Monday, April 22, 2019

5G-NR False Base Stations (Part 1)

This is my first technology post for a while at trewmte blogspot, as my time in research now extends to 5G-NR; network investigations; connected cars and autonomous vehicles; drones; in addition to existing digital forensics, smartphone examinations and cell site analysis. I have a number of new insights and revelations for readers this year about the aforementioned subjects, so I will be more active on the blog.

5G False Base Stations (Part 1)
With 5G-NR (New Radio) now in limited use, and operators pursuing wider adoption that will at some point replace 2G and 3G, the need for security has not escaped the notice of those building mobile and data networks. Given the slew of research into networks and devices susceptible to MiTM (man-in-the-middle) attacks, it is no surprise to find forum conversations about possible attacks by 5G-NR false base stations.

As a quick technical reference, a 5G-NR base station is termed a "gNB": the "g" denotes that it directs communications and signalling to a 5G network, and "NB" is Node B (the base station). This quick reference does not replace or take precedence over the definition of a 5G-NR base station as recorded in the 3GPP standards; always refer to the standards as your reference point, as my comments are evangelistic observations on the subject, made to quickly shoehorn readers into this discussion.

Other Side of the Coin
Some may think that network operators and standards bodies have done little to confirm the measures taken to reassure mobile users, and that once a false base station is in use (MiTM) nothing can be done and an attack or crime succeeds unimpeded. This viewpoint is not only wrong and misguided; worse still, it is untrue. As an example of just one deployable security method, there is a case for active participation (not visible to the mobile user) between the UE (user equipment) and the network, termed "UE-assisted network-based detection of false base station".

Preamble
The UE in RRC_CONNECTED mode sends measurement reports to the network in accordance with the measurement configuration provided by the network. These measurement reports also have security value: they are useful for detecting false base stations and SUPI/5G-GUTI catchers (the 5G analogue of IMSI catchers). Mobile network operators, using an implementation-specific process or procedure, may choose the UEs, tracking areas or duration for which measurement reports are to be analysed for false base station detection. Measurement reports from UEs can therefore be used to detect a false base station, and to trigger additional actions thereafter.

What Type of Content is in a Measurement Report
Examples given: the received signal strength and location information in measurement reports can be used to detect a false base station that attracts UEs, which it does by transmitting with higher power than the genuine base stations surrounding those UEs.

Measurement reports can also be used to detect a false base station that replays genuine broadcast information blocks (MIB/SIB) without modification. To detect a false base station that replays a modified version of the broadcast information, in order to stop victim UEs switching back and forth between itself and genuine base stations (e.g. by modifying neighbouring cell lists, cell reselection criteria, registration timers, etc. to avoid the so-called ping-pong effect), the broadcast information carried in the reports can be checked for inconsistency against the deployment information.

It is known that a false base station which uses a cell identifier, or operates on a frequency, inconsistent with the deployment of the genuine base stations can be detected by using, respectively, the cell identifier or the frequency information in the measurement reports.

Moreover, MiTM attackers deploying a false base station may deploy rogue UEs to assist in the attack by attempting to trick the network. Measurement reports collected from multiple UEs in an area can be used to filter out incorrect reports sent by a potential rogue UE.
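One way the network side could apply the checks described in the preceding paragraphs (cell identifier, frequency, signal strength, broadcast-information consistency, and multi-UE corroboration to filter out a rogue UE), as an added Python illustration that is not code from the original post or from any 3GPP specification. The cell ids, ARFCNs, RSRP thresholds and reports are constructed values, and the report field names are my assumption rather than a standard message format.

```python
# Added illustration, not code from the original post or from 3GPP: a toy
# network-side check of UE measurement reports against a deployment inventory.
# Every cell id, ARFCN, threshold and report below is a constructed value.
# Inventory: physical cell id -> carrier ARFCN, plausible RSRP ceiling (dBm),
# and the neighbour list the genuine cell broadcasts in its SIB.
DEPLOYMENT = {
    101: {"arfcn": 632000, "max_rsrp": -60, "neighbours": {102, 103}},
    102: {"arfcn": 632000, "max_rsrp": -60, "neighbours": {101, 103}},
    103: {"arfcn": 636000, "max_rsrp": -60, "neighbours": {101, 102}},
}

def check_report(report):
    """Return the anomaly labels raised by one UE measurement report."""
    cell = DEPLOYMENT.get(report["pci"])
    if cell is None:                       # cell id not in the deployment
        return ["unknown-cell-id"]
    findings = []
    if report["arfcn"] != cell["arfcn"]:   # wrong carrier for this cell id
        findings.append("frequency-mismatch")
    if report["rsrp"] > cell["max_rsrp"]:  # implausibly strong signal
        findings.append("implausible-signal-strength")
    if set(report["sib_neighbours"]) != cell["neighbours"]:  # modified SIB
        findings.append("broadcast-info-mismatch")
    return findings

def corroborated_anomalies(reports, min_ues=2):
    """Keep only anomalies reported by at least min_ues distinct UEs; this
    filters out a single rogue UE feeding the network bogus reports."""
    witnesses = {}
    for r in reports:
        for label in check_report(r):
            witnesses.setdefault((r["pci"], label), set()).add(r["ue"])
    return {k: sorted(v) for k, v in witnesses.items() if len(v) >= min_ues}

# Constructed sample: honest UEs A, B, C and a suspected rogue UE D, whose
# lone claim that cell 103 is on the wrong carrier is uncorroborated.
SAMPLE_REPORTS = [
    {"ue": "A", "pci": 101, "arfcn": 632000, "rsrp": -80, "sib_neighbours": [102, 103]},
    {"ue": "B", "pci": 101, "arfcn": 632000, "rsrp": -85, "sib_neighbours": [102, 103]},
    # A and B both see a cell id absent from the deployment, at high power
    {"ue": "A", "pci": 777, "arfcn": 632000, "rsrp": -40, "sib_neighbours": []},
    {"ue": "B", "pci": 777, "arfcn": 632000, "rsrp": -42, "sib_neighbours": []},
    # A and C see cell 102 broadcasting an emptied neighbour list (ping-pong trick)
    {"ue": "A", "pci": 102, "arfcn": 632000, "rsrp": -78, "sib_neighbours": []},
    {"ue": "C", "pci": 102, "arfcn": 632000, "rsrp": -83, "sib_neighbours": []},
    {"ue": "D", "pci": 103, "arfcn": 632000, "rsrp": -70, "sib_neighbours": [101, 102]},
]
if __name__ == "__main__":
    for (pci, label), ues in sorted(corroborated_anomalies(SAMPLE_REPORTS).items()):
        print(f"cell {pci}: {label} reported by UEs {ues}")
```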

So, when reading forum posts or discussions about attackers and false base stations, it does not automatically follow that either of them is somehow undetectable.

I will be posting more on this subject, given this is Part 1.
