False Base Station (FBS) has posed a security threat to all generations of mobile networks since 2G. Certain aspects of 5G help mitigate the risks, but in 5G release 16, 3GPP SA3 is studying FBS again and looking for a more complete solution, according to a recent CableLabs blog post. However, consensus has not been reached.
"It is hard to predict when the companies which object to the (proposed) solutions will change their position," said Tao Wan, principal architect, Security, CableLabs.
For those not familiar, FBS, also known as Rogue Base Station (RBS), International Mobile Subscriber Identity (IMSI) Catcher or Stingray, refers to a combination of hardware and software that allows for both active and passive attacks over radio access networks (RANs) by exploiting security weaknesses in mobile networks. Base stations broadcast information about the network so that mobile devices can select an appropriate cell and connect, and these broadcast messages are not protected, for a variety of reasons. An FBS broadcasts the same network identifier with a stronger signal and so succeeds in luring the device away from the legitimate cell. (The signal has to be at least 30 dB stronger; at 40 dB stronger the success rate is 100%.) A passive attack involves listening without interfering with the communication; the end result can be identity theft or location tracking. An active attack is a man-in-the-middle or man-on-the-side setup in which the attacker injects its own signal.
3GPP has studied the mitigation of FBS-type attacks before, but constraints remain, including the difficulty of deploying cryptographic key management and of timing synchronization. 5G Release 15 specifies network-side detection, which reduces the risk but does not fully prevent FBS. 5G Release 15 also offers public-key encryption of the subscriber permanent identifier, which makes it more difficult for an FBS to obtain this information.
CableLabs' view is that the lack of integrity protection for broadcast messages is the primary reason FBS attacks are possible, and therefore the solution should include integrity protection of broadcast messages, for example with public-key-based digital signatures. However, Wan said that no single solution fits all, since there are hundreds of mobile operators worldwide and more to come; multiple solutions should therefore be supported so that each operator can make the choice that is best for it.
Digital-signature-based solutions face challenges with key management, computational overhead, and time synchronization between devices. The solutions that do not rely on digital signatures instead leverage the existing security contexts shared between devices and the network, when the devices are in a state that has such a context, to verify broadcast message integrity.
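The signature-based approach and its two constraints, as an added illustration that is not CableLabs' or 3GPP's design: the operator signs each broadcast with a key the device must already hold (key management), and the device accepts it only if its own clock agrees with the signed timestamp within a window (time synchronisation). The message layout, field names and 30-second window are constructed for the example; real system-information formats differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)
// Broadcast is a constructed, simplified stand-in for a cell's system-information broadcast.
type Broadcast struct {
	PLMN      string // network identifier the UE uses for cell selection
	CellID    uint32
	Timestamp int64 // seconds since epoch, signed with the other fields to bound replay
	Sig       []byte
}
var (
	ErrBadSignature = errors.New("broadcast signature invalid: cell not trusted")
	ErrStale        = errors.New("broadcast outside freshness window: replay or clock skew")
)
// payload is the byte string that gets signed: fixed-width fields, then the PLMN.
func (b Broadcast) payload() []byte {
	buf := make([]byte, 12)
	binary.BigEndian.PutUint32(buf[0:4], b.CellID)
	binary.BigEndian.PutUint64(buf[4:12], uint64(b.Timestamp))
	return append(buf, []byte(b.PLMN)...)
}
// Sign runs on the operator's base station; the private key never leaves the network.
func Sign(priv ed25519.PrivateKey, b Broadcast) Broadcast {
	b.Sig = ed25519.Sign(priv, b.payload())
	return b
}
// Verify runs on the UE: it needs the operator key provisioned in advance and a clock within maxSkew of the network's.
func Verify(pub ed25519.PublicKey, b Broadcast, now time.Time, maxSkew time.Duration) error {
	if !ed25519.Verify(pub, b.payload(), b.Sig) {
		return ErrBadSignature
	}
	if skew := time.Duration(now.Unix()-b.Timestamp) * time.Second; skew > maxSkew || skew < -maxSkew {
		return ErrStale
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Unix(1700000000, 0)
	genuine := Sign(priv, Broadcast{PLMN: "001-01", CellID: 4242, Timestamp: now.Unix()})
	fmt.Println("fresh genuine broadcast:", Verify(pub, genuine, now, 30*time.Second))
	fmt.Println("same bytes replayed 10 min later:", Verify(pub, genuine, now.Add(10*time.Minute), 30*time.Second))
}
```

An unmodified but replayed broadcast fails only on the freshness check, which is exactly why a device whose clock is off by more than the window also rejects an honest cell.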
"The challenge with those solutions is that they can only mitigate certain threats," Wan said.
Users are often not aware that an attack is occurring, but there are sometimes ways to detect it. For example, if the service-generation icon switches from 4G or LTE to 2G, that could be a sign, Wan said. Users should also be wary of fraudulent text messages sent out by an FBS; certain mobile apps are available to help determine which messages are fraudulent.
"We look forward to agreement from 3GPP SA3 on a long-term solution that can fundamentally solve the problem of FBS in 5G," Wan said.