Your Phone's 5G Connection Is Vulnerable to Bypass, DoS Attacks

Mobile devices are at risk of wanton data theft and denial of service, thanks to vulnerabilities in 5G technologies.

At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you. From there, spying, phishing, and plenty more are all on the table.

It's a remarkably accessible form of attack, they say, involving commonly overlooked vulnerabilities and equipment you can buy online for a couple of hundred dollars.

Step 1: Set Up a Fake Base Station

When a device first attempts to connect with a mobile network base station, the two undergo an authentication and key agreement (AKA). The device sends a registration request, and the station replies with requests for authentication and security checks.

Though the station vets the phone, the phone does not initially vet the station. Its legitimacy is essentially accepted as a given.

"Base stations advertise their presence in a particular area by broadcasting 'sib1' messages every 20 milliseconds, or 40 milliseconds, and none of those broadcast messages have authentication, or any kind of security mechanisms," explains Penn State assistant professor Syed Rafiul Hussain. "They're just plaintext messages. So there's no way that a phone or a device can check whether it's coming from a fake tower."

Setting up a fake tower isn't as tall a task as it might seem. You just need to mimic a real one using a software-defined radio (SDR). As Kai Tu, another Penn State research assistant points out, "People can purchase them online — they're easy to get. Then you can get some open source software (OSS) to run on it, and this kind of setup can be used as a fake base station." Expensive SDRs might cost tens of thousands of dollars, but cheap ones that get the job done are available for only a few hundred.

It might seem counterintuitive that a small contraption could seduce your phone away from an established commercial tower. But a targeted attack with a nearby SDR could provide even greater 5G signal strength than a tower servicing thousands of other people at the same time. "By their nature, devices try to connect to the best possible cell towers — that is, the ones providing the highest signal strength," Hussain says.

Step 2: Exploit a Vulnerability

Like any security process, AKA can be exploited. In the 5G modem integrated in one popular brand of mobile processor, for example, the researchers found a mishandled security header that an attacker could use to bypass the AKA process entirely.

This processor in question is used in the majority of devices manufactured by two of the world's biggest smartphone companies. Dark Reading has agreed to keep its name confidential.

After having attracted a targeted device, an attacker could use this AKA bypass to return a maliciously crafted "registration accept" message and initiate a connection. At this point the attacker becomes the victim's Internet service provider, capable of seeing everything they do on the Web in unencrypted form. They can also engage the victim by, for example, sending a spear phishing SMS message, or redirecting them to malicious sites.

Though AKA bypass was the most severe, the researchers discovered other vulnerabilities that would allow them to determine a device's location, and perform denial of service (DoS).

How to Secure 5G

The Penn State researchers have reported all the vulnerabilities they discovered to their respective mobile vendors, which have all since deployed patches.

A more permanent solution, however, would have to begin with securing 5G authentication. As Hussain says, "If you want to ensure the authenticity of these broadcast messages, you need to use public key infrastructure (PKI). And deploying PKI is expensive — you need to update all of the cell towers. And there are some non-technical challenges. For example, who will be the root certificate authority of the public keys?"

It's unlikely that such an overhaul will happen any time soon, as 5G systems were knowingly built to transmit messages in plaintext for specific reasons.

"It's a matter of incentives. Messages are sent in milliseconds, so if you incorporate some kind of cryptographic mechanism, it will increase the computational overhead for the cell tower and for the user device. Computational overhead is also associated with time, so performance-wise it will be a bit slower," Hussain explains.

Perhaps the performance incentives outweigh security ones. But whether it be via a fake cell tower, Stingray device, or any other means, "They all exploit this feature — the lack of authentication of the initial broadcast messages from the cell towers."

"This is the root of all evil," Hussain adds.