4G/5G Low-Layer Control Procedures Vulnerabilities Exposed

4G/5G low-layer control procedures are vulnerable to passive and active attacks, leading to user tracking, communication disruption, and privacy breaches.

Introduction Security vulnerabilities in 3GPP cellular systems have been demonstrated in literature. Focus on lower layers like PHY and MAC, not encrypted or integrity protected. Increase in low-layer control messages in 5G raises security concerns. Control Procedures Vulnerabilities Passive attacks enable user localization and tracking through beamforming information leakage. Active attacks reduce user throughput, disrupt communications, and drain battery. Attacks evaluated against COTS UEs in various scenarios. Background Description of 4G/5G radio protocols and vulnerabilities identified in the analysis. Low-Layer Attacks Adversary model assumptions and vulnerabilities in L1 and L2 procedures. Attacks on PRACH, PDCCH, PUCCH, and more. Technical Challenges and Considerations Overcoming challenges in spoofing control information and obtaining user identifiers. Experimental Evaluation Setup details and ethical considerations for passive and active attacks. Results of passive user localization and tracking attacks. Fingerprinting of beam locations and evaluation of SSB-RA localization attack.

결과는 사용자를 20미터 이내로 96%의 정확도로 지역화할 수 있음. 사용자의 이동 경로를 90%의 성공률로 추적할 수 있음. 적극적인 공격으로 사용자의 처리량을 95% 이상 감소시킬 수 있음.

"Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time." "Passive attacks enable user localization and tracking through beamforming information leakage."