over the LTE ...
Uncovering insecure designs of cellular emergency services (911)
MobiCom '22: Proceedings of the 28th Annual International Conference on Mobile Computing And Networking

Cellular networks that offer ubiquitous connectivity have been the major medium for delivering emergency services. In the U.S., mobile users can dial an emergency call with 911 for emergency uses in cellular networks, and the call can be forwarded to ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

RAID '24: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses

September 2024

719 pages

ISBN:9798400709593

DOI:10.1145/3678890

Copyright © 2024 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 September 2024

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

National Science Foundation

Conference

RAID '24

RAID '24: The 27th International Symposium on Research in Attacks, Intrusions and Defenses

September 30 - October 2, 2024

Padua, Italy

Acceptance Rates

RAID '24 Paper Acceptance Rate 43 of 173 submissions, 25%;

Overall Acceptance Rate 43 of 173 submissions, 25%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
444
Total Downloads

Downloads (Last 12 months)444
Downloads (Last 6 weeks)106

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Akhi MEising CLuxmi Dhirani L(2025)TCN-Based DDoS Detection and Mitigation in 5G Healthcare-IoT: A Frequency Monitoring and Dynamic Threshold ApproachIEEE Access10.1109/ACCESS.2025.353165913(12709-12733)Online publication date: 2025
https://doi.org/10.1109/ACCESS.2025.3531659

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten