Annual Computer Security Applications Conference (ACSAC) 2021

Don’t hand it Over: Vulnerabilities in the Handover Procedure of Cellular Telecommunications

Mobility management in cellular networks plays a significant role in preserving mobile services with minimal latency while a user is moving. To support this essential functionality, cellular networks rely on the handover procedure. Most often, the User Equipment (UE) provides signal measurements to the network via reports to facilitate the handover decision when it discovers a more suitable base station. These measurement reports are cryptographically protected. In this paper, we examine the cellular specification and illustrate that this crucial functionality has critical security implications. To the best of our knowledge, this is the first work on cellular MitM attacks based on the handover procedure. In particular, we demonstrate a new type of fake base station attack in which the handover procedures, based on the encrypted measurement reports and signal power thresholds, are vulnerable. An attacker who sets up a false base station mimicking a legitimate one can utilize the vulnerabilities in the handover procedure to cause Denial-of-Service attacks, Man-in-the-Middle attacks, and information disclosure affecting the user as well as the operator. Therefore, users' privacy and service availability are jeopardized. Through rigorous experimentation, we uncover the vulnerable parts of the handover procedure, a comprehensive attacker methodology, and attack requirements. We largely focus on the 5G network, showing that handover vulnerabilities remain unmitigated to date. Finally, we assess the impact of the handover attacks and carefully present potential countermeasures that can be used against them.

Evangelos Bitsikas
New York University Abu Dhabi

Christina Pöpper
New York University Abu Dhabi
