The first version of the LTE specifications (3GPP Release 8) was published in 2007. For obvious reasons, I am unaware of the state of R&D in LTE security in 3-letter agencies. In the research community, though, the first public disclosure of protocol exploits against LTE did not occur until early 2016 with the work of the team of Prof. Jean-Pierre Seifert at TU Berlin [1] and myself [2].

Back in May of that same year I wrote an article discussing the main reasons why it took 9 years for us security researchers to start finding and testing vulnerabilities in the LTE protocols: the lack of maturity of software-defined radio hardware and, mostly, the lack of open-source, low-cost software implementations of the LTE protocol stack. However, as I stated in that article, when the first commit of openLTE was pushed in 2012 things started to change, and a couple of years later srsLTE became available as well. Back in 2016 I anticipated a wave of excellent security research in LTE that would uncover all sorts of vulnerabilities.

As I expected, over the last 3 years some academic research teams have produced excellent research and published groundbreaking papers disclosing new vulnerabilities in the LTE protocols (e.g. [3,4,5]). And now, with the availability of srsUE, the possibilities are endless in terms of exploring the security of LTE against the operator’s infrastructure. I am myself collaborating with two teams in academia on what I call LTE protocol fuzzing using srsUE, and there have already been some very interesting findings of potential exploits in the uplink [6].

How do things look in 5G? Quite different, actually. The first release of the 5G specifications (3GPP Release 15) was published in December 2017, and the first security specifications document was published in March 2018 [7]. However, this time the research community is not waiting to start working on identifying potential protocol vulnerabilities. Despite the lack of open-source implementations of the 5G protocols and of tools to facilitate this work, security researchers are not giving 3GPP any head start this time. In fact, ever since the publication of the 5G security specifications, these very interesting papers have been published:

It is interesting to note that the first paper above was released in February 2018, before the actual 5G security specifications. Those researchers did their work with the drafts that 3GPP often releases before an official specification release is closed. It is pretty clear that this time the research community is ready and prepared to analyze the proposed security specifications of 5G, and that an insecure protocol will (hopefully) not slip through again and end up deployed in the field. Note that by the time [1] and [2] identified the first known protocol exploits in LTE, LTE networks were already widely deployed and in use by hundreds of millions of people all over the world.

The current 5G specifications are not optimal yet. Despite the introduction of a technique to tackle IMSI catchers, it remains to be seen whether a rogue base station or malicious application could easily trigger a mobile device to perform one of the few actions that result in the device disclosing its IMSI in the clear (transmitting its SUPI unconcealed, in 5G jargon). Also, 5G still has no clear way to tackle the challenge of pre-authentication messages, which are the root cause of most protocol exploits in LTE. Moreover, some of the aforementioned papers and research reports have identified potential vulnerabilities in the 5G Authentication and Key Agreement (AKA) protocol, and the media is already picking up on these papers and making noise about them.

There is still work to be done and things to polish in 5G security, but this time it will not take years to identify security problems and start fixing them. The research community, academia, industry and standardization bodies will hopefully start working together with the goal of designing a 5G security architecture that will substantially raise the bar with respect to previous generations.

By the way, I recently found out about an actual software implementation of the 5G core based on 3GPP Release 15. This is great news and will fuel much more research in this field. The two university teams I collaborate with and I will start using this tool for our research. Looking forward to it.

P.S. Both academic groups are looking for PhD students and postdocs with a strong background in math, signal processing, communication systems, Python and C++. Ping me if you are interested!

[1] Shaik, A., Borgaonkar, R., Asokan, N., Niemi, V. and Seifert, J.-P., 2016. Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. In Proceedings of the 23rd Annual Network and Distributed System Security Symposium (NDSS 2016).

[2] Jover, R.P., 2016. LTE Security and Protocol Exploits. ShmooCon 2016.

[3] Hussain, S.R., Chowdhury, O., Mehnaz, S. and Bertino, E., 2018. LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE. In Proceedings of the Network and Distributed System Security Symposium (NDSS 2018).

[4] Shaik, A., Borgaonkar, R., Park, S. and Seifert, J.-P., 2018. On the Impact of Rogue Base Stations in 4G/LTE Self Organizing Networks. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec 2018), pp. 75-86. ACM.

[5] Rupprecht, D., Kohls, K., Holz, T. and Pöpper, C., 2019. Breaking LTE on Layer Two. In Proceedings of the IEEE Symposium on Security and Privacy (S&P 2019). IEEE.

[6] Raza, M.T., Anwar, F.M. and Lu, S., 2017. Exposing LTE Security Weaknesses at Protocol Inter-Layer, and Inter-Radio Interactions. In International Conference on Security and Privacy in Communication Systems (SecureComm 2017), pp. 312-338. Springer, Cham.

[7] 3GPP TS 33.501 V15.0.0 (2018-03). Security architecture and procedures for 5G system.