How is 5G protected against bidding-down attacks? That's what we will be looking at in this video. A bidding-down attack involves making equipment function in a downgraded way. Let's look at an example. On the first registration in the network, there is no security context: no encryption key and no integrity protection have been established. A terminal therefore transmits the registration request in clear text and needs to indicate which encryption algorithms it supports and, more generally, its security capabilities. An attacker can position itself in the middle of the transmission and change the security capabilities, for example indicating that the encryption algorithms EA1, EA2 and EA3 are unsupported, whereas the terminal announced that it did actually support them. The AMF which receives the message has no way of identifying that it has been modified, so it proceeds with the authentication. Once it has been authenticated, the security and integrity keys are available. But in order to respect the procedure, the security mode selected must be compatible with what the terminal supports. In other words, EA0 is used, which amounts to no encryption at all.

So how can we protect ourselves from these attacks? We can't really prevent them, so what we will do when encryption is activated is to echo the security capabilities announced by the terminal, and the message will be completed by a message authentication code to check its integrity. This mechanism is used in 5G but was also defined and is implemented in 4G. Let's look at the case of an attack. The attacker modifies the security capabilities. After authentication, integrity checking can be triggered and, more specifically, a MAC can be added to each message sent. Here we suppose that the attacker who modified the capabilities hasn't modified the echo message. What will happen? The UE checks the integrity of the message; the message hasn't been modified, so there is no problem. Then, the UE checks that the echo is consistent with what it sent. There's a difference, so the UE rejects the message. Let's look at case two, where the attacker tries to modify the echo message to make the echo consistent. In this case, the integrity check comes into play: since the attacker doesn't know the integrity key, it can try to modify the echo but will never find the right MAC corresponding to the modified message. The integrity check will therefore fail and the UE can reject the request.

In 5G, security capabilities are not the only thing announced by the terminal; there is a set of capabilities related to other network functions. For example, when registering, a terminal indicates whether or not it supports data transfer on the S1 interface. A terminal which only deals with short messages transported in the control plane is entirely possible. The attacker can modify this network capability. In 5G, we generalize the previous mechanism, namely the echo mechanism, to the whole registration message: whatever the capabilities indicated, whatever standard changes may come, the entire message is sent back. Just as we saw before, there is an integrity check and the attack is always detected. If the attacker decides not to modify the echo, the check between the echo received and the message sent will detect the attack. And if the attacker decides to modify the echo message, the integrity check will enable the UE to detect the attack.

In conclusion, in 4G and 5G, the initial registration message is transmitted in clear text. Since there is no security in place (no encryption key or integrity check), this is an inherent weakness. A bidding-down attack is a kind of man-in-the-middle attack which announces downgraded capabilities for the terminal. The countermeasure in 4G and 5G is an echo mechanism with integrity checks. In 4G, the echo is limited to security capabilities. In 5G, the entire initial message is sent as an echo in order to detect the attack.
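The two attack cases described above, as an added simulation (example code, not from the video or from any 3GPP implementation): HMAC-SHA256 stands in for the NAS integrity algorithm, and the key, message format and function names are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key: stands in for the NAS integrity key both UE and AMF hold after authentication.
K_INT = b"constructed-nas-integrity-key"


def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 stands in for the 3GPP NAS integrity algorithm (assumption)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def ue_registration_request(capabilities: dict) -> bytes:
    """The UE's initial registration: sent in clear text, no integrity protection yet."""
    return json.dumps(capabilities, sort_keys=True).encode()


def attacker_downgrade(request: bytes) -> bytes:
    """Man-in-the-middle rewrites the clear-text request to claim only EA0 (no encryption)."""
    caps = json.loads(request)
    caps["EA"] = ["EA0"]
    return json.dumps(caps, sort_keys=True).encode()


def amf_security_mode_command(received_request: bytes, key: bytes):
    """After authentication the AMF echoes the whole message it received and MACs it (5G behaviour)."""
    echo = received_request
    return echo, mac(key, echo)


def ue_verify(sent_request: bytes, echo: bytes, tag: bytes, key: bytes) -> str:
    """UE-side checks in the order the video describes: integrity first, then echo consistency."""
    if not hmac.compare_digest(mac(key, echo), tag):
        return "reject: integrity check failed"
    if echo != sent_request:
        return "reject: echo differs from what was sent"
    return "accept"


def run_case(attack: str = "") -> str:
    """attack='' : no attacker; 'request': case one; 'request+echo': case two."""
    sent = ue_registration_request({"EA": ["EA0", "EA1", "EA2", "EA3"], "S1_data": True})
    received = attacker_downgrade(sent) if attack else sent
    echo, tag = amf_security_mode_command(received, K_INT)
    if attack == "request+echo":
        echo = sent  # attacker rewrites the echo but cannot recompute the MAC without K_INT
    return ue_verify(sent, echo, tag, K_INT)


if __name__ == "__main__":
    for case in ("", "request", "request+echo"):
        print(repr(case), "->", run_case(case))
```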