5G NR Physical Layer Vulnerability- Jamming, Sniffing and Spoofing

5G, New Radio, NR, Tech Fundas

3GPP New Radio (NR) will be primary 5G standard moving forward. Cellular networks are no longer fixed to provide commercial  services only, these are also being used to emergency service, natural disasters, public safety and military communications. As it was with LTE, despite being designed for commercial network, it is often utilized for public safety and military communications. It is very likely that soon 5G NR can be used for similar communication service.

NR technology must ensure to be secure and available when and where it is needed. Unfortunately, like any wireless technology, disruption through deliberate radio frequency (RF) interference, or jamming, is possible. The objectives of this article are to outline the physical (PHY) layer vulnerabilities of 5G NR.

Before moving further, lets get familiar with vulnerability terminologies for radio networks.

  • Radio jamming is the deliberate jamming, blocking or creating interference with authorized wireless network. A radio jammer is a transmitter that tunes to the same frequency as the opponents’ receiving equipment and with the same type of modulation, with enough power to override any signal at the receiver.
  • Radio Sniffing technique helps to decode all sorts of essential network configuration details easily with low-cost software radios. Sniffing information can aid attackers in optimizing and crafting attacks
  • RF spoofing refers to transmitting a fake signal meant to pretence as an actual signal

In 5G NR, physical layer have different types of reference signals, synchronization signal and channels in downlink and uplink. The vulnerability of each channel or signal is based primarily on three factors:

    • The sparsity of the channel/signal w.r.t. the entire downlink or uplink frame, i.e. the percent of REs occupied
      by the channel/signal.
    •  The jamming power needed to significantly corrupt the channel or signal.
    • The complexity of the jammer required to perform such an attack, based on whether synchronization to the cell is needed and whether some parameters need to be decoded.

Reference Signals

5G NR uses several reference signals (RSs) which act as pilots. NR use DM-RS which are separated by physical channel, because 5G NR does not include cell specific reference signals. There is a separate DM-RS for the PDSCH, PUSCH, PDCCH, PUCCH, and PBCH. In addition, there is the Phase-tracking RS (PT-RS) for the PDSCH and PUSCH, Channel state information RS (CSI-RS) for the downlink, and Sounding RS (SRS) for the uplink.

Jamming Vulnerability of Reference Signals

From jammer perspective, the best RS to jam would be the one that requires the least amount of energy to jam (i.e. least number of REs per frame), but also be essential to the operation of the link. The DM-RS for the PBCH fits the bill, because it is in the same spot every frame and only requires knowledge of the cell ID and where the PBCH is located, which can easily be known if the jammer is already able to time-synchronize to the frame. The DM-RS for the PBCH occupies 1 ⁄4 of the REs assigned to the PBCH.

It is also possible to jam the DM-RS for the PBCH without needing to synchronize to the cell, by jamming the correct 60 sub-carriers. Phase-tracking RS for the PDSCH are only used when the higher layer parameter Downlink-PTRS-Config is set to ON, and even then the mapping is a function of parameters timeDensity and frequencyDensity. The effectiveness of a downlink PT-RS jamming attack is not clear using the information currently available, because it needs to know how often PT-RS are enabled in practice, and what density the gNB vendors decide to use as a default.

Synchronization Signal

5G NR contains PSS and SSS which together are used for frame/slot/symbol timing as well as conveying the Physical Cell ID. There are 1008 unique Physical Cell IDs in 5G NR, the PSS has 3 possible combinations and the SSS has 336 combinations.

The PSS is an m-sequence of length 127, mapped to a contiguous set of 127 sub-carriers within the same OFDM symbol. The SSS is also a sequence of length 127, mapped to the same sub-carriers as the PSS but a different OFDM symbol. The SSS uses a Gold sequence, which is formed by combining two m-sequences. Gold sequences within the same set have low cross-correlation, allowing a UE to distinguish between several nearby base stations on the same carrier at low SINR making them resilient to jamming.

Jamming Vulnerability of Synchronization Signal

In 5G NR, PSS and SSS are not always mapped to the downlink resource grid in the same location, it depends on the cell’s sub-carrier spacing, carrier frequency, and the parameter offset-ref-low-scs-ref-PRB. There are three different options for sub-carrier spacing below 6 GHz (15, 30, 60 kHz), and for all three options the PSS and SSS are mapped to the first two slots for carriers below 3 GHz, and the first four slots for those above 3 GHz.

A jammer designed to jam the PSS and/or SSS  has to synchronize to the cell in time, and identify the sub-carrier spacing, which might already available from publicly available band plans. This is only a little more complicated than PSS/SSS jamming in LTE.

However, for a jammer it may be more effective for an adversary to transmit fake PSS/SSS signals rather than attempt to inject noise on top of the existing PSS/SSS, because it does not have to synchronize to a cell. It also uses less power because the PSS and SSS are designed to be detected at low signal-to-noise ratio (SNR), thus requiring more jammer power to successfully jam the signal.

