In a recent paper, researchers disclosed security vulnerabilities in handover, a mechanism that supports modern cellular networks. Adversaries could exploit these vulnerabilities to launch denial-of-service (DoS) and man-in-the-middle attacks using low-cost equipment.
A new study by researchers at New York University Abu Dhabi reports that “vulnerabilities in the handover procedure are not limited to one case, but apply to all cases and scenarios that rely on unverified measurement reports and signal strength thresholds.” The problem affects every generation since 2G (GSM) and remains unresolved.
A handover, also known as a handoff, occurs in telecommunications when a phone call or a data session is transferred from one cell site (aka base station) to another without losing connectivity. Cellular communications require this method, especially when the user is on the move.
Typically, the user equipment (UE) sends signal strength measurements to the network, which uses them to decide whether a handover is needed and, if so, switches the device to a more suitable base station once one is found. While these measurement reports are encrypted, their content is not verified, so an attacker can force the device to switch to a cell site under the attacker's control. The attack relies on the fact that the source base station cannot detect incorrect measurement values, which allows a malicious handover to go unnoticed. In short, the new fake base station attacks undermine the handover procedure itself, because it depends on the aforementioned encrypted but unverified measurement reports and signal power thresholds; this lets an adversary establish a MitM relay and intercept, drop, modify, and forward message traffic between the device and the network.
According to the researchers, “If an attacker manipulates the content of the measurement report by including his/her measurements, then the network will process the bogus measurements.” An attacker can accomplish this by imitating a legitimate base station and replaying its broadcast messages.
Using a fake base station to “attract” the device
- As part of the attack, the threat actor uses a smartphone to collect data about nearby legitimate cell sites and uses this information to configure a rogue base station that impersonates a genuine cell site.
- The next step is to force the victim’s phone to connect to the rogue station by broadcasting MIB and SIB messages (the information a phone needs in order to connect to the network) with a stronger signal than the base station being emulated.
- The purpose of tricking UEs into connecting to the imposter station and forcing them to report bogus measurements to the network is to trigger a handover event and exploit security flaws in the process to perform DoS attacks, MitM attacks, and information disclosure affecting both the user and the operator, compromising user privacy and service availability.
- “When the UE is in the coverage area of the attacker, the rogue base station has enough signal strength to ‘attract’ the UE and trigger a [measurement report], the attacker has high chances of forcing the victim UE to attach to his/her rogue base station,” explained the researchers.
- “Once the UE is attached to the attacker, it may either become camped because of a denial-of-service (DoS) attack or the attacker may establish a man-in-the-middle (MitM) relay that enables other advanced exploits.”
In the handover process, six security vulnerabilities (from A to F in the image above) were identified.
- MIBs and SIBs are insecure broadcast messages
- Measurement reports are not verified
- Cross-validation is missing in the preparation phase
- A random-access channel (RACH) is initiated without verification
- There is no recovery mechanism
- It is difficult to distinguish network failures from attacks
The researchers found that all of the test devices, including the OnePlus 6, Apple iPhone 5, Samsung S10 5G, and Huawei P40 Pro 5G, were susceptible to DoS and MitM attacks in an experimental setup. Researchers presented their findings at the Annual Computer Security Applications Conference (ACSAC) earlier this month.
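To make the mechanism described above concrete, here is a simplified model of the source base station's handover decision, written as an added example for this article; it is not code from the researchers' paper or from any network vendor. The naive decision trusts the UE's measurement report and hands over to whichever neighbour beats the serving cell by a hysteresis margin, which is exactly the behaviour the unverified-report and missing-cross-validation findings describe. The hardened variant adds the kind of sanity checks a network could apply: the reported neighbour must appear in the operator's neighbour relation table for the serving cell, and a reported signal strength that is far above anything ever observed from that neighbour is rejected and logged for investigation rather than acted on. All cell identities, frequencies, thresholds and signal values are constructed for the example, and the checks are an illustration of the idea rather than a standardised procedure.

```python
"""Added example: naive vs. cross-validated handover target selection.

Cell identities (PCI), carrier indices (EARFCN), RSRP values and the
thresholds are all constructed for illustration; they are not operator
settings and the checks are not a 3GPP-specified procedure.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CellKey = Tuple[int, int]  # (physical cell id, carrier frequency index)

HYSTERESIS_DB = 3.0             # constructed: neighbour must beat serving by this margin
MAX_PLAUSIBLE_RSRP_DBM = -60.0  # constructed: stronger than this is never seen from a real macro cell
JUMP_TOLERANCE_DB = 10.0        # constructed: allowed excess over the neighbour's historical maximum


@dataclass(frozen=True)
class KnownCell:
    pci: int
    earfcn: int
    typical_max_rsrp: float  # strongest RSRP previously observed from this neighbour (constructed)


@dataclass
class MeasurementReport:
    serving_pci: int
    serving_rsrp: float
    neighbours: Dict[CellKey, float]  # reported neighbour -> RSRP in dBm


# Constructed neighbour relation table: which cells serving cell 101 may hand over to.
NEIGHBOUR_TABLE: Dict[int, Dict[CellKey, KnownCell]] = {
    101: {
        (202, 1850): KnownCell(202, 1850, typical_max_rsrp=-75.0),
        (303, 1850): KnownCell(303, 1850, typical_max_rsrp=-80.0),
    }
}


def _strongest_candidate(report: MeasurementReport, candidates: Dict[CellKey, float]) -> Optional[CellKey]:
    """A3-style rule: pick the strongest neighbour that beats serving + hysteresis."""
    best: Optional[Tuple[CellKey, float]] = None
    for key, rsrp in candidates.items():
        if rsrp > report.serving_rsrp + HYSTERESIS_DB and (best is None or rsrp > best[1]):
            best = (key, rsrp)
    return best[0] if best else None


def naive_handover_target(report: MeasurementReport) -> Optional[CellKey]:
    """The vulnerable behaviour: every reported neighbour is trusted as-is."""
    return _strongest_candidate(report, report.neighbours)


def validated_handover_target(
    report: MeasurementReport,
    table: Dict[int, Dict[CellKey, KnownCell]] = NEIGHBOUR_TABLE,
) -> Tuple[Optional[CellKey], List[str]]:
    """Cross-validate each reported neighbour before it can become a target.

    Returns (target or None, alerts).  Alerts are what an operator would feed
    into monitoring to tell a suspicious report apart from an ordinary failure.
    """
    alerts: List[str] = []
    known = table.get(report.serving_pci, {})
    accepted: Dict[CellKey, float] = {}
    for key, rsrp in report.neighbours.items():
        cell = known.get(key)
        if cell is None:
            alerts.append(f"unknown neighbour pci={key[0]} earfcn={key[1]}: not in relation table")
            continue
        if rsrp > MAX_PLAUSIBLE_RSRP_DBM or rsrp > cell.typical_max_rsrp + JUMP_TOLERANCE_DB:
            alerts.append(
                f"implausible rsrp {rsrp:.1f} dBm for pci={key[0]} "
                f"(historical max {cell.typical_max_rsrp:.1f} dBm)"
            )
            continue
        accepted[key] = rsrp
    return _strongest_candidate(report, accepted), alerts


if __name__ == "__main__":
    # Constructed reports: a normal one, and one where a known neighbour's identity
    # is reported with a signal far stronger than that cell has ever produced.
    benign = MeasurementReport(101, -85.0, {(202, 1850): -70.0, (303, 1850): -90.0})
    suspicious = MeasurementReport(101, -85.0, {(202, 1850): -55.0})
    for name, rpt in (("benign", benign), ("suspicious", suspicious)):
        target, alerts = validated_handover_target(rpt)
        print(f"{name}: naive -> {naive_handover_target(rpt)}, validated -> {target}, alerts={alerts}")
```

The benign report hands over to cell 202 under both rules. The suspicious report also passes the naive rule, which is the weakness the researchers describe; the validated rule refuses it and emits an alert, which gives the operator a hook for the missing recovery and attack-versus-failure distinction noted in the list above.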