Researchers from New York University Abu Dhabi (NYUAD) have described vulnerabilities in the handover mechanism that underlies modern cellular networks. Attackers can exploit them to mount denial-of-service (DoS) and man-in-the-middle (MitM) attacks using inexpensive hardware.
“Vulnerabilities in the handover process are not limited to just one case, but involve a variety of handover cases and scenarios based on unverified measurement reports and signal strength thresholds. The problem affects all generations from 2G (GSM) and is still unresolved,” said researchers Evangelos Bitsikas and Christina Pöpper.
Handover, also known as handoff, is a fundamental mechanism of modern cellular networks: the process of transferring a subscriber's ongoing call or data session from one base station to another. It is what keeps a connection alive while the user moves, so it is central to the availability of cellular service.
The process works as follows: the user's device measures the signal strength of its serving cell and of neighbouring cells and reports these measurements to the network. The network uses the report to decide whether a handover is needed and, if a more suitable base station is found, instructs the device to switch to it.
Although the measurement reports are encrypted in transit, their contents are not verified by the network, so an attacker can induce a device to connect to a base station under their control. The core of the attack is that the source base station has no way to detect or reject incorrect values in the measurement report, which makes a malicious handover likely.
“If an attacker manipulates the contents of the [signal strength report] by including his/her measurements, the network will process the bogus values. This is possible by simulating a legitimate base station and playing back its broadcast messages,” the researchers said.
Before carrying out an attack, the attacker performs a reconnaissance phase. Using a smartphone, they collect data on nearby legitimate base stations and then use this information to configure a rogue base station that impersonates a real one. The attacker then lures the victim's device by broadcasting the master information block and system information blocks (MIB and SIBs) that a phone needs to connect to a cell, transmitted at a higher signal strength than the legitimate base station.
Once the device has been drawn to the rogue station and reports bogus signal strength measurements to the network, the attacker triggers a handover and exploits weaknesses in the procedure to cause denial of service, a MitM position, and information disclosure, affecting both the user and the telecom operator. This jeopardizes not only the privacy of users but also the availability of service.
“When a user's device is within range of an attacker, and the signal of the fake base station is strong enough to attract the user's device and trigger a report of changes in signal strength, the attacker has a high chance of forcing the victim's device to connect to his/her fake base station through abuse of the handover process,” the researchers said.
In total, the researchers identified six vulnerabilities in the handover procedure:
- Insecure broadcast messages (MIB, SIB);
- Unverified reports of signal strength measurements;
- No cross-validation at the preparation stage;
- Random access channel (RACH) initiation without verification;
- Lack of a recovery mechanism;
- Difficulty distinguishing network outages from attacks.
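The attack narrative above and list items 2 and 3 (unverified measurement reports, no cross-validation at the preparation stage) come down to one network-side decision: act on whatever RSRP values the device reports. The following Python model is an added example, not code from the NYUAD paper or from any operator's equipment. It models an LTE-style "A3" decision (hand over when a neighbour beats the serving cell by an offset) in two forms: one that trusts the report as-is, and one that cross-validates each reported value against the strongest signal the network expects that neighbour to deliver in this area. All cell identities, RSRP values, the 3 dB offset and the plausibility bounds are constructed for illustration, and the cross-check is an illustrative mitigation rather than the paper's specification.

```python
"""Toy model of a network-side handover decision on UE measurement reports.

Added example (not the paper's or any vendor's code). Values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Handover trigger margin: a neighbour must beat the serving cell by this many
# dB before the network considers it a target. 3 dB is an assumed value.
A3_OFFSET_DB = 3.0


@dataclass(frozen=True)
class NeighbourCell:
    """What the serving cell knows about one neighbour (constructed data)."""
    pci: int  # Physical Cell ID the UE identifies the neighbour by
    # Strongest RSRP (dBm) the network expects any UE served by this cell to
    # measure from this neighbour, e.g. derived from its transmit power and
    # distance. Assumed values; real deployments would use planning data.
    max_plausible_rsrp_dbm: float


@dataclass(frozen=True)
class MeasurementReport:
    """RRC measurement report as received from the UE. It is encrypted in
    transit, but its contents are whatever the UE measured, unverified."""
    serving_pci: int
    serving_rsrp_dbm: float
    neighbour_rsrp_dbm: Dict[int, float]  # pci -> measured RSRP


def decide_handover_unverified(report: MeasurementReport,
                               table: Dict[int, NeighbourCell]) -> Optional[int]:
    """Vulnerable decision: trusts every reported value as-is.

    Returns the PCI of the strongest neighbour that clears the A3 offset,
    or None if no handover is warranted."""
    best_pci: Optional[int] = None
    best_rsrp = report.serving_rsrp_dbm + A3_OFFSET_DB
    for pci, rsrp in report.neighbour_rsrp_dbm.items():
        if pci in table and rsrp > best_rsrp:
            best_pci, best_rsrp = pci, rsrp
    return best_pci


def decide_handover_cross_validated(report: MeasurementReport,
                                    table: Dict[int, NeighbourCell]
                                    ) -> Tuple[Optional[int], List[int]]:
    """Hardened decision: cross-validates each reported neighbour value
    against the network's own expectation before acting on it.

    Returns (target PCI or None, list of PCIs whose values were rejected)."""
    rejected: List[int] = []
    best_pci: Optional[int] = None
    best_rsrp = report.serving_rsrp_dbm + A3_OFFSET_DB
    for pci, rsrp in report.neighbour_rsrp_dbm.items():
        cell = table.get(pci)
        if cell is None:
            rejected.append(pci)  # PCI not in the neighbour relation table
            continue
        if rsrp > cell.max_plausible_rsrp_dbm:
            # Stronger than the real neighbour could ever deliver here:
            # consistent with a rogue cell replaying this PCI's MIB/SIBs
            # at higher power. Do not prepare a handover on this value.
            rejected.append(pci)
            continue
        if rsrp > best_rsrp:
            best_pci, best_rsrp = pci, rsrp
    return best_pci, rejected


# Serving cell 101's neighbour table (constructed).
NEIGHBOUR_TABLE = {
    102: NeighbourCell(pci=102, max_plausible_rsrp_dbm=-80.0),
    103: NeighbourCell(pci=103, max_plausible_rsrp_dbm=-85.0),
}

# Honest report: UE near the cell edge, neighbour 103 slightly better.
HONEST_REPORT = MeasurementReport(
    serving_pci=101, serving_rsrp_dbm=-95.0,
    neighbour_rsrp_dbm={102: -97.0, 103: -90.0},
)

# Rogue scenario (constructed): an SDR nearby replays PCI 102's broadcast at
# high power, so the UE faithfully reports -60 dBm for "102".
ROGUE_REPORT = MeasurementReport(
    serving_pci=101, serving_rsrp_dbm=-95.0,
    neighbour_rsrp_dbm={102: -60.0, 103: -90.0},
)


if __name__ == "__main__":
    print("unverified, honest :", decide_handover_unverified(HONEST_REPORT, NEIGHBOUR_TABLE))
    print("unverified, rogue  :", decide_handover_unverified(ROGUE_REPORT, NEIGHBOUR_TABLE))
    print("validated,  honest :", decide_handover_cross_validated(HONEST_REPORT, NEIGHBOUR_TABLE))
    print("validated,  rogue  :", decide_handover_cross_validated(ROGUE_REPORT, NEIGHBOUR_TABLE))
```

With the honest report both decisions pick PCI 103. With the rogue report the unverified decision prepares a handover towards "102", which the attacker's cell is impersonating, while the cross-validated one discards the implausible value and still picks 103. The plausibility bound is only one layer: a rogue cell that transmits just within the expected range still passes it, which is why the other items in the list (verification at RACH initiation, a recovery mechanism) matter as well.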
In their experiments, the researchers found that all tested devices (OnePlus 6, Apple iPhone 5, Samsung S10 5G and Huawei P40 Pro 5G) were vulnerable to DoS and MitM attacks.