Unprotected 4G/5G Control Procedures at Low Layers Considered Dangerous
- URL: http://arxiv.org/abs/2403.06717v1
- Date: Mon, 11 Mar 2024 13:42:05 GMT
- Title: Unprotected 4G/5G Control Procedures at Low Layers Considered Dangerous
- Authors: Norbert Ludant, Marinos Vomvas, Guevara Noubir,
- Abstract summary: We study the complexity of the cellular standards and the high degree of cross-layer operations.
We find that current cellular systems are susceptible to several new passive attacks due to information leakage.
We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE.
- Score: 4.235733335401408
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operations, makes reasoning about security non-trivial, and requires a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by injecting MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39 bits DCI), and disconnect users.
Related papers
- Red Pill and Blue Pill: Controllable Website Fingerprinting Defense via Dynamic Backdoor Learning [93.44927301021688]
Website fingerprint (WF) attacks covertly monitor user communications to identify the web pages they visit.
Existing WF defenses attempt to reduce the attacker's accuracy by disrupting unique traffic patterns.
We introduce Controllable Website Fingerprint Defense (CWFD), a novel defense perspective based on backdoor learning.
arXiv Detail & Related papers (2024-12-16T06:12:56Z) - IDU-Detector: A Synergistic Framework for Robust Masquerader Attack Detection [3.3821216642235608]
In the digital age, users store personal data in corporate databases, making data security central to enterprise management.
Given the extensive attack surface, assets face challenges like weak authentication, vulnerabilities, and malware.
We introduce the IDU-Detector, integrating Intrusion Detection Systems (IDS) with User and Entity Behavior Analytics (UEBA)
This integration monitors unauthorized access, bridges system gaps, ensures continuous monitoring, and enhances threat identification.
arXiv Detail & Related papers (2024-11-09T13:03:29Z) - Federated Learning for Zero-Day Attack Detection in 5G and Beyond V2X Networks [9.86830550255822]
Connected and Automated Vehicles (CAVs) on top of 5G and Beyond networks (5GB) make them vulnerable to increasing vectors of security and privacy attacks.
We propose in this paper a novel detection mechanism that leverages the ability of the deep auto-encoder method to detect attacks relying only on the benign network traffic pattern.
Using federated learning, the proposed intrusion detection system can be trained with large and diverse benign network traffic, while preserving the CAVs privacy, and minimizing the communication overhead.
arXiv Detail & Related papers (2024-07-03T12:42:31Z) - Corpus Poisoning via Approximate Greedy Gradient Descent [48.5847914481222]
We propose Approximate Greedy Gradient Descent, a new attack on dense retrieval systems based on the widely used HotFlip method for generating adversarial passages.
We show that our method achieves a high attack success rate on several datasets and using several retrievers, and can generalize to unseen queries and new domains.
arXiv Detail & Related papers (2024-06-07T17:02:35Z) - Poisoning Retrieval Corpora by Injecting Adversarial Passages [79.14287273842878]
We propose a novel attack for dense retrieval systems in which a malicious user generates a small number of adversarial passages.
When these adversarial passages are inserted into a large retrieval corpus, we show that this attack is highly effective in fooling these systems.
We also benchmark and compare a range of state-of-the-art dense retrievers, both unsupervised and supervised.
arXiv Detail & Related papers (2023-10-29T21:13:31Z) - Deep Attention Recognition for Attack Identification in 5G UAV
scenarios: Novel Architecture and End-to-End Evaluation [3.3253720226707992]
Despite the robust security features inherent in the 5G framework, attackers will still discover ways to disrupt 5G unmanned aerial vehicle (UAV) operations.
We propose Deep Attention Recognition (DAtR) as a solution to identify attacks based on a small deep network embedded in authenticated UAVs.
arXiv Detail & Related papers (2023-03-03T17:10:35Z) - Illusory Attacks: Information-Theoretic Detectability Matters in Adversarial Attacks [76.35478518372692]
We introduce epsilon-illusory, a novel form of adversarial attack on sequential decision-makers.
Compared to existing attacks, we empirically find epsilon-illusory to be significantly harder to detect with automated methods.
Our findings suggest the need for better anomaly detectors, as well as effective hardware- and system-level defenses.
arXiv Detail & Related papers (2022-07-20T19:49:09Z) - TANTRA: Timing-Based Adversarial Network Traffic Reshaping Attack [46.79557381882643]
We present TANTRA, a novel end-to-end Timing-based Adversarial Network Traffic Reshaping Attack.
Our evasion attack utilizes a long short-term memory (LSTM) deep neural network (DNN) which is trained to learn the time differences between the target network's benign packets.
TANTRA achieves an average success rate of 99.99% in network intrusion detection system evasion.
arXiv Detail & Related papers (2021-03-10T19:03:38Z) - Graph-Based Intrusion Detection System for Controller Area Networks [1.697297400355883]
The controller area network (CAN) is the most widely used intra-vehicular communication network in the automotive industry.
We propose a four-stage intrusion detection system that uses the chi-squared method and can detect any kind of strong and weak cyber attacks in a CAN.
Our experimental results show that we have a very low 5.26% misclassification for denial of service (DoS) attack, 10% misclassification for fuzzy attack, 4.76% misclassification for replay attack, and no misclassification for spoofing attack.
arXiv Detail & Related papers (2020-09-24T01:33:58Z) - Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy.
We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
arXiv Detail & Related papers (2020-06-10T16:05:05Z) - Multi-stage Jamming Attacks Detection using Deep Learning Combined with
Kernelized Support Vector Machine in 5G Cloud Radio Access Networks [17.2528983535773]
This research focuses on deploying a multi-stage machine learning-based intrusion detection (ML-IDS) in 5G C-RAN.
It can detect and classify four types of jamming attacks: constant jamming, random jamming, jamming, and reactive jamming.
The final classification accuracy of attacks is 94.51% with a 7.84% false negative rate.
arXiv Detail & Related papers (2020-04-13T17:21:45Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.