Uncovering Security Vulnerabilities in Real-world Implementation and Deployment of 5G Messaging Services
Authors: 
Yaru Yang, Yiming Zhang, Tao Wan, Chuhan Wang, Haixin Duan, Jianjun Chen, Yishen LiAuthors Info & Claims
Yaru Yang, Yiming Zhang, Tao Wan, Chuhan Wang, Haixin Duan, Jianjun Chen, Yishen LiAuthors Info & ClaimsPages 265 - 276
Abstract
5G messaging services, based on Global System for Mobile Communications Association (GSMA) Rich Communication Service (RCS) and 3rd Generation Partnership Project (3GPP) IP Multimedia Subsystem (IMS), have been deployed globally by more than 90 mobile operators serving over 421 million monthly active users via 1.2 billion devices. Despite the widespread use, security research of 5G messaging remains sparse. In this paper, we present a comprehensive security analysis and measurement of 5G messaging services, assisted by a semi-automated testing tool we developed. We considered both carrier-side deployment and phone-side software implementations by testing against three large operators, each with hundreds of millions of subscribers, and six popular 5G messaging-enabled devices. We uncovered 4 categories of vulnerabilities, allowing for a wide range of attacks, including Man-In-The-Middle (MITM) attacks, zero-click remote information leakage, phone storage exhaustion and mobile data consumption, and Denial-of-Services (DoS) attacks. Our study underscores the need for further security enhancements in security specifications, implementation, and deployment of 5G messaging services.
References
[1]
3GPP. 2021. Network architecture. Technical Standard (TS) 23.002. 3rd Generation Partnership Project (3GPP). Version 17.0.0.
[2]
3GPP. 2022a. IP Multimedia Subsystem (IMS). Technical Standard (TS) 23.228. 3rd Generation Partnership Project (3GPP). Version 17.3.0.
[3]
3GPP. 2022b. TS 33.203. 3G security; Access security for IP-based services. https://www.3gpp.org/ftp/Specs/archive/33_series/33.203/33203-h10.zip
[4]
3GPP. 2024. S3--240894. LS on GSMA CVD-2023-0075 -- Certificate validation on IMS access interface. https://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_115_Athens/docs/S3--240894.zip
[5]
Francc ois Audet. 2009. The Use of the SIPS URI Scheme in the Session Initiation Protocol (SIP). RFC, Vol. 5630 (2009), 1--56. https://doi.org/10.17487/RFC5630
[6]
Michael Bailey, David Dittrich, Erin Kenneally, and Douglas Maughan. 2012. The Menlo Report. IEEE Secur. Priv., Vol. 10, 2 (2012), 71--75. https://doi.org/10.1109/MSP.2012.52
[7]
David A. Basin, Jannik Dreier, Lucca Hirschi, Sasa Radomirovic, Ralf Sasse, and Vincent Stettler. 2018. A Formal Analysis of 5G Authentication. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15--19, 2018, David Lie, Mohammad Mannan, Michael Backes, and XiaoFeng Wang (Eds.). ACM, 1383--1396. https://doi.org/10.1145/3243734.3243846
[8]
Ravishankar Borgaonkar, Lucca Hirschi, Shinjo Park, and Altaf Shaik. 2019. New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols. Proc. Priv. Enhancing Technol., Vol. 2019, 3 (2019), 108--127. https://doi.org/10.2478/popets-2019-0039
[9]
Hui Gao, Yiming Zhang, Tao Wan, Jia Zhang, and Haixin Duan. 2021. On Evaluating Delegated Digital Signing of Broadcasting Messages in 5G. In IEEE Global Communications Conference, GLOBECOM 2021, Madrid, Spain, December 7--11, 2021. IEEE, 1--7. https://doi.org/10.1109/GLOBECOM46510.2021.9685173
[10]
GSMA. [n.,d.] a. Global forecast for RCS growth. https://www.gsma.com/futurenetworks/rcs/global-launches/. Accessed on May 7, 2023.
[11]
GSMA. [n.,d.] b. GSMA RCS - Future Networks. https://www.gsma.com/futurenetworks/rcs/. Accessed on May 7, 2023.
[12]
GSMA. 2019. RCS Universal Profile Service Definition Document Version 2.4. https://www.gsma.com/futurenetworks/wp-content/uploads/2019/10/RCC.71-v2.4.pdf
[13]
GSMA. 2020. Chinese operators make major RCS commitment: Whitepaper. https://www.gsma.com/futurenetworks/latest-news/china-operators-make-major-rcs-commitment-whitepaper/. Accessed on May 7, 2023.
