DOI: 10.1145/3448300.3467817

SigUnder: a stealthy 5G low power attack and defenses

Published: 28 June 2021

Abstract

The 3GPP 5G cellular system is hailed as a major step towards a more ubiquitous and pervasive communications infrastructure (including for V2X, Smart Grid, and Healthcare). We disclose and evaluate SigUnder, an attack that enables an adversary to overshadow the Signal Synchronization Block (SSB) with an injected signal at 3.4 dB below the legitimate signal (prior work required 3 dB above). The attack exploits the polar coding mechanism of 5G and the physical layer OFDM structure. It can be used to make previous DoS and overshadowing attacks lower-power and stealthy, but it also enables new attacks unique to 5G, such as setting the cellBarred field in the 5G MIB (and blocking access to a cell). We develop techniques (e.g., phase prediction) to make the attack feasible in a practical setup, and evaluate its performance both in simulations and in over-the-air experiments. We also introduce SICUnder, an extension of Successive Interference Cancellation (SIC) that addresses the unique challenges SigUnder poses, and demonstrate its effectiveness relative to standard SIC.

Published In

WiSec '21: Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks
June 2021
412 pages
ISBN: 9781450383493
DOI: 10.1145/3448300

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. 5G
  2. denial of service
  3. synchronization signals
  4. wireless communications
  5. wireless security

Qualifiers

  • Research-article

Acceptance Rates

WiSec '21 Paper Acceptance Rate 34 of 121 submissions, 28%;
Overall Acceptance Rate 98 of 338 submissions, 29%

Article Metrics

  • Downloads (Last 12 months): 503
  • Downloads (Last 6 weeks): 68

Reflects downloads up to 16 Oct 2024

Cited By

  • (2024) Survey on 5G Physical Layer Security Threats and Countermeasures. Sensors 24:17 (5523). DOI: 10.3390/s24175523. Online publication date: 26-Aug-2024
  • (2024) Leveraging Overshadowing for Time-Delay Attacks in 4G/5G Cellular Networks: An Empirical Assessment. Proceedings of the 19th International Conference on Availability, Reliability and Security (1-10). DOI: 10.1145/3664476.3670891. Online publication date: 30-Jul-2024
  • (2024) Det-RAN: Data-Driven Cross-Layer Real-Time Attack Detection in 5G Open RANs. IEEE INFOCOM 2024 - IEEE Conference on Computer Communications (41-50). DOI: 10.1109/INFOCOM52122.2024.10621223. Online publication date: 20-May-2024
  • (2024) Safeguarding the V2X Pathways: Exploring the Cybersecurity Landscape Through Systematic Review. IEEE Access 12 (72871-72895). DOI: 10.1109/ACCESS.2024.3402946. Online publication date: 2024
  • (2023) Embracing Channel Estimation in Multi-Packet Reception of ZigBee. IEEE Transactions on Mobile Computing 22:5 (2693-2708). DOI: 10.1109/TMC.2021.3131472. Online publication date: 1-May-2023
  • (2023) From 5G Sniffing to Harvesting Leakages of Privacy-Preserving Messengers. 2023 IEEE Symposium on Security and Privacy (SP) (3146-3161). DOI: 10.1109/SP46215.2023.10179353. Online publication date: May-2023
  • (2023) Challenges and Opportunities for Beyond-5G Wireless Security. IEEE Security and Privacy 21:5 (55-66). DOI: 10.1109/MSEC.2023.3251888. Online publication date: 1-Sep-2023
  • (2023) Implementation and Evaluation of a Smart Uplink Jamming Attack in a Public 5G Network. IEEE Access 11 (75993-76007). DOI: 10.1109/ACCESS.2023.3296701. Online publication date: 2023
  • (2023) A study on 5G performance and fast conditional handover for public transit systems. Computer Communications 209:C (499-512). DOI: 10.1016/j.comcom.2023.07.020. Online publication date: 1-Sep-2023
  • (2022) A fine-grained telemetry stream for security services in 5G open radio access networks. Proceedings of the 1st International Workshop on Emerging Topics in Wireless (18-23). DOI: 10.1145/3565474.3569070. Online publication date: 9-Dec-2022
