research-article
Open access

UE Security Reloaded: Developing a 5G Standalone User-Side Security Testing Framework

Published: 28 June 2023

Abstract

    Security flaws and vulnerabilities in cellular networks lead to severe security threats given the data-plane services that are involved, from calls to messaging and Internet access. While the 5G Standalone (SA) system is currently being deployed worldwide, practical security testing of User Equipment (UE) has only been conducted and reported publicly for 4G/LTE and earlier network generations. In this paper, we develop and present the first open-source-based security testing framework for 5G SA User Equipment. To that end, we modify the functionality of open-source suites (Open5GS and srsRAN) and develop a broad set of test cases for the 5G NAS and RRC layers. We apply our testing framework in a proof-of-concept manner to 5G SA mobile phones and provide detailed insights from our experiments. While the framework is still in development, the results of our experiments presented in this paper can assist other researchers in the field and have the potential to improve 5G SA security.


    Cited By

    • (2024) 5GMap: User-Driven Audit of Access Security Configurations in Cellular Networks. 2024 19th Wireless On-Demand Network Systems and Services Conference (WONS), pp. 97-104. DOI: 10.23919/WONS60642.2024.10449586. Online publication date: 29-Jan-2024


      Published In

      WiSec '23: Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks
      May 2023
      394 pages
      ISBN:9781450398596
      DOI:10.1145/3558482

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. 5g
      2. open5gs
      3. security testing
      4. srsran
      5. user equipment

      Qualifiers

      • Research-article

      Funding Sources

      • Google
      • Abu Dhabi Award for Research Excellence

      Conference

      WiSec '23

      Acceptance Rates

      Overall Acceptance Rate 98 of 338 submissions, 29%
