UCLA

5G/4G offers anytime, anywhere data services to billions of users every month. It is thus of great importance to proper protection of the 5G/4G systems from adversaries. The current systems deploy a few security mechanisms. Most notably, the user device and network perform a one-time mutual authentication using a secured private key. After the procedure, all subsequent data packets and control-plane signaling messages are encrypted and integrity protected. In addition, the delivery of each data is strictly controlled by the network. That said, the conventional wisdom believes these deployed mechanisms sufficiently ensure 5G/4G data-plane security. Most published works report attacks before mutual authentication or manipulate the procedure with techniques such as man-in-the-middle.

Contrary to common belief, this dissertation finds the current 5G/4G systems to be still vulnerable to new attacks even after the mutual authentication. The data-plane signaling messages, which facilitate data transfer (for scheduling, power management, etc.), are always sent in cleartext over the air. Meanwhile, message authenticity such as integrity protection is not always enabled.

This dissertation makes four intellectual contributions. First, we design novel data-plane forgery attacks, which can be launched assuming no key compromise, malware, or fake base station. The forged data can pass all security fences at receiver and incur serious damages from privacy intrusion to DoS variants. The attacks include CDS which targets critical data-plane signaling messages and FANE which could forge data-plane packets. Second, we propose a novel, marginal-overhead protection scheme that fundamentally secures 5G/4G data plane without protecting data itself. The goal is to secure the necessary step in data delivery to prevent any forgery attacks. Third, we devise a complementary device-centric detection and mitigation method. It can be achieved on the device side in user space with no infrastructure support, firmware/hardware access, or root privilege. This way, it provides a prompt remedy for legacy devices. Finally, we study a reversed problem of improving the performance without affecting security. We propose an application-layer, rootless solution that facilitates latency-sensitive applications such as VR/AR.

This dissertation shows how a forgery attacker addresses two critical challenges. Firstly, the attacker needs to break 5G/4G access control and make the forgery appear legitimate. To achieve so, the attack leverages the cross-layer vulnerabilities in link layers and infers the authenticated time slots and frequency. The attacker then corrupts the legitimate transmission and sends the forged data-plane signaling as retransmission. Second, the attacker needs to select the timing and content of the forge messages. We propose a smart attacker that eavesdrops on the channel and adapts the forgery content based on the observed context. With the attack methodology, we design CDS that leverage data-plane signaling, which includes 3 attacks that cause dysfunction in a single protocol and 4 more that cause cascading damages in multiple layers. They can inflict a range of serious damages from breach of privacy (e.g., inferring the victim's location) to beyond-simplistic DoS (e.g., forcing the victim to repeatedly send the same data). We also introduce FANE which forges encrypted data packets by leveraging retransmission. It can redirect a user's HTTP connection to a malicious server or infer the victim's encrypted IP address.

To combat data-plane forgery attacks including CDS and FANE, the conventional approach takes the per-packet protection philosophy. However, protecting all data (data-plane signaling + user packets) in 5G/4G incurs unacceptable overhead considering the high data rate. Instead, we note that a successful delivery requires using the correct meta-info, such as physical layer ID or modulation parameters. If an attacker is denied from getting meta-info, it cannot launch a successful forgery. This dissertation proposes an alternative solution to protecting meta-info with low overhead. We study which meta-info is suitable for protection among all possible choices. The ideal meta-info should be both necessary for every message and practical to protect. We propose a solution that targets a data structure called DCI. It is magnitude less frequent compared to data packets, while containing critical meta-info for both MAC and PHY. Securing DCI can thus effectively protect 5G/4G systems. We overcome the challenges of lack of variant parameters for DCI by using a novel, time-based scheme to generate keystream. The design leverages the property in 5G/4G scheduling and adopts an inference algorithm to pre-generate the keystream for low solution overhead.

This dissertation further designs a device-side, user-space detection and reaction scheme. The core idea is to verify what's right according to the protocol operations, rather than defend against certain threats. It thus differentiates itself from any defense scheme that can only protect against certain attacks. To operate on the user space, we devise a novel algorithm to infer, decode, and analyze critical 5G/4G signaling messages and configurations to verify if the messages are received in the right context. When a potential attack is spotted, our solution triggers proper countermeasure to void the attacker with techniques such as band switching. Neither detection nor mitigation requires extra privilege (e.g., root access), thus not exposing any new vulnerabilities. This scheme complements the fundamental meta-info protection and benefits the current device and next-generation applications before the new security mechanism is fully rolled out.

To evaluate the attacks and solutions, we build an open-source, standard-compliant software-defined radio 5G/4G system named Flora. Its salient features include in-network analytics, run-time intelligence, and new feature support (carrier aggregation, handover, etc.). Flora does not depend on any specialized hardware (SIM, chipset, or infrastructure) and works with commercial-off-the-shelf devices. We implement and integrate our security defenses in our system testbed. To assess the security, we further develop next-generational mobile VR/AR applications that run on Flora platform. The evaluation has validated the attacks and confirmed the effectiveness of our approach to protection, detection, and mitigation. We also build Sonica, the first software-defined NB-IoT platform that implements 5G/4G CIoT optimizations. We confirm that our attacks and countermeasures in broadband apply to IoT scenarios.

Moreover, we show that improving 5G/4G network performance can be achieved in the application layer without extra privilege. Many performance-boosting algorithms for 5G/4G end-users need additional privilege or even firmware change, as OS and network only expose constrained information without root. However, enabling root privilege is usually unavailable and opens new vulnerabilities for attackers to install malware or steal information. We design a rootless solution LRP that can infer critical parameters in 5G/4G networks with deep domain knowledge and learning algorithms on the application layer. With the inferred parameters, the application layer can act accordingly to boost the performance. We show that, an application can ask for 5G/4G radio resources early and bypass unnecessary waiting to reduce delay. LRP thus helps latency-sensitive applications, such as VR/AR, to meet stringent requirements. The effectiveness of LRP is verified with devices under commercial operational networks.

The results of this dissertation unveil some deeply-rooted design choices in 5G/4G systems that sacrifice their security. One example is the improper trust model, where any data-plane signaling message is received without verifying the data content. The cross-layer vulnerabilities make our attacks (forging data) possible, while our protections (verify meta-info for every delivery) and detection (content verification) shed light on proper security measures in future 5G releases and xG security.