The 5G Security Test Bed’s latest tests have confirmed that 5G networks are resilient to attacks from false base stations attempting to impersonate legitimate 5G network base stations.

Access the full technical report, highlights summary, and one-pager.

The Test Bed analyzed several false base station attack scenarios, assessing a 5G test device’s response to these  scenarios both with and without 5G encryption protocols enabled. When provisioned with 5G encryption protocols, the test device (“user
equipment,” or UE) recovered from the false base station attacks or avoided them completely in all scenarios, and no identifying information was shared with the false base station.

The test cases covered several high-level categories, assessing whether the UE could successfully mitigate against each type of false base station attack, including Denial-of-Service, invalid authentication scenarios, and false Public Warning System message scenarios.

In all testing, the 5G device with encrypted identifiers recovered from the attacks or avoided them completely, and it did not reveal any private identifying information in any of the attack scenarios. The test results confirm 5G networks are significantly more resilient against false base station attacks compared to earlier systems, due to their encryption and authentication protocols:

• Encrypted 5G Devices Reject Invalid Authentication and Connection Attempts from False Base Stations.
• Encrypted 5G Devices Do Not Share Data During False Base Station Attacks.
• 5G Device Protections Work As Intended, Securing Data on Encrypted SIMs.

5G device identifiers are always encrypted on 5G networks per international standards, except in rare scenarios when the device is in emergency mode, which is meant to connect with unknown networks by design. After false base station attacks, encrypted 5G devices will reconnect to their home networks automatically, reconnect after being reset (either by toggling airplane mode or power cycling the device), or automatically reset and reconnect after a timeout.

Resilience and recovery from false base station attacks can be further improved at the device level by shortening the wait timers in 3GPP standards, which “[give] an opportunity to [devices] to recover and avoid lock-outs,” as 3GPP notes in its technical specifications. Additional testing in a future phase using different commercial devices is warranted to understand their behavior with respect these standards and the expected behavior for the DoS attack and false Public Warning System message test cases.

The Technical Report includes the full technical details of the tests, their execution, and results. The Highlights Summary is a shorter paper highlighting the key points of the main paper and is meant for non-technical audiences who are interested in some level of detail. The One-Pager provides a very high-level summary of the test cases and their applications.