
Unprotected 4G/5G Control Procedures at Low Layers Considered Dangerous

Norbert Ludant, Marinos Vomvas, Guevara Noubir

TL;DR

This work reveals that unencrypted and unauthenticated control procedures at the physical and MAC layers of 4G/5G can be exploited to localize, track, or disrupt users, despite cryptographic protections at higher layers. It systematically analyzes L1/L2 procedures, demonstrates both passive leakage and active injection attacks, and validates them with real-world measurements on commercial devices and operator configurations across multiple countries. The authors show concrete results, including sub-20 m localization accuracy in most cases, high-probability movement tracking, and drastic throughput reductions or disconnections triggered by DCI, SR, and MAC CE spoofing. The findings underscore the need for new protections at the PHY/MAC levels, such as PHY-layer keys, authenticated MAC/CER for critical control messages, and robust detection mechanisms, to preserve privacy and network availability in next-generation networks.

Abstract

Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operations make reasoning about security non-trivial and require a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by injecting MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39-bit DCI), and disconnect users.

Paper Structure (45 sections, 11 figures, 2 tables, 1 algorithm)

Figures (11)

  • Figure 1: Random Access (RA) procedure including the most important information carried by each message.
  • Figure 2: Recording of a 5G downlink transmission, with the main physical channels highlighted, and the protocol stack carried by the PDSCH.
  • Figure 3: Two examples of the HARQ procedure during a missed allocation in normal operation (left) and under an active attack (right). The DAI counter implicitly indicates missed transmissions, and can be leveraged by an attacker.
  • Figure 4: The UE measures the strongest beam and implicitly reports it during RA. An attacker passively listening to the exchange, which includes TA, can then localize the user.
  • Figure 5: Fingerprinting of static beams within a cell. Red points denote the GPS locations of every measurement and the BS. Colored overlays denote the fingerprinted beam locations. The magnified area shows five localization examples with annotations of the distance between the actual and the estimated locations.
  • ...and 6 more figures