Fake Base Station Detection and Link Routing Defense †
Abstract
:1. Introduction
2. Related Work
2.1. Threats on SIB and RRC
2.2. Defense against Fake Base Station
2.3. Security Research on Communication Links
3. Background and Primer
3.1. 5G Cellular Network Architecture
3.2. Radio Resource Control (RRC) for Wireless Communication Channel Control and Setup
3.3. Digital 5G-AKA and Non-Access Stratum (NAS) Setup
4. Fake Base Station Threat
4.1. Threat Model
4.2. Fake Base Station Threat against Availability
4.3. Faulty but Legitimate Base Station
5. Our Scheme
5.1. Detection Scheme for Passive Intelligence and Awareness
5.2. Our Link Routing Scheme for Active Defense
5.2.1. Link Routing Concept
- Link routing vs. networking packet routing
- Link routing vs. handover
5.2.2. Link Routing Scheme Design
Algorithm 1: Fake Base Station Detection by User Equipment |
6. The Incorporation of Our Scheme in 5G Mobile Networking
7. Implementation and Experimental Results
7.1. Implementation and Experimental Setup and Optimality for Threshold Selection
- Legitimate vs. faulty vs. fake base stations
- Our scheme variants using different observations
- Optimality for threshold selection.
7.2. Testing without Our Scheme: No Availability against Fake Base Station
7.3. Faulty (but Legitimate) Base Station Experiment: Varying the Signal Power
7.4. Faulty Experiment Informs Threshold Control
7.5. Detection Accuracy Performance against Fake Base Station
7.6. Link Routing Performance Analysis
7.7. Threat Impact Analyses
8. Future Directions Discussion
8.1. More Advanced Threats
8.2. Advancing Detection
8.3. Advancing Blacklisting and Active Control
8.4. Generalizability across Different Channels and Scenarios
8.5. Impacts on Multimedia, Teleinformatics, and IoT Communications
9. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- Arise, H. Mobile or Cellular Hacking. 2023. Available online: https://www.hackers-arise.com/mobile-or-cellular-hacking (accessed on 20 February 2024).
- Toscher, A.M.; Margaritelli, S. Awesome-Cellular-Hacking Public. 2023. Available online: https://github.com/W00t3k/Awesome-Cellular-Hacking (accessed on 20 February 2024).
- 5G-NR; User Equipment (UE) Procedures in Idle Mode and in RRC Inactive State, 3GPP. TS 38.304 Version 17.0.0; 2022. Available online: https://www.etsi.org/deliver/etsi_ts/138300_138399/138304/17.00.00_60/ts_138304v170000p.pdf (accessed on 28 August 2024).
- Lee, G.; Lee, J.; Lee, J.; Im, Y.; Hollingsworth, M.; Wustrow, E.; Grunwald, D.; Ha, S. This is your president speaking: Spoofing alerts in 4G LTE networks. In Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services, Seoul, Republic of Korea, 17–21 June 2019; pp. 404–416. [Google Scholar]
- Yang, H.; Bae, S.; Son, M.; Kim, H.; Kim, S.M.; Kim, Y. Hiding in plain signal: Physical signal overshadowing attack on {LTE}. In Proceedings of the 28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA, USA, 14–16 August 2019; pp. 55–72. [Google Scholar]
- Bitsikas, E.; Pöpper, C. You have been warned: Abusing 5G’s warning and emergency systems. In Proceedings of the 38th Annual Computer Security Applications Conference, Austin, TX, USA, 5–9 December 2022; pp. 561–575. [Google Scholar]
- Bitsikas, E.; Pöpper, C. Don’t hand it over: Vulnerabilities in the handover procedure of cellular telecommunications. In Proceedings of the Annual Computer Security Applications Conference, Virtual, USA, 6–10 December 2021; pp. 900–915. [Google Scholar]
- Karakoc, B.; Fürste, N.; Rupprecht, D.; Kohls, K. Never let me down again: Bidding-down attacks and mitigations in 5G and 4G. In Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Guildford, UK, 29 May–1 June 2023; Association for Computing Machinery: New York, NY, USA, 2023; pp. 97–108. [Google Scholar]
