The advent of 5G technology promises to revolutionize the mobile communication landscape, offering faster speeds and more secure connections. However, this technological leap also introduces many security challenges, particularly within the 5G baseband in mobile phones. Our research introduces 5GBaseChecker, the first ever dynamic security testing framework designed to uncover logical vulnerabilities, e.g., authentication bypass in the protocol implementations of 5G basebands. With the design of new automata learning and differential testing techniques, 5GBaseChecker not only identifies 0-day vulnerabilities but also facilitates the systematic root cause analysis of the security flaws in commercial 5G basebands. Using 5GBaseChecker, we tested 17 commercial 5G basebands and 2 open-source 5G baseband (UE) implementations, uncovering 13 unique 0-day vulnerabilities and a total of 65 vulnerability instances across all tested implementations.
Among our findings, the most critical vulnerability is the "5G AKA Bypass" discovered in one of the widely used 5G basebands. This vulnerability allows attackers to intercept and eavesdrop on victims' Internet data and inject phishing SMS messages. The implications of this attack are profound; it affects users globally who utilize 5G devices with that particular baseband. This flaw violates the underlying security guarantees of 5G technology, leaving users' security and privacy completely compromised.
In summary, in this talk we will introduce a new security analysis tool 5GBaseChecker. We will showcase the application of this framework in identifying critical security vulnerabilities, including a detailed explanation and real-world exploitation video demo of the 5G AKA Bypass flaw in the commercial basebands.
By:
Kai Tu | Research Assistant, The Pennsylvania State University
Yilu Dong | Research Assistant, The Pennsylvania State University
Abdullah Al Ishtiaq | Research Assistant, The Pennsylvania State University
Syed Md Mukit Rashid | Research Assistant, The Pennsylvania State University
Weixuan Wang | Graduate Researcher, The Pennsylvania State University
Tianwei Wu | Research Assistant, The Pennsylvania State University
Syed Rafiul Hussain | Assistant Professor, The Pennsylvania State University
Full Abstract and Presentation Materials: