17 research outputs found

    Applying Machine Learning on RSRP-based Features for False Base Station Detection

    False base stations -- IMSI catchers, Stingrays -- are devices that impersonate legitimate base stations as part of malicious activities such as unauthorized surveillance or communication sabotage. Detecting them on the network side using 3GPP standardized measurement reports is a promising technique. While applying predetermined detection rules works well when an attacker operates a false base station with an illegitimate Physical Cell Identifier (PCI), the detection produces false negatives when a more resourceful attacker operates the false base station with one of the legitimate PCIs obtained by scanning the neighborhood first. In this paper, we show how Machine Learning (ML) can be applied to alleviate such false negatives. We demonstrate our approach by conducting experiments in a simulation setup using the ns-3 LTE module. We propose three robust ML features (COL, DIST, XY) based on the Reference Signal Received Power (RSRP) contained in measurement reports and on cell locations. We evaluate four ML models (Regression Clustering, Anomaly Detection Forest, Autoencoder, and RCGAN) and show that several of them have high precision in detection even when the false base station is using a legitimate PCI. In our experiments with a layout of 12 cells, where one cell acts as a moving false cell, between 75-95% of the false positions are detected by the best model at a cost of 0.5% false positives. Comment: 9 pages, 5 figures, 3 tables, 2 algorithms

    A novel clock gating approach for the design of low-power linear feedback shift register

    This paper presents an efficient solution to reduce the power consumption of the popular linear feedback shift register by exploiting the gated clock approach. The power reduction with respect to other gated clock schemes is obtained by an efficient implementation of the logic gates and by properly reducing the number of XOR gates in the feedback network. Transistor-level simulations are performed using standard cells in a 28-nm FD-SOI CMOS technology and a 300-MHz clock. Simulation results show a power reduction with respect to traditional implementations that reaches values higher than 30%.

    The Impact of IMSI Catcher Deployments on Cellular Network Security: Challenges and Countermeasures in 4G and 5G Networks

    IMSI (International Mobile Subscriber Identity) catchers, also known as "Stingrays" or "cell site simulators," are rogue devices that pose a significant threat to cellular network security [1]. IMSI catchers can intercept and manipulate cellular communications, compromising the privacy and security of mobile devices and their users. With the advent of 4G and 5G networks, IMSI catchers have become more sophisticated and pose new challenges to cellular network security [2]. This paper provides an overview of the impact of IMSI catcher deployments on cellular network security in the context of 4G and 5G networks. It discusses the challenges posed by IMSI catchers, including the unauthorized collection of IMSI numbers, interception of communications, and potential misuse of subscriber information. It also highlights the potential consequences of IMSI catcher deployments, including the compromise of user privacy, financial fraud, and unauthorized surveillance. The paper further reviews the countermeasures that can be employed to mitigate the risks posed by IMSI catchers. These countermeasures include network-based solutions such as signal analysis, encryption, and authentication mechanisms, as well as user-based solutions such as mobile applications and device settings. The paper also discusses the limitations and effectiveness of these countermeasures in the context of 4G and 5G networks. Finally, the paper identifies research gaps and future directions for enhancing cellular network security against IMSI catchers in the era of 4G and 5G networks. This includes the need for improved encryption algorithms, authentication mechanisms, and detection techniques to effectively detect and prevent IMSI catcher deployments. The paper also emphasizes the importance of regulatory and policy measures to govern the deployment and use of IMSI catchers in order to protect user privacy and security.

    Seeing the Unseen: The REVEAL protocol to expose the wireless Man-in-the-Middle

    A Man-in-the-Middle (MiM) can collect over-the-air packets, whether from a mobile or a base station, process them, possibly modify them, and forward them to the intended receiver. This paper exhibits the REVEAL protocol, which can detect a MiM whether it has half duplex capability, full duplex capability, or double full duplex capability. The protocol is based on synchronizing clocks between the mobile and the base station, with the MiM being detected if it interferes in the synchronization process. Once synchronized, the REVEAL protocol creates a sequence of challenge packets whose transmission times, durations, and frequencies are chosen to create conflicts at the MiM and make it impossible for the MiM to function. We implement the REVEAL protocol for detecting a MiM in 4G technology. We instantiate a MiM between the 4G/5G base station and a mobile, and exhibit the successful detection mechanisms. With the shared source code, our work can be reproduced using open software-defined cellular networks with off-the-shelf devices.

    BaseSAFE: Baseband SAnitized Fuzzing through Emulation

    Rogue base stations are an effective attack vector. Cellular basebands represent a critical part of the smartphone's security: they parse large amounts of data even before authentication. They can, therefore, grant an attacker a very stealthy way to gather information about calls placed and even to escalate to the main operating system, over-the-air. In this paper, we discuss a novel cellular fuzzing framework that aims to help security researchers find critical bugs in cellular basebands and similar embedded systems. BaseSAFE allows partial rehosting of cellular basebands for fast instrumented fuzzing off-device, even for closed-source firmware blobs. BaseSAFE's sanitizing drop-in allocator enables spotting heap-based buffer overflows quickly. Using our proof-of-concept harness, we fuzzed various parsers of the Nucleus RTOS-based MediaTek cellular baseband that are accessible from rogue base stations. The emulator instrumentation is highly optimized, reaching hundreds of executions per second on each core for our complex test case, around 15k test cases per second in total. Furthermore, we discuss attack vectors for baseband modems. To the best of our knowledge, this is the first use of emulation-based fuzzing for security testing of commercial cellular basebands. Most of the tooling and approaches of BaseSAFE are also applicable to other low-level kernels and firmware. Using BaseSAFE, we were able to find memory corruptions, including heap out-of-bounds writes, using our proof-of-concept fuzzing harness in the MediaTek cellular baseband. BaseSAFE, the harness, and a large collection of LTE signaling message test cases will be released open-source upon publication of this paper.

    Freaky Leaky SMS: Extracting User Locations by Analyzing SMS Timings

    Short Message Service (SMS) remains one of the most popular communication channels since its introduction in 2G cellular networks. In this paper, we demonstrate that merely receiving silent SMS messages regularly opens a stealthy side channel that allows other regular network users to infer the whereabouts of the SMS recipient. The core idea is that receiving an SMS inevitably generates Delivery Reports, whose reception bestows a timing attack vector on the sender. We conducted experiments across various countries, operators, and devices to show that an attacker can deduce the location of an SMS recipient by analyzing timing measurements from typical receiver locations. Our results show that, after training an ML model, the SMS sender can accurately determine multiple locations of the recipient. For example, our model achieves up to 96% accuracy for locations across different countries, and 86% for two locations within Belgium. Due to the way cellular networks are designed, it is difficult to prevent Delivery Reports from being returned to the originator, making it challenging to thwart this covert attack without making fundamental changes to the network architecture.