BARON: Base-Station Authentication Through Core Network for Mobility Management in 5G Networks

Fifth-generation (5G) cellular communication networks are being deployed on applications beyond mobile devices, including vehicular networks and industry automation. Despite their increasing popularity, 5G networks, as defined by the Third Generation Partnership Project (3GPP), have been shown to be vulnerable against fake base station (FBS) attacks. An adversary carrying out an FBS attack emulates a legitimate base station by setting up a rogue base station. This enables the adversary to control the connection of any user equipment that (inadvertently) connects with the rogue base station. Such an adversary can gather sensitive information belonging to the user. While there is a large body of work focused on the development of tools to detect FBSs, the user equipment will continue to remain vulnerable to an FBS attack. In this paper, we propose BARON, a defense methodology to enable user equipment to determine whether a target base station that it is connecting to is legitimate or rogue. BARON accomplishes this by ensuring that the user receives an authentication token from the target base station which can be computed only by a legitimate and trusted entity. As a consequence, receiving such an authentication token from a base station ensures legitimacy of the base station. We evaluate BARON through extensive experiments on the handover process between base stations in 5G networks. Our experimental results show that BARON introduces an overhead of less than 1% during handover completion, which is 10000x lower than the overhead reported by a state-of-the-art method. BARON is also effective in thwarting an FBS attack and quickly recovering connection to a legitimate base station.