- Shaik, A.; Borgaonkar, R.; Park, S.; Seifert, J.P. New vulnerabilities in 4G and 5G cellular access network protocols: Exposing device capabilities. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, Miami, FL, USA, 15–17 May 2019; pp. 221–231. [Google Scholar]
- Li, Z.; Wang, W.; Wilson, C.; Chen, J.; Qian, C.; Jung, T.; Zhang, L.; Liu, K.; Li, X.; Liu, Y. FBS-radar: Uncovering fake base stations at scale in the wild. In Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 26 February–1 March 2017. [Google Scholar]
- Wen, H.; Porras, P.; Yegneswaran, V.; Lin, Z. Thwarting smartphone SMS attacks at the radio interface layer. In Proceedings of the 30th Annual Network and Distributed System Security Symposium, NDSS, San Diego, CA, USA, 27 February–3 March 2023. [Google Scholar]
- Hussain, S.R.; Echeverria, M.; Karim, I.; Chowdhury, O.; Bertino, E. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK, 11–15 November 2019; pp. 669–684. [Google Scholar]
- Shaik, A.; Borgaonkar, R.; Park, S.; Seifert, J.P. On the impact of rogue base stations in 4g/lte self organizing networks. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks, Stockholm, Sweden, 18–20 June 2018; pp. 75–86. [Google Scholar]
- Shaik, A.; Seifert, J.; Borgaonkar, R.; Asokan, N.; Niemi, V. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In Proceedings of the 23rd Annual Network and Distributed System Security Symposium (NDSS 2016), San Diego, CA, USA, 21–24 February 2016; The Internet Society: Reston, VA, USA, 2016. [Google Scholar]
- Zhuang, Z.; Ji, X.; Zhang, T.; Zhang, J.; Xu, W.; Li, Z.; Liu, Y. Fbsleuth: Fake base station forensics via radio frequency fingerprinting. In Proceedings of the 2018 on Asia Conference on Computer and Communications Security, Incheon, Republic of Korea, 4 June 2018; pp. 261–272. [Google Scholar]
- Mubasshir, K.S.; Karim, I.; Bertino, E. FBSDetector: Fake Base Station and Multi Step Attack Detection in Cellular Networks using Machine Learning. arXiv 2024, arXiv:2401.04958. [Google Scholar]
- Zhang, Y.; Liu, B.; Lu, C.; Li, Z.; Duan, H.; Hao, S.; Liu, M.; Liu, Y.; Wang, D.; Li, Q. Lies in the air: Characterizing fake-base-station spam ecosystem in China. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual, USA, 9–13 November 2020; pp. 521–534. [Google Scholar]
- 5G NR; Radio Resource Control (RRC), 3GPP. TS 33.331 Version 17.2.0; Protocol Specification; 2022. Available online: https://www.etsi.org/deliver/etsi_ts/138300_138399/138331/17.02.00_60/ts_138331v170200p.pdf (accessed on 28 August 2024).
- Hussain, S.R.; Echeverria, M.; Singla, A.; Chowdhury, O.; Bertino, E. Insecure connection bootstrapping in cellular networks: The root of all evil. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, Miami, FL, USA, 15–17 May 2019; pp. 1–11. [Google Scholar]
- Singla, A.; Behnia, R.; Hussain, S.R.; Yavuz, A.; Bertino, E. Look before you leap: Secure connection bootstrapping for 5g networks to defend against fake base-stations. In Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, Virtual, Hong Kong, 7–11 June 2021; pp. 501–515. [Google Scholar]
- Lotto, A.; Singh, V.; Ramasubramanian, B.; Brighente, A.; Conti, M.; Poovendran, R. Baron: Base-station authentication through core network for mobility management in 5g networks. In Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Guildford, UK, 29 May–1 June 2023; pp. 133–144. [Google Scholar]
- Gao, H.; Zhang, Y.; Wan, T.; Zhang, J.; Duan, H. On evaluating delegated digital signing of broadcasting messages in 5G. In Proceedings of the 2021 IEEE global communications conference (GLOBECOM), Madrid, Spain, 7–11 December 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 1–7. [Google Scholar]
- Study on 5G Security Enhancements Against False Base Stations, 3GPP. TR 33.809 Version 0.8.0; 2021. Available online: https://www.3gpp.org/ftp//Specs/archive/33_series/33.809/33809-080.zip (accessed on 28 August 2024).
