SecChecker: Inspecting the security implementation of 5G Commercial Off-The-Shelf (COTS) mobile devices

Abstract

Although 5G security has been further improved with the evolution of the standard, it remains to be checked whether 5G cellular devices (i.e., User Equipment or UE) have correctly implemented the designed security features following the specification. In this work, we present SecChecker, a security inspection system, to examine the security implementation of 5G devices. Firstly, to determine which security items to check, we extract 11 general Security Requirements (SRs) for 5G UEs after a comprehensive study of the 3GPP standard. Then we design corresponding Inspection Cases (ICs) for testing the UE implementation of these SRs. We implemented a prototype of SecChecker based on open-source 5G projects and utilized it to inspect 7 Commercial Off-The-Shelf (COTS) devices using 5G baseband chips from the top five vendors. The results indicate that most of the required key security features in the specification are securely implemented by the tested 5G devices. However, we also found several UE security implementations that do not meet the extracted SRs or that are vulnerable to exploits, as well as some protocol mismatches. To show the implications on mobile users using the affected 5G devices, we implement two proof-of-concept attacks including the 5G redirection attack and the 5G user plane Man-in-the-Middle attack, to exploit the identified security flaws. Finally, the mitigations are discussed.