Breaking Cellular IoT with Forged Data-plane Signaling: Attacks and Countermeasure

Abstract

We devise new attacks exploiting the unprotected data-plane signaling in cellular IoT networks (a.k.a. both NB-IoT and Cat-M). We show that, despite the deployed security mechanisms on both control-plane signaling and data-plane packet forwarding, novel data-plane signaling attacks are still feasible. The attacker can forge both uplink and downlink data-plane signaling messages that pass the current security checks used by the receiver. With the capability of forging messages, the attacker can launch attacks that exhibit a variety of attack forms beyond simplistic packet-blasting, denial-of-service (DoS) threats, including location privacy breach, packet delivery loop, prolonged data delivery, throughput limiting, radio resource draining, connection reset, and multicast disabling. Our testbed evaluation and operational network validation have confirmed the attack viability. To combat the threat, we further propose a new defense solution within the 3GPP C-IoT standard framework. It leverages the synchronized timer clock information to protect the data-plane signaling messages with low overhead.