Breaking 5G on The Lower Layer
As 3GPP systems have strengthened security at the upper layers of the cellular stack, the plaintext PHY and MAC layers have remained relatively understudied, though interest in them is growing. In this work, we explore lower-layer exploitation in modern 5G, where recent releases have increased the number of lower-layer control messages and procedures, creating new opportunities for practical attacks. We present two practical attacks and evaluate them in a controlled lab testbed. First, we reproduce a SIB1 spoofing attack to study manipulations of unprotected broadcast fields. By repeatedly changing a key parameter, the UE is forced to refresh and reacquire system information, keeping the radio interface active longer than necessary and increasing battery consumption. Second, we demonstrate a new Timing Advance (TA) manipulation attack during the random access procedure. By injecting an attacker-chosen TA offset in the random access response, the victim applies incorrect uplink timing, which leads to uplink desynchronization, radio link failures, and repeated reconnection loops that effectively cause denial of service. Our experiments use commercial smartphones and open-source 5G network software. Experimental results demonstrate that TA offsets exceeding a small tolerance reliably trigger radio link failures in our testbed and can keep devices stuck in repeated re-establishment attempts as long as the rogue base station remains present. Overall, our findings highlight that compact lower-layer control messages can have a significant impact on availability and power, and they motivate defenses for initial access and broadcast procedures.
💡 Research Summary
The paper investigates security weaknesses that reside in the physical (PHY) and medium‑access‑control (MAC) layers of 5G New Radio (NR). While 3GPP has added strong cryptographic protection to the upper layers (RRC, NAS) after authentication, the early‑access and broadcast procedures remain plaintext and unauthenticated. The authors focus on four unprotected control‑plane fields – the SIB1 valueTag, Tracking Area Code (TAC), si‑windowLength, and the Timing Advance (TA) command – and demonstrate how they can be abused to degrade availability and increase power consumption.
Two concrete attacks are implemented and evaluated in a controlled laboratory testbed that uses open‑source 5G gNodeB software (OpenAirInterface) and a software‑defined radio (USRP). Commercial Android smartphones serve as victim UEs.
- SIB1 Spoofing Attack – By transmitting a forged SIB1 at a higher transmit power than the legitimate cell, the rogue gNodeB causes the UE to decode the manipulated broadcast. Changing the valueTag repeatedly makes the UE believe that system information has changed, causing it to reacquire SIB1 at every 160 ms broadcast period. This unnecessary processing leads to a measurable increase in battery drain (≈15 % higher consumption) and extra signaling load. Manipulating the TAC triggers unnecessary Tracking Area Update procedures with the core network, while altering si‑windowLength disrupts the SI‑window timing the UE uses to receive the other SI messages (SIB2 onward), including on‑demand ones.
- Timing Advance Manipulation Attack – During the random‑access procedure, the attacker injects a fabricated TA command in the Random Access Response (RAR). Because the TA command is exchanged before any security context is established, the UE accepts the value without integrity verification and adjusts its uplink timing accordingly. Experiments show that TA offsets as small as 10 µs reliably cause uplink desynchronization, leading to Radio Link Failure (RLF). The UE then attempts to reconnect, receives another malicious TA, and enters a repeated reconnection loop, effectively producing a denial‑of‑service condition.
The threat model assumes an adversary within the coverage area equipped with an SDR capable of passive downlink capture and active over‑the‑air transmission. The paper does not attempt “overshadowing” attacks against a live operator but demonstrates feasibility with a rogue base station in a lab environment.
Root causes are traced to the absence of integrity protection for broadcast and initial‑access messages: 3GPP TS 33.501 activates AS security only after authentication and does not require protection of system information or of the MAC‑layer random‑access exchange. Since SIB1 must be decoded before any security context exists, and the TA command in the RAR is delivered before AS security is activated, both fields are accepted by the UE without any authenticity check.
The authors discuss mitigation strategies: adding integrity protection (e.g., digital signatures) to SIB1 fields, extending MAC‑layer integrity checks to the TA command, and deploying network‑side anomaly detection that flags abnormal valueTag jumps or out‑of‑range TA values. They also suggest that future releases could incorporate lightweight authentication for the initial access phase without incurring prohibitive latency.
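As an added example (not code from the paper or its testbed), the block below makes the TA attack and the suggested detection concrete: it parses the 7‑octet MAC RAR defined in 3GPP TS 38.321 §6.2.3, converts the 12‑bit Timing Advance Command to seconds using the N_TA formula of TS 38.211/38.213, and then applies the two network‑side plausibility checks the summary proposes, an out‑of‑range TA check and a sliding‑window counter for SIB1 valueTag churn. The cell radius, the "one normal cyclic prefix" tolerance, the valueTag window and the sample RARs are constructed assumptions for illustration, not values the paper reports; the rogue RAR is chosen so that its TA lands near the 10 µs figure quoted above.

```python
"""Added example: decode a MAC RAR, convert its TA command to time, and flag
implausible TA values and SIB1 valueTag churn. Thresholds are assumptions."""
from collections import deque
from dataclasses import dataclass

# TS 38.211 §4.1: basic time unit Tc = 1 / (480 kHz * 4096), kappa = 64
T_C = 1.0 / (480_000 * 4096)
KAPPA = 64
SPEED_OF_LIGHT_M_S = 299_792_458.0
MAX_TA_INDEX = 3846  # TS 38.213 §4.2: T_A = 0, 1, ..., 3846 in the RAR


@dataclass
class MacRar:
    ta_command: int  # 12-bit field
    ul_grant: int    # 27-bit field
    tc_rnti: int     # 16-bit field


def parse_mac_rar(octets: bytes) -> MacRar:
    """Parse the 7-octet MAC RAR payload (TS 38.321 §6.2.3):
    R(1) | Timing Advance Command(12) | UL Grant(27) | Temporary C-RNTI(16).
    The E/T/RAPID subheader that precedes it in the MAC PDU is not handled here."""
    if len(octets) != 7:
        raise ValueError("MAC RAR is exactly 7 octets")
    bits = int.from_bytes(octets, "big")
    return MacRar(
        ta_command=(bits >> 43) & 0xFFF,
        ul_grant=(bits >> 16) & 0x7FFFFFF,
        tc_rnti=bits & 0xFFFF,
    )


def build_mac_rar(ta_command: int, ul_grant: int, tc_rnti: int) -> bytes:
    """Inverse of parse_mac_rar; used here only to construct sample RARs."""
    bits = ((ta_command & 0xFFF) << 43) | ((ul_grant & 0x7FFFFFF) << 16) | (tc_rnti & 0xFFFF)
    return bits.to_bytes(7, "big")


def ta_command_to_seconds(ta_command: int, mu: int) -> float:
    """Absolute TA signalled in the RAR: N_TA = T_A * 16 * 64 / 2^mu (in Tc)."""
    return ta_command * 16 * KAPPA / (2 ** mu) * T_C


def normal_cp_seconds(mu: int) -> float:
    """Normal CP of a regular OFDM symbol: 144 * kappa / 2^mu (in Tc)."""
    return 144 * KAPPA / (2 ** mu) * T_C


def max_plausible_ta_seconds(cell_radius_m: float) -> float:
    """Round-trip propagation delay at the cell edge, the most a TA should compensate."""
    return 2.0 * cell_radius_m / SPEED_OF_LIGHT_M_S


def ta_anomaly(rar: MacRar, mu: int, cell_radius_m: float, expected_s: float):
    """Return (ta_seconds, reasons). Reasons are non-empty when the TA is
    reserved, physically implausible for the cell, or deviates from the UE's
    last known-good timing by more than one normal CP. The CP tolerance is an
    assumed heuristic, not the paper's measured threshold."""
    ta_s = ta_command_to_seconds(rar.ta_command, mu)
    reasons = []
    if rar.ta_command > MAX_TA_INDEX:
        reasons.append("TA index above 3846 (reserved)")
    if ta_s > max_plausible_ta_seconds(cell_radius_m):
        reasons.append("TA exceeds round-trip delay at cell edge")
    if abs(ta_s - expected_s) > normal_cp_seconds(mu):
        reasons.append("TA deviates from expected timing by more than one CP")
    return ta_s, reasons


class ValueTagMonitor:
    """Count SIB1 valueTag changes inside a sliding time window. A genuine cell
    changes valueTag rarely; a burst of changes is the spoofing signature.
    window_s and max_changes are assumed tuning values."""

    def __init__(self, window_s: float, max_changes: int):
        self.window_s = window_s
        self.max_changes = max_changes
        self.changes = deque()
        self.last = None

    def observe(self, t_s: float, value_tag: int) -> bool:
        if not 0 <= value_tag <= 31:  # TS 38.331: valueTag INTEGER (0..31)
            raise ValueError("valueTag out of range")
        if self.last is not None and value_tag != self.last:
            self.changes.append(t_s)
        self.last = value_tag
        while self.changes and t_s - self.changes[0] > self.window_s:
            self.changes.popleft()
        return len(self.changes) > self.max_changes


if __name__ == "__main__":
    mu = 1  # 30 kHz subcarrier spacing (assumed FR1 configuration)
    good_s = ta_command_to_seconds(3, mu)  # assumed last known-good TA (~0.78 us)
    # Constructed sample RARs: benign TA index 3, rogue TA index 40 (~10.4 us)
    for name, idx in (("benign", 3), ("rogue", 40)):
        rar = parse_mac_rar(build_mac_rar(idx, 0x123456, 0x4601))
        ta_s, why = ta_anomaly(rar, mu, cell_radius_m=1000.0, expected_s=good_s)
        print(f"{name}: TA={ta_s * 1e6:.2f} us flags={why}")
```

The TA in the RAR is an absolute value (unlike the 6‑bit relative TA command MAC CE used in connected mode), so a rogue cell needs only a single RAR to push the UE's uplink timing well past the cyclic prefix, which is the mechanism the attack exploits; the same arithmetic lets a monitor bound what a legitimate cell could ever signal.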
In conclusion, the study provides empirical evidence that lower‑layer control‑plane parameters in 5G can be weaponized to cause significant power waste and service disruption, reproducing a known SIB1 spoofing attack and introducing TA manipulation in the RAR as a new vector. The work broadens the known attack surface beyond upper‑layer protocol flaws and calls for attention from standards bodies, equipment manufacturers, and operators to harden the PHY/MAC layers against such manipulations. Future work will explore multi‑cell environments, outdoor deployments, and machine‑learning‑based detection of anomalous broadcast parameters.