CSAI: Open-Source Cellular Radio Access Network Security Analysis Instrument
This enables security researchers to identify vulnerabilities in cellular networks, though it represents an incremental application of existing open-source tools to a new domain.
The researchers developed an open-source toolbox called CSAI to analyze security vulnerabilities in 4G/5G cellular radio access networks by modifying LTE software to decode downlink messages, and they found it could crash an eNB, demonstrating denial-of-service risks.
This paper presents our methodology and toolbox that allows analyzing the radio access network security of laboratory and commercial 4G and future 5G cellular networks. We leverage a free open-source software suite that implements the LTE UE and eNB enabling real-time signaling using software radio peripherals. We modify the UE software processing stack to act as an LTE packet collection and examination tool. This is possible because of the openness of the 3GPP specifications. Hence, we are able to receive and decode LTE downlink messages for the purpose of analyzing potential security problems of the standard. This paper shows how to rapidly prototype LTE tools and build a software-defined radio access network (RAN) analysis instrument for research and education. Using CSAI, the Cellular RAN Security Analysis Instrument, a researcher can analyze broadcast and paging messages of cellular networks. CSAI is also able to test networks to aid in the identification of vulnerabilities and verify functionality post-remediation. Additionally, we found that it can crash an eNB which motivates equivalent analyses of commercial network equipment and its robustness against denial of service attacks.