Wherever I May Roam: Stealthy Interception and Injection Attacks Through Roaming Agreements

Cellular network users can be attacked through Rogue Base Stations (RBSes). 3G introduced network authentication as a mitigation. However, roaming partnerships between network operators allow requesting authentication vectors. This feature opens doors for state-sponsored attackers with access to roaming infrastructure, allowing the operation of stealthy RBSes anywhere in the world. This by far exceeds what lawful interception interfaces were designed for but provides attackers with similar capabilities, such as network traffic interception, manipulation, and injecting management frames towards a user’s device. Updated 5G roaming procedures do not prevent this issue. We demonstrate that modern smartphones effectively cannot indicate such attacks to end-users.