Although it depends on the Mobile chipset and whether any PSS/SSS blacklisting algorithm exists, it may only be necessary to spoof the PSS. Spoofing the PSS and SSS involves the attacker transmitting several fake signal,asynchronous to the target 5G NR frame(s) i.e., not overlapping in time with the real PSS/SSS and at higher power. PSS/SSS spoofing can cause denial of service (DoS), which would likely occur during initial cell search.

Jamming Vulnerability of the PBCH: The symbols assigned to the PBCH region are all within two or four slots of each other (depending on whether the carrier is below or above 3 GHz respectively), so a jammer selectively targeting the PBCH will appear to have a very low duty cycle, especially at the higher sub-carrier spacings where the duration of one slot is lower.

By jamming the PBCH, UEs will not be able to access critical information they need to connect to a cell, thus preventing new UEs from accessing one or more cells. PBCH jamming can be performed in a time-selective manner if the jammer can synchronize to the target cell. Otherwise, the jammer could simply jam the subcarriers the PBCH is on using 100% duty cycle. This latter approach involves jamming 240 subcarriers, and to provide some perspective, a 20 MHz downlink using 15 kHz subcarrier spacing has 1272 subcarriers. Thus, it would involve jamming 19% of the downlink signal, leading to a jamming gain around 7 dB w.r.t. barrage jamming.

Sniffing and Spoofing Vulnerability of the PBCH: Despite the large number of changes in the PHY layer of 5G NR, most of the underlying protocols are very similar to those of LTE e.g. MIB and SIB messages maintain a similar structure and payload to LTE. MIB message contains essential PHY layer configuration necessary by the UE to establish a radio link with a cell, the SIB messages contain detailed information on the configuration of the cell and overall network. The SIB messages provide information such as the idle timer configuration of the network, unique cell identifiers, and the RB mapping of critical control channels. This information is always broadcasted in the clear without any encrypted.

Considering these messages occur prior to authentication and are not protected, it is likely that some of these fields could potentially be leveraged for security exploits against the 5G NR. This could be achieved, for example, by spoofing SIB messages or impersonating a base station during the RRC handshake. The 5G NR has very similar RRC and Non-Access Stratum (NAS) protocol architecture as LTE where a number of pre-authentication messages implicitly trusted by both the UE and the base station. By both impersonating a UE or a base station, an adversary can leverage exploits.

Physical Downlink Control Channel (PDCCH)

The PDCCH channel is used to send control information to the UEs on a per-slot basis. It is used to schedule downlink transmissions, uplink transmissions, MCS of those transmissions, and HARQ information. The PDCCH can appear on any subcarrier; so the jammer must decode the parameter CORESET freq-domain. The parameter CORESET-time-duration, which can take on values 1, 2, or 3, indicates how many OFDM symbols the PDCCH occupies each slot. The PDCCH always starts in the first symbol of each slot, is QPSK modulated and uses polar coding.

Jamming Vulnerability of PDCCH

In order to jam all possible locations the PDCCH might reside in, assuming knowledge of CORESET-freq-domain, the jammer would have to jam every sub-carrier, using a duty cycle of either 7%, 14%, or 21% depending on the value of CORESET-time-duration. This type of pulsed jamming attack can also act as a form of automatic gain control jamming.

Shared Channel (PDSCH and PUSCH)

The Physical Downlink Shared Channel (PDSCH) and Physical Uplink Shared Channel (PUSCH) are used to transmit
user data from the gNB to the UE and vice versa, and represent the bulk of the frame. While surgically jamming these channels is possible, the adversary might as well jam the entire uplink or downlink signal. Thus, PDSCH and PUSCH jamming are two of the least important threats to consider.

Jamming Vulnerability of Physical Uplink Control Channel
The  PUCCH is used by UE to send gNB a variety of control information, including HARQ ACKs, SRs, and CSI. There are different PUCCH formats, and there are a variety of parameters provided by the higher layer to inform the UE about which subcarriers and symbols to transmit each PUCCH message. The PUCCH has an option for intra-slot hopping, which acts as a great defense mechanism. The PUCCH is modulated with either BPSK or QPSK and uses either repetition code, or polar code (depending on the number of bits to transmit).

The uplink control information can also be carried on the PUSCH, meaning jamming just the PUCCH will not block all uplink control information. All of these factors make the PUCCH an extremely complicated physical channel to jam.

Jamming Vulnerability Physical Random Access Channel
5G NR random access procedure for regular UEs is very similar to that of LTE. When a UE wants to connect to a cell, it first receives the PSS, SSS, and PBCH. After synchronizing to the cell in time and frequency, it transmits a preamble over the Physical Random Access Channel (PRACH), which takes the form of a Zadoff-Chu sequence that embeds a value used to temporarily identify the UE. The gNB broadcasts the candidate locations of the PRACH (in time and frequency) in case a UE wants to connect.

The large number of possible locations, and the complexity required to decode the positions in real time, makes the PRACH an unlikely target for a jammer. On the other hand PRACH spoofing, where the UEs flood the PRACH might be feasible, but the 5G NR specifications do not specify the behavior of the gNB when encountering a large number of invalid preambles.

Reference: 5G NR Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation Paper