Core Concepts
Lower layers of 4G/5G networks are vulnerable to passive and active attacks due to the lack of encryption and integrity protection.
Abstract
Introduction:
Security vulnerabilities in 3GPP cellular systems have been demonstrated in the literature.
Focus on lower layers of the cellular radio stack, such as PHY and MAC, which lack encryption.
Control Procedures Vulnerabilities:
Increased number of low-layer control messages in 5G raises security concerns.
Attacks identified include passive user localization and active attacks disrupting user communications.
Background:
Description of the physical layer and the cellular 4G/5G protocol stack.
Low-Layer Attacks:
Adversary model, vulnerabilities, and attacks on PRACH, PDCCH, PUCCH, and more.
Technical Challenges:
Overcoming challenges in spoofing control information and obtaining radio user identifiers.
Experimental Evaluation:
Evaluation setup, ethical considerations, and results of passive user localization and active injection attacks.
Stats
5G BS operates in the 28 GHz band.
48 beams used to cover an area within an angle of approximately 120 degrees.
The TA (timing advance) value reported by the BS is used for user localization.
Quotes
"An attacker can disable semi-persistent SRS transmissions by sending a deactivation MAC CE to a UE."
"Passive attacker can track users' movement using CSI reports in beamforming scenarios."