Fake Base Station Detection and Link Routing Defense

Author:

Purification Sourav (1), Kim Jinoh (2), Kim Jonghyun (3), Chang Sang-Yoon (1)

Affiliation:

1. Department of Computer Science, University of Colorado Colorado Springs, Colorado Springs, CO 80918, USA

2. Department of Computer Science and Information Systems, Texas A&M University-Commerce, Commerce, TX 75428, USA

3. Electronics and Telecommunications Research Institute, Daejeon 34129, Republic of Korea

Abstract

Fake base stations comprise a critical security issue in mobile networking. A fake base station exploits vulnerabilities in the broadcast message announcing a base station’s presence, which is called SIB1 in 4G LTE and 5G NR, to get user equipment to connect to the fake base station. Once connected, the fake base station can deprive the user of connectivity and access to the Internet/cloud. We discovered that a fake base station can disable the victim user equipment’s connectivity for an indefinite period of time, which we validated using our threat prototype against current 4G/5G practices. We designed and built a defense scheme which detects and blacklists a fake base station and then, informed by the detection, avoids it through link routing for connectivity availability. For detection and blacklisting, our scheme uses the real-time information of both the time duration and the number of request transmissions, the features of which are directly impacted by the fake base station’s threat and which have not been studied in previous research. Upon detection, our scheme takes an active measure called link routing, which is a novel concept in mobile/4G/5G networking, where the user equipment routes the connectivity request to another base station. To defend against a Sybil-capable fake base station, we use a history–reputation-based link routing scheme for routing and base station selection. We implemented both the base station and the user on software-defined radios using open-source 5G software (srsRAN v23.10 and Open5GS v2.6.6) for validation. We varied the base station implementation to simulate legitimate vs. faulty but legitimate vs. fake and malicious base stations, where a faulty base station notifies the user of the connectivity disruption and releases the session, while a fake base station continues to hold the session. 
We empirically analyzed the detection and identification thresholds, which vary with the fake base station’s power and the channel condition. By strategically selecting the threshold parameters, our scheme provides zero errors, including zero false positives, to avoid blacklisting a temporarily faulty base station that cannot provide connectivity at the time. Furthermore, our link routing scheme enables the base station to switch in order to restore the connectivity availability and limit the threat impact. We also discuss future directions to facilitate and encourage R&D in securing telecommunications and base station security.

Funder

Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government

Publisher

MDPI AG

