How to Hack 5G - Part 4

Written by Chris Powell

Last time I discussed IMSI catchers and how they can be used to trace people via their mobile phones, and how it may be possible to initiate large scale Denial-of-Service (DoS) attacks.

This post discusses the most exposed part of cellular networks, the base station. It does not go into the underlying protocols and instead explains what a base station is. I’ve left the specifics for the next post where I will describe security considerations and likely attack vectors originating from the air interface.

Base Stations

Fundamentally a base station is nothing more than an incredibly intelligent, highly specialised radio. They operate on the same laws of physics that allow you to listen to music in your car, or talk to your friends through a walkie-talkie.

They are the front-end devices in cellular telecommunication networks and make up the majority of devices within the Radio Access Network (RAN). It's what your mobile phone talks to, and through, when you send a text message or make a phone call.

Base Station Image
- A standard base station

It’s challenging to describe how base stations function as they are incredibly detailed, especially in the 5G New Radio (NR) standard. But what I do hope is that you develop a high-level understanding of the key concepts.

Base Station Names

Base stations have many names, and typically you’ll hear something along the lines of Base Transceiver Station (BTS). It is the official function name of the radio in the 2G Global System for Mobile (GSM) communications standard.

However, manufacturers also decided to name their products using the BTS acronym, which made sense at the time. But with subsequent generations, the BTS name stuck.

To put it simply, there are two naming conventions in cellular telecommunications: the official function name within the standard itself, and the actual product name of the physical device.

I’ve created the list below to compare example physical device names with their function in the network, the latter being the appropriate name within the standards. To stay vendor agnostic I’ve invented a new company called Unhackable Devices Company with three product lines, A, B and D.

The increasing letters and numbers represent newer generations, as is typical within real-life manufacturers. Also, be aware that devices seldom exist with a single function, and are instead combined into one ubiquitous product.

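| Product Name | Supported Standard | Function Name |
|--------------|--------------------|---------------|
| BTS A2000    | 2G/GSM             | BTS           |
| BTS A2200    | 2G/GSM             | BTS           |
|              | 3G/UMTS            | NodeB         |
| BTS B3400    | 2G/GSM             | BTS           |
|              | 3G/UMTS            | NodeB         |
|              | 4G/LTE             | eNodeB        |
| BTS D6500    | 2G/GSM             | BTS           |
|              | 3G/UMTS            | NodeB         |
|              | 4G/LTE             | eNodeB        |
|              | 5G/NR              | gNodeB        |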

It can be confusing to differentiate the device name, the standards name and the cellular generation that a device supports. But this is the tech industry, so we need as many confusing acronyms as possible.

Base Station Architecture

Modern base stations are a mess of legacy technology combined with cutting edge physics and engineering. And it’s not unusual to see three or four different generations of technology within the same physical device.

Fortunately, these days base stations are pretty modular, and typically only require a board swap to support a new feature, maybe an extra antenna.

Manufacturers break base stations down into three broad components.

  • Antenna
  • Radio Resource Unit/Head (RRU/RRH)
  • Base Band Unit (BBU)
Base Station Diagram
- Typical base station layout

Antenna

Antennas are incredible pieces of kit; in some instances, they’re nothing more than a bendy bit of metal. In others, they’re near-microscopic conductors designed and created entirely by machine learning algorithms.

Type of Antennas
- Example Antennas

But fundamentally they capture electromagnetic energy out of the air and convert it to voltage levels in a wire. These voltage levels change over time, and these changes represent zeroes and ones that encode higher-level data.

Your mobile has an antenna inside its case, and it’s the phone’s job to energise and de-energise it whenever you want to communicate. The process of rapidly energising and de-energising antennas creates invisible waves that break away and travel in all directions.

These waves can travel forever unless they hit something. It could be you, the air or another antenna tuned to the exact frequency of a mobile handset. Tuned antennas are what you see on large buildings and towers, and are the interface into the cellular network.

Waves and Voltage
- 0’s and 1’s converted to digital/analogue waves

Fortunately, our knowledge of microelectronics has evolved to such a point that we can send and receive these invisible waves at will. And this is where the magic of cellular communication happens.

The trick of rapid communication is to manipulate data and nature itself to create more reliable signals that propagate further while carrying more information per transmission. But ultimately we’re combining multiple layers of technology into one neat little package that allows us to send swathes of data.

RRH

The RRH is a device that processes signals received from and sent to the antenna. Its main job is to multiplex, demultiplex and amplify these signals before converting them to voltage levels in a wire.

RRH Image
- Example RRH

Let me go off on a tangent for a moment.

Have you ever wondered why acoustic guitars are hollow with holes in the middle? If you have, the answer is that the body of an acoustic guitar is something called a resonance chamber, whose job is to combine the vibrating airwaves generated by an oscillating string in such a way as to produce a louder, more distinctive sound.

The waves bounce back and forth inside the body of the guitar to produce unique signals inherent to its physical design. On the other hand, if an acoustic guitar didn’t have a resonance chamber, it wouldn’t sound pleasant and would be extremely quiet.

It turns out that RRHs have something similar to these resonance chambers called diplexers, which work on electromagnetic waves instead of acoustic ones. Here is an image of one that I’ve borrowed from the excellent YouTube channel Kaizer Power Electronics — http://kaizerpowerelectronics.dk.

Diplex Chambers
- Diplex Chambers

In the image above, you can see several antenna ports at the bottom of the RRH. These channels allow electromagnetic signals to enter the enclosed metal chambers.

The job of these chambers is to bounce radio waves back and forth in precise patterns to multiplex, demultiplex and amplify the incoming signals. The weird round things you see in the middle are called resonators and aid in the process.

Diplexers are passive components, much like resonance chambers that make up acoustic guitars. However, they are only one part of the central unit.

RRHs also contain power amplifiers and supplementary processing boards used to administer and monitor the device. The image below is one such example, courtesy of Kaizer Power Electronics.

RRU Internal Board
- Internal RRU Board

I’m not going to discuss the specific functionality of these boards here. Instead, I’m leaving that for my next post about BBU internals.

Just be sure to understand that RRUs take the waves captured by antennas, multiplex and amplify them, then convert the resultant signals into voltage levels within a circuit. Their primary purpose is the maintenance of the air interface, and the conversion of data sent to and from the BBU.

One thing to note is related to the current 5G NR deployment, i.e. Non-Standalone (NSA) mode. When operators talk about deploying new 5G networks, what they mean is attaching a new antenna to a mast, upgrading the RRH and swapping out a board within the BBU.

I’ve explained my nuanced point before in previous posts. 5G in its current form is nothing more than a new radio glued onto existing 4G infrastructure.

BBU

The final stop on our journey is the BBU.

Remember that no single device manages the air interface alone or does all of the data processing. As detailed in this post, the base station function comprises multiple modular components.

If the antenna and RRH take care of the radio side, then the BBU is the brains of the operation. Its job is to process the resultant baseband signal for further use.

I need to be careful when I use the term baseband as it has a precise definition in the radio world. But generally, it means the original unmodified signal before it gets processed.

In any case, the cleaned-up baseband signal gets placed into data packets by the RRH and sent to the BBU via an optical cable. The protocol that manages these messages is the enhanced Common Public Radio Interface (eCPRI).

End-to-End Base Station
- End-to-End Base Station Signal Flow

As the BBU handles most of the data processing within the base station, it’s an ideal target for external attackers. I’ve spent many days with my head buried in these components looking for any way to trigger a stack or heap overflow.

What’s interesting is subsequent cellular generations, particularly 4G LTE and 5G NR, push more and more functionality into network edge devices, particularly BBUs. They parse more data, calculate more parameters and handle more traffic.

To an attacker, it is an ideal situation. Devices are becoming more complicated, the code base is getting longer, and importantly they’re parsing more data.

The complexity also comes with a downside. More functionality means more boards, more components, and more operating system architectures to exploit. There’s probably not going to be a single Remote Code Execution (RCE) bug that lets an attacker hop directly into the core network.

It’s going to take a multitude of zero-days, board pivoting and a tremendous amount of effort to exploit an entire BBU. Unfortunately, many manufacturers don’t quite appreciate that attackers don’t care about RCE bugs as much as they care about DoS attacks.

In standard security settings, RCEs are a dream to attackers, but in telecommunications, where availability is everything, DoS attacks rule supreme.

That’s not to say RCEs aren’t just as dangerous, as they can also cause outages. It’s more that the gap between RCE and DoS exploits is much smaller in the telecommunications space.

It is incredibly terrifying to realise that working BBUs can be purchased online via auction sites such as eBay and Alibaba. Remember as well that these things stay commissioned for decades.

If an attacker buys one and finds a way to crash part of a BBU via the air interface, then there’s a pretty high probability they can do it to live networks. I’ve never heard of this type of thing occurring outside of a vulnerability research lab, but that doesn’t mean it hasn’t or isn’t happening.
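The point above about BBUs parsing ever more data off the fronthaul comes down to one habit: never trust a length field from the wire. The following is an added example, not code from this post or from any vendor, showing a bounds-checked walk over the eCPRI messages in one received frame. The function and sample names are hypothetical, and the header layout, revision value and 4-byte alignment of concatenated messages are assumptions taken from the public eCPRI specification, which this post does not describe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ECPRI_HDR_LEN  4u
#define ECPRI_REVISION 1u  /* assumed from the public eCPRI spec, not from the post */

enum { ECPRI_TRUNCATED = -1, ECPRI_BAD_REVISION = -2, ECPRI_BAD_LENGTH = -3 };

/* Walk the eCPRI messages in one frame, checking each common header before
 * any payload byte is used. Returns the message count or a negative error.
 * Assumed layout: byte 0 = revision (high nibble) + concatenation bit (bit 0),
 * byte 1 = message type, bytes 2-3 = payload size, big endian. */
int ecpri_validate(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    for (;;) {
        if (len - off < ECPRI_HDR_LEN)
            return ECPRI_TRUNCATED;
        if ((buf[off] >> 4) != ECPRI_REVISION)
            return ECPRI_BAD_REVISION;
        int more = buf[off] & 0x01;
        size_t payload = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        /* The size field is sender-controlled: bound it by bytes received. */
        if (payload > len - off - ECPRI_HDR_LEN)
            return ECPRI_BAD_LENGTH;
        off += ECPRI_HDR_LEN + payload;
        count++;
        if (!more)
            return count;  /* remaining bytes are treated as frame padding */
        off = (off + 3u) & ~(size_t)3u;  /* assumed: next message is 4-byte aligned */
        if (off > len)
            return ECPRI_TRUNCATED;
    }
}

/* Constructed sample frames, not captured traffic. */
static const uint8_t ok_frame[]     = {0x10, 0x00, 0x00, 0x04, 1, 2, 3, 4};
static const uint8_t lying_frame[]  = {0x10, 0x00, 0x01, 0x00, 1, 2, 3, 4};
static const uint8_t concat_frame[] = {0x11, 0x02, 0x00, 0x02, 9, 9, 0, 0,
                                       0x10, 0x00, 0x00, 0x01, 7};

int main(void)
{
    printf("%d %d %d\n", ecpri_validate(ok_frame, sizeof ok_frame),
           ecpri_validate(lying_frame, sizeof lying_frame),
           ecpri_validate(concat_frame, sizeof concat_frame));
    return 0;
}
```

The second sample declares a 256-byte payload in an 8-byte frame; a parser that copied by the declared size instead of rejecting it would read or write past its buffer.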

Conclusion

I shall conclude here, but for the excitable ones among you, my next article is mainly about the BBU, how its boards interconnect and likely attack vectors.

Remember that a base station comprises three general components.

  • Antenna to capture radio signals in the air
  • RRH to amplify and convert them to digital eCPRI packets
  • BBU to process, monitor and haul the data upstream to the network core

Upcoming Topics

  • Inside the BBU and telecommunication devices
  • Boards, backplanes and protocols
  • Attacking embedded devices
  • How cryptography works in 5G
  • The Radio Access Network (RAN), and why 5G New Radio (NR) is awesome
  • Attaching to a network in 5G
  • How your SIM works with the User Data Repository (UDR)
  • The 5G core, virtualisation and its REST APIs