[14]
GSMA. 2022a. Rich Communication Suite Endorsement of OMA CPM 2.2 Conversation Functions. https://www.gsma.com/newsroom/wp-content/uploads//RCC.11-v11.0--2.pdf
[15]
GSMA. 2022b. Rich Communication Suite -- Advanced Communications Services and Client Specification v13.0. https://www.gsma.com/newsroom/wp-content/uploads//RCC.07-v13.0--1.pdf
[16]
Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. 2019a. Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24--27, 2019. The Internet Society. https://www.ndss-symposium.org/ndss-paper/privacy-attacks-to-the-4g-and-5g-cellular-paging-protocols-using-side-channel-information/
[17]
Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 2019b. 5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, London, UK, November 11--15, 2019, Lorenzo Cavallaro, Johannes Kinder, XiaoFeng Wang, and Jonathan Katz (Eds.). ACM, 669--684. https://doi.org/10.1145/3319535.3354263
[18]
Pijus Jauniskis. [n.,d.]. VPN statistics: Users, markets, and legality. https://surfshark.com/blog/vpn-users. Accessed on Mar 7, 2022.
[19]
Cullen Fluffy Jennings, Ben Campbell, and Rohan Mahy. 2007. The Message Session Relay Protocol (MSRP). RFC 4975. https://doi.org/10.17487/RFC4975
[20]
Nan Jiang, Yu Jin, Ann Skudlark, and Zhi-Li Zhang. 2013. Greystar: Fast and Accurate Detection of SMS Spam Numbers in Large Cellular Networks Using Gray Phone Space. In Proceedings of the 22th USENIX Security Symposium, Washington, DC, USA, August 14--16, 2013, Samuel T. King (Ed.). USENIX Association, 1--16. https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/jiang
[21]
Zhenhua Li, Weiwei Wang, Christo Wilson, Jian Chen, Chen Qian, Taeho Jung, Lan Zhang, Kebin Liu, Xiangyang Li, and Yunhao Liu. 2017. FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild. In 24th Annual Network and Distributed System Security Symposium, NDSS 2017, San Diego, California, USA, February 26 - March 1, 2017. The Internet Society. https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/fbs-radar-uncovering-fake-base-stations-scale-wild/
[22]
Aniss Maghsoudlou, Lukas Vermeulen, Ingmar Poese, and Oliver Gasser. 2023. Characterizing the VPN Ecosystem in the Wild. In Passive and Active Measurement - 24th International Conference, PAM 2023, Virtual Event, March 21--23, 2023, Proceedings (Lecture Notes in Computer Science, Vol. 13882), Anna Brunströ m, Marcel Flores, and Marco Fiore (Eds.). Springer, 18--45. https://doi.org/10.1007/978--3-031--28486--1_2
[23]
Rhys Miller, Ioana Boureanu, Stephan Wesemeyer, and Christopher J. P. Newton. 2022. The 5G Key-Establishment Stack: In-Depth Formal Verification and Experimentation. In ASIA CCS '22: ACM Asia Conference on Computer and Communications Security, Nagasaki, Japan, 30 May 2022 - 3 June 2022, Yuji Suga, Kouichi Sakurai, Xuhua Ding, and Kazue Sako (Eds.). ACM, 237--251. https://doi.org/10.1145/3488932.3517421
[24]
Collin Mulliner, Nico Golde, and Jean-Pierre Seifert. 2011. SMS of Death: From Analyzing to Attacking Mobile Phones on a Large Scale. In 20th USENIX Security Symposium, San Francisco, CA, USA, August 8--12, 2011, Proceedings. USENIX Association. http://static.usenix.org/events/sec11/tech/full_papers/Mulliner.pdf
[25]
Ilona Murynets and Roger Piqueras Jover. 2012. Crime scene investigation: SMS spam data analysis. In Proceedings of the 12th ACM SIGCOMM Internet Measurement Conference, IMC '12, Boston, MA, USA, November 14--16, 2012, John W. Byers, Jim Kurose, Ratul Mahajan, and Alex C. Snoeren (Eds.). ACM, 441--452. https://doi.org/10.1145/2398776.2398822
[26]
Akshay Narayan and Prateek Saxena. 2013. The curse of 140 characters: evaluating the efficacy of SMS spam detection on android. In SPSM'13, Proceedings of the 2013 ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, Co-located with CCS 2013, November 8, 2013, Berlin, Germany, William Enck, Adrienne Porter Felt, and N. Asokan (Eds.). ACM, 33--42. https://doi.org/10.1145/2516760.2516772
[27]
