Applying Machine Learning on RSRP-based Features for False Base Station Detection
False base stations (IMSI catchers, Stingrays) are devices that impersonate legitimate base stations as part of malicious activities such as unauthorized surveillance or communication sabotage. Detecting them on the network side using 3GPP-standardized measurement reports is a promising technique. While applying predetermined detection rules works well when an attacker operates a false base station with an illegitimate Physical Cell Identifier (PCI), the detection produces false negatives when a more resourceful attacker operates the false base station with one of the legitimate PCIs obtained by first scanning the neighborhood. In this paper, we show how Machine Learning (ML) can be applied to alleviate such false negatives. We demonstrate our approach by conducting experiments in a simulation setup using the ns-3 LTE module. We propose three robust ML features (COL, DIST, XY) based on the Reference Signal Received Power (RSRP) contained in measurement reports and on cell locations. We evaluate four ML models (Regression Clustering, Anomaly Detection Forest, Autoencoder, and RCGAN) and show that several of them have high precision in detection even when the false base station is using a legitimate PCI. In our experiments with a layout of 12 cells, where one cell acts as a moving false cell, between 75% and 95% of the false positions are detected by the best model at a cost of 0.5% false positives.
Comment: 9 pages, 5 figures, 3 tables, 2 algorithms
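The two detection stages the abstract contrasts (a PCI rule that catches a naively configured false cell, and an RSRP-plus-cell-location check that still catches a cloned PCI) can be illustrated with a small simulation. The following is an added example and not the paper's code: the cell map, the log-distance path-loss constants, the 10 dB alert threshold and the leave-one-out position-fit check are all assumptions of this example; the paper's COL, DIST and XY features are not defined in the abstract and are not reproduced here.

```python
import math

# Constructed operator cell map for this example: PCI -> (x, y) in metres.
# Five cells instead of the paper's 12-cell layout; every number is made up.
CELL_MAP = {
    11: (0.0, 0.0),
    12: (1000.0, 0.0),
    13: (0.0, 1000.0),
    14: (1000.0, 1000.0),
    15: (500.0, 1500.0),
}

# Assumed log-distance path-loss model: RSRP is -60 dBm at 100 m and falls
# off with exponent 3.5. A real deployment would calibrate this per cell.
P0_DBM, D0_M, EXPONENT = -60.0, 100.0, 3.5
ALERT_DB = 10.0              # assumed residual threshold for an alert
GRID_M, STEP_M = 1500, 25    # search area and resolution of the position fit


def rsrp_at(distance_m):
    """Expected RSRP (dBm) at a given distance from a cell."""
    return P0_DBM - 10 * EXPONENT * math.log10(max(distance_m, 1.0) / D0_M)


def simulate_report(ue_xy, false_cell=None):
    """Constructed measurement report {pci: rsrp_dbm} for a UE at ue_xy.

    false_cell=(pci, (x, y)) models a false base station at (x, y) that
    broadcasts that PCI; its signal replaces the entry for the genuine cell.
    """
    report = {pci: rsrp_at(math.dist(ue_xy, xy)) for pci, xy in CELL_MAP.items()}
    if false_cell is not None:
        pci, xy = false_cell
        report[pci] = rsrp_at(math.dist(ue_xy, xy))
    return report


def rule_check(report):
    """Predetermined rule: a PCI the operator does not use is a false cell."""
    return sorted(pci for pci in report if pci not in CELL_MAP)


def fit_position(report):
    """Grid least-squares estimate of the UE position from known cells' RSRP."""
    best_err, best_xy = float("inf"), None
    for x in range(0, GRID_M + 1, STEP_M):
        for y in range(0, GRID_M + 1, STEP_M):
            err = sum((rsrp - rsrp_at(math.dist((x, y), CELL_MAP[pci]))) ** 2
                      for pci, rsrp in report.items())
            if err < best_err:
                best_err, best_xy = err, (float(x), float(y))
    return best_xy


def consistency_check(report):
    """Leave-one-out residual test over the reported legitimate PCIs.

    For each cell, estimate the UE position from the *other* cells and compare
    the cell's reported RSRP with what its map location predicts there.
    Returns (most inconsistent pci, its residual in dB).
    """
    known = {pci: r for pci, r in report.items() if pci in CELL_MAP}
    worst_pci, worst_db = None, -1.0
    for pci, reported in known.items():
        others = {p: r for p, r in known.items() if p != pci}
        est_xy = fit_position(others)
        predicted = rsrp_at(math.dist(est_xy, CELL_MAP[pci]))
        if abs(reported - predicted) > worst_db:
            worst_pci, worst_db = pci, abs(reported - predicted)
    return worst_pci, worst_db


def detect(report):
    """Rule first (cheap), geometry check second. Returns (verdict, suspect PCIs)."""
    unknown = rule_check(report)
    if unknown:
        return "false cell: unknown PCI", unknown
    suspect, residual = consistency_check(report)
    if residual > ALERT_DB:
        return "false cell: RSRP inconsistent with cell map", [suspect]
    return "ok", []


if __name__ == "__main__":
    ue = (300.0, 400.0)
    false_bs = (350.0, 450.0)                                 # about 70 m from the UE
    honest = simulate_report(ue)
    naive = simulate_report(ue, false_cell=(99, false_bs))    # PCI 99 is not in the map
    clever = simulate_report(ue, false_cell=(14, false_bs))   # clones legitimate PCI 14
    for name, rep in (("honest", honest), ("naive", naive), ("clever", clever)):
        print(f"{name:7s} rule={rule_check(rep)} verdict={detect(rep)}")
```

The rule alone returns an empty list for the cloned-PCI report, which is the false negative the abstract describes; the geometry check names PCI 14 because a cell at the map position of PCI 14 cannot produce a signal that strong at the position the other four cells imply. The check is run leave-one-out on purpose: a single joint least-squares fit is dragged toward a very strong spoofed cell and then blames a genuine neighbour. The simulation is noiseless, so honest reports give a residual of exactly zero; real RSRP carries several dB of shadow fading, so the threshold has to be calibrated against the false-positive budget (the paper quotes 0.5%), and the fit needs at least four non-collinear cells per report.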
A novel clock gating approach for the design of low-power linear feedback shift register
This paper presents an efficient solution to reduce the power consumption of the popular linear feedback shift register (LFSR) by exploiting the gated-clock approach. The power reduction with respect to other gated-clock schemes is obtained by an efficient implementation of the logic gates and by properly reducing the number of XOR gates in the feedback network. Transistor-level simulations are performed using standard cells in a 28-nm FD-SOI CMOS technology and a 300-MHz clock. Simulation results show a power reduction with respect to traditional implementations that reaches values higher than 30%.
The Impact of IMSI Catcher Deployments on Cellular Network Security: Challenges and Countermeasures in 4G and 5G Networks
IMSI (International Mobile Subscriber Identity) catchers, also known as "Stingrays" or "cell site simulators," are rogue devices that pose a significant threat to cellular network security [1]. IMSI catchers can intercept and manipulate cellular communications, compromising the privacy and security of mobile devices and their users. With the advent of 4G and 5G networks, IMSI catchers have become more sophisticated and pose new challenges to cellular network security [2].
This paper provides an overview of the impact of IMSI catcher deployments on cellular network security in the context of 4G and 5G networks. It discusses the challenges posed by IMSI catchers, including the unauthorized collection of IMSI numbers, interception of communications, and potential misuse of subscriber information. It also highlights the potential consequences of IMSI catcher deployments, including the compromise of user privacy, financial fraud, and unauthorized surveillance.
The paper further reviews the countermeasures that can be employed to mitigate the risks posed by IMSI catchers. These countermeasures include network-based solutions such as signal analysis, encryption, and authentication mechanisms, as well as user-based solutions such as mobile applications and device settings. The paper also discusses the limitations and effectiveness of these countermeasures in the context of 4G and 5G networks.
Finally, the paper identifies research gaps and future directions for enhancing cellular network security against IMSI catchers in the era of 4G and 5G networks. This includes the need for improved encryption algorithms, authentication mechanisms, and detection techniques to effectively detect and prevent IMSI catcher deployments. The paper also emphasizes the importance of regulatory and policy measures to govern the deployment and use of IMSI catchers to protect user privacy and security.
Seeing the Unseen: The REVEAL protocol to expose the wireless Man-in-the-Middle
A Man-in-the-Middle (MiM) can collect over-the-air packets, whether from a mobile or a base station, process them, possibly modify them, and forward them to the intended receiver. This paper exhibits the REVEAL protocol, which can detect a MiM whether it has half-duplex capability, full-duplex capability, or double full-duplex capability. The protocol is based on synchronizing clocks between the mobile and the base station, with the MiM being detected if it interferes in the synchronization process. Once synchronized, the REVEAL protocol creates a sequence of challenge packets whose transmission times, durations, and frequencies are chosen to create conflicts at the MiM and make it impossible for the MiM to function. We implement the REVEAL protocol for detecting a MiM in 4G technology. We instantiate a MiM between the 4G/5G base station and a mobile and exhibit the successful detection mechanisms. With the shared source code, our work can be reproduced using open software-defined cellular networks with off-the-shelf devices.
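The conflict the abstract describes, a challenge schedule that a store-and-forward relay cannot honour once both ends share a clock, can be shown with a discrete-time model. This is an added example and not the REVEAL protocol or the authors' code: the challenge schedule, the 0.5 ms synchronization tolerance and the relay model (one receiver, one transmitter, a packet must be captured in full before it is forwarded) are assumptions of the example, the synchronization step itself is taken as already completed, and the double full-duplex case mentioned in the abstract is not modelled.

```python
from dataclasses import dataclass

# Assumed clock-synchronization accuracy between mobile and base station.
# The synchronization exchange is not modelled; both ends are taken to share
# the challenge schedule below.
TOLERANCE_S = 0.0005


@dataclass(frozen=True)
class Challenge:
    name: str
    start: float      # scheduled on-air time (s) agreed by both ends
    duration: float   # air time of the packet (s)
    direction: str    # "down" (base station -> mobile) or "up"


# Constructed challenge schedule. c2 goes on air while c1 would still be
# being forwarded: in FDD the two ends can transmit and receive at the same
# time, but a half-duplex relay cannot.
SCHEDULE = [
    Challenge("c1", start=0.0000, duration=0.0020, direction="down"),
    Challenge("c2", start=0.0025, duration=0.0020, direction="up"),
    Challenge("c3", start=0.0100, duration=0.0010, direction="down"),
]


def direct_channel(schedule):
    """No MiM: each packet reaches the far end at its scheduled time
    (propagation delay ignored)."""
    return {c.name: c.start for c in schedule}


def store_and_forward_relay(schedule, full_duplex):
    """A MiM that must capture a packet completely before retransmitting it.

    One receiver and one transmitter. A half-duplex relay cannot receive while
    it is transmitting, so any packet that starts during a forward is lost.
    Returns {name: arrival time at the intended receiver, or None if lost}.
    """
    arrivals, rx_busy_until, tx_busy_until = {}, 0.0, 0.0
    for c in sorted(schedule, key=lambda c: c.start):
        if c.start < rx_busy_until:                       # still capturing another packet
            arrivals[c.name] = None
            continue
        if not full_duplex and c.start < tx_busy_until:   # radio is busy transmitting
            arrivals[c.name] = None
            continue
        captured_at = c.start + c.duration               # needs the whole packet first
        rx_busy_until = captured_at
        forward_at = max(captured_at, tx_busy_until)     # wait for the transmitter
        arrivals[c.name] = forward_at
        tx_busy_until = forward_at + c.duration
    return arrivals


def detect_mim(schedule, arrivals, tolerance=TOLERANCE_S):
    """Receiver-side check run by whichever end expects each challenge:
    a packet that is missing or arrives off-schedule reveals a relay.
    Returns a list of (name, "missing" | "late", delay_s)."""
    findings = []
    for c in schedule:
        t = arrivals.get(c.name)
        if t is None:
            findings.append((c.name, "missing", None))
        elif abs(t - c.start) > tolerance:
            findings.append((c.name, "late", round(t - c.start, 6)))
    return findings


if __name__ == "__main__":
    print("direct      :", detect_mim(SCHEDULE, direct_channel(SCHEDULE)))
    print("half duplex :", detect_mim(SCHEDULE, store_and_forward_relay(SCHEDULE, full_duplex=False)))
    print("full duplex :", detect_mim(SCHEDULE, store_and_forward_relay(SCHEDULE, full_duplex=True)))
```

In this model the half-duplex relay loses c2 outright, because it is still retransmitting c1 when c2 goes on air, and the full-duplex relay delivers every packet but each one a full packet duration late, which the synchronized receiver sees against the agreed schedule. That is why the abstract ties detection to the synchronization step: a relay that can skew the clocks can hide the store-and-forward delay, which is the case this simplified model does not cover.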
BaseSAFE: Baseband SAnitized Fuzzing through Emulation
Rogue base stations are an effective attack vector. Cellular basebands represent a critical part of the smartphone's security: they parse large amounts of data even before authentication. They can therefore grant an attacker a very stealthy way to gather information about calls placed and even to escalate to the main operating system over the air. In this paper, we discuss a novel cellular fuzzing framework that aims to help security researchers find critical bugs in cellular basebands and similar embedded systems. BaseSAFE allows partial rehosting of cellular basebands for fast instrumented fuzzing off-device, even for closed-source firmware blobs. BaseSAFE's sanitizing drop-in allocator enables spotting heap-based buffer overflows quickly. Using our proof-of-concept harness, we fuzzed various parsers of the Nucleus RTOS-based MediaTek cellular baseband that are accessible from rogue base stations. The emulator instrumentation is highly optimized, reaching hundreds of executions per second on each core for our complex test case, around 15k test cases per second in total. Furthermore, we discuss attack vectors for baseband modems. To the best of our knowledge, this is the first use of emulation-based fuzzing for security testing of commercial cellular basebands. Most of the tooling and approaches of BaseSAFE are also applicable to other low-level kernels and firmware. Using BaseSAFE, we were able to find memory corruptions, including heap out-of-bounds writes, using our proof-of-concept fuzzing harness in the MediaTek cellular baseband. BaseSAFE, the harness, and a large collection of LTE signaling message test cases will be released open-source upon publication of this paper.
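How a sanitizing drop-in allocator turns a silent heap overflow in a message parser into an immediate finding, and how a mutation fuzzer drives the parser into it, as an added example that is not BaseSAFE's code: the TLV-style message format, the parser with its fixed 16-byte identity buffer, the redzone allocator and the seed message are all constructed for this example and describe nothing about the MediaTek baseband or the real BaseSAFE allocator.

```python
import random

REDZONE = 16            # guard bytes on each side of every allocation
CANARY = 0xAA           # pattern the guards are filled with
IDENTITY_BUF = 16       # fixed buffer the constructed parser uses for the identity IE


class HeapOverflow(Exception):
    """Raised by the toy allocator when a guard region has been overwritten."""


class SanitizingHeap:
    """Toy drop-in allocator: a flat byte array in which every chunk is wrapped
    in canary-filled redzones that are verified when the chunk is freed."""

    def __init__(self, size=4096):
        self.mem = bytearray(size)
        self.top = 0
        self.live = {}  # chunk offset -> size

    def malloc(self, size):
        if self.top + 2 * REDZONE + size > len(self.mem):
            raise MemoryError("toy heap exhausted")
        off = self.top + REDZONE
        self.mem[self.top:off] = bytes([CANARY]) * REDZONE                    # leading guard
        self.mem[off + size:off + size + REDZONE] = bytes([CANARY]) * REDZONE  # trailing guard
        self.top = off + size + REDZONE
        self.live[off] = size
        return off

    def memcpy(self, off, data):
        """Unchecked copy, like the C memcpy the firmware would call."""
        end = off + len(data)
        if end > len(self.mem):
            raise HeapOverflow(f"wild write past end of heap ({end} > {len(self.mem)})")
        self.mem[off:end] = data

    def free(self, off):
        size = self.live.pop(off)
        guards = list(range(off - REDZONE, off)) + list(range(off + size, off + size + REDZONE))
        clobbered = [i for i in guards if self.mem[i] != CANARY]
        if clobbered:
            raise HeapOverflow(f"chunk@{off} size {size}: {len(clobbered)} guard bytes "
                               f"overwritten starting at offset {clobbered[0]}")


def parse_message(heap, msg):
    """Constructed TLV-style signalling message parser with a classic baseband
    bug: the identity IE is copied into a fixed 16-byte buffer using the
    length byte the (unauthenticated) sender chose. Returns the IE count."""
    pos, ies = 1, 0                           # msg[0] is the message type, ignored here
    while pos + 2 <= len(msg):
        tag, length = msg[pos], msg[pos + 1]
        value = msg[pos + 2:pos + 2 + length]
        if tag == 0x01:                       # identity IE
            buf = heap.malloc(IDENTITY_BUF)
            heap.memcpy(buf, value)           # BUG: no check that length <= IDENTITY_BUF
            heap.free(buf)                    # guard verification happens here
        pos += 2 + length
        ies += 1
    return ies


# Constructed seed: type 0x41, identity IE (8 bytes), two further IEs that give
# a mutated length byte something to copy.
SEED = (bytes([0x41, 0x01, 8]) + b"\x42" * 8
        + bytes([0x02, 20]) + b"\x55" * 20
        + bytes([0x03, 4]) + b"\x77" * 4)


def triggers_overflow(msg):
    """Run one input through the parser on a fresh sanitized heap."""
    try:
        parse_message(SanitizingHeap(), msg)
    except HeapOverflow:
        return True
    return False


def fuzz(seed, iterations=2000, rng_seed=1):
    """Minimal mutation fuzzer: overwrite 1-3 random bytes of the seed per run
    and stop at the first input the sanitizer flags."""
    rng = random.Random(rng_seed)
    for i in range(1, iterations + 1):
        msg = bytearray(seed)
        for _ in range(rng.randint(1, 3)):
            msg[rng.randrange(len(msg))] = rng.randrange(256)
        if triggers_overflow(bytes(msg)):
            return {"iteration": i, "input": bytes(msg)}
    return None


if __name__ == "__main__":
    crash = fuzz(SEED)
    print("no finding" if crash is None else f"heap overflow after {crash['iteration']} runs: {crash['input'].hex()}")
```

Without the guards the same overflow would silently overwrite whatever chunk happens to follow the buffer and only surface, if at all, as a later unrelated crash; with them the run that corrupts memory is the run that gets reported, together with a reproducer. Real sanitizers (and the allocator the abstract describes) check on every access rather than on free, so they also catch out-of-bounds reads and overflows that land beyond the redzone.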
Freaky Leaky SMS: Extracting User Locations by Analyzing SMS Timings
Short Message Service (SMS) remains one of the most popular communication channels since its introduction in 2G cellular networks. In this paper, we demonstrate that merely receiving silent SMS messages regularly opens a stealthy side channel that allows other regular network users to infer the whereabouts of the SMS recipient. The core idea is that receiving an SMS inevitably generates Delivery Reports, whose reception gives the sender a timing attack vector. We conducted experiments across various countries, operators, and devices to show that an attacker can deduce the location of an SMS recipient by analyzing timing measurements from typical receiver locations. Our results show that, after training an ML model, the SMS sender can accurately determine multiple locations of the recipient. For example, our model achieves up to 96% accuracy for locations across different countries, and 86% for two locations within Belgium. Due to the way cellular networks are designed, it is difficult to prevent Delivery Reports from being returned to the originator, making it challenging to thwart this covert attack without making fundamental changes to the network architecture.
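The attack pipeline the abstract describes, timing Delivery Reports for bursts of silent SMS at known recipient locations, training a classifier, and then predicting the location from fresh timings, as an added example that is not the paper's code or data: the per-location delay model, the burst size, the spike probability and the hand-rolled Gaussian naive Bayes classifier are assumptions of this example, and the simulated timings say nothing about any real operator or country.

```python
import math
import random
from statistics import mean, pvariance

# Constructed delay model for the Delivery Report round trip, in seconds, as a
# function of where the recipient is. The numbers are invented for this
# example; the paper's figures come from real measurement campaigns.
DELAY_MODEL = {               # location: (typical delay, jitter std)
    "home_city": (3.9, 0.5),
    "other_city": (5.0, 0.5),
    "abroad": (6.6, 0.8),
}
BURST = 5                     # silent SMS per probe; one probe = one feature vector
SPIKE_PROB = 0.15             # assumed chance of an extra queueing delay per SMS


def features(times):
    """Feature vector the attacker derives from one burst: min, median, mean.
    min and median survive the occasional delayed report; mean does not."""
    s = sorted(times)
    return (s[0], s[len(s) // 2], mean(s))


def probe(location, rng):
    """Simulate sending a burst of silent SMS and timing each Delivery Report."""
    typical, jitter = DELAY_MODEL[location]
    times = []
    for _ in range(BURST):
        t = rng.gauss(typical, jitter)
        if rng.random() < SPIKE_PROB:
            t += rng.uniform(1.0, 3.0)
        times.append(max(t, 0.1))
    return features(times)


class GaussianNB:
    """Hand-rolled Gaussian naive Bayes so the example runs without sklearn."""

    def fit(self, X, y):
        self.stats = {}
        for label in sorted(set(y)):
            rows = [x for x, lab in zip(X, y) if lab == label]
            self.stats[label] = [(mean(col), pvariance(col) + 1e-6) for col in zip(*rows)]
        return self

    def predict(self, x):
        best, best_ll = None, -math.inf
        for label, params in self.stats.items():
            ll = sum(-0.5 * math.log(2 * math.pi * var) - (v - mu) ** 2 / (2 * var)
                     for v, (mu, var) in zip(x, params))
            if ll > best_ll:
                best, best_ll = label, ll
        return best


def run_attack(train_per_loc=60, test_per_loc=40, seed=7):
    """Train on probes from known locations, then classify fresh probes.
    Returns (accuracy, confusion) where confusion maps (true, guessed) -> count."""
    rng = random.Random(seed)
    locations = list(DELAY_MODEL)
    X, y = [], []
    for loc in locations:
        for _ in range(train_per_loc):
            X.append(probe(loc, rng))
            y.append(loc)
    model = GaussianNB().fit(X, y)
    confusion, correct = {}, 0
    for loc in locations:
        for _ in range(test_per_loc):
            guess = model.predict(probe(loc, rng))
            confusion[(loc, guess)] = confusion.get((loc, guess), 0) + 1
            correct += guess == loc
    return correct / (len(locations) * test_per_loc), confusion


if __name__ == "__main__":
    accuracy, confusion = run_attack()
    print(f"accuracy: {accuracy:.2f}")
    for (true_loc, guess), n in sorted(confusion.items()):
        print(f"  {true_loc:10s} -> {guess:10s}: {n}")
```

The attacker needs nothing beyond a normal subscription: the labelled training probes come from sending silent SMS while the target is at locations the attacker already knows, and the recipient's phone shows nothing. The example uses order statistics of a burst rather than single timings because a lone delayed report would otherwise push a measurement into the "farther away" class; that robustness is part of what makes the channel hard to close by adding jitter, while the abstract's point stands that suppressing the Delivery Report itself would require changing the network architecture.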