- Chang, S.Y.; Sarker, A.; Wuthier, S.; Kim, J.; Kim, J.; Zhou, X. Base station gateway to secure user channel access at the first hop edge. Comput. Netw. 2024, 240, 110165. [Google Scholar] [CrossRef]
- Cao, Z.; Zhou, X.; Xu, M.; Chen, Z.; Hu, J.; Tang, L. Enhancing base station security against DoS attacks in wireless sensor networks. In Proceedings of the 2006 International Conference on Wireless Communications, Networking and Mobile Computing, Wuhan, China, 22–24 September 2006; pp. 1–4. [Google Scholar] [CrossRef]
- Kang, M.S.; Lee, S.B.; Gligor, V.D. The crossfire attack. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 19–22 May 2013; pp. 127–141. [Google Scholar] [CrossRef]
- Kang, M.S.; Gligor, V.D. Routing bottlenecks in the internet: Causes, exploits, and countermeasures. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014; pp. 321–333. [Google Scholar]
- Chang, S.Y.; Park, Y.; Ashok Babu, B.B. Fast IP Hopping Randomization to Secure Hop-by-Hop Access in SDN. IEEE Trans. Netw. Serv. Manag. 2019, 16, 308–320. [Google Scholar] [CrossRef]
- Javadpour, A.; Ja’fari, F.; Taleb, T.; Shojafar, M.; Yang, B. SCEMA: An SDN-Oriented Cost-Effective Edge-Based MTD Approach. IEEE Trans. Inf. Forensics Secur. 2023, 18, 667–682. [Google Scholar] [CrossRef]
- Nie, S.; Li, S.; Xue, L.; Zhang, L. Security analysis of 5G handover in commercial networks utilizing a formal method. In Proceedings of the 2023 11th International Conference on Information Systems and Computing Technology (ISCTech), Qingdao, China, 30 July–1 August 2023; IEEE: Piscataway, NJ, USA, 2023; pp. 439–446. [Google Scholar]
- Sivaraman, N.; Tehrani, S.N. 5G handover: When forward security breaks. In Proceedings of the SECRYPT 2023, 20th International Conference on Security and Cryptography, Rome, Italy, 10–12 July 2023; Volume 1, pp. 503–510. [Google Scholar]
- Amirbekov, Y.; Bozkaya, E. Secure Handover Management Against False Base Station Attacks. Bitlis Eren Üniv. Fen Bilim. Derg. 2023, 12, 704–711. [Google Scholar] [CrossRef]
- Kim, J.; Duguma, D.G.; Astillo, P.V.; Park, H.Y.; Kim, B.; You, I.; Sharma, V. A formally verified security scheme for inter-gNB-DU handover in 5G vehicle-to-everything. IEEE Access 2021, 9, 119100–119117. [Google Scholar] [CrossRef]
- Scholtz, R. The Spread Spectrum Concept. IEEE Trans. Commun. 1977, 25, 748–755. [Google Scholar] [CrossRef]
- Popper, C.; Strasser, M.; Capkun, S. Anti-jamming broadcast communication using uncoordinated spread spectrum techniques. IEEE J. Sel. Areas Commun. 2010, 28, 703–715. [Google Scholar] [CrossRef]
- Chang, S.Y.; Hu, Y.C.; Laurenti, N. SimpleMAC: A jamming-resilient MAC-layer protocol for wireless channel coordination. In Proceedings of the 18th Annual International Conference on Mobile Computing and Networking (Mobicom ’12), Istanbul, Turkey, 22–26 August 2012; Association for Computing Machinery: New York, NY, USA, 2012; pp. 77–88. [Google Scholar] [CrossRef]
- Lakshminarayana, S.; Karachiwala, J.S.; Chang, S.Y.; Revadigar, G.; Kumar, S.L.S.; Yau, D.K.; Hu, Y.C. Signal Jamming Attacks Against Communication-Based Train Control: Attack Impact and Countermeasure. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec ’18), Stockholm, Sweden, 18–20 June 2018; Association for Computing Machinery: New York, NY, USA, 2018; pp. 160–171. [Google Scholar] [CrossRef]
- Software Radio Systems. srsRAN Project. 2022. Available online: https://github.com/srsran/srsRAN_Project (accessed on 28 August 2024).
- Lee, S. Open5GS. 2022. Available online: https://github.com/open5gs (accessed on 28 August 2024).
- Purification, S.; Wuthier, S.; Kim, J.; Kim, J.; Chang, S.Y. Fake Base Station Detection and Blacklisting. In Proceedings of the 33rd International Conference on Computer Communications and Networks (ICCCN), Honolulu, HI, USA, 29–31 July 2024. [Google Scholar] [CrossRef]
- Purification, S.; Park, K.; Kim, J.; Kim, J.; Chang, S.Y. Wireless Link Routing to Secure Against Fake Base Station in 5G. In Proceedings of the 2024 Silicon Valley Cybersecurity Conference (SVCC), Seoul, Republic of Korea, 17–19 June 2024. [Google Scholar] [CrossRef]
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Purification, S.; Kim, J.; Kim, J.; Chang, S.-Y. Fake Base Station Detection and Link Routing Defense. Electronics 2024, 13, 3474. https://doi.org/10.3390/electronics13173474
Purification S, Kim J, Kim J, Chang S-Y. Fake Base Station Detection and Link Routing Defense. Electronics. 2024; 13(17):3474. https://doi.org/10.3390/electronics13173474
Chicago/Turabian StylePurification, Sourav, Jinoh Kim, Jonghyun Kim, and Sang-Yoon Chang. 2024. "Fake Base Station Detection and Link Routing Defense" Electronics 13, no. 17: 3474. https://doi.org/10.3390/electronics13173474
APA StylePurification, S., Kim, J., Kim, J., & Chang, S.-Y. (2024). Fake Base Station Detection and Link Routing Defense. Electronics, 13(17), 3474. https://doi.org/10.3390/electronics13173474