Roaming Agreements - The Hidden 5G Attack Surface
Forcing end-users to connect to a fake base station has always been a risk to connection privacy. We show that even with the mitigations added in 5G, fake base station attacks remain possible in which users successfully connect and expose their network traffic. The underlying flaws are deeply anchored in the specification.
Machine-in-the-Middle (MitM) attackers seek to intercept and manipulate network traffic. In addition, they can use their MitM position as an entry point for baseband exploitation; with a working baseband exploit, attackers can gain full control of a user's phone. In cellular networks, many mitigations against MitM attacks were pushed into the specification. However, roaming agreements still enable powerful attackers to perform seamless attacks, even in 5G.
In this talk, you'll learn about the complex nature of cellular roaming and how roaming is implemented in recent smartphones. The specification places a great deal of trust in network operators, regardless of the size of the company behind them or the country they operate in. This undermines security in real-world deployments. We show that the capabilities of network operators exceed those intended for lawful interception. Since the attacks are specification-compliant and do not break the encryption on the wireless layer, end-users have little chance of noticing them. However, we discuss detection approaches that could be implemented on end-user devices or in the 5G core.
In addition to talking about the attacks, we provide low-level details of the technical setup we used for this research. Further, we share our experiences with the Coordinated Vulnerability Disclosure processes.