The cellular network offers a ubiquitous emergency call service with its pervasive coverage. In the United States, it can be consumed by dialing 911 for cellular users, and the emergency call is forwarded to the public safety answer point (PSAP), which handles emergency service requests. According to regulatory authority requirements [1,2,3] for cellular emergency services, anonymous user equipment (UE) is allowed to access them without a SIM (Subscriber Identity Module) card, a valid mobile subscription, or a roaming agreement with the visited cellular network. Such support of the cellular emergency services requires different operations from conventional cellular services, thereby increasing the attack surface of the cellular infrastructure.

Unveiling the Insecurity of Operational Cellular Emergency Services (911): Vulnerabilities, Attacks, and Countermeasures

In current cellular network generations (4G, 5G) the IMS (IP Multimedia Subsystem) plays an integral role in terminating voice calls and short messages. Many operators use VoWiFi (Voice over Wi-Fi, also Wi-Fi calling) as an alternative network access technology to complement their cellular coverage in areas where no radio signal is available (e.g., rural territories or shielded buildings). In a mobile world where customers regularly traverse national borders, this can be used to avoid expensive international roaming fees while journeying overseas, since VoWiFi calls are usually invoiced at domestic rates. To not lose this revenue stream, some operators block access to the IMS for customers staying abroad. This work evaluates the current deployment status of VoWiFi among worldwide operators and analyzes existing geoblocking measures on the IP layer. We show that a substantial share (IPv4: 14.6%, IPv6: 65.2%) of operators implement geoblocking at the DNS- or VoWiFi protocol level, and highlight severe drawbacks in terms of emergency calling service availability.

pdf/why-e-t-can-t-phone-home-a-global-view-on-ip-based-tg8drxv018.pdf

Why E.T. Can't Phone Home: A Global View on IP-based Geoblocking at VoWiFi

Distributed Ledgers and Security Mechanisms on Radio Access Networks: A Systematic Review

While a significant efforts have been made in the specification and deployment of the 5th generation mobile systems (5G), there is a noticeable lack of practical experiments regarding its security. The 3GPP standardisation body has already defined numerous protocols, procedures and implementation guidelines for 5G. However, many of these requirements and procedures are missing assessment and experiments to validate their security conformance. In this paper we experiment and implement various DoS attacks in the 5G protocol stack by using a COTS 5G solution. we mainly show through these experiments that numerous potential misconfiguration and misuses pose significant threats to the security of 5G networks.

An Experimental Study of Denial of Service Attacks on a 5G COTS Hardware

Abstract-5G/4G voice calls are always encrypted for security and privacy. However, in this work, we unveil several vulnerabilities which can unintentionally leak 5G/4G call state information, despite encryption protection. They stem from recent call optimization techniques standardized in the 3GPP specifications and adopted by mobile network operators. While these techniques are effective to enhance 5G/4G call quality and efficiency, they unfortunately expose extra call information, which can be exploited to precisely infer call states and launch side-channel attacks. By leveraging precise call states, we devise a Cross-domain Identity Linkage attack, CrossIL, which aims to infer mobile users’ user identities and cellular identities, thereby enabling powerful cyberattacks or privacy inferences against high-value victims. We have experimentally validated these vulnerabilities and assessed the attack damages with three major U.S. carriers. Our experimental result shows that the success rate on the identity inference ranges from 89% to 98%. Finally, we propose and evaluate a cellular-friendly solution.

When Good Turns Evil: Encrypted 5G/4G Voice Calls Can Leak Your Identities

Cellular networks that offer ubiquitous connectivity have been the major medium for delivering emergency services. In the U.S., mobile users can dial an emergency call with 911 for emergency uses in cellular networks, and the call can be forwarded to public safety answer points (PSAPs), which deal with emergency service requests. According to regulatory authority requirements for the cellular emergency services, anonymous user equipment (UE), which does not have a SIM (Subscriber Identity Module) card or a valid mobile subscription, is allowed to access them. Such support of emergency services for anonymous UEs requires different operations from conventional cellular services, and can therefore increase the attack surface of the cellular infrastructure. In this work, we are thus motivated to study the insecurity of the cellular emergency services and then discover four security vulnerabilities from them. Threateningly, they can be exploited to launch not only free data service attacks against cellular carriers, but also data DoS/overcharge and denial of cellular emergency service (DoCES) attacks against mobile users. All vulnerabilities and attacks have been validated experimentally as practical security issues in the networks of three major U.S. carriers. We finally propose and prototype standard-compliant remedies to mitigate the vulnerabilities.

