This project, 5G-UE-SecurityTesting, is currently a work in progress. It focuses on security testing for 5G Standalone User Equipment (UE). The objective of this project is to develop a comprehensive framework for assessing the security aspects of 5G UE devices.
prerequisite: sudo apt-get install build-essential cmake libfftw3-dev libmbedtls-dev libboost-program-options-dev libconfig++-dev libsctp-dev
More details on srsRAN installation can be found at: https://docs.srsran.com/projects/4g/en/latest/general/source/1_installation.html
prerequisite: apt install python3-pip python3-setuptools python3-wheel ninja-build build-essential flex bison git cmake libsctp-dev libgnutls28-dev libgcrypt-dev libssl-dev libidn11-dev libmongoc-dev libbson-dev libyaml-dev libnghttp2-dev libmicrohttpd-dev libcurl4-gnutls-dev libnghttp2-dev libtins-dev libtalloc-dev meson libjson0 libjson0-dev
pwd/installMore details on open5gs installation can be found at: https://open5gs.org/open5gs/docs/guide/01-quickstart/
curl -fsSL https://open5gs.org/open5gs/assets/webui/install | sudo -E bash -
Before starting the automatic testing process, it is advised to check if all the components are working fine.
For the NAS test:
sudo ./open5gs/build/tests/app/5gc -n /home/usr/Desktop/5G/Test_nas/test1.jsonsudo ./srsRAN/build/srsenb/src/srsenb configFiles/enb.confFor the RRC test:
sudo ./open5gs/build/tests/app/5gc -n /home/usr/Desktop/5G/Test_nas/test1.jsonsudo ./srsRAN/build/srsenb/src/srsenb configFiles/enb.conftest /home/usr/Desktop/5G/Test_rrc/testcases1.json (On the terminal, after a complete gNB initialization)If these steps run properly, then the system is ready for the automation process using handler.py. Please note that in order to run the RRC test, it is necessary to run a NAS test as well. In this case, the NAS test1.json is executed concurrently with the RRC test, but NAS test1.json can be a dummy testcase.
For the automation process, connect the Android device to the PC using a USB connection and ensure that the phone is recognized as a connected device. This tutorial can be helpful: https://www.youtube.com/watch?v=GERlhgCcoBc
The program assumes Open5gs, srsRAN, NAS test case folder, and RRC test case folder are in the same directory. In case of a different directory kindly change the path. For example:
./path/to/testcase/directory e.g., test_directory = "./Test_nas"In this repository we provide sample testcases for NAS and RRC. The parameters and names are selected according to our definitions in the modified messages in the files: nas-path.c (Open5GS) and rrc_nr_ue.cc (srsRAN).
The type of test case needs to be specified with -t flag, followed by an option either nas or rrc. For example
sudo python3 handler.py -t rrc
This program takes all the test cases and runs them one by one.The phone is toggled between airplane mode and normal mode a maximum of 5 times to establish a fresh connection with the network. As soon as "testing finished" keyword is found then it immediately completes that test case and goes for the next test case. If the keyword is not found (after 5 times toggling), then go for the next test case. When the whole round is completed it tries for the failed test case again.
The program will create a folder (e.g., rrc_results). All logs and pcaps will be saved there. It will also create a real-time test case status log (e.g., Fri Jun 23 6:29:57 2023_RRC.txt ) where it can be seen if a test case is completed or not invoked.
The 5G-UE-SecurityTesting project is open-source.
If you are using or referencing this project, please cite the following paper:
@inproceedings{bitsikas23UEframework,
title = {UE Security Reloaded: Developing a 5G Standalone User-Side Security Testing Framework},
author = {Bitsikas, Evangelos and Khandker, Syed and Salous, Ahmad and Ranganathan, Aanjhan and Piqueras Jover, Roger and Pöpper, Christina},
booktitle = {Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks},
year = {2023},
url = {https://doi.org/10.1145/3558482.3590194}
}