<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Attacks &amp; Feasibility – 4G/5G Security</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="stylesheet" href="style.css" />
<style>
.hero {
padding-bottom: 0rem !important;
}
</style>
</head>
<body>
<header>
<div class="nav-inner">
<div class="logo">4G / 5G Security</div>
<nav>
<ul>
<li><a href="index.html">Introduction</a></li>
<li><a href="mechanisms.html">Security Mechanisms</a></li>
<li><a href="attacks.html" class="active">Attacks &amp; Feasibility</a></li>
<li><a href="opinions.html">Opinion & Conclusion</a></li>
<li><a href="references.html">References</a></li>
</ul>
</nav>
</div>
</header>
<main>
<section class="hero">
<h1>3. Known Attacks and Feasibility Analysis</h1>
<p>
This page describes major attacks on 4G/LTE and 5G networks and analyzes their feasibility based on
protocol-level weaknesses, implementation gaps, and attacker resource requirements. The explanations
draw from real experimental results and academic research, while also considering security improvements
in modern deployments such as 5G Standalone (SA), gradual 2G/3G sunset in some regions, and updated
device firmware.
</p>
<div style="text-align:center; margin: 20px 0;">
<img src="images/attack/5G Security Threat Landscape.png" alt="5G Security Threat Landscape"
style="max-width: 70%; border-radius: 10px;">
<p style="font-size: 0.8rem; color:#9ca3af; margin-top: 5px;">
Figure: 5G Security Threat Landscape
</p>
</div>
<div style="text-align:center; margin: 20px 0;">
<img src="images/attack/Attacks in 5G wireless networks.png" alt="Attacks in 5G Wireless Networks"
style="max-width: 70%; border-radius: 10px;">
<p style="font-size: 0.8rem; color:#9ca3af; margin-top: 5px;">
Figure: Common Wireless Attacks in 5G (Eavesdropping, Jamming, DDoS, MITM)
</p>
</div>
<h4>3.1 Downgrade and Fake Base-Station Attacks</h4>
<h6>What it is</h6>
<p>
Downgrade attacks and fake base-station impersonation exploit the fact that LTE and 5G Non-Standalone (NSA)
connection procedures inherit LTE’s security model for initial access. Attackers can broadcast a rogue cell to
entice nearby devices into connecting to an attacker-controlled LTE/NR cell or falling back to weaker legacy
technologies (especially 2G, and in some cases 3G), where encryption and integrity protection are significantly
weaker or absent. In these LTE/NSA settings, certain initial RRC and NAS messages may be processed before full
authentication and key establishment, so devices can temporarily accept parameters from an attacker-controlled
base station. In contrast, 5G SA improves initial identity protection using SUCI, making direct large-scale IMSI
exposure significantly harder.
</p>
<h6>Key concepts</h6>
<ul>
<li><strong>Rogue base station:</strong> A fake eNodeB/gNodeB that imitates a real cell to influence, intercept, or manipulate signaling in LTE or 5G NSA.</li>
<li><strong>Downgrade forcing:</strong> Techniques that cause a device to fall back to 3G/2G networks with weaker security, if legacy RATs are still enabled and allowed by the operator configuration.</li>
</ul>
<h6>How the attack works</h6>
<ul>
<li>The attacker broadcasts a strong cell signal, often advertising restricted capabilities (for example, “LTE not supported” or only weakly protected RATs).</li>
<li>The UE may camp on the rogue cell, release its secure LTE/5G session, and attempt to reconnect using the advertised capabilities.</li>
<li>In legacy networks, especially on 2G and misconfigured 3G deployments, the attacker can obtain identifiers such as IMSI or observe/manipulate traffic due to weaker or missing protection in the legacy radio stack.</li>
</ul>
<h6>Feasibility under current security</h6>
<p>
These attacks remain feasible primarily in LTE and 5G NSA environments where fallback to older RATs is still allowed and
2G/3G remain deployed. Even with modern devices, many operators keep legacy technologies enabled for coverage, making
downgrade a realistic threat in those regions. However, 5G SA with SUCI significantly reduces the risk of permanent identity
exposure over the air, and in networks that have fully retired 2G/3G the downgrade surface is much smaller. For implementation,
passive monitoring can be done with very low-cost SDR receivers, but running a fully functional rogue base station that transmits,
remains synchronized, and correctly handles signaling typically requires higher-end SDR hardware and RF components. This pushes
the cost beyond simple “under €100” setups, though it is still relatively low for a moderately resourced attacker.
</p>
<h4>3.2 Signaling Abuse and Denial-of-Service (DoS)</h4>
<h6>What it is</h6>
<p>
Signaling manipulation targets critical mobility and session management procedures such as Attach, Tracking
Area Update (TAU), and RRC connection establishment. In LTE and 5G NSA, specific NAS rejection messages
are defined to be processed before integrity protection is established, in order to avoid signaling loops. This
design decision creates an attack surface where adversaries can push devices into denial-of-service states or
force fallback to less secure networks. 5G SA retains similar concepts but benefits from tightened specifications
and more mature implementations in newer devices and core networks.
</p>
<h6>Key concepts</h6>
<ul>
<li><strong>Downgrade Attack (D1):</strong> Forged “LTE services not allowed” messages that can force UEs to prefer or fall back to 2G/3G where such RATs are still available.</li>
<li><strong>Persistent DoS (D2):</strong> Forged “LTE and non-LTE services not allowed” messages that can lock some devices out of all service until reboot or the expiry of internal recovery timers.</li>
<li><strong>Control-plane flooding:</strong> Overloading the MME/AMF or RAN by generating excessive attach, TAU, or RRC requests.</li>
</ul>
<div style="text-align:center; margin: 20px 0;">
<img src="images/attack/DoS attack.png" alt="LTE DoS Attacks via TAU Reject"
style="max-width: 70%; border-radius: 10px;">
<p style="font-size: 0.8rem; color:#9ca3af; margin-top: 5px;">
Figure: DoS Attacks Using TAU Reject (D1: Denying LTE Services, D2: Denying All Mobile Services)
</p>
</div>
<h6>How the attack works</h6>
<ul>
<li>A rogue base station sends unauthenticated TAU Reject or Attach Reject messages that conform to the standard format but carry malicious cause values.</li>
<li>The UE, following the LTE specification and its implementation-specific logic, may accept these messages and enter a restricted-service or no-service mode for a defined period.</li>
<li>Flooding attacks target network nodes directly, consuming signaling and processing resources and degrading service availability for legitimate subscribers.</li>
</ul>
<h6>Feasibility under current security</h6>
<p>
These attacks require only moderate technical skill and SDR-based infrastructure. Because the standards originally
allowed certain reject messages to be processed without integrity protection, there is a structural attack surface
that cannot be removed purely by configuration. However, modern UE firmware and network equipment increasingly
implement mitigations (for example, ignoring abnormally frequent rejects, applying more conservative timers, or
cross-checking causes), which can reduce the success rate compared to early LTE deployments. As a result, the
attacks are still relevant, especially on older or poorly updated devices and networks, but real-world effectiveness
is more variable than in controlled lab demonstrations.
</p>
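<p>
The UE-side mitigations mentioned above (ignoring abnormally frequent rejects, conservative timers, cross-checking cause values) can be expressed as a small policy. The following is an added illustration, not code from this page or from any real baseband; the EMM cause numbers come from 3GPP TS 24.301, while the thresholds, timer values and action names are assumptions.
</p>

```python
"""Model of a UE-side mitigation for unauthenticated TAU/Attach Reject messages.
Added illustration, not code from the page or any real baseband. EMM cause
numbers follow 3GPP TS 24.301 (#7 EPS services not allowed, #8 EPS services and
non-EPS services not allowed); all thresholds and timers are assumptions."""
from collections import deque

# Cause values a UE may act on before integrity protection (TS 24.301).
CAUSE_EPS_NOT_ALLOWED = 7           # D1 on this page: pushes the UE toward 2G/3G
CAUSE_ALL_SERVICES_NOT_ALLOWED = 8  # D2 on this page: persistent no-service


class RejectPolicy:
    """Decide whether an unprotected reject may change UE state."""

    def __init__(self, max_rejects=3, window_s=60.0):
        self.max_rejects = max_rejects  # assumed per-cell threshold
        self.window_s = window_s        # assumed sliding window in seconds
        self.history = {}               # cell_id -> deque of timestamps

    def handle(self, cell_id, cause, integrity_protected, now):
        """Return the action for one reject message."""
        if integrity_protected:
            # Genuine network decision after security activation: obey it.
            return "apply"
        if cause not in (CAUSE_EPS_NOT_ALLOWED, CAUSE_ALL_SERVICES_NOT_ALLOWED):
            # Other unprotected causes: retry later rather than act permanently.
            return "retry_after_backoff"
        q = self.history.setdefault(cell_id, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.max_rejects:
            # Abnormally frequent unprotected rejects from one cell: treat the
            # cell as suspect and reselect instead of entering no-service state.
            return "bar_cell_and_reselect"
        # A permanent-sounding cause without integrity protection must not lock
        # the UE out of all service: apply a conservative retry timer instead.
        return "retry_after_backoff"
```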
<h4>3.3 Privacy Attacks via Paging and Identifier Correlation</h4>
<h6>What it is</h6>
<p>
Paging is used to notify devices of incoming services. Although permanent subscriber identities are protected,
temporary identifiers such as S-TMSI or 5G-GUTI can still leak information through reuse or correlation. By observing
paging patterns, attackers can determine whether a user is present in a given cell or even track movement across
areas at a coarse granularity. These attacks typically assume a worst-case scenario where identifier refresh is
infrequent and paging behavior is relatively stable.
</p>
<h6>Key concepts</h6>
<ul>
<li><strong>Identifier reuse:</strong> Temporary identifiers that are not refreshed frequently enough enable longer-term tracking across paging areas.</li>
<li><strong>Paging correlation:</strong> Linking paging bursts with attacker-triggered events (for example, messaging, calls, or application notifications).</li>
<li><strong>Presence detection:</strong> Determining if the target is currently within the monitored paging area.</li>
</ul>
<h6>How the attack works</h6>
<ul>
<li>The attacker passively monitors paging channels using inexpensive SDR receivers, without transmitting any radio signals.</li>
<li>They induce activity for the target (for example, sending messages, calling, or triggering app notifications) to cause predictable paging events.</li>
<li>Repeated observations allow the attacker to estimate the user’s presence and coarse movement patterns between cells or tracking areas.</li>
</ul>
<h6>Feasibility under current security</h6>
<p>
Paging-based tracking is feasible and difficult to detect because it relies only on passive reception. While 5G protects permanent
identifiers using SUCI, paging operations themselves remain unavoidable and broadcast by design. In practice, some operators have
strengthened defenses by shortening TMSI/GUTI refresh intervals, adding randomness, and varying paging behavior, which makes
long-term correlation attacks harder than in early LTE research setups. In other networks, refresh and paging policies are still more
static, leaving greater exposure. Therefore, the risks described reflect a conservative worst-case; actual feasibility depends strongly
on each operator’s configuration, refresh policies, and device behavior.
</p>
<h4>3.4 Attacks on the 5G Service-Based Architecture (SBA)</h4>
<h6>What it is</h6>
<p>
The 5G Core adopts a service-based architecture, replacing many traditional signaling interfaces with HTTP/2-based,
JSON-encoded APIs on Service-Based Interfaces (SBI) between network functions. This design improves flexibility and
programmability but expands the attack surface, particularly if authentication, TLS configuration, or access control
policies are misconfigured. Security components such as SEPP (Security Edge Protection Proxy) are introduced to protect
inter-operator traffic and roaming interfaces, but internal misconfigurations or weak segmentation can still lead to exposure.
</p>
<h6>Key concepts</h6>
<ul>
<li><strong>SBA exposure:</strong> Misconfigured or overly permissive APIs may allow unauthorized or overly privileged NF calls within the core network.</li>
<li><strong>Network slicing risks:</strong> Shared physical resources and insufficient isolation can allow faults or compromises in one slice to affect another, if slice isolation is poorly designed or misconfigured.</li>
<li><strong>IoT-driven signaling storms:</strong> Massive IoT deployments can overload AMF/SMF and RAN resources with simultaneous registration or session establishment attempts.</li>
</ul>
<h6>How the attack works</h6>
<ul>
<li>An attacker first gains some form of internal access (for example, via a compromised host, misconfigured firewall, exposed management API, or supply-chain compromise).</li>
<li>They enumerate network functions and attempt calls to NF services, abusing any gaps in authentication, authorization, or API-level validation.</li>
<li>Poor TLS configuration or missing/incorrect SEPP enforcement for inter-domain traffic can leak subscriber data or enable manipulation of core signaling across operator boundaries.</li>
</ul>
<h6>Feasibility under current security</h6>
<p>
SBA vulnerabilities largely depend on operator configuration, vendor implementations, and internal security hygiene. In principle,
carrier core networks are operated as closed, strongly segmented environments with SEPP, firewalls, and mutual TLS, which creates
a higher barrier to entry compared to typical internet-facing web systems. Nevertheless, as 5G cores increasingly adopt cloud-native
and virtualized infrastructures, configuration complexity, automation pipelines, and new management interfaces introduce additional
risk. SBA exploitation should therefore be viewed as a high-impact but higher-precondition threat that typically requires some form
of internal, management-plane, or supply-chain compromise before protocol-level vulnerabilities can be abused.
</p>
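<p>
The authorization gaps described in this section (overly permissive NF calls, missing audience or scope checks) are what a producer NF's token validation is meant to close. The following is an added example, not code from this page or from any 5G core product: NF-to-NF authorization in 3GPP TS 33.501 uses OAuth 2.0 access tokens issued by the NRF, and the claims checked here (iss, sub, aud, scope, exp) follow TS 29.510. The HMAC key, NF identifiers and token contents are constructed sample values, and the HS256 signing is a simplification of an NRF-signed token.
</p>

```python
"""Authorization check for an SBI request at a producer NF (added example, not
code from the page or from any 5G core product). NF-to-NF authorization in
3GPP TS 33.501 uses OAuth 2.0 access tokens issued by the NRF; the claims used
here (iss, sub, aud, scope, exp) follow TS 29.510. The HMAC key and NF ids are
constructed sample values; real NRFs sign with asymmetric keys over mutual TLS."""
import base64, hashlib, hmac, json, time

NRF_KEY = b"constructed-sample-key"   # assumption: demo key shared with the NRF


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, key: bytes = NRF_KEY) -> str:
    """Mint an HS256 JWT the way the demo NRF would (constructed helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def authorize_sbi_request(token, producer_nf_type, service, now=None, key=NRF_KEY):
    """Return (allowed, reason). Each check closes one 'overly permissive API'
    gap: unsigned or foreign tokens, expiry, wrong audience, missing scope."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"        # refuse alg confusion / 'none'
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"         # not issued by our NRF
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("aud") != producer_nf_type:
        return False, "audience mismatch"     # minted for a different NF type
    if service not in claims.get("scope", "").split():
        return False, "scope does not cover service"
    return True, f"consumer {claims.get('sub')} allowed on {service}"
```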
<h4>3.5 Feasibility and Complexity Summary</h4>
<table class="attack-table">
<thead>
<tr>
<th>Attack</th>
<th>Target</th>
<th>Skills</th>
<th>Cost</th>
<th>Practicality</th>
</tr>
</thead>
<tbody>
<tr>
<td>Fake base station & downgrade</td>
<td>4G / 5G NSA UE (legacy enabled)</td>
<td>Moderate RF & protocol knowledge</td>
<td>$$–$$$ (active SDR + RF chain)</td>
<td><span class="pill-med">Medium–High (where 2G/3G still exist)</span></td>
</tr>
<tr>
<td>Signaling DoS (TAU/Attach)</td>
<td>Mobility management</td>
<td>Moderate</td>
<td>$$</td>
<td><span class="pill-high">High (legacy / unpatched)</span></td>
</tr>
<tr>
<td>Paging-based location tracking</td>
<td>Paging channels</td>
<td>Low–Moderate</td>
<td>$–$$ (passive SDR)</td>
<td><span class="pill-med">Medium (operator- & policy-dependent)</span></td>
</tr>
<tr>
<td>SBA interface exploitation</td>
<td>5G Core APIs (internal)</td>
<td>High</td>
<td>$$$ (internal foothold)</td>
<td><span class="pill-med">Medium–High (if misconfigured)</span></td>
</tr>
<tr>
<td>IoT signaling storms</td>
<td>RRC / NAS</td>
<td>Low (botnet control)</td>
<td>$ (compromised IoT)</td>
<td><span class="pill-high">Rising</span></td>
</tr>
</tbody>
</table>
</section>
</main>
<footer>
<p class="muted">
© 2025 JongYeon Bae — Security in 4G / 5G Mobile Networks.
</p>
</footer>
</body>
</html>