5GMap: Enabling external audits of access security and attach procedures in real-world cellular deployments

IF 4.5, Zone 3 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Andrea Paci, Matteo Chiacchia, Giuseppe Bianchi
Computer Communications, volume 234, Article 108091. Journal Article. Published 2025-02-10.
DOI: 10.1016/j.comcom.2025.108091
https://www.sciencedirect.com/science/article/pii/S0140366425000489
Citations: 0

Abstract

In cellular networks, security vulnerabilities often arise from misconfigurations and improper implementations of protection mechanisms. Typically, ensuring proper security configurations is the responsibility of network operators. The tool described in this paper, called 5GMap, empowers legitimate subscribers, equipped with software-defined radios (Ettus B210 or X310), with innovative means and methodologies for auditing the security configurations of the access networks they are connecting to. Specifically, 5GMap makes it possible to evaluate negotiable ciphers, predictability of temporary identifiers (TMSI), resilience against disclosure of privacy-sensitive identifiers (IMSI, IMEI), and susceptibility to downgrade attacks. 5GMap achieves this by iterating access and attach primitives using both carefully crafted signaling messages requiring specific cryptographic configuration and custom methodologies, such as using predictable TMSIs and querying the network with non-standard signaling message sequences to detect potential departures from the expected protocol specification. Extensive testing over four mobile network operators and three virtual network operators reveals significant security and privacy issues: many networks allow unencrypted or even unauthenticated communication, TMSI randomness and IMSI concealment are not consistently ensured across all operators tested, and many other fine-grained concerns emerge among different operators. We believe that our findings highlight the usefulness of tools like 5GMap to assess (and ultimately improve, through responsible disclosure) the security posture of 4G and 5G cellular networks in the wild.
Source journal: Computer Communications (Engineering & Technology: Telecommunications)
CiteScore: 14.10
Self-citation rate: 5.00%
Articles published: 397
Review time: 66 days
About the journal: Computer and Communications networks are key infrastructures of the information society with high socio-economic value as they contribute to the correct operations of many critical services (from healthcare to finance and transportation). Internet is the core of today's computer-communication infrastructures. This has transformed the Internet, from a robust network for data transfer between computers, to a global, content-rich, communication and information system where contents are increasingly generated by the users, and distributed according to human social relations. Next-generation network technologies, architectures and protocols are therefore required to overcome the limitations of the legacy Internet and add new capabilities and services. The future Internet should be ubiquitous, secure, resilient, and closer to human communication paradigms. Computer Communications is a peer-reviewed international journal that publishes high-quality scientific articles (both theory and practice) and survey papers covering all aspects of future computer communication networks (on all layers, except the physical layer), with special attention to the evolution of the Internet architecture, protocols, services, and applications.