Jamming Attacks on the Random Access Channel in 5G and B5G Networks
Wilfrid Azariah, Yi-Quan Chen, Zhong-Xin You, Ray-Guang Cheng, Shiann-Tsong Sheu, Binbin Chen
TL;DR
This work investigates Msg1-based jamming as a denial-of-access threat to 5G/B5G RACH procedures. It develops an analytical model that connects attacker parameters, notably power $p_{attacker}$ and periodicity $T_a$, to the evolution of the gNB’s Msg1 detection threshold via the recursion $p_{th,i} = \alpha p_{measured,i} + \beta p_{measured,i-1} + \gamma p_{th,i-1}$ and the detection condition $P_{S,i} = 1$ if $p_{UE} > (p_{th,i} + \delta)$, deriving closed-form behavior and steady-state results. The authors implement a protocol-aware Msg1 jammer on an OpenAirInterface (OAI) testbed using USRP hardware and validate the model with over-the-air experiments, showing that frequent, even low-power Msg1 transmissions can significantly reduce UE access probability. Key findings include a closed-form steady-state threshold under continuous attack, and the insight that attacker periodicity and gNB configuration jointly determine RACH resilience, providing guidance for defense design against Msg1 jamming.
Abstract
Random Access Channel (RACH) jamming poses a critical security threat to 5G and beyond (B5G) networks. This paper presents an analytical model for predicting the impact of Msg1 jamming attacks on RACH performance. We use the OpenAirInterface (OAI) open-source user equipment (UE) to implement a Msg1 jamming attacker. Over-the-air experiments validate the accuracy of the proposed analytical model. The results show that low-power and stealthy Msg1 jamming can effectively block legitimate UE access in 5G/B5G systems.
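The threshold recursion and detection condition quoted in the TL;DR can be iterated directly to check how a given gNB filter configuration responds to different attacker periodicities $T_a$. The Python simulation below is an added example, not the authors' model code or OAI code. The coefficient values, the power levels (arbitrary but consistent units), the assumption that the gNB measures the noise floor on occasions without attacker Msg1, and all function names are constructed for illustration; the fixed point in `steady_state_continuous` follows from setting $p_{measured}$ constant in the recursion and is not quoted from the paper.

```python
# Added example: iterate the Msg1 threshold recursion to check a gNB configuration.
# All numeric values below are constructed, not taken from the paper or from OAI.
DEMO = dict(p_ue=30.0, p_noise=10.0, alpha=0.25, beta=0.25, gamma=0.5, delta=5.0)

def simulate(p_attacker, T_a, n_occasions, p_ue, p_noise, alpha, beta, gamma, delta):
    """Iterate p_th,i = alpha*p_meas,i + beta*p_meas,i-1 + gamma*p_th,i-1.

    Assumption: attacker Msg1 lands on every T_a-th RACH occasion, where the
    gNB measures p_attacker; on all other occasions it measures p_noise.
    Returns (thresholds, successes), with P_S,i = 1 iff p_ue > p_th,i + delta.
    """
    p_th, prev_meas = p_noise, p_noise          # assumed idle starting state
    thresholds, successes = [], []
    for i in range(n_occasions):
        meas = p_attacker if i % T_a == 0 else p_noise
        p_th = alpha * meas + beta * prev_meas + gamma * p_th
        prev_meas = meas
        thresholds.append(p_th)
        successes.append(1 if p_ue > p_th + delta else 0)
    return thresholds, successes

def steady_state_continuous(p_attacker, alpha, beta, gamma):
    """Fixed point of the recursion when p_measured is constant (T_a = 1)."""
    if not abs(gamma) < 1:
        raise ValueError("recursion does not converge unless |gamma| < 1")
    return (alpha + beta) * p_attacker / (1 - gamma)

def access_probability(successes, warmup):
    """Fraction of RACH occasions on which the UE preamble is detected."""
    tail = successes[warmup:]
    return sum(tail) / len(tail)

def sweep(p_attacker, periods, n_occasions=400, warmup=100):
    """Access probability per attacker periodicity for the DEMO configuration."""
    return {T: access_probability(simulate(p_attacker, T, n_occasions, **DEMO)[1], warmup)
            for T in periods}

if __name__ == "__main__":
    # Attacker power (28) is below the UE power (30), yet T_a = 1 blocks access
    # because the threshold settles at 28 and the margin delta pushes it to 33.
    print(sweep(28.0, [1, 2, 5, 20]))
    print(steady_state_continuous(28.0, 0.25, 0.25, 0.5))
```

Rerunning `sweep` with a candidate set of filter coefficients and margin shows which attacker periodicities that configuration tolerates before UE access probability drops.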
