Never Let Me Down Again: Bidding-Down Attacks and Mitigations in 5G and 4G

Abstract

Bidding-down attacks reduce the security of a mobile network connection. Weaker encryption algorithms or even downgrades to prior network generations enable an adversary to exploit numerous attack vectors and harm the users of a network. The problem of bidding-down attacks has been known for generations, and various mitigations are integrated into the latest 4G and 5G specifications. However, current research lacks a systematic identification and analysis of the variety of potential attack vectors. In this work, we classify an extensive set of bidding-down attack vectors and mitigations and analyze their specification and implementation in phones and networks. Our results demonstrate vulnerabilities for all attacks and devices, including the latest mobile generation 5G and recent flagship phones. To further prove how the identified attack vectors can be exploited in sophisticated attacks, we conduct two case studies in which we apply a full downgrade attack from 5G SA to 2G and bid down a 5G NSA connection by enforcing null encryption. Again, we find a majority of systems vulnerable. With this paper, we hope to improve the state of bidding-down mitigations in the specification and implementation.