Security Analysis of 5G NR Device-to-Device Sidelink Communications

Evangelos Bitsikas, Aanjhan Ranganathan

TL;DR

This work presents the first comprehensive, specification-driven security analysis of 5G NR V2X sidelink, revealing systemic weaknesses across synchronization, resource allocation, HARQ, and PC5 signaling due to unauthenticated identifiers, unprotected broadcasts, and flexible security policies. By mapping identified gaps to concrete attacks—such as SyncRef impersonation, false S-SSB injections, SCI spoofing, and HARQ feedback spoofing—the paper demonstrates potential threats to integrity, availability, and privacy in mode 2 autonomous sidelink. It then offers a set of mitigations, including physical-layer authentication for SyncRef signals, HARQ validation, and enhanced PC5 message verification, while calling for revisions to 3GPP specifications to reduce security gaps. The findings underscore the practical risk to critical V2X applications (e.g., collision avoidance, drone control) and establish a foundation for future security testing frameworks and field evaluations of NR V2X sidelink.

Abstract

5G NR sidelink communication enables new possibilities for direct device-to-device interactions, supporting applications from vehicle-to-everything (V2X) systems to public safety, industrial automation, and drone networks. However, these advancements come with significant security challenges due to the decentralized trust model and increased reliance on User Equipment (UE) for critical functions like synchronization, resource allocation, and authorization. This paper presents the first comprehensive security analysis of NR V2X sidelink. We identify vulnerabilities across critical procedures and demonstrate plausible attacks, including attacks that manipulate data integrity feedback and block resources, ultimately undermining the reliability and privacy of sidelink communications. Our analysis reveals that NR operational modes are vulnerable, with the ones relying on autonomous resource management (without network supervision) particularly exposed. To address these issues, we propose mitigation strategies to enhance the security of 5G sidelink communications. This work establishes a foundation for future efforts to strengthen 5G device-to-device sidelink communications, ensuring its safe deployment in critical applications.

Paper Structure

This paper contains 41 sections, 11 figures, 7 tables.

Figures (11)

  • Figure 1: In the 5G architecture, the sidelink components include the UEs communicating over the PC5 or PC5-RRC interface, while potentially having a Uu connection with the network, if available and permitted.
  • Figure 2: Stack protocols in the PC5 interface.
  • Figure 3: The figure illustrates our methodology; (1) the threat modeling and reviewing of specification documents, (2) the various security analysis techniques used, and (3) the identification and evaluation of vulnerabilities.
  • Figure 4: An example of a cellular-based sidelink synchronization stage. The $SLSS_{ID}$ is not 0 for UE A, because it synchronizes with a gNodeB, not GNSS.
  • Figure 5: A simple depiction of a false synchronization reference injection.
  • ...and 6 more figures