Uncovering insecure designs of cellular emergency services (911)

More than 150 cellular networks worldwide have rolled out LTE-M (LTE-Machine Type Communication) and/or NB-IoT (Narrow Band Internet of Things) technologies to support massive IoT services such as smart metering and environmental monitoring. Such cellular IoT services share the existing cellular network architecture with non-IoT (e.g., smartphone) ones. When they are newly integrated into the cellular network, new security vulnerabilities may happen from imprudent integration. In this work, we explore the security vulnerabilities of the cellular IoT from both system-integrated and service-integrated aspects. We discover several vulnerabilities spanning cellular standard design defects, network operation slips, and IoT device implementation flaws. Threateningly, they allow an adversary to remotely identify IP addresses and phone numbers assigned to cellular IoT devices, interrupt their power saving services, and launch various attacks, including data/text spamming, battery draining, device hibernation against them. We validate these vulnerabilities over five major cellular IoT carriers in the U.S. and Taiwan using their certified cellular IoT devices. The attack evaluation result shows that the adversary can raise an IoT data bill by up to ${\$}226$ with less than 120 MB spam traffic, increase an IoT text bill at a rate of ${\$}5$ per second, and prevent an IoT device from entering/leaving power saving mode; moreover, cellular IoT devices may suffer from denial of IoT services. We finally propose, prototype, and evaluate recommended solutions.

Dissecting Operational Cellular IoT Service Security: Attacks and Defenses

IMS is Not That Secure on Your 5G/4G Phones

Handle everyday research tasks with reliable, citation-backed results

Your personal Research Agent to handle research tasks with citation-backed results

Popular Tasks used by Researchers

How can I help with your research?

Meet SciSpace

Get more enhanced response by uploading the PDFs you want me to reference.

No relevant PDFs in your library

SciSpace is the AI research assistant for academics. Run systematic literature reviews on 280M+ papers, and write papers with cited sources. Trusted by 1M+ students, PhDs & researchers.

SciSpace | AI for Research

Analyze PDFs

Code & Manuscripts

Funding & Grants

Literature & Patents

Medical & Clinical Data

Systematic Review

Visualize & Present

Web & Data

Build a Google Scholar-like website for your research.

Build a website

Create charts and images for your research

Create a Chart

Write a paper for submission to a journal

Draft a manuscript

Patent Search

Design eye-catching scientific posters in minutes.

Scientific Poster Generation

Systematic Literature Review

One task is running at the moment. Your messages will be shown right after.

Drag and drop or click here to browse

Loved by <highlight>1 million+</highlight> researchers

Extract a list of specific topics and their sources from unstructured text

Topics

Compare and analyze relevant papers that matches with your search

Papers

Get insights from PDFs and bookmarked papers from your library

My library

Recent searches

Try searching for:

Catch AI-generated content in scholarly and non-scholarly content

{ai} Detector

Ai Writer

Get PDF Summaries, highlighted text explanations 

Chat with PDF

Effortlessly create in-text citations and bibliographies in APA and 2,500 other formats

Citation generator

Get explanations, summaries, and answers on academic papers

Ease up your research workflow with {scispace}'s cohort of exciting AI tools

Elevate your academic writing skills and convey your ideas the way you want

Paraphraser

Explore our range of reading and writing tools

Your file is being prepared and should be ready in a few minutes. If it's a large file, it might take a bit longer. You can close this window, and we'll email you the file when it's done.

You have reached a maximum limit of <strong>{limit}</strong> columns in the table. Remove at least <strong>1</strong> column to add or create another one.

Min-Yue Chen

Author Tools

Chat about Author