Arvind Narayanan, Xumiao Zhang, Ruiyang Zhu, Ahmad Hassan, Shuowei Jin, Xiao Zhu, Xiaoxuan Zhang, Denis Rybkin, Zhengxuan Yang, Zhuoqing Morley Mao, Feng Qian, and Zhi-Li Zhang. 2021. A variegated look at 5G in the wild: performance, power, and QoE implications. In ACM SIGCOMM 2021 Conference, Virtual Event, USA, August 23--27, 2021, Fernando A. Kuipers and Matthew C. Caesar (Eds.). ACM, 610--625. https://doi.org/10.1145/3452296.3472923
[28]
Shiyue Nie, Yiming Zhang, Tao Wan, Haixin Duan, and Song Li. 2022. Measuring the Deployment of 5G Security Enhancement. In WiSec '22: 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks, San Antonio, TX, USA, May 16 - 19, 2022, Murtuza Jadliwala, Yongdae Kim, and Alexandra Dmitrienko (Eds.). ACM, 169--174. https://doi.org/10.1145/3507657.3528559
[29]
Jon Postel. 1980. User Datagram Protocol. RFC, Vol. 768 (1980), 1--3. https://doi.org/10.17487/RFC0768
[30]
Jon Postel. 1981. Transmission Control Protocol. RFC, Vol. 793 (1981), 1--91. https://doi.org/10.17487/RFC0793
[31]
Bradley Reaves, Logan Blue, Dave Tian, Patrick Traynor, and Kevin R. B. Butler. 2016a. Detecting SMS Spam in the Age of Legitimate Bulk Messaging. In Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks, WISEC 2016, Darmstadt, Germany, July 18--22, 2016, Matthias Hollick, Panos Papadimitratos, and William Enck (Eds.). ACM, 165--170. https://doi.org/10.1145/2939918.2939937
[32]
Bradley Reaves, Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, and Kevin R. B. Butler. 2016b. Sending Out an SMS: Characterizing the Security of the SMS Ecosystem with Public Gateways. In IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22--26, 2016. IEEE Computer Society, 339--356. https://doi.org/10.1109/SP.2016.28
[33]
David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pö pper. 2019. Breaking LTE on Layer Two. In 2019 IEEE Symposium on Security and Privacy, SP 2019, San Francisco, CA, USA, May 19--23, 2019. IEEE, 1121--1136. https://doi.org/10.1109/SP.2019.00006
[34]
Eve Schooler, Jonathan Rosenberg, Henning Schulzrinne, Alan Johnston, Gonzalo Camarillo, Jon Peterson, Robert Sparks, and Mark J. Handley. 2002. SIP: Session Initiation Protocol. RFC 3261. https://doi.org/10.17487/RFC3261
[35]
Sebastian Schrittwieser, Peter Frü hwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. 2012. Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications. In 19th Annual Network and Distributed System Security Symposium, NDSS 2012, San Diego, California, USA, February 5--8, 2012. The Internet Society. https://www.ndss-symposium.org/ndss2012/guess-whos-texting-you-evaluating-security-smartphone-messaging-applications
[36]
Altaf Shaik, Ravishankar Borgaonkar, Shinjo Park, and Jean-Pierre Seifert. 2019. New vulnerabilities in 4G and 5G cellular access network protocols: exposing device capabilities. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2019, Miami, Florida, USA, May 15--17, 2019. ACM, 221--231. https://doi.org/10.1145/3317549.3319728
[37]
Rifaat Shekh-Yusef. 2020. The Session Initiation Protocol (SIP) Digest Access Authentication Scheme. RFC, Vol. 8760 (2020), 1--9. https://doi.org/10.17487/RFC8760
[38]
Rifaat Shekh-Yusef, David Ahrens, and Sophie Bremer. 2015. HTTP Digest Access Authentication. RFC, Vol. 7616 (2015), 1--32. https://doi.org/10.17487/RFC7616
[39]
Ankush Singla, Rouzbeh Behnia, Syed Rafiul Hussain, Attila A. Yavuz, and Elisa Bertino. 2021. Look Before You Leap: Secure Connection Bootstrapping for 5G Networks to Defend Against Fake Base-Stations. In ASIA CCS '21: ACM Asia Conference on Computer and Communications Security, Virtual Event, Hong Kong, June 7--11, 2021, Jiannong Cao, Man Ho Au, Zhiqiang Lin, and Moti Yung (Eds.). ACM, 501--515. https://doi.org/10.1145/3433210.3453082
[40]
Christian Spanring and Alexander Mayrhofer. 2010. A Uniform Resource Identifier for Geographic Locations ('geo' URI). RFC 5870. https://doi.org/10.17487/RFC5870
[41]
