
Breaking 5G on The Lower Layer

Subangkar Karmaker Shanto, Imtiaz Karim, Elisa Bertino

TL;DR

This paper investigates unprotected PHY/MAC control-plane procedures in 5G NR and demonstrates two practical attacks: SIB1 spoofing and Timing Advance manipulation. Using a rogue gNB lab setup and commercial UEs, the authors provide empirical evidence that unprotected SIB1 fields (via valueTag, TAC, and si-WindowLength) and RAR-embedded Timing Advance modifications can degrade availability and power, inducing SI reacquisition loops and uplink desynchronization. The work highlights a concrete lower-layer attack surface and motivates defenses such as integrity protection for RAR and broadcast messages, plus network- and UE-side monitoring to detect anomalous timing and scheduling behavior. The findings underscore the need for securing initial access and broadcast procedures to prevent persistent DoS and resource exhaustion in 5G networks, with future work aimed at quantifying detection rates and developing authenticated signaling. Overall, the paper contributes important empirical validation of lower-layer vulnerabilities in 5G NR and provides a practical baseline for defense development against PHY/MAC-level exploits.

Abstract

As 3GPP systems have strengthened security at the upper layers of the cellular stack, plaintext PHY and MAC layers have remained relatively understudied, though interest in them is growing. In this work, we explore lower-layer exploitation in modern 5G, where recent releases have increased the number of lower-layer control messages and procedures, creating new opportunities for practical attacks. We present two practical attacks and evaluate them in a controlled lab testbed. First, we reproduce a SIB1 spoofing attack to study manipulations of unprotected broadcast fields. By repeatedly changing a key parameter, the UE is forced to refresh and reacquire system information, keeping the radio interface active longer than necessary and increasing battery consumption. Second, we demonstrate a new Timing Advance (TA) manipulation attack during the random access procedure. By injecting an attacker-chosen TA offset in the random access response, the victim applies incorrect uplink timing, which leads to uplink desynchronization, radio link failures, and repeated reconnection loops that effectively cause denial of service. Our experiments use commercial smartphones and open-source 5G network software. Experimental results in our testbed demonstrate that TA offsets exceeding a small tolerance reliably trigger radio link failures in our testbed and can keep devices stuck in repeated re-establishment attempts as long as the rogue base station remains present. Overall, our findings highlight that compact lower-layer control messages can have a significant impact on availability and power, and they motivate placing defenses for initial access and broadcast procedures.
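
One way to operationalize the network- and UE-side monitoring the summary calls for, as an added example that is not code from the paper: a detector run over a constructed stream of decoded SIB1 and RAR events that flags valueTag churn (the SI reacquisition-loop signature) and Timing Advance Commands outside the tolerance expected for the UE. The event tuple format, the thresholds and the sample values are assumptions; the 12-bit RAR TA command range 0..3846 is from TS 38.213.

```python
from collections import deque

# Constructed sample of decoded lower-layer events (not from the paper):
# ("sib1", t_seconds, valueTag) for each decoded SIB1, and
# ("rar", t_seconds, ta_command) for each Timing Advance Command in a RAR.
SAMPLE_EVENTS = [
    ("sib1", 0.0, 3), ("sib1", 0.16, 3), ("sib1", 0.32, 3),  # stable broadcast
    ("rar", 0.40, 31),                                        # plausible TA for this UE
    ("sib1", 5.0, 4), ("sib1", 5.2, 5), ("sib1", 5.4, 6),     # valueTag churn
    ("sib1", 5.6, 7),
    ("rar", 6.0, 1200),                                       # far outside tolerance
]

def sib1_churn_alerts(events, window_s=10.0, max_changes=2):
    """Flag windows in which the SIB1 valueTag changes more often than a network
    would legitimately reconfigure it. Every change forces the UE to reacquire SI,
    so a burst of changes is the reacquisition-loop behaviour the abstract describes.
    window_s and max_changes are tunable assumptions, not values from the paper."""
    alerts, changes, last_tag = [], deque(), None
    for kind, t, value in events:
        if kind != "sib1":
            continue
        if last_tag is not None and value != last_tag:
            changes.append(t)
        last_tag = value
        while changes and t - changes[0] > window_s:   # drop changes outside window
            changes.popleft()
        if len(changes) > max_changes:
            alerts.append((t, len(changes)))
            changes.clear()   # one alert per burst
    return alerts

def ta_anomaly_alerts(events, expected_ta, tolerance):
    """Flag RAR Timing Advance Commands that deviate from the value expected for
    this UE's distance to the cell by more than `tolerance` steps. The 12-bit TA
    command in RAR is bounded to 0..3846 (TS 38.213); out-of-range values are
    flagged as well. expected_ta and tolerance are deployment-specific assumptions."""
    alerts = []
    for kind, t, value in events:
        if kind != "rar":
            continue
        if not 0 <= value <= 3846 or abs(value - expected_ta) > tolerance:
            alerts.append((t, value))
    return alerts

if __name__ == "__main__":
    print("SIB1 churn:", sib1_churn_alerts(SAMPLE_EVENTS))           # [(5.4, 3)]
    print("TA anomalies:", ta_anomaly_alerts(SAMPLE_EVENTS, 31, 4))   # [(6.0, 1200)]
```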

Paper Structure (18 sections, 3 figures, 1 table)

Figures (3)

  • Figure 1: RACH procedure for initial cell access
  • Figure 2: SIB1 Spoofing
  • Figure 3: TA Manipulation causes uplink de-synchronization and leads to Radio Link Failure (RLF)