38C3 Community Stages

How Roaming Agreements Enable 5G MitM Attacks
2024-12-27 , Stage YELL
Language: English

End-users in cellular networks are at risk of connecting to fake base stations, and we show that mitigations pushed in 5G are insufficient.


Machine-in-the-Middle (MitM) attackers aim to overhear and manipulate network traffic. The MitM position can also be used as an entry point for baseband exploitation. Proceeding from there, attackers can gain full control of a user’s phone. Standardization bodies pushed many mitigations against MitM into the specification of cellular networks. However, roaming agreements still enable powerful attackers to perform seamless attacks – even in 5G!

In this talk, you’ll learn about the complex nature of cellular roaming and how roaming is implemented in recent smartphones. The specification puts a lot of trust in network operators. This impedes security in real-world deployments. We show that the capabilities of network operators exceed the intended capabilities of lawful interception. If those are abused, end-users have no possibility of noticing the attacks.

Attacks on roaming are challenging to prevent or even detect in practice. The specification needs a major update to make cellular roaming secure. Users at risk should be aware of the current state of the system. We discuss multiple mitigations, including solutions for end-user devices.

I am a PhD student at Hasso Plattner Institute working on 5G Security!