Randall R. Stewart, Qiaobing Xie, Ken Morneault, Chip Sharp, Hanns Juergen Schwarzbauer, Tom Taylor, Ian Rytina, Malleswar Kalla, Lixia Zhang, and Vern Paxson. 2000. Stream Control Transmission Protocol. RFC, Vol. 2960 (2000), 1--134. https://doi.org/10.17487/RFC2960
[42]
Guan-Hua Tu, Chi-Yu Li, Chunyi Peng, Yuanjie Li, and Songwu Lu. 2016. New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24--28, 2016, Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi (Eds.). ACM, 1118--1130. https://doi.org/10.1145/2976749.2978393
[43]
Dongzhu Xu, Anfu Zhou, Xinyu Zhang, Guixian Wang, Xi Liu, Congkai An, Yiming Shi, Liang Liu, and Huadong Ma. 2020. Understanding Operational 5G: A First Measurement Study on Its Coverage, Performance and Energy Consumption. In SIGCOMM '20: Proceedings of the 2020 Annual conference of the ACM Special Interest Group on Data Communication on the applications, technologies, architectures, and protocols for computer communication, Virtual Event, USA, August 10--14, 2020, Henning Schulzrinne and Vishal Misra (Eds.). ACM, 479--494. https://doi.org/10.1145/3387514.3405882
[44]
Jingjing Zhang, Lin Yang, Weipeng Cao, and Qiang Wang. 2020b. Formal Analysis of 5G EAP-TLS Authentication Protocol Using Proverif. IEEE Access, Vol. 8 (2020), 23674--23688. https://doi.org/10.1109/ACCESS.2020.2969474
[45]
Yiming Zhang, Baojun Liu, Chaoyi Lu, Zhou Li, Haixin Duan, Shuang Hao, Mingxuan Liu, Ying Liu, Dong Wang, and Qiang Li. 2020a. Lies in the Air: Characterizing Fake-base-station Spam Ecosystem in China. In CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 9--13, 2020, Jay Ligatti, Xinming Ou, Jonathan Katz, and Giovanni Vigna (Eds.). ACM, 521--534. https://doi.org/10.1145/3372297.3417257
[46]
Jinghao Zhao, Qianru Li, Zengwen Yuan, Zhehui Zhang, and Songwu Lu. 2022. 5G Messaging: System Insecurity and Defenses. In 10th IEEE Conference on Communications and Network Security, CNS 2022, Austin, TX, USA, October 3--5, 2022. IEEE, 37--45. https://doi.org/10.1109/CNS56114.2022.9947238
Index Terms
- Uncovering Security Vulnerabilities in Real-world Implementation and Deployment of 5G Messaging Services
Recommendations
Vulnerabilities of UMTS Access Domain Security Architecture
SNPD '08: Proceedings of the 2008 Ninth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed ComputingThis paper presents vulnerabilities of UMTS access domain security architecture. The security architecture of UMTS offers some protection against known threats including false base station attacks, man-in-the-middle attacks and replay attacks. The ...
Security Testing Methodology for Vulnerabilities Detection of XSS in Web Services and WS-Security
Due to its distributed and open nature, Web Services give rise to new security challenges. This technology is susceptible to Cross-site Scripting (XSS) attack, which takes advantage of existing vulnerabilities. The proposed approach makes use of two ...
Security vulnerabilities and mitigation techniques of web applications
SIN '13: Proceedings of the 6th International Conference on Security of Information and NetworksWeb applications contain vulnerabilities, which may lead to serious security breaches such as stealing of confidential information. To protect against security breaches, it is necessary to understand the detailed steps of attacks and the pros and cons ...
Comments
Information & Contributors
Information
Published In
May 2024
312 pages
ISBN:9798400705823
DOI:10.1145/3643833
- General Chairs:
- Yongdae Kim,
- Jong Kim,
- Program Chairs:
- Farinaz Koushanfar,
- Kasper Rasmussen
Copyright © 2024 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 27 May 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
WiSec '24: 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks
May 27 - 29, 2024
Seoul, Republic of Korea
Acceptance Rates
Overall Acceptance Rate 98 of 338 submissions, 29%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 256Total Downloads
- Downloads (Last 12 months)256
- Downloads (Last 6 weeks)109
Reflects downloads up to 01 Sep 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in