A Systematic Analysis Method for 5G Non-Access Stratum Signalling Security

Hu, Xinxin; Liu, Caixia; Liu, Shuxin; You, Wei; Li, Yingle; Zhao, Yu

doi:10.1109/access.2019.2937997

Cited by 22 publications

(9 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is because a baseband implements numerous cellular protocols that have convoluted states; therefore, various stateful information should be considered in the analysis. Moreover, building a reference for logical bugs from the specifications is also not trivial [34], [35], [10], [33], [8]. Therefore, we invite future research in this field by introducing BASESPEC as an entry point.…”

Section: Discussionmentioning

confidence: 99%

BaseSpec: Comparative Analysis of Baseband Software and Cellular Specifications for L3 Protocols

Kim

Park³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Cellular basebands play a crucial role in mobile communication. However, it is significantly challenging to assess their security for several reasons. Manual analysis is inevitable because of the obscurity and complexity of baseband firmware; however, such analysis requires repetitive efforts to cover diverse models or versions. Automating the analysis is also non-trivial because the firmware is significantly large and contains numerous functions associated with complex cellular protocols. Therefore, existing approaches on baseband analysis are limited to only a couple of models or versions within a single vendor. In this paper, we propose a novel approach named BASESPEC, which performs a comparative analysis of baseband software and cellular specifications. By leveraging the standardized message structures in the specification, BASESPEC inspects the message structures implemented in the baseband software systematically. It requires a manual yet one-time analysis effort to determine how the message structures are embedded in target firmware. Then, BASESPEC compares the extracted message structures with those in the specification syntactically and semantically, and finally, it reports mismatches. These mismatches indicate the developer's mistakes, which break the compliance of the baseband with the specification, or they imply potential vulnerabilities. We evaluated BASESPEC with 18 baseband firmware images of 9 models from one of the top three vendors and found hundreds of mismatches. By analyzing these mismatches, we discovered 9 erroneous cases: 5 functional errors and 4 memory-related vulnerabilities. Notably, two of these are critical remote code execution 0-days. Moreover, we applied BASESPEC to 3 models from another vendor, and BASESPEC found multiple mismatches, two of which led us to discover a buffer overflow bug.

show abstract

Section: Discussionmentioning

confidence: 99%

BaseSpec: Comparative Analysis of Baseband Software and Cellular Specifications for L3 Protocols

Kim

Park³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Chlosta et al [24] and Haque et al [33] exploited the Subscription Concealed Identifier (SUCI) identifier and Permanent Equipment Identifier (PEI), respectively. Security issues on 5G RRC and NAS messages were investigated [37,40] but actual experimentation is needed with a 5G SA setup to fully explore the security flaws. LTE Flaws and Misconfigurations.…”

Section: Related Workmentioning

confidence: 99%

You have been warned: Abusing 5G's Warning and Emergency Systems

Bitsikas,

Pöpper

2022

Preprint

View full text Add to dashboard Cite

The Public Warning System (PWS) is an essential part of cellular networks and a country's civil protection. Warnings can notify users of hazardous events (e. g., floods, earthquakes) and crucial national matters that require immediate attention. PWS attacks disseminating fake warnings or concealing precarious events can have a serious impact, causing fraud, panic, physical harm, or unrest to users within an affected area. In this work, we conduct the first comprehensive investigation of PWS security in 5G networks. We demonstrate five practical attacks that may impact the security of 5G-based Commercial Mobile Alert System (CMAS) as well as Earthquake and Tsunami Warning System (ETWS) alerts. Additional to identifying the vulnerabilities, we investigate two PWS spoofing and three PWS suppression attacks, with or without a man-in-the-middle (MitM) attacker. We discover that MitM-based attacks have more severe impact than their non-MitM counterparts. Our PWS barring attack is an effective technique to eliminate legitimate warning messages. We perform a rigorous analysis of the roaming aspect of the PWS, incl. its potentially secure version, and report the implications of our attacks on other emergency features (e. g., 911 SIP calls). We discuss possible countermeasures and note that eradicating the attacks necessitates a scrupulous reevaluation of the PWS design and a secure implementation.

show abstract

“…Further, attacks that violate the MAC layer standards causing DoS are also easy to launch in this case. Hu et al (2019) discussed the several types of DoS attacks that can occur on the 5G network devices.…”

Section: Security Issues Of Wmcc In 5gmentioning

confidence: 99%

Security of Broadcast Authentication for Cloud-Enabled Wireless Medical Sensor Devices in 5G Networks

Hayajneh¹,

Bhuiyan²,

McAndrew³

2020

CIS

View full text Add to dashboard Cite

Wireless Body Area Network (WBAN) has become one of the fastest growing technologies nowadays. There are some characteristic limitations in WBAN, especially when it comes to health-related applications that are used to monitor human bodies. To overcome and mitigate theses limitations in WBAN, cloud computing technology can be combined with the WBAN as a solution. We can classify the WBAN sensors in the cloud-based WBAN into i) nodes that monitor the human body and ii) WBAN actuators that take action upon the order commands from the medical staff. The biggest concern is the security of the medical commands to the WBAN actuators because if they are altered or tampered with, there can be serious consequences. Therefore, authentication plays an important role in securing cloud-based WBANs. In this article, we explore the security and privacy issues of Wireless Body Area Network combined with Mobile Cloud Computing (wMCC) with 5G mobile networks and investigate public-key based security solutions. At first, the paper presents a detailed description of wMCC architecture, discussing its main advantages and limitations. The main features of 5G mobile network are then presented, focusing on the advancement it may provide if integrated with wMCC systems. We further investigate the security issues of wMCC with 5G mobile networks while emphasizing the challenges that face this system in healthcare applications. The authentication techniques in wMCC are then classified and discussed with the feasibility of deploying practical solutions. Finally, we outline the main challenges and metrics of an ideal authentication protocols to be used in wMCC with 5G. The metrics are helpful for researchers in this field to evaluate, analyze, and compare the authentication protocols to decide the suitable application for each protocol.

show abstract

A Systematic Analysis Method for 5G Non-Access Stratum Signalling Security

Cited by 22 publications

References 33 publications

BaseSpec: Comparative Analysis of Baseband Software and Cellular Specifications for L3 Protocols

BaseSpec: Comparative Analysis of Baseband Software and Cellular Specifications for L3 Protocols

You have been warned: Abusing 5G's Warning and Emergency Systems

Security of Broadcast Authentication for Cloud-Enabled Wireless Medical Sensor Devices in 5G Networks

Contact Info

Product

Resources

About