Bit-Flipping Attack Exploration and Countermeasure in 5G Network

Joon Kim, Chengwei Duan, Sandip Ray

TL;DR

This work investigates bit-flipping attacks on 5G data at the network level, where NEA provides confidentiality via a per-packet keystream XOR and NIA offers optional integrity. Using OpenAirInterface to simulate realistic 5G traffic, it demonstrates that a MITM attacker can mutate selective bits to bypass checksums and alter payload values without decrypting NEA. The authors propose a keystream-based shuffling defense that reorders ciphertext positions according to the per-message keystream, achieving a low mutation success rate without adding communication overhead compared to NIA. Experiments show an exponential decay in checksum-flipping success with more flips and a substantial defense improvement from shuffling, making it attractive for latency-sensitive 5G applications like CACC, while acknowledging residual risk and the need for further robust defenses.

Abstract

5G communication technology has become a vital component in a wide range of applications due to its unique advantages such as high data rate and low latency. While much of the existing research has focused on optimizing its efficiency and performance, security considerations have not received comparable attention, potentially leaving critical vulnerabilities unexplored. In this work, we investigate the vulnerability of 5G systems to bit-flipping attacks, which are integrity attacks in which an adversary intercepts 5G network traffic and modifies specific fields of an encrypted message without decryption, thus mutating the message while it remains valid to the receiver. Notably, these attacks do not require the attacker to know the plaintext; knowing only the semantic meaning or position of certain fields is enough to effect targeted modifications. We conduct our analysis on OpenAirInterface (OAI), an open-source 5G platform that follows the 3GPP Technical Specifications, to rigorously test the real-world feasibility and impact of bit-flipping attacks under current 5G encryption mechanisms. Finally, we propose a keystream-based shuffling defense mechanism to mitigate the effect of such attacks by raising the difficulty of manipulating specific encrypted fields, while introducing no additional communication overhead compared to the NAS Integrity Algorithm (NIA) in 5G. Our findings reveal that enhancements to 5G security are needed to better protect against attacks that alter data during transmission at the network level.
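The abstract and TL;DR describe two mechanisms worth seeing side by side: a per-packet keystream XOR, whose malleability lets a modified ciphertext bit land at a predictable plaintext position, and the proposed keystream-derived shuffling of ciphertext positions, which makes that landing position depend on key material the network attacker does not have. The following Python is an added illustration, not code from the paper or from OpenAirInterface. It makes several assumptions that are labelled in the comments: an HMAC-SHA256 counter-mode keystream stands in for NEA, a truncated HMAC stands in for NIA's 32-bit MAC-I, and the shuffle is a Fisher-Yates permutation driven by extra keystream bytes, which is one reading of the abstract's idea rather than the authors' exact algorithm. The key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed illustrative values; none of this is real 5G key material.
KEY = bytes(range(16))   # stand-in 128-bit key
MAC_LEN = 4              # NIA's MAC-I is 32 bits; the stand-in MAC is truncated likewise
SAMPLE = bytes(range(32))  # constructed 32-byte payload


def keystream(key: bytes, count: int, length: int) -> bytes:
    """Per-packet keystream keyed by (key, COUNT). HMAC-SHA256 in counter mode is an
    assumed stand-in for NEA; a real run would use 128-NEA1/2/3."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">II", count, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_permutation(ks: bytes, n: int) -> list:
    """Fisher-Yates shuffle whose swap indices come from keystream bytes (2 per step),
    so the permutation changes every packet and is unknown without the key."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = int.from_bytes(ks[2 * i:2 * i + 2], "big") % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def encrypt(key: bytes, count: int, pt: bytes, shuffle: bool) -> bytes:
    n = len(pt)
    ks = keystream(key, count, 3 * n)  # n bytes for the XOR, 2n for the shuffle
    c = xor(pt, ks[:n])
    if not shuffle:
        return c
    perm = keystream_permutation(ks[n:], n)
    out = bytearray(n)
    for i, p in enumerate(perm):
        out[p] = c[i]  # ciphertext byte i is transmitted at position p
    return bytes(out)


def decrypt(key: bytes, count: int, ct: bytes, shuffle: bool) -> bytes:
    n = len(ct)
    ks = keystream(key, count, 3 * n)
    if shuffle:
        perm = keystream_permutation(ks[n:], n)
        ct = bytes(ct[perm[i]] for i in range(n))  # undo the position shuffle
    return xor(ct, ks[:n])


def mac(key: bytes, count: int, ct: bytes) -> bytes:
    """Assumed stand-in for NIA's MAC-I: truncated HMAC over (COUNT, ciphertext)."""
    return hmac.new(key, struct.pack(">I", count) + ct, hashlib.sha256).digest()[:MAC_LEN]


def verify(key: bytes, count: int, ct: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, count, ct), tag)


def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def changed_positions(a: bytes, b: bytes) -> list:
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def affected_plaintext_positions(key, pt, target, shuffle, counts) -> list:
    """For each packet COUNT, flip one bit of the transmitted ciphertext at byte
    `target` and report which plaintext byte(s) changed after decryption."""
    hits = []
    for count in counts:
        ct = encrypt(key, count, pt, shuffle)
        pt2 = decrypt(key, count, flip_bit(ct, target), shuffle)
        hits.append(changed_positions(pt, pt2))
    return hits


if __name__ == "__main__":
    print("plain XOR  :", affected_plaintext_positions(KEY, SAMPLE, 5, False, range(8)))
    print("shuffled   :", affected_plaintext_positions(KEY, SAMPLE, 5, True, range(8)))
    ct = encrypt(KEY, 1, SAMPLE, False)
    print("MAC detects flip:", not verify(KEY, 1, flip_bit(ct, 5), mac(KEY, 1, ct)))
```

Without shuffling, a flip at ciphertext byte 5 changes plaintext byte 5 in every packet, which is the malleability the abstract exploits. With shuffling, the same flip still changes exactly one byte, but which byte varies with the per-packet keystream, so a field-targeted modification degrades to a random corruption. The MAC stand-in shows the complementary point: an integrity tag detects any modification outright, which is why the paper positions shuffling as an overhead-free alternative where NIA is not enabled rather than as a replacement for integrity protection.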

Paper Structure

This paper contains 15 sections, 7 figures, 3 tables, 1 algorithm.

Figures (7)

  • Figure 1: Layered Architecture of User-plane Data Transmission in 5G
  • Figure 2: 5G Ciphering Process
  • Figure 3: Bit-Flipping Attack
  • Figure 4: Success-Failure Matrix of (a) Checksum Bit-Flipping Attack, (b) Payload Bit-Flipping Attack. The two flipped bits must be aligned in the same column when divided into two-byte chunks for checksum calculation.
  • Figure 5: Mutation Success Rate of Checksum Bit-Flipping Attack with and without Shuffling Defense
  • ...and 2 more figures