
Northeastern University · Electrical and Energy Engineering
Active 1993–2026
Guevara Noubir is an affiliated faculty member in the Electrical and Computer Engineering department at Northeastern University College of Engineering. His research focuses on wireless systems, specifically on the theory, design, and prototyping of scalable, robust, and secure heterogeneous wireless communication systems. His work centers around the design of cross-layer cooperative communication mechanisms and resiliency to adversarial attacks. Noubir has contributed to securing wireless communication environments and has been involved in significant research projects, including a $4.8 million NSF renewal CyberCorps® Scholarship for Service grant aimed at securing the future of wireless systems. His research also includes efforts to protect privacy in wireless wearable medical devices and participation in innovative community-scale wireless experimental platforms.
POLARIS: PHY-Aware Spectrum Steering for Dynamic Spectrum Sharing
ArXiv.org · 2026-04-01
Dynamic Spectrum Sharing (DSS) enables flexible activation of additional spectrum resources but leaves open a key runtime question: once new spectrum becomes available, which steering mechanism should migrate connected devices toward it with minimum service disruption? We present the first PHY-aware characterization of 3GPP-compliant UE steering mechanisms, including Bandwidth Part (BWP) reconfiguration, Carrier Aggregation (CA), E-UTRA-NR Dual Connectivity (EN-DC), Connected-Mode Handover (HO), and Release and Redirection (R&R), using modem-level traces from devices connected to operational networks, collected across 1,600 executions over four months in 12 urban areas. By mapping each mechanism to observable PHY-layer milestones, we decompose steering latency into intrinsic PHY-centric execution and RRC-to-PHY completion components, revealing substantial heterogeneity: NR BWP achieves 6.25 ms mean latency with zero tail exceedance above 50 ms, while CA exceeds 1225 ms; mobility procedures remain largely modem-bound, whereas discovery-driven mechanisms experience significant RRC-to-PHY completion amplification. Guided by these measurements, we design POLARIS, an O-RAN-based system that selects the least disruptive steering mechanism via a two-parameter disruption score. POLARIS reduces mean latency by up to 85.1% and T95 by 89.7% over static or non-adaptive baselines, eliminates tail exceedance above 50 ms, and avoids high-disruption mechanisms, demonstrating that PHY-layer execution profiling enables reliable and context-aware spectrum steering in DSS-enabled networks.
NeTS: Small: A Game-Theoretic Framework for Agile and Resilient Wireless Systems
NSF · $400k · 2009–2012
CRI: IAD Equipment for Cross-Layer Wireless Protocols Design and Prototyping
NSF · $118k · 2007–2009
TWC: Medium: Collaborative: Strengthening Wi-Fi Network Wide
NSF · $700k · 2014–2018
Renewal: SFS @ Northeastern - a multi-disciplinary approach
NSF · $4.6M · 2017–2025
Multi-Disciplinary Preparation of Next Generation Information Assurance Practitioners - Renewal
NSF · $5.0M · 2012–2018
Erik-Oliver Blaß
Airbus (Germany)
Triet D. Vo-Huu
Northeastern University
Amirali Sanatinia
Koorosh Firouzbakht
Northeastern University
Hooman Javaheri
Northeastern University
Guevara Noubir · PI
Fact-Checking 5G Security: Bridging the Gap Between Expectations and Reality
IEEE Open Journal of the Communications Society · 2025-01-01 · 2 citations
5G cellular systems are currently being deployed worldwide delivering the promised unprecedented levels of throughput and latency to hundreds of millions of users. At such scale and reach, security is crucial. Consequently, the 5G standard includes a new series of features to improve the security of its predecessors (i.e., 3G and 4G). In this work, we evaluate the security of currently deployed 5G commercial networks in Europe and North America. Specifically, by collecting 5G signaling traffic in the wild in several cities in Spain, Germany, France, Canada, and the USA, we i) fact-check which 5G security enhancements are implemented in current deployments, ii) provide a rich overview of the implementation status of each 5G security feature in a selection of 5G commercial networks in Europe and North America and compare it with previous results in China, iii) analyze the implications of optional features not being deployed, and iv) discuss on the still remaining 4G-inherited vulnerabilities. Our findings indicate that the rollout of 5G security features in the analyzed commercial networks is still a work in progress. On the one hand, several networks continue to rely on 4G for their core network operations, which hinders the deployment of new security features (e.g., SUCI) and, on the other hand, fully-fledged 5G deployments lack mandatory security measures such as GUTI reallocation after paging. Moreover, we find that some operators fail to provide proper temporary identifier randomization, in both 4G and 5G networks. Some of the obtained results are aligned with results previously reported from China [1] and keep the European and North American studied networks vulnerable to some 4G attacks, during their migration period from 4G to 5G.
Conversely, studied networks deployed in North America exhibit stronger adherence to 5G security standards, with near-complete compliance observed, in contrast to deployments in China and Europe, where comparatively lower compliance levels have been observed.
Low-Layer Attacks Against 4G/5G Networks
2025-06-27
Deep Learning for Robust and Secure Wireless Communications
Advances in information security · 2024-01-01
Unprotected 4G/5G Control Procedures at Low Layers Considered Dangerous
arXiv (Cornell University) · 2024-03-11 · 3 citations
Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operations, makes reasoning about security non-trivial, and requires a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by injecting MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39 bits DCI), and disconnect users.
