Title: 5GMap: Enabling external audits of access security and attach procedures in real-world cellular deployments
Authors: Andrea Paci, Matteo Chiacchia, Giuseppe Bianchi
Journal: Computer Communications, volume 234, Article 108091
Publication date: 2025-02-10
Publication type: Journal Article
DOI: 10.1016/j.comcom.2025.108091
URL: https://www.sciencedirect.com/science/article/pii/S0140366425000489
Open access: no
Periodical IF: 4.5
JCR: Q1 (COMPUTER SCIENCE, INFORMATION SYSTEMS)
Region: 3 (Computer Science)
Platform: Semanticscholar
Citations: 0
Abstract
In cellular networks, security vulnerabilities often arise from misconfigurations and improper implementations of protection mechanisms. Typically, ensuring proper security configurations is the responsibility of network operators. The tool described in this paper, called 5GMap, empowers legitimate subscribers, equipped with software-defined radios (Ettus B210 or X310), with innovative means and methodologies for auditing security configurations of the access networks they are connecting to. Specifically, 5GMap makes it possible to evaluate negotiable ciphers, predictability of temporary identifiers (TMSI), resilience against disclosure of privacy-sensitive identifiers (IMSI, IMEI), and susceptibility to downgrade attacks. 5GMap achieves this by iterating access and attach primitives using carefully crafted signaling messages requiring specific cryptographic configuration, as well as custom methodologies such as using predictable TMSIs and querying the network with non-standard signaling message sequences to detect potential departures from the expected protocol specification. Extensive testing over four mobile network operators and three virtual network operators reveals significant security and privacy issues: many networks allow unencrypted or even unauthenticated communication, TMSI randomness and IMSI concealment are not consistently ensured across all operators tested, and many other fine-grained concerns emerge among different operators. We believe that our findings highlight the usefulness of tools like 5GMap to assess (and ultimately improve, through responsible disclosure) the security posture of 4G and 5G cellular networks in the wild.
About the journal:
Computer and Communications networks are key infrastructures of the information society with high socio-economic value as they contribute to the correct operations of many critical services (from healthcare to finance and transportation). The Internet is the core of today's computer-communication infrastructures. This has transformed the Internet, from a robust network for data transfer between computers, to a global, content-rich, communication and information system where contents are increasingly generated by the users, and distributed according to human social relations. Next-generation network technologies, architectures and protocols are therefore required to overcome the limitations of the legacy Internet and add new capabilities and services. The future Internet should be ubiquitous, secure, resilient, and closer to human communication paradigms.
Computer Communications is a peer-reviewed international journal that publishes high-quality scientific articles (both theory and practice) and survey papers covering all aspects of future computer communication networks (on all layers, except the physical layer), with a special attention to the evolution of the Internet architecture, protocols, services, and applications.