New vulnerabilities in 4G and 5G cellular access network protocols exposing device capabilities

Cellular devices support various technical features and services for 2G, 3G, 4G and upcoming 5G networks. For example, these technical features contain physical layer throughput categories, radio protocol information, security algorithm, carrier aggregation bands and type of services such as GSM-R, Voice over LTE etc. In the cellular security standardisation context, these technical features and network services termed as device capabilities and exchanged with the network during the device registration phase. In this paper, we study device capabilities information specified for 4G and 5G devices and their role in establishing security association between the device and network. Our research results reveal that device capabilities are exchanged with the network before the authentication stage without any protection and not verified by the network. Consequently, we present three novel classes of attacks exploiting unprotected device capabilities information in 4G and upcoming 5G networks - identification attacks, bidding down attacks, and battery drain attacks against cellular devices. We implement proof-of-concept attacks using low-cost hardware and software setup to evaluate their impact against commercially available 4G devices and networks. We reported identified vulnerabilities to the relevant standardisation bodies and provide countermeasure to mitigate device capabilities attacks in 4G and upcoming 5G networks.