Core Concept
The authors reveal vulnerabilities in lower layers of 4G/5G networks, highlighting the risks of unprotected control procedures and potential attacks.
Summary
The study uncovers security flaws in lower layers of cellular networks, emphasizing passive and active attacks that exploit information leakage and control message injection. Attacks include user localization, tracking, throughput reduction, and network disruption. The research evaluates real-world scenarios and operator configurations to validate the impact of these vulnerabilities.
Over the years, security vulnerabilities in cellular systems have been demonstrated in the literature. While higher layers are protected, lower layers such as PHY and MAC are vulnerable. The complexity of cellular standards makes security analysis challenging. The study identifies new passive and active attacks due to information leakage in beamforming procedures. These attacks can disrupt user communications by tricking connected UEs or disconnecting active users stealthily.
The paper evaluates practicality by measuring current operators' configurations across three countries. Results show attackers can localize users with high accuracy, track their movements, reduce throughput significantly, and disrupt communication effectively within seconds. Spoofing MAC CEs can drain users' battery life and impact network performance. The study highlights the need for enhanced security measures in lower protocol layers to mitigate these risks.
Statistics
Our results show that an attacker can localize users with an accuracy below 20 meters 96% of the time.
Track the movement of active users with a success rate of 90% by listening to channel state reports.
Spoofing MAC CEs can drain users’ battery life and halve their throughput.
An attacker can disrupt communication by spoofing resource scheduling or control commands to UEs.
Spoofed uplink transmissions lead to UL collisions between users.
Spoofed downlink ACKs cause HARQ failures disrupting communication.
Quotes
"Passive attacks enable localization and tracking of user movements through beamforming configuration."
"Active attacks involve injecting signaling commands at unprotected layers to manipulate UE behavior."
"Attacks on Carrier Aggregation lead to drastic throughput reduction at physical and application layers."