Never Let Me Down Again: Bidding-Down Attacks and Mitigations in 5G and 4G

Bedran Karakoc, Nils Fürste, David Rupprecht, and Katharina Kohls

Ruhr University Bochum, Software Radio Systems, Radix Security, Radboud University

Introduction

When our phone connects to a mobile network, it uses a certain standard aka a mobile generation. The most common standard at the moment is 4G, with 5G being rolled out more and more. Each new generation introduces improvements over the previous ones. This is possible because we try to learn from the mistakes of older technologies and improve the performance that once was the standard. From a security perspective, this means the more up-to-date a connection is, the more security we can expect from it. Things that have been broken in 3G are mostly fixed in 4G. And we try to do the same for 5G and beyond. In a downgrade attack, an adversary tries to force the connection to a less secure standard. That can be weaker encryption algorithms or even connections using an older mobile generation. Such bidding-down attacks can be very diverse and use many different characteristics of a mobile connection, which makes it very difficult to simply protect against all of them. In this project, you will find different examples of bidding-down attacks that demonstrate how it is a persisting problem that affects different mobile generations, different up-to-date smartphones, and commercial networks. The following will guide you through the most important findings and provide pointers to more technical details.

Consequences

The goal of such an attack, no matter what type of attack is applied or what attack vector (a characteristic of the network that can be exploited by the adversary) is used, is to weaken the security. Enforcing a weaker connection opens the door for follow-up attacks in which the adversary can, for example, try to eavesdrop on the connection.

Types of bidding-down attacks

There are different types of attacks, each with its own attack vector and its own consequences for the connection and, eventually, the user.

Types of Bidding-Down Attacks

Intra-Generation

Bidding down the connection within a generation means that the default security characteristics of the connection get weakened. Let’s say a connection uses the latest encryption standard by default. Then an intra-generation attack forces the connection to use a weaker standard. What’s dangerous about these attacks within the generation is that they only lead to minor changes within the connection. Using a less secure connection is not visible to the user, however, once there is weak or no encryption in place it is easy to conduct follow-up attacks.

Inter-Generation

Bidding down a connection to a different generation means a switch from, let’s say, 4G to 3G. The consequences of such a switch are more far-reaching than before: The connection uses a whole different technology and inherits all weaknesses that are known to the generation. Such an attack might be less stealthy but also opens the door for even more follow-up attacks.

How does it work?

There is no simple answer to this question! There is not just one single intra- and one inter-generation attack. A mobile connection is very complex, it follows its own rules for setting up a connection, establishing everything that’s necessary to authenticate a user, encrypting the connection, handling handovers when the user is walking around, etc. Within these complex protocol flows, many messages are sent back and forth between the phone and the network. By manipulating one or multiple of these messages, it might become possible to weaken the security of the connection. And there are many different types of messages and manipulations that to the trick.

Some results at a glance

We have used the vulnerabilities in our findings to forge different types of bidding-down attacks. Note, that while we have carried out these attacks in our shielded laboratory environment, they require sophisticated radio hardware and significant effort in order to be executed in the real world.

Downgrade Dance 5G → 2G

We first present a 5G downgrade dance attack, which is an inter-generation bidding-down that enables an attacker to downgrade a phone from a 5G connection down to an insecure 2G connection. Once downgraded to 2G, the attacker can manipulate and eavesdrop on the entire connection as 2G offers no effective security mechanisms.

Demonstration

NEA0 Bidding-Down Attack

The second attack we present is a NEA0 bidding-down in a 5G NSA, an intra-generation attack aiming to disable the radio connection between the UE and the gNodeB. If the attack succeeds, the adversary can eavesdrop on the user data that is transported via this radio connection.

Demonstration

I want more details, where should I start?

Our work appears at the Conference on Security and Privacy in Wireless and Mobile Networks ‘23 (WiSec’23). You can find the pre-print of our paper here.

BibTeX

    @inproceedings{karakoc2023never,
        author = {Karakoc, Bedran and Fürste, Nils and Rupprecht, David and Kohls, Katharina},
        title = {Never Let Me Down Again: Bidding-Down Attacks and Mitigations in 5G and 4G},
        booktitle = {Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks},
        series = {WiSec '23},
        year = {2023},
        url = {https://doi.org/10.1145/3558482.3581774},
        doi = {10.1145/3558482.3581774},
    }

Frequently Asked Questions

Does this affect me?

Well, it can, but it´s very unlikely. In our project, we focused on a systematic analysis of different devices and networks and found a lot of potential attack vectors. However, attacking a device within a controlled lab setup is much less complicated than repeating the same in the wild. Another reason it’s not necessary to be on the lookout for adversaries is that bidding down is only a stepping stone for a follow-up attack. This adds another layer of complexity and makes it unlikely to be the target of an attack.