CSAI: Open-Source Cellular Radio Access Network Security Analysis Instrument

Thomas D. Byrd, Vuk Marojevic and Roger Piqueras Jover. "CSAI: Open-Source Cellular Radio Access Network Security Analysis Instrument." 2020 IEEE 91st Vehicular Technology Conference (VTC2020-Spring).
This paper presents our methodology and toolbox for analyzing the radio access network security of laboratory and commercial 4G and future 5G cellular networks. Using CSAI, the Cellular RAN Security Analysis Instrument, a researcher can analyze the broadcast and paging messages of cellular networks. CSAI can also test networks to aid in the identification of vulnerabilities and to verify functionality after remediation. Additionally, we found that it can crash an eNB, which motivates…


On Identifying Threats and Quantifying Cybersecurity Risks of MNOs Deploying Heterogeneous RATs

The proposed methodology is designed to aid mobile operators in planning more effective cybersecurity strategies and adopting efficient defences that minimise the probability of an attack, and in predicting an attack's impact on the operational, market and business aspects of mobile network operators.

DDoS Attacks in Experimental LTE Networks

The evaluation results show that existing IP-based DDoS attacks can be successfully launched and cause a significant amount of traffic volume in the experimental networks.

AI Testing Framework for Next-G O-RAN Networks: Requirements, Design, and Research Opportunities

This article presents a general automated, distributed and AI-enabled testing framework for testing AI models deployed in O-RAN in terms of their decision-making performance, vulnerability and security, and adopts a master-actor architecture to manage a number of end devices for distributed testing.

Study of GNSS CV Data Transmission Method Based on Redundant Communication Network

The proposed GNSS common-view data transmission method enables automatic, continuous and reliable transmission of data, and is more reliable than either single mode of transmission (optical Ethernet or 4G mobile communication networks) on its own.

LTE PHY layer vulnerability analysis and testing using open-source SDR tools

The analysis for the LTE downlink shows that the synchronization signals are very resilient to interference, whereas the downlink pilots or Cell-Specific Reference signals are the most susceptible to a synchronized protocol-aware interferer.

Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane

This paper implemented a semi-automated testing tool, named LTEFuzz, by using open-source LTE software over which the user has full control, and uncovered 36 vulnerabilities in operational Long Term Evolution (LTE) networks which have not been disclosed previously.

LTE security, protocol exploits and location tracking experimentation with low-cost software radio

This manuscript, which summarizes and expands the results presented by the author at ShmooCon 2016, investigates the insecurity rationale behind LTE protocol exploits and LTE rogue base stations based on the analysis of real LTE radio link captures from the production network.

LTE security disabled: misconfiguration in commercial networks

This work enhances the open baseband srsLTE with support for commercial networks and performs a subsequent analysis of the security configuration of commercial LTE networks, providing a proof-of-concept attack in a live network where the adversary obtains an IP address at the victim's cost.

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems

This work constitutes the first publicly reported practical attacks against LTE access network protocols and recommends that safety margins introduced into future specifications to address such trade-offs should incorporate greater agility to accommodate subsequent changes in the trade-off equilibrium.

Security and Protocol Exploit Analysis of the 5G Specifications

Comparison with known 4G long-term evolution protocol exploits reveals that the 5G security specifications, as of Release 15, Version 1.0, do not fully address the user privacy and network availability challenges.

Breaking LTE on Layer Two

A comprehensive layer two security analysis is presented and three attack vectors are identified that impair the confidentiality and/or privacy of LTE communication.

Performance Analysis of a Mission-Critical Portable LTE System in Targeted RF Interference

This paper uses software-defined radio technology and open-source software to develop a fully configurable protocol-aware interference waveform and shows that LTE synchronization signal interference causes significant throughput degradation at low interference power.

LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE

This paper investigates the security and privacy of the three critical procedures of the 4G LTE protocol, and proposes a model-based testing approach, LTEInspector, which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model.

Enhancing the Robustness of LTE Systems: Analysis and Evolution of the Cell Selection Process

This article analyzes the effect of different levels of RF spoofing applied to LTE, proposes effective mitigation techniques to prevent denial of service, and recommends modifications that improve the cell selection process at the LTE user equipment and are backward-compatible with existing LTE networks.