BARON: Base-Station Authentication Through Core Network for Mobility Management in 5G Networks

The Fifth-Generation (5G) cellular communication networks are nowadays being deployed on applications that go beyond mobile phone devices, including vehicular networks and industry automation, for instance. Despite their increasing popularity, 5G networks, as defined by the Third Generation Partnership Project (3GPP), have been shown to be vulnerable against Fake Base Station (FBS) attacks. An adversary carrying out an FBS attack emulates a target legitimate base station by setting up a rogue base station, which is assumed to have the same capabilities as the legitimate base stations. This enables the adversary to control the connection of any user equipment that (inadvertently) connects with the rogue base station. As a consequence of a successful FBS attack, the adversary not only can gather sensitive information belonging to the user, but also affect the reliability of the network itself. Despite there is a large body of work focused on the development of tools to detect FBSs, these solutions do not actually prevent the FBS attack success, as they do not address the vulnerability cause of such an attack. Therefore, the user equipment will continue to remain vulnerable to an FBS attack. On the other hand, solutions in the literature that are specifically designed to address the FBS attack majorly consist on protecting the broadcast messages transmitted by the base stations. This can be achieved through integrity protection or digital signature mechanisms. However, solutions following these two approaches can be made ineffective, and may lead to a possible increase of manufacturing costs. In this thesis, we present BARON, a new defense methodology to enable the user equipment to determine whether a target base station that it is connecting to is legitimate or rogue. BARON accomplishes its objective by ensuring that the user receives an authentication token from the target base station which can be computed only by a legitimate and trusted entity. As a consequence, receiving such an authentication token from a base station ensures its legitimacy. BARON does not require any additional infrastructure for its deployment, making it being fully backward compatible with the current standard 5G networks. We evaluate BARON through extensive experiments on the handover process between base stations in 5G networks. Our experimental results show that BARON introduces an overhead of less than 1% during handover completion, which is 10000× lower than the overhead reported by a state-of-the-art solution, making its adoption practical. BARON is also effective in thwarting an FBS attack and quickly recovering connection to a legitimate base station.