Breaking Cellular IoT with Forged Data-plane Signaling: Attacks and Countermeasure-Reference-Cited by-同舟云学术

Breaking Cellular IoT with Forged Data-plane Signaling: Attacks and Countermeasure

Published:2022-11-29 Issue:4 Volume:18 Page:1-26
ISSN:1550-4859
Container-title:ACM Transactions on Sensor Networks
language:en
Short-container-title:ACM Trans. Sen. Netw.

Author:

Tan Zhaowei¹^ORCID,Ding Boyan¹^ORCID,Zhao Jinghao¹^ORCID,Guo Yunqi¹^ORCID,Lu Songwu¹^ORCID

Affiliation:

1. University of California, Los Angeles, USA

Abstract

We devise new attacks exploiting the unprotected data-plane signaling in cellular IoT networks (a.k.a. both NB-IoT and Cat-M). We show that, despite the deployed security mechanisms on both control-plane signaling and data-plane packet forwarding, novel data-plane signaling attacks are still feasible. The attacker can forge both uplink and downlink data-plane signaling messages that pass the current security checks used by the receiver. With the capability of forging messages, the attacker can launch attacks that exhibit a variety of attack forms beyond simplistic packet-blasting, denial-of-service (DoS) threats, including location privacy breach, packet delivery loop, prolonged data delivery, throughput limiting, radio resource draining, connection reset, and multicast disabling. Our testbed evaluation and operational network validation have confirmed the attack viability. To combat the threat, we further propose a new defense solution within the 3GPP C-IoT standard framework. It leverages the synchronized timer clock information to protect the data-plane signaling messages with low overhead.

Publisher

Association for Computing Machinery (ACM)

Subject

Computer Networks and Communications

Link

https://dl.acm.org/doi/pdf/10.1145/3534124

Reference59 articles.

1. 3GPP. 2017. Proposed way forward on IMT-2020 submission. Retrieved from https://portal.3gpp.org/ngppapp/CreateTDoc.aspx?mode=view&contributionUid=RP-172098.

2. 3GPP. 2019. TS36.213: Evolved Universal Terrestrial Radio Access (E-UTRA); Physical layer procedures. Retrieved from https://www.3gpp.org/dynareport/36213.htm.

3. 3GPP. 2020. TS33.401: 3GPP System Architecture Evolution (SAE); Security architecture. Retrieved from https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2296.

4. 3GPP. 2020. TS33.501: Security architecture and procedures for 5G System. Retrieved from https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169.

5. 3GPP. 2020. TS33.809: Study on 5G security enhancements against False Base Stations (FBS). Retrieved from https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3539.

Cited by 6 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Privacy-Aware Offloading Strategy via Self-Supervised Feature Mapping in the End-Edge-Cloud System;ACM Transactions on Sensor Networks;2024-08-02

2. Leveraging Overshadowing for Time-Delay Attacks in 4G/5G Cellular Networks: An Empirical Assessment;Proceedings of the 19th International Conference on Availability, Reliability and Security;2024-07-30

3. Channel-Robust Radio Frequency Fingerprint Identification for Cellular Uplink LTE Devices;IEEE Internet of Things Journal;2024-05-15

4. Quantum-Resistant Reliable Authentication and Lightweight Security Scheme for 5G enabled Narrow Band Internet of Things;2023 IEEE 5th PhD Colloquium on Emerging Domain Innovation and Technology for Society (PhD EDITS);2023-11-25

5. AdaptOver;Proceedings of the 28th Annual International Conference on Mobile Computing And Networking;2022-10-14