As 3GPP systems have strengthened security at the upper layers of the cellular stack, plaintext PHY and MAC layers have remained relatively understudied, though interest in them is growing. In this work, we explore lower-layer exploitation in modern 5G, where recent releases have increased the number of lower-layer control messages and procedures, creating new opportunities for practical attacks. We present two practical attacks and evaluate them in a controlled lab testbed. First, we reproduce a SIB1 spoofing attack to study manipulations of unprotected broadcast fields. By repeatedly changing a key parameter, the UE is forced to refresh and reacquire system information, keeping the radio interface active longer than necessary and increasing battery consumption. Second, we demonstrate a new Timing Advance (TA) manipulation attack during the random access procedure. By injecting an attacker-chosen TA offset in the random access response, the victim applies incorrect uplink timing, which leads to uplink desynchronization, radio link failures, and repeated reconnection loops that effectively cause denial of service. Our experiments use commercial smartphones and open-source 5G network software. Experimental results in our testbed demonstrate that TA offsets exceeding a small tolerance reliably trigger radio link failures in our testbed and can keep devices stuck in repeated re-establishment attempts as long as the rogue base station remains present. Overall, our findings highlight that compact lower-layer control messages can have a significant impact on availability and power, and they motivate placing defenses for initial access and broadcast procedures.

翻译：随着3GPP系统在蜂窝协议栈上层安全性的不断加强，明文的物理层（PHY）和媒体接入控制层（MAC）虽日益受到关注，但其安全性研究仍相对不足。本研究聚焦现代5G网络中的底层协议漏洞利用，近期协议版本增加了底层控制消息和流程的数量，为实际攻击创造了新的机会。我们提出了两种实际攻击方案，并在受控实验室测试平台上进行了评估。首先，我们复现了SIB1欺骗攻击，以研究未受保护广播字段的篡改效果。通过反复更改关键参数，用户设备（UE）被迫刷新并重新获取系统信息，导致无线接口不必要地长时间保持活跃状态，从而增加电池消耗。其次，我们提出了一种随机接入过程中的新型定时提前量（TA）操纵攻击。通过在随机接入响应中注入攻击者设定的TA偏移量，受害者将采用错误的上行链路定时，导致上行链路失步、无线链路故障以及反复重连循环，最终造成拒绝服务。我们的实验采用商用智能手机和开源5G网络软件。测试平台实验结果表明，超出微小容限的TA偏移量可可靠地触发无线链路故障，并使设备在恶意基站持续存在时陷入反复重建连接的循环。总体而言，我们的研究结果表明，紧凑的底层控制消息可能对网络可用性和设备功耗产生显著影响，这为在初始接入和广播流程中部署防御机制提供了理论依据。