Establishing Trust in the Beyond-5G Core Network using Trusted Execution Environments
arXiv (Cornell University) · 2024-05-20 · 1 citations
The fifth generation (5G) of cellular networks starts a paradigm shift from the traditional monolithic system design to a Service Based Architecture, that fits modern performance requirements and scales efficiently to new services. This paradigm will be the foundation of future cellular core networks beyond 5G. The new architecture splits network functionalities into smaller logical entities that can be disaggregated logically, physically, and geographically. This affords interoperability between the mobile network operators and commercial software and hardware vendors or cloud providers. By making use of commodity services and products, this system construct inherits the vulnerabilities in those underlying technologies, thereby increasing its attack surface and requiring a rigorous security analysis. In this work, we review the security implications introduced in B5G networks, and the security mechanisms that are supported by the 5G standard. We emphasize on the support of Zero Trust Architecture in 5G and its relevance in decentralized deployments. We revisit the definition of trust in modern enterprise network operations and identify important Zero Trust properties that are weakened by the nature of cloud deployments. To that end, we propose a vertical extension of Zero Trust, namely, Zero Trust Execution, to model untrusted execution environments, and we provide an analysis on how to establish trust in Beyond-5G network architectures using Trusted Execution Environments. Our analysis shows how our model architecture handles the increased attack surface and reinforces the Zero Trust Architecture principles in the 5G Core, without any changes to the 5G standard. Finally, we provide experimental results over a 5G testbed using Open5GS and UERANSIM that demonstrate minimal performance overhead, and a monetary cost evaluation.
JaX: Detecting and Cancelling High-power Jammers Using Convolutional Neural Network
2023-05-29 · 6 citations
In this paper, we present JaX, a novel approach for detecting and cancelling high-power jammers in the scenarios when the traditional spread spectrum techniques and other jammer avoidance approaches are not sufficient. JaX does not require explicit probes, sounding, training sequences, channel estimation, or the cooperation of the transmitter. We identify and address multiple challenges, resulting in a convolutional neural network for a multi-antenna system to infer the existence of interference, the number of interfering emissions and their respective phases. This information is continuously fed into an algorithm that cancels the interfering signal. We develop a two-antenna prototype system and evaluate our approach in various environment settings and modulation schemes using SDR platforms. We demonstrate that the receiving node equipped with our approach can detect a jammer with over 99% of accuracy and achieve a Bit Error Rate as low as 10^6 even when the jammer power is nearly two orders of magnitude (19 dB) higher than the legitimate signal, and without modifying the link modulation. JaX is resilient against various jammers with different characteristics of jamming signals, jamming power, and timing pattern.
Forward Security with Crash Recovery for Secure Logs
ACM Transactions on Privacy and Security · 2023-11-03 · 2 citations
Logging is a key mechanism in the security of computer systems. Beyond supporting important forward security properties, it is critical that logging withstands both failures and intentional tampering to prevent subtle attacks leaving the system in an inconsistent state with inconclusive evidence. We propose new techniques combining forward security with crash recovery for secure log data storage. As the support of specifically forward integrity and the online nature of logging prevent the use of conventional coding, we propose and analyze a coding scheme resolving these unique design constraints. Specifically, our coding enables forward integrity, online encoding, and most importantly a constant number of operations per encoding. It adds a new log item by XORing it to k cells of a table. If up to a certain threshold of cells is modified by the adversary, or lost due to a crash, we still guarantee recovery of all stored log items. The main advantage of the coding scheme is its efficiency and compatibility with forward integrity. The key contribution of the paper is the use of spectral graph theory techniques to prove that k is constant in the number n of all log items ever stored and small in practice, e.g., k = 5. Moreover, we prove that to cope with up to \(\sqrt{n}\) modified or lost log items, storage expansion is constant in n and small in practice. For k = 5, the size of the table is only 12% more than the simple concatenation of all n items. We propose and evaluate original techniques to scale the computation cost of recovery to several GBytes of security logs. We instantiate our scheme into an abstract data structure which allows to either detect adversarial modifications to log items or treat modifications like data loss in a system crash. The data structure can recover lost log items, thereby effectively reverting adversarial modifications.
From 5G Sniffing to Harvesting Leakages of Privacy-Preserving Messengers
2023-05-01 · 38 citations
We present the first open-source tool capable of efficiently sniffing 5G control channels, 5GSniffer, and demonstrate its potential to conduct attacks on users' privacy. 5GSniffer builds on our analysis of the 5G RAN control channel exposing side-channel leakage. We note that decoding the 5G control channels is significantly more challenging than in LTE, since part of the information necessary for decoding is provided to the UEs over encrypted channels. We devise a set of techniques to achieve real-time control channels sniffing (over three orders of magnitude faster than brute-forcing). This enables, among other things, to retrieve the Radio Network Temporary Identifiers (RNTIs) of all users in a cell, and perform traffic analysis. To illustrate the potential of our sniffer, we analyse two privacy-focused messengers, Signal and Telegram. We identify privacy leaks that can be exploited to generate stealthy traffic to a target user. When combined with 5GSniffer, it enables stealthy exposure of the presence of a target user in a given location (solely based on their phone number), by linking the phone number to the RNTI. It also enables traffic analysis of the target user. We evaluate the attacks and our sniffer, demonstrating nearly 100% accuracy within 30 seconds of attack initiation.
Sashank Narain
University of Massachusetts Lowell
Bishal Thapa