My Name is Nobody: Generalized Anonymous Network Access in 5G
Thijs Heijligenberg, Alexandre Bouez, Katharina Kohls
Published at: TBD
Abstract
5G is the latest and most advanced mobile network generation to date, and provides more security than its predecessors. However, it relies on the user to fully trust the network operator with identity and session data. This limits the privacy level that a mobile network user can possibly attain. We introduce a framework that provides privacy between the user and network in 5G networks. Our framework fully relies on existing 5G mechanisms with only minor changes, ensuring minimal impact to existing security and performance. In our framework, multiple users share a given identity, and users are given access to multiple shared identities, which makes it so the network cannot identify a user based on identity alone. We also introduce mechanisms to verify that the framework is providing these identities as promised, which allows the user to verify that it is getting a private connection. Conversely we introduce mechanisms for the network to verify that the users are accurately reporting their traffic use for subscription purposes.
The attacks aren’t alright: Large-Scale Simulation of Fake Base Station Attacks and Detections
Thijs Heijligenberg, David Rupprecht, Katharina Kohls
Published at: CSET 2024
Abstract
Fake base stations are a well-known threat to pre-5G mobile networks and are one of the most common primitives for mobile attacks that are used in the real world. However, despite years of research we only have limited knowledge about their performance spectrum and how well detection mechanisms work in practice. Consequently, mobile network operators and vendors struggle to identify, implement, and deploy a practical solution in the form of detection mechanisms. For the first time, we systematically study fake base station attacks and their main influencing factors. We use a specification-conform simulation model that lets us analyze fake base station attacks on a large scale, and test detection mechanisms on the generated data. The simulation environment allows us to test diverse scenarios with a large measure of control and insight, while providing realism in the aspects that matter. We study detection mechanisms from academic work and ongoing 3GPP discussions. Our experiments reveal the influencing factors of the success of fake base station attacks and detection, and provides nuances for performance that is missing from existing work.
Bigmac: Performance overhead of user plane integrity protection in 5g networks
Thijs Heijligenberg, Guido Knips, Christian Böhm, David Rupprecht, Katharina Kohls
Published at: WiSec 2023
Abstract
5G introduces a series of new security features that overcome known issues of the previous mobile generations. One of these features is integrity protection for user plane data. While this addition protects against manipulations like DNS spoofing, it also introduces extra overhead to user plane traffic. As it is optional to enable, this additional overhead can be the decision point for network operators to avoid the additional security feature. In this work, we investigate the overhead induced by different integrity protection algorithms and test the burden they add to the workload of a device. Our results indicate how visible performance differences would be on the end-devices of users, and how the performance of the algorithms differs in isolation. With these results we aim to initiate a discussion regarding the benefits of enabling user plane integrity protection and to overcome misconceptions regarding the performance impairments for end users.
Leaky Blinders: Information Leakage in Mobile VPNs
Thijs Heijligenberg, Oualid Lkhaouni, Katharina Kohls
Published at: SecMT 2022
Abstract
In the mobile domain, VPN applications promise an additional layer of protection for wireless connections. They offer users the choice to improve the security of their connections, however, we only have very limited knowledge about the technical implications that the shift from desktop to mobile applications brings. In this work, we conduct a quantitative analysis of selected Android VPNs and demonstrate how all of them leak packets during an active tunnel. We conduct these measurements for different phones and in varying use case scenarios, including the comparison of Wi-Fi and 4G connections, to get a better understanding of how the mobile setting influences the security of a VPN. While we observe leaks in all combinations, some settings particularly cause the transmission of thousands of unprotected packets. We further conduct a series of case studies to provide some first insights on the causes for the observed leakage.