WO2025210200A1 - Mitigation of bidding-down attacks to a decommissioned network in a wireless system - Google Patents
- Publication number: WO2025210200A1 (PCT/EP2025/059203)
- Authority: WO (WIPO, PCT)
- Prior art keywords: access device, network, policy, access, selection configuration
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/02—Access restriction performed under specific conditions
Definitions
- This invention and its embodiments relate to methods, apparatuses, and systems for operating a wireless device such as a user equipment, to improve network security and/or improve the way wireless devices select an access device and connect to different radio access technologies and networks.
- the methods and devices detailed in this document are used to improve the network security in the context of coexistence of different network generations or technologies, for example to mitigate decommissioned-network bidding-down attacks in a wireless system such as a cellular system, a WiFi network or the like.
- a primary station serves a plurality of secondary stations located within a cell served by this primary station. Wireless communication from the primary station towards each secondary station is done on downlink channels. Conversely, wireless communication from each secondary station towards the primary station is done on uplink channels.
- the wireless communication can include data traffic (sometimes referred to as User Data) and control information (also sometimes referred to as signalling). This control information typically comprises information to assist the primary station and/or the secondary station in exchanging data traffic (e.g. resource allocation/requests, physical transmission parameters, information on the state of the respective stations).
- the primary station is referred to as a base station, or a gNodeB (or gNB) in 5G (NR) or an eNodeB (or eNB) in 4G (LTE).
- the eNB/gNB is part of the Radio Access Network RAN, which interfaces to functions in the Core Network (CN).
- the secondary station corresponds to a mobile station, or a User Equipment (or a UE) in 4G/5G, which is a wireless client device or a specific role played by such device.
- the term “node” is also used to denote either a UE or a gNB/eNB.
- This relay node is a wireless communication station that includes functionalities for relaying communication between a primary station, e.g. a gNB and a secondary station, e.g. a UE.
- This relay function for example allows the coverage of a cell to be extended to an out-of-coverage (OoC) secondary station.
- This relay node may be a mobile station or could be a different type of device.
- the Proximity Services (ProSe) functions are defined inter alia in TS 23.303 and TS 24.334 to enable, amongst others, connectivity for the cellular User Equipment (UE) that is temporarily not in coverage of the cellular network base station (eNB) serving the cell.
- UE User Equipment
- eNB cellular network base station
- This particular function is called ProSe UE-to-network relay, or Relay UE for short.
- the Relay UE relays application and network traffic in two directions between the OoC UE and the eNB.
- the relay node relays the communications between UE devices.
- UEs may connect to the core network through a base station when in-coverage.
- the relay devices may receive and store some information for some time before forwarding it towards the target device.
- This information that may be stored and forwarded may be discovery messages received from a source UE whereby the relay UE may release them at some point of time later.
- This information that may be stored and forwarded may be a SIB that may contain a timestamp.
- cellular networks are evolving to enable more mobile access devices such as satellites, unmanned aerial vehicles, buses or trains that are capable of storing data for some time before forwarding it further.
- An example relates to a satellite that receives and stores certain data when it is close to a terrestrial gateway and only releases it when the receiving party comes into coverage.
- Such mobile access devices may work in a transparent manner or in a regenerative manner. In a transparent mode, the mobile access device acts as a reflector/smart repeater that retransmits the communication sent by, e.g., a gateway, e.g., a Non-Terrestrial Network gateway, towards a UE.
- the mobile access device works as a base station and is able to set up a connection with a UE.
- the mobile access device may be able to cache some data obtained from the UE or NTN gateway, and transmit it when it is within communication range of the receiver.
- Wireless telecommunication network systems have undergone tremendous evolution over the years to meet consumers' increasing demands for high-speed, low-latency, secure, and reliable wireless connectivity.
- 1G first-generation
- 5G (fifth generation) technologies are being rapidly deployed worldwide, offering unprecedented levels of data speed, network capacity, and low-latency connectivity to support a range of emerging applications and services, such as IoT, autonomous vehicles, virtual and augmented reality, and industrial automation.
- different types of radio access network technologies are being supported, including terrestrial and nonterrestrial networks. The goal of these advancements is simple: to provide consumers with seamless, ubiquitous, and secure wireless connectivity that meets the ever-growing demands of modern digital life.
- In their attempt to compromise subscribers’ UEs, malicious actors could leverage existing procedures to trick UEs into connecting to Fake Base Stations (FBS) running older generation networks (e.g., 2G/3G), thus intentionally exposing the UEs to the many known attacks pertaining to these older generation networks.
- FBS Fake Base Stations
- UEs may not always be able to use all networks or radio access technologies, e.g., because some networks or radio access technologies may not be available, or they may be restricted by the network (e.g., as a form of access technology utilization control in e.g., national roaming scenarios).
- An aim of the invention is to address the above problems by providing solutions mitigating decommissioned-networks bidding-down attacks and/or by providing means to improve how a UE can select a network or a radio access technology and/or perform a mobility procedure between networks and/or radio access technologies.
- a receiver adapted to receive an access device selection configuration or policy
- a controller adapted to select an access device and/or perform a handover procedure based on the access device selection configuration or policy.
- a method for access device selection assistance comprising:
- an apparatus for access device selection assistance comprising: - a receiver adapted to receive a request for an access device selection configuration or policy from a first device,
- a controller adapted to determine whether the access device selection configuration or policy is available locally and, if not, to request and receive the access device selection configuration or policy and/or selection configuration from a core network,
- a transmitter adapted to send the access device selection configuration or policy to the first device.
- informing the second access device, by the first access device, about the access device selection configuration and/or policy of the first device is performed in:
- an apparatus for access device selection assistance comprising a controller adapted
- In a seventh aspect of the invention, a computer program for selecting an access device is proposed, wherein the program comprises instructions implementing the apparatus of the second and fourth aspects of the invention.
- the access device selection configuration or policy includes at least one of: - a whitelist of one or more access devices or one or more groups of access devices,
- the method comprises receiving, by the UE, the access device selection configuration or policy in a registration accept message, such that the restriction may be based on one of, or a multitude of information elements, which include: a list of at least one decommissioned PLMN; and/or a list of at least one decommissioned cell identifier; and/or a list of at least one RAN area code; and/or a list of location information (e.g., tracking area codes) corresponding to at least one (de)commissioned older generation network access device or access device type.
- when the access device selection configuration or policy is received by a UE in a message such as a NAS reject message and the message is not integrity protected, the UE discards the message, including the access device selection configuration or policy therein, according to a rejection policy.
- the access device selection configuration or policy is signed by an entity managing the access device selection configuration or policy
- the method comprises the UE verifying the access device selection configuration or policy based on the public key of the entity managing the access device selection configuration or policy.
- the access device selection configuration or policy is updated periodically, or on-demand, and/or in a conditional manner.
- the access device selection configuration or policy contains a whitelist and/or a blacklist of access devices or groups of access devices and wherein the whitelist and/or blacklist are determined and provisioned to the UE based on the historical mobility pattern or real-time location and/or movement trajectory of the UE.
- the method comprises predicting, by a UE, the tracking areas/cells towards which the UE is moving, and, based on whether: a) the UE is configured with whitelists corresponding to the predicted tracking areas/cells; and/or b) the status of the older generation network access devices within the predicted tracking areas/cells has changed (i.e., the whitelists configured at the UE became outdated); updating accordingly the whitelists configured at the UE that correspond to the older generation network access devices within the predicted tracking areas/cells.
- the access device selection configuration or policy is updated on-demand or in a conditional manner and wherein the method further comprises: determining, by the network, the configuration for the UE; predicting, by the network, the tracking areas/cells towards which the UE is moving, based on historical mobility data, and/or real-time location information, and/or movement direction/trajectory information, and/or velocity; and determining, by the network, whether the whitelists configured at the user equipment need to be updated, wherein the whitelists correspond to the older generation network access devices within the predicted tracking areas/cells.
- the method further comprises the steps of:
- the method for network (re-)selection with network assistance further comprises: receiving, by the UE, signals from different network access devices which may correspond to different network generations; and compiling, by the UE, measurement reports corresponding to signals received from the different network access devices and ordering said measurement reports based on its selection criteria; selecting, by the UE, the most recent network generation access device available to access the network and performing the initial access procedure; communicating, by the UE, the ordered list of measurement reports to the network in a request message, e.g., the registration/attach request; receiving, by the UE, in a response message, e.g., the registration response message, the ordered list of network access devices prioritized according to the network, and indicating the status of each network access device, and based on said ordered list, performing, by the UE, cell (re-)selection or network access through the pre-selected access device.
- the method further comprises the steps of:
- the method comprises requesting, by the UE, network assistance to determine the legitimacy of an access device when the selection of an access device is inconclusive.
- the method is such that:
- the pilot signal is a synchronization signal of the device, and/or
- pilot signal features include the signal strength, and/or
- the access device selection configuration or policy is determined, and adapted or updated, by an AI model, and/or
- the access device selection configuration or policy is a threshold value or range of a configured similarity measurement.
- the method comprises requesting, by a UE lacking the status of one or more older generation networks, network assistance to determine the network status of one, or multiple older generation networks during the random-access including an indication of the cell or cell generation to check.
- the method comprises receiving, by the user equipment, a response with an access device selection configuration and/or policy that may include: a bitstring whose length corresponds to the number (N) of cell IDs indicated by the user equipment, and whose bits correspond respectively to the legitimacy evaluation results of said cell IDs; and/or the cell IDs, or an indication thereof, of the cells whose legitimacy verification failed.
- the configuration or policy comprises one or more of: a cryptographic function, a secret key, input parameters to the cryptographic function comprising at least one of:
  - an input identifier (e.g., cell ID, tracking area ID);
  - Cell/RAT type;
  - Network generation;
  - Cell location information (e.g., longitude and latitude);
  - Current time (e.g., UTC time) and/or time resolution;
  and expected output values of the cryptographic function; and the step of selecting, by the UE, an access device based on the access device selection configuration and/or policy comprises: receiving or obtaining input parameters; computing an output value by using the cryptographic function taking as input the received or obtained input parameters and the secret key; and performing one of:
  - comparing the computed output value to an expected output value saved at the device as part of the configuration; or
  - querying the network using the computed output value to determine the network access device validity and legitimacy.
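A keyed cell-legitimacy check of the kind described in the two items above (the cryptographic-function configuration, and the bitstring answer to a network query), written as an added example that is not part of the patent text: the choice of HMAC-SHA256, the 0.1-degree location quantisation, the time bucket derived from the time resolution, the `ObservedCell` fields and every key and cell value are assumptions made here for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ObservedCell:
    """Inputs the UE can observe for a candidate older-generation cell (assumed fields)."""
    cell_id: str
    rat: str          # e.g. "GERAN"
    generation: str   # e.g. "2G"
    lat: float        # position at which the cell was heard (the UE's own estimate)
    lon: float


def cell_tag(key: bytes, cell: ObservedCell, utc: datetime, resolution_s: int) -> str:
    """The configured cryptographic function: keyed digest over cell ID, RAT type,
    generation, coarse location and a UTC time bucket (HMAC-SHA256 is an assumption)."""
    bucket = int(utc.timestamp()) // resolution_s
    # 0.1 degree (~11 km) quantisation: a UE anywhere in the cell's area derives the
    # same input, while the same cell ID replayed far away does not.
    msg = "|".join([cell.cell_id, cell.rat, cell.generation,
                    f"{cell.lat:.1f}", f"{cell.lon:.1f}", str(bucket)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]  # truncated for compactness


def provision(key: bytes, legit_cells, utc: datetime, resolution_s: int) -> dict:
    """Network side: expected output values for the legitimate, still-operational
    cells the UE may meet, valid for the current time bucket only."""
    return {c.cell_id: cell_tag(key, c, utc, resolution_s) for c in legit_cells}


def verify_locally(key: bytes, expected: dict, observed: ObservedCell,
                   utc: datetime, resolution_s: int):
    """UE side: compare the computed output with the saved expected value.
    Returns True/False, or None when no expected value is configured for this cell
    (the UE should then query the network or treat the cell as not selectable)."""
    saved = expected.get(observed.cell_id)
    if saved is None:
        return None
    return hmac.compare_digest(saved, cell_tag(key, observed, utc, resolution_s))


def network_verify(key: bytes, legit_cells, observed_list, utc: datetime,
                   resolution_s: int):
    """Network side answer to a legitimacy query over N cell IDs: a bitstring of
    length N (1 = legitimate) plus the IDs whose verification failed."""
    by_id = {c.cell_id: c for c in legit_cells}
    bits, failed = [], []
    for obs in observed_list:
        ref = by_id.get(obs.cell_id)
        ok = ref is not None and hmac.compare_digest(
            cell_tag(key, ref, utc, resolution_s),
            cell_tag(key, obs, utc, resolution_s))
        bits.append("1" if ok else "0")
        if not ok:
            failed.append(obs.cell_id)
    return "".join(bits), failed


# Constructed sample data (not real network values).
KEY = b"constructed-demo-key-not-a-real-secret"
RESOLUTION_S = 3600
NOW = datetime(2025, 4, 7, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=2)   # a later time bucket: provisioned values are stale
LEGIT_CELLS = [ObservedCell("2G-CELL-0042", "GERAN", "2G", 52.08, 4.31)]
EXPECTED = provision(KEY, LEGIT_CELLS, NOW, RESOLUTION_S)

# UE near the real cell: computed tag matches the provisioned expected value.
NEARBY = ObservedCell("2G-CELL-0042", "GERAN", "2G", 52.10, 4.33)
# Same cell ID heard hundreds of km away (e.g. replayed by a fake base station): mismatch.
FAR_AWAY = ObservedCell("2G-CELL-0042", "GERAN", "2G", 48.86, 2.35)
# Cell ID never provisioned (e.g. a decommissioned cell): no local decision possible.
UNKNOWN = ObservedCell("2G-CELL-9999", "GERAN", "2G", 52.10, 4.33)

if __name__ == "__main__":
    print(verify_locally(KEY, EXPECTED, NEARBY, NOW, RESOLUTION_S))     # True
    print(verify_locally(KEY, EXPECTED, FAR_AWAY, NOW, RESOLUTION_S))   # False
    print(verify_locally(KEY, EXPECTED, UNKNOWN, NOW, RESOLUTION_S))    # None
    print(verify_locally(KEY, EXPECTED, NEARBY, LATER, RESOLUTION_S))   # False (stale)
    print(network_verify(KEY, LEGIT_CELLS, [NEARBY, FAR_AWAY, UNKNOWN], NOW, RESOLUTION_S))
```

Because the time bucket is part of the input, the expected values only hold for one resolution window, which is what forces the periodic or on-demand refresh the text describes.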
- the method comprises allowing the UE to select a blacklisted access device, based on the access device selection configuration and/or policy, when the UE requires emergency services.
- Figure 2 illustrates signal strength levels associated with different base stations, as monitored by a User Equipment
- Figure 3 describes an exemplary procedure to request the network to verify and assist a User Equipment in access device selection.
- Figure 4 schematically represents cells corresponding to different network generations and the mobility patterns of a set of UEs across these cells.
- Embodiments of the present invention are now described based on a cellular communication network environment based on cellular communication technologies, such as 2G, 3G, 4G, 5G or 6G.
- the present invention and its embodiments may also be used in connection with other wireless technologies, and in particular to the connection setup of devices trying to access a wireless network.
- A typical example is a cellular network, for example a 5G network, possibly including some relay nodes.
- These relay nodes may be implemented by UEs, such as Sidelink compatible UEs which can operate as relay nodes, or by other types of repeaters.
- the CN is the communication network’s core part, which offers numerous services to customers who are interconnected via the RAN. More specifically, it directs communication streams over the communication network and possibly other networks.
- MNOs Mobile Network Operators
- This phasing out, or decommissioning, of older generation networks happens gradually, and may be subject to several criteria e.g., demand, availability and coverage of newer generation RANs, population distribution, etc.
- MNOs have announced the decommissioning of their 2G or 3G networks in favor of 4G/5G networks. Given the weaker protection in these older generations (e.g., 2G/3G), this initiative could have a significant impact on the security of subscribers’ User Equipments (UEs), as newer generation networks feature, among other functionalities, security enhancements as well.
- the invention described herein aims at addressing the security threats associated with decommissioned older generation networks and at providing future-proof methods and solutions to mitigate and prevent bidding-down attacks in that context.
- 2G/3G may be decommissioned, or generally restricted (e.g., in a particular area or across a network)
- the UE may fall victim to a bidding down attack launched by a malicious actor, or failure cases that could have otherwise been avoided by checking restrictions.
- the UE does not currently have any filtering criteria and/or means to determine whether an older network generation (e.g., 2G/3G) is decommissioned and is, therefore, not to be considered when performing the BS selection.
- the lack of said means enables malicious actors to set up Fake Base Stations (FBS) and launch bidding-down attacks to lure UEs into selecting the FBS to connect through. It is therefore the object of the following embodiments to alleviate the threat of bidding-down attacks in the context of decommissioned older generation networks.
- a UE may be provisioned/configured by the network with a list of whitelisted cells and/or tracking areas (TAs), and/or Registration Areas (RAs) in which access through older generation networks is still permitted, while the default behaviour the UE may be configured to exhibit when camping/roaming in non-whitelisted cells and/or tracking areas and/or registration areas is to ignore older generation networks given their decommissioning. For instance, in a Registration area where all cells are allowed to operate older generation base stations, the UE may be configured to have the entire registration area whitelisted.
- the UE may be configured to only allow older generation base station selection in these whitelisted TAs.
- the UE may be configured with a list, in which only particular cells within a TA (or list of TAs) are whitelisted.
- the UE may be provisioned/configured with nested lists, wherein the nested lists, if any, contain only the TAs/Cells which are to be whitelisted.
- the UE may be provisioned/configured with the exemplary list below, wherein Registration Area 3 is entirely whitelisted (i.e., all Tracking Areas and cells within are whitelisted), whereas in Registration Area 1, only Tracking Area 4 (i.e., all cells within) and Cells X and Y of Tracking Area 2 are whitelisted.
- the top-left drawing illustrates a network-wide (e.g., across a country) categorization of Registration Areas (RAs) and the Cells to be whitelisted therein.
- the top-right and bottom drawings correspond to a heatmap illustrating the areas in which UEs (i.e., UE1, UE2, and UE3) are most active, based on the analytics of their historical mobility data.
- the network (e.g., AMF) may provision/configure the UE with the whitelisted RAs and the TAs/Cells within, corresponding to all the RAs. For instance, since UE2 seems to be more active in RA3 and RA4, the network may choose to provision/configure it with whitelists corresponding only to these two RAs.
- a Network Function (NF) or the Operation, Administration and Maintenance (OAM) system may be responsible for the cell categorization based on the criteria described above. For example, a NF or the OAM may assign each cell a priority level and a whitelist flag indicating whether the cell is whitelisted or not.
- Another NF may be responsible for the management of the UE Mobility Pattern, which may include collecting, storing, analyzing, and updating the historical and statistical data of the UE mobility. For example, this NF may be the AMF or a separate entity that interacts with the AMF.
- the network may, based on a set of criteria (e.g., UE historical mobility data, real-time location information, movement direction, velocity, RAT types providing coverage, and/or a change of RAT status (e.g., from operational to decommissioned), etc.), predict the RAs/TAs/Cells the UE may be moving towards and determine the status of RATs within these areas; in case the UE is not configured with the whitelists corresponding to these RAs/TAs/Cells, or if the whitelists are outdated, the network may trigger an update of the lists configured at the UE.
- the network may send a reject message which may have an indication of the failure cause, and/or a back-off timer to retry once the UE is closer to the TAs/Cells in question (e.g., if failure was due to being at a distance greater than the network defined one).
- the network may do the opposite; that is, the network may provision the UE with the whitelists corresponding to the areas which the UE may be (or likely to be) the least active in.
- This has the advantage of reducing potential signalling required to perform updates to the whitelists e.g., as the network detects and/or predicts that the UE is moving into an area that the UE is not configured with whitelists for.
- the UE may not be able to make the distinction between Non-whitelisted areas (e.g., RAs/TAs/Cells), and areas that were not considered by the network (e.g., during UE configuration) in the whitelisting process.
- the UE may by default consider that RA3 (and the TAs/Cells therein) is not whitelisted, when it may, in fact, be partially (e.g., certain TAs and/or Cells) or fully whitelisted. This may occur for instance if the UE’s configured list of whitelisted areas is not updated, and the UE has moved to an area that is not covered by its configuration.
- the UE may be configured to only consider the status of whitelisted RAs (and TAs/Cells therein) that it is configured with; that is, for Registration Areas which contain whitelisted TAs (or Cells), the default behavior of the UE with regards to other non-whitelisted TAs or Cells therein is to ignore/discard synchronization signals from older network generations in them, whereas for RAs that are not part of the list, the UE may be configured to perform/trigger a whitelist update procedure to include the new RA (and TAs/Cells therein) it is roaming in or moving towards.
- the network may provision/configure the UE with whitelist(s) that are associated with an expiration time, after which the UE is required to renew the whitelists. For example, the network may send a message to the UE containing one or more whitelists and a validity period (e.g., in seconds, minutes, hours, days, etc.) for each whitelist.
- the UE may store the whitelists and the validity period in its memory and use them to determine whether to ignore/discard synchronization signals from older generation networks in the corresponding areas. However, if the validity period of a whitelist expires, the UE may not use that whitelist anymore and may request the network to update it.
- the UE may periodically request the network to update the whitelists regardless of their validity period, or the network may proactively update the whitelists without waiting for the UE's request.
- the network may also provision/configure the UE with information about the operational schedule of (older generation) cells (e.g., 2G/3G) that are not permanently decommissioned but may operate only at certain times or days. For example, some cells may be turned off during nighttime or weekends to save energy or reduce interference, while others may be activated only when there is high demand or emergency situations.
- the UE may receive from the network a message containing one or more whitelists that include not only the identities and locations of older generation cells, but also their operational schedule (e.g., start and end time, frequency, duration, etc.).
- the UE may store this information in its memory and use it to determine whether to ignore/discard synchronization signals from older generation networks in the corresponding areas and times. For instance, if the UE receives a synchronization signal from an older generation cell that is supposed to be inactive according to its operational schedule, the UE may suspect that the signal is coming from a fake base station and may avoid camping on or connecting to it. Alternatively, the UE may request the network to verify the legitimacy of the older generation cell before camping on or connecting to it. This may prevent the UE from being lured by an attacker exploiting the temporal gaps in the older generation network coverage.
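One way a UE could evaluate the nested whitelist, validity period and operational schedule described in the items above, together with the default of requesting an update for registration areas the configuration does not cover and the emergency-services exception, as an added example that is not part of the patent text; the configuration layout, the hour-range form of the schedule, the treatment of cell IDs as unique and all area and cell names are constructed assumptions.

```python
from datetime import datetime, timezone

# Decisions the UE takes for a synchronization signal from an older-generation cell.
ALLOW = "allow"                    # whitelisted (and on schedule): may camp on it
IGNORE = "ignore"                  # area covered, cell not whitelisted: discard the signal
SUSPECT = "suspect"                # whitelisted but off-schedule: possible fake base station
REQUEST_UPDATE = "request-update"  # configuration missing or expired for this area

OLDER_GENERATIONS = {"2G", "3G"}

# Constructed configuration mirroring the exemplary list in the text: RA3 fully
# whitelisted; in RA1 only TA4 (all cells) and cells X and Y of TA2.
CONFIG = {
    "whitelist": {
        "RA3": "all",
        "RA1": {"TA4": "all", "TA2": ["X", "Y"]},
    },
    # validity period, after which the UE must renew the whitelist before using it
    "valid_until": datetime(2025, 4, 8, 0, 0, tzinfo=timezone.utc),
    # operational schedule per cell ID: active hours [start, end) in UTC;
    # cells without an entry are assumed permanently operational
    "schedule": {"X": (6, 22)},
}


def cell_whitelisted(whitelist: dict, ra: str, ta: str, cell: str):
    """True/False for a registration area the configuration covers, None otherwise."""
    ra_entry = whitelist.get(ra)
    if ra_entry is None:
        return None
    if ra_entry == "all":
        return True
    ta_entry = ra_entry.get(ta)
    if ta_entry is None:
        return False           # RA covered, this TA not whitelisted: default is to ignore
    return True if ta_entry == "all" else cell in ta_entry


def evaluate(config: dict, ra: str, ta: str, cell: str, now: datetime,
             emergency: bool = False) -> str:
    """Decide what to do with an older-generation sync signal heard in (ra, ta, cell)."""
    if emergency:
        return ALLOW           # a non-whitelisted cell may still be used for emergency services
    if now >= config["valid_until"]:
        return REQUEST_UPDATE  # expired whitelist must not be relied on
    listed = cell_whitelisted(config["whitelist"], ra, ta, cell)
    if listed is None:
        return REQUEST_UPDATE  # RA not part of the configuration: trigger a whitelist update
    if not listed:
        return IGNORE
    schedule = config["schedule"].get(cell)
    if schedule is not None:
        start, end = schedule
        if not start <= now.hour < end:
            return SUSPECT     # cell should be off now; do not camp, or ask the network to verify
    return ALLOW


def filter_candidates(config: dict, signals: list, now: datetime) -> dict:
    """Group observed cells by decision; newer-generation cells bypass the whitelist."""
    out = {ALLOW: [], IGNORE: [], SUSPECT: [], REQUEST_UPDATE: []}
    for s in signals:
        if s["generation"] not in OLDER_GENERATIONS:
            out[ALLOW].append(s["cell"])
            continue
        out[evaluate(config, s["ra"], s["ta"], s["cell"], now)].append(s["cell"])
    return out


# Constructed observations: one 5G cell and four older-generation cells.
NOON = datetime(2025, 4, 7, 12, 0, tzinfo=timezone.utc)
NIGHT = datetime(2025, 4, 7, 3, 0, tzinfo=timezone.utc)
EXPIRED = datetime(2025, 4, 9, 12, 0, tzinfo=timezone.utc)
SIGNALS = [
    {"cell": "N1", "ra": "RA1", "ta": "TA2", "generation": "5G"},
    {"cell": "X", "ra": "RA1", "ta": "TA2", "generation": "2G"},   # whitelisted, scheduled 06-22
    {"cell": "Z", "ra": "RA1", "ta": "TA2", "generation": "3G"},   # not whitelisted
    {"cell": "Q", "ra": "RA3", "ta": "TA9", "generation": "2G"},   # RA3 fully whitelisted
    {"cell": "A", "ra": "RA2", "ta": "TA1", "generation": "2G"},   # RA2 not in configuration
]

if __name__ == "__main__":
    print(filter_candidates(CONFIG, SIGNALS, NOON))
    print(filter_candidates(CONFIG, SIGNALS, NIGHT))
```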
- the AMF may indicate to the UE whether a network generation (e.g., 2G) is Allowed or Not-Allowed (e.g., determined by TA Identity, geolocation information, etc., or a combination thereof, as described in the following embodiments) through Service Area Restriction Information, where the restriction of services may be limited to a network generation (or a set of network generations), which may be indicated by a network generation (or set of network generations) indication (e.g., radio access technology (RAT) type) added to the Service Area Restriction Information.
- RAT radio access technology type
- the network may selectively restrict access through older network generations to a set of UEs, while it allows access through the same network generations to other UEs (e.g., police, firefighters, etc.); as such, the restriction profile for (older) network generations may also be part of the UE’s subscription in the UDM.
- the list of decommissioned PLMNs may be communicated to the UE upon a successful registration (e.g., in the Registration Accept message), although the list of PLMNs may not be sufficient, as the restriction may be location dependent (i.e., the same PLMN may allow access through an older generation network BS (e.g., RAT type) in one TA, but not in another); hence, the decommissioned PLMNs communicated to the UE in the registration accept message may need to be enriched with location information (e.g., Tracking Area Code (TAC), or other geolocation information, e.g., longitude/latitude), or specific cell identifiers, or RAN area code, or specific network generation.
- the AMF may also provide the UE with a PLMN-IdentityInfoList, as defined in TS 38.331, corresponding to the whitelisted (Allowed) and/or blacklisted (Non-Allowed) PLMNs upon successful registration. Additionally, the list of decommissioned PLMNs enriched with location information, specific cell identifiers, RAN area codes, or specific network generation information may also be communicated to the UE in a registration reject message.
- the UE may receive a confirmation or reject message. In particular, it may receive a reject message when the RAT is not supported.
- this also poses a security risk if an attacker fakes (unprotected) reject messages.
- when the UE receives a policy or configuration (or the radio access technology (RAT) restriction information) determining the whitelisted (non-restricted) and/or blacklisted (restricted) access technologies in a reject message (e.g., attach/registration reject message), the UE processes the message and retrieves the RAT restriction information depending on whether the reject message is (or is not) integrity protected. For instance, if the reject message contains a cause value indicating (1) that no suitable cells/access technology is available and/or (2) a list of access technology restriction information, and the message is not integrity protected, then the UE shall discard the received reject message.
- the configuration/policy determining which (legacy) access devices are allowed or disallowed may be exchanged between UEs, e.g., via SCI.
- the network configuration associated with the older generation network access devices, or radio access technologies (RATs), i.e., which are allowed/not-allowed or whitelisted/blacklisted
- the network configuration may be signed by the Home Network (HN), and the message (e.g., SCI) may also include a HN key identifier, allowing the receiving UE to verify the received network configuration.
- restrictions to access cellular networks through any older generation network access device(s) while the UE is roaming may be configured by default, where access may only be permitted through selected operators and/or countries.
- the network may only whitelist specific MNCs and/or MCCs, such that, while roaming, only access to/through network operators that are whitelisted, or that are within a whitelisted country, is permitted.
- MCC Mobile Country Codes
- the UE may be (pre-)configured, or have in store a configuration/policy (e.g., in the USIM/UICC) which determines for each of these MNOs whether access through an older generation network access device (e.g., 2G/3G base station) is, or is not allowed.
- the UE may have in store a list of these MNOs, indicating each MNO and for each RAT type supported by an MNO, whether it is whitelisted or blacklisted.
- the UE may be configured to blacklist all older generation network access devices associated with MNOs of said category, in which case, the MCC (i.e., 901) may be blacklisted, as described in previous embodiments.
- the identifiers (PLMN, cell IDs, RAN area codes) and/or location information that may be whitelisted or blacklisted may be determined by using a selection filter for more efficient encoding/transmission/storage. For instance, given an identifier, the identifier may be blacklisted or whitelisted if the identifier combined with the selection filter matches a whitelisted/blacklisted identifier.
- a similar approach may be used to allow/disallow other identifiers.
- a user equipment is restricted from network access to, and/or through, a network operator, or the entirety of network operators within a specific country, wherein said restriction is based on blacklisting the Mobile Network Code (MNC) associated with the network operator to block, or on blacklisting the Mobile Country Code (MCC) associated with the country where network access is to be restricted.
- MNC Mobile Network Code
- MCC Mobile Country Code
- all networks in a given country (MCC) of a given type may be blacklisted (e.g., by default), except specific networks (MNCs) that may be explicitly whitelisted.
- an attacker may place a fake base station for country B in country A, where the base station of country B is for a legacy access device that is still in usage in country B, but not in A.
- an attacker may still be able to lure a UE to a legacy access device even if all legacy access devices in country A have been decommissioned and the UE has policies for country A stating this. Addressing this issue may be achieved by using the embodiments in this invention combined as follows.
- a UE may have a configuration that whitelists networks for country A, and all other networks (of other countries) may be blacklisted.
- a UE may be able to determine its location so that networks (and access devices associated to them) that do not belong to its current location are blacklisted, in particular, all access devices associated to a PLMN with a mobile country code that is not associated with the country where the UE is currently located are blacklisted, or are whitelisted/blacklisted based on whether their mobile network codes are whitelisted/blacklisted.
- legacy wireless network generation access devices associated to a PLMN with a mobile country code associated with an international and/or satellite network operator that is different from the mobile country code used in the country where the UE is currently located are blacklisted by default (e.g., for all mobile network codes), or are whitelisted/blacklisted based on whether their mobile network codes, associated with the international and/or satellite network operator(s), are whitelisted/blacklisted.
- the UE (300) receives messages/signals (e.g., synchronization signals) transmitted by different base stations (i.e., 301, 302, 303, and 304), which may belong to different network generations (i.e., different RAT types).
- 301 and 304 are assumed to be older generations (e.g., 3G and 2G access devices, respectively), while 302 and 303 correspond to current generations (e.g., 5G and 4G access devices, respectively).
- UE 300 sends a Registration Request (or an Initial Attach, in case the cell selected is a 4G BS) to a network function and/or OAM, e.g., a mobility function such as the AMF (the AMF is used in what follows without loss of generality), wherein UE 300 may include the measurement reports compiled in step 311, its location, and may further indicate its preference and/or an ordered list of the cells sorted based on the UE's prioritization criteria (e.g., to use as an access device to the network).
- the network status check may be performed at a first stage (e.g., in Msg1), and following a positive network response (e.g., 11), UE (300) may want to further check whether the Cell ID corresponding to the access device from which the synchronization signals with the best signal quality were received is legitimate, in which case UE 300 may, in a second stage, request (e.g., in Msg3) the selected access device (e.g., 302) to perform a check on the legitimacy of the cell(s) (e.g., 301) by including the Cell ID(s) (or a part thereof which is sufficient to uniquely identify the cell(s)), to which the access device may respond, upon verification based on a (network) policy, with a bitstring wherein each bit corresponds to the legitimacy evaluation result.
- Synchronization signals strength pattern matching for FBS detection
- these conditions may also vary depending on the scenario applicable to a UE, e.g., conditions may be different for a UE performing handover than for a UE that is attempting to connect. Similarly, the conditions may vary depending on whether the UE is moving or not.
- the UE may be conditionally triggered e.g., based on an increase in the number of received synchronization signals and/or detecting a new signal with a strength level that is above a pre-determined/configured threshold, to perform continuous monitoring and collection of data pertaining to the suspicious synchronization signal(s).
- a UE may be stationary, and thus is expected to receive a fixed number of synchronization signals associated with the base stations in proximity.
- the known base stations may be stored and may also be shared with the network.
- UE may detect a new synchronization signal whose strength level may be higher in comparison to the rest of the synchronization signals received from other base stations, and as the initial strength level of the new synchronization signal is abnormally high, that may prompt the UE to categorize the BS from which said synchronization signal was received as Fake and/or check with the network, as described in previous embodiments (e.g., in relation to Fig. 3).
- a UE may be moving, in which case, UE may be expected to continuously detect synchronization signals broadcasted from different base stations in its proximity, which may be continuously changing over time as the UE is moving.
- the UE may be configured to detect the initial strength level associated with newly received synchronization signals, and based on whether the strength level is abnormally high (e.g., as in the bottom figure), the UE may be triggered to continuously monitor and log the variation in the strength level of the corresponding synchronization signals for a pre-configured time window, then compare it to the baseline pattern associated with the UE's mobility profile, as described in previous embodiments. Based on the similarity measure and the UE's configuration, the UE may classify the base station as legitimate, fake, or trigger a check with the network, as described in previous embodiments (e.g., in relation to Fig. 3).
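The stationary and moving cases above, as an added example in Python (not code from the patent). It assumes RSRP values in dBm, a baseline pattern given as expected dBm samples over the monitoring window, mean absolute deviation in dB as the similarity measure, and constructed thresholds and sample values.

```python
"""Synchronization-signal strength screening for fake base stations (FBS).

Added example, not code from the patent. Assumptions not in the text:
strengths are RSRP in dBm, the baseline pattern for a moving UE is a list of
expected dBm values over the monitoring window, the similarity measure is the
mean absolute deviation in dB, and all thresholds/sample values are
constructed for illustration.
"""
from statistics import mean
from typing import Dict, List, Optional

# "Abnormally high" initial strength: this many dB above the strongest cell
# the UE already knows (constructed threshold).
INITIAL_STRENGTH_MARGIN_DB = 15.0
# Mean deviation from the baseline pattern below which the cell is accepted,
# and above which it is classified as fake (constructed thresholds).
SIMILARITY_OK_DB = 3.0
SIMILARITY_FAKE_DB = 8.0


def is_abnormal_initial_strength(known_cells: Dict[str, float],
                                 initial_strength: float) -> bool:
    """Trigger condition: a newly detected signal whose first sample is far
    above everything the UE currently receives."""
    if not known_cells:
        return False
    return initial_strength > max(known_cells.values()) + INITIAL_STRENGTH_MARGIN_DB


def pattern_deviation(window: List[float], baseline: List[float]) -> float:
    """Similarity measure: mean absolute deviation (dB) between the logged
    strength samples and the expected pattern for the UE's mobility profile."""
    if len(window) != len(baseline) or not window:
        raise ValueError("window and baseline must have the same non-zero length")
    return mean(abs(w - b) for w, b in zip(window, baseline))


def screen_signal(known_cells: Dict[str, float], cell_id: str, window: List[float],
                  stationary: bool, baseline: Optional[List[float]] = None) -> str:
    """Classify a synchronization signal as LEGITIMATE, FAKE or CHECK_WITH_NETWORK.

    known_cells: cells (with their current strength) already seen/stored.
    window: strength samples of the new signal over the monitoring window;
            window[0] is the initial strength that may trigger monitoring.
    """
    if cell_id in known_cells:
        return "LEGITIMATE"                       # part of the expected set
    if not is_abnormal_initial_strength(known_cells, window[0]):
        return "LEGITIMATE"                       # nothing suspicious
    if stationary:
        # A stationary UE expects a fixed neighbour set; a new, unusually
        # strong signal is escalated to the network check of Fig. 3.
        return "CHECK_WITH_NETWORK"
    if baseline is None:
        raise ValueError("a moving UE needs a baseline pattern")
    deviation = pattern_deviation(window, baseline)
    if deviation <= SIMILARITY_OK_DB:
        return "LEGITIMATE"
    if deviation >= SIMILARITY_FAKE_DB:
        return "FAKE"
    return "CHECK_WITH_NETWORK"


# Constructed sample data.
KNOWN_CELLS = {"cell-A": -95.0, "cell-B": -100.0}
# Expected pattern while moving towards a legitimate cell: gradual increase.
MOVING_BASELINE = [-79.0, -76.0, -73.0, -70.0, -68.0, -66.0]
LEGIT_WINDOW = [-78.0, -75.0, -74.0, -71.0, -67.0, -66.0]   # follows the ramp
FAKE_WINDOW = [-60.0, -60.0, -61.0, -60.0, -59.0, -60.0]    # flat and very strong

if __name__ == "__main__":
    print(screen_signal(KNOWN_CELLS, "cell-X", [-70.0], stationary=True))
    print(screen_signal(KNOWN_CELLS, "cell-X", LEGIT_WINDOW, False, MOVING_BASELINE))
    print(screen_signal(KNOWN_CELLS, "cell-X", FAKE_WINDOW, False, MOVING_BASELINE))
```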
- the UE may store a configuration or a policy that indicates whether it is authorized to connect to a given type of access device, or not, and the circumstances in which this is authorized.
- the configuration may indicate that the UE is authorized to connect to a 4G access device, but not authorized to connect to a 3G access device unless a certain condition occurs, e.g., the UE requires emergency services.
- This configuration ensures that the UE does not connect by mistake to old generation access devices (e.g., 3GPP 3G), since such networks may be/have been decommissioned and may be run by an attacker in the form of a fake base station, where the fake base station would be used to, e.g., get the identity of the user.
- This configuration may be determined by the home network or the user and may be updated or modified as needed. Based on this configuration, the UE may reject or accept the synchronization signals from different access devices, or request more information from the network before connecting. Similarly, a network may accept or reject a UE’s attempt to access it through a specific network generation’s access device, based on whether the UE meets the configuration/policy criteria or conditions permitting access. If not, an access device may send a reject message (e.g., RRC reject message during the random-access procedure), which may include a rejection cause (e.g., UE not permitted for access through UTRAN).
- the UE may receive the configuration or policy from the network when it registers for the first time, or when it changes its location to a new area.
- the configuration or policy may also be pre-configured in the UE by the user or the manufacturer and updated periodically or on demand.
- the configuration or policy may be stored in the UE memory, or in a secure element such as a SIM card or an eSIM.
- the decommissioning configuration/policy may need to be updated periodically, on-demand, or in a conditional manner as described in previous embodiments. For instance, if the MNO has completely decommissioned a RAT (e.g., GERAN), it may indicate in the configuration that it is fully decommissioned, and later update the decommissioning configuration/policy to restrict the RAT of the next generation (e.g., UTRAN) once the latter has been fully decommissioned by the MNO.
- the MNO may update the decommissioning configuration/policy more frequently and/or in a conditional manner, e.g., in scenarios where the decommissioning is done in phases, in which case the MNO may regularly update the decommissioning configuration/policy based on whether it has decommissioned a RAT, in a certain location (e.g., Registration or tracking area, or an entire country).
- the MNO may update the decommissioning configuration/policy on-demand; for instance, the protection against bidding down attacks may be on an opt-in basis, where the UE/User may request/retrieve the decommissioning configuration/policy, e.g., through an MNO service portal, and only then is it provided to the UE.
- the MNO may also provide the UE/User (e.g., through a service portal) with countries and/or operators for which a decommissioning configuration/policy is available, such that if a User intends to travel (e.g., to another country), it may be able to retrieve a decommissioning configuration/policy from roaming partners which have service agreements with the home network associated with the USIM/UICC used by the user.
- the configuration/policy may determine a time window during which the decommissioning configuration/policy is temporarily disabled; for instance, the USIM/UICC (or the UE, upon USIM/UICC request) may start a timer, set by the MNO, to determine when to re-enable the decommissioning configuration/policy.
- the format of decommissioning configuration/policy information may need to be specified.
- the list entries may include information associated with the PLMN (e.g., MCC and/or MNC), and a value indicating the decommissioned RATs; for instance, this value may be a bit-value in which each bit is associated with a RAT (e.g., 11000 indicating that only 4G and 5G RATs are allowed, while the rest are restricted); for instance, the bit-value may be a fixed number of bits (e.g., 8), wherein the MSB is associated with the most recent network generation supported by the MNO, while the rest of the LSBs are associated with previous generations (e.g., 11000000, which may indicate that only 4G/5G RATs are allowed, while any RAT associated with a network generation older than that is restricted).
- the MNO may indicate in the decommissioning configuration/policy information only the minimum network generation it supports; it is then understood that all RATs associated with network generations older than the indicated minimum network generation are restricted, whereas access through network generations that are more recent than the minimum is not restricted; this may for instance be indicated by using a number (e.g., 4) reflecting the minimum network generation (e.g., 4G in this case) whose RATs are not restricted.
- the list entries described above may further include location information (as described in previous embodiments), which may have different restricted RATs (e.g., in cases where decommissioning is done in a phased manner, or due to lower population density). For instance, a list entry may be as follows:
- only the home PLMN is allowed / authorized to update the decommissioning configuration/policy of a UE, e.g., in its UICC/USIM.
- the UE may be configured to only access an “unknown” VPLMN (i.e., a VPLMN for which decommissioned RATs are unknown) through a safe/secure RAT.
- the HPLMN may send a request to provide said configuration for a given area.
- the VPLMN may provide said configuration to the HPLMN knowing the access device that the UE used to connect. This configuration may be a partial configuration of the VPLMN's decommissioning configuration/policy.
- the VPLMN may not wish to share the (whole) decommissioning configuration / policy with the HPLMN.
- the UE / UICC / USIM may be configured to connect to the VPLMN only through a safe/secure generation RAT (e.g., as in the previous example), and the VPLMN may get a token from the HPLMN authorizing the VPLMN to deploy its decommissioning configuration / policy to the UE / UICC / USIM.
- This token may be a key derived from a root key (e.g., K_AUSF) and/or generated by means of a private key owned by the home PLMN and whose public key is known to the UE / UICC / USIM.
- the symmetric key may be used to encrypt/authenticate (a part of) the decommissioning configuration/policy, e.g., a given amount of data (size of a decommissioning configuration / policy).
- the USIM / UICC may run an application preventing that information from leaving a storage area in the USIM / UICC. This embodiment allows the UE / UICC / USIM to receive a decommissioning policy / configuration from the VPLMN in a secure way.
- a decommissioning configuration/policy for a given RAT, or a combination of Tracking Area/RAT, etc may be associated with a date / time / validity time, i.e., a date until the Tracking Area / RAT/etc may be used by the UE / USIM / UICC to connect.
- This embodiment is advantageous because it reduces the number of updates required in the UE / USIM / UICC when the decommissioning happens over time and the set of decommissioned RATs / Tracking Areas keeps changing.
- a UE / UICC / USIM may obtain its location by means of cellular positioning or GNSS, however, positioning signals may be spoofed, and position may not be accurate/trustworthy. On the one hand, positioning information can be used to improve the accuracy of the decommissioning / configuration policy; on the other hand, if an attacker tampers with the positioning signals, the attacker may still manage to get a UE connected to an old RAT.
- the UE / USIM / UICC may indicate the estimated location of a UE to the user when the UE is choosing a given RAT, e.g., an old generation RAT. The user may then verify this location. This may also be a configuration in the UE that gives the user the possibility to verify the UE location.
- the UE may apply the configuration or policy at different stages of its network connection process. For example, the UE may apply the configuration or policy when it is acquiring the synchronization signals from different cells and filter out the cells that do not match the configuration or policy. Alternatively, or in addition, the UE may apply the configuration or policy when it is performing handover (HO) from one cell to another (e.g., conditional HO), and reject the handover if the target cell does not comply with the configuration or policy, e.g., as further detailed in some of the following embodiments. Similarly, a target access device may reject the handover if the UE does not comply with the configuration or policy it has been provisioned with. The UE may also apply the configuration or policy when it is idle or in power saving mode, and avoid camping on cells that are not authorized/allowed by the configuration or policy.
- HO handover
- a mobility procedure e.g., handover
- the latter may trigger a HO procedure wherein a target base station is selected by the source base station.
- the HO procedure and/or the source base station may not account for the access technologies restricted at the UE side (e.g., due to the restriction information pertaining to the UE not being provided by MME and/or the UE).
- the UE may, prior to considering an inter-RAT mobility procedure as initiated, check whether the indicated target cell/base station selected by the source base station is (non-)restricted. In an example, only upon determining that the access type associated with the selected cell/base station is not restricted does the UE consider the inter-RAT mobility as initiated and attempt to access the target cell indicated by the inter-RAT message.
- a UE is connected to an E-UTRA cell and the list of "PLMNs with associated RAT restrictions" at the UE indicates that NR/NG-RAN is restricted by the serving PLMN; then, upon receiving a mobility triggering message (e.g., a MobilityFromEUTRACommand message as per 5.4.3.3 of TS 36.331) where the targetRAT-Type is set to NR (in this particular example; generally, where the targetRAT-Type is set to any restricted RAT type), the UE may need to check that the indicated targetRAT-Type is not restricted before initiating the inter-RAT mobility. The UE may only start the inter-RAT mobility after a positive check.
- an inter-RAT mobility triggered by a E-UTRA cell fails due to the targetRAT-Type indicated by the source base station (i.e., serving E-UTRA cell) being a restricted RAT according to the list of “PLMNs with associated RAT restrictions” maintained by the UE, then the UE may indicate such a failure to the serving base station. For instance, the UE may send a failure message, e.g., a rejection or, e.g., comprising a failure cause indicating that the failure is due to the targetRAT-Type being restricted.
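The list-entry formats (bit-value and minimum generation), the country-wide default with explicitly whitelisted MNCs, the "unknown VPLMN" rule and the targetRAT-Type check described above, as an added Python example that is not code from the patent. It assumes generations numbered 2 (GERAN) to 5 (NR), entries keyed by MCC plus an optional MNC where the MCC+MNC entry overrides the country-wide one, 4G and newer as the safe/secure RATs, and constructed MCC/MNC values (the international MCC 901 is the one named in the text).

```python
"""Decommissioning configuration/policy: list-entry decoding and the checks a
UE runs before cell selection or inter-RAT mobility.

Added example, not code from the patent. Assumptions not in the text:
generations are numbered 2 (GERAN) to 5 (NR); an entry is keyed by MCC plus
an optional MNC, where a missing MNC means every network of that country and
an MCC+MNC entry overrides the country-wide one; for a PLMN with no entry
("unknown" VPLMN) only generations at or above SAFE_GENERATION are used;
MCC 999 and the MNC values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

RAT_GENERATION = {"GERAN": 2, "UTRAN": 3, "E-UTRA": 4, "NR": 5}
SAFE_GENERATION = 4     # assumption: 4G and newer count as safe/secure RATs


def allowed_from_bits(bit_value: int, newest_generation: int, width: int = 8) -> FrozenSet[int]:
    """Bit-value format: the MSB stands for the newest generation the MNO
    supports, each following bit for the next older one; a set bit means the
    generation is allowed. E.g. 0b11000000 with newest=5 allows 5G and 4G only."""
    allowed = set()
    for i in range(width):
        generation = newest_generation - i
        if (bit_value >> (width - 1 - i)) & 1 and generation >= 2:
            allowed.add(generation)
    return frozenset(allowed)


def allowed_from_minimum(minimum_generation: int, newest_generation: int) -> FrozenSet[int]:
    """Minimum-generation format: a single number (e.g. 4) below which every
    RAT is restricted and at or above which nothing is restricted."""
    return frozenset(range(minimum_generation, newest_generation + 1))


@dataclass(frozen=True)
class PolicyEntry:
    mcc: str
    mnc: Optional[str]                 # None = all MNCs of the country
    allowed_generations: FrozenSet[int]


class DecommissioningPolicy:
    """The UE-side "list of PLMNs with associated RAT restrictions"."""

    def __init__(self, entries: Iterable[PolicyEntry]):
        self._entries: Dict[Tuple[str, Optional[str]], PolicyEntry] = {
            (e.mcc, e.mnc): e for e in entries}

    def lookup(self, mcc: str, mnc: str) -> Optional[PolicyEntry]:
        # Most specific match first: an explicitly whitelisted MNC entry
        # overrides the default entry blacklisting the whole country.
        return self._entries.get((mcc, mnc)) or self._entries.get((mcc, None))

    def is_rat_restricted(self, mcc: str, mnc: str, rat_type: str) -> bool:
        generation = RAT_GENERATION[rat_type]
        entry = self.lookup(mcc, mnc)
        if entry is None:
            return generation < SAFE_GENERATION     # unknown VPLMN: safe RATs only
        return generation not in entry.allowed_generations


def inter_rat_mobility_check(policy: DecommissioningPolicy, serving_plmn: Tuple[str, str],
                             target_rat_type: str,
                             target_plmn: Optional[Tuple[str, str]] = None) -> Tuple[bool, Optional[str]]:
    """Gate a MobilityFromEUTRACommand-style trigger: returns (initiate, cause).
    For inter-PLMN mobility the PLMN-RAT combination of the target is checked;
    otherwise the serving PLMN's restrictions apply."""
    mcc, mnc = target_plmn or serving_plmn
    if policy.is_rat_restricted(mcc, mnc, target_rat_type):
        return False, "targetRAT-Type restricted"    # cause for the failure message
    return True, None


# Constructed policy: country 999 blacklists 2G/3G for every operator by
# default (8-bit value 11000000), operator 999-01 is explicitly whitelisted
# down to 3G (minimum generation 3), and the international MCC 901 keeps
# only 4G/5G (5-bit value 11000).
POLICY = DecommissioningPolicy([
    PolicyEntry("999", None, allowed_from_bits(0b11000000, newest_generation=5)),
    PolicyEntry("999", "01", allowed_from_minimum(3, newest_generation=5)),
    PolicyEntry("901", None, allowed_from_bits(0b11000, newest_generation=5, width=5)),
])

if __name__ == "__main__":
    print(POLICY.is_rat_restricted("999", "02", "UTRAN"))          # True
    print(inter_rat_mobility_check(POLICY, ("999", "02"), "NR"))    # (True, None)
```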
- the UE may provide fresh (i.e., recent, e.g., within a given time interval, e.g., the last T seconds) measurement reports pertaining to candidate target cells serving the area where the UE is located.
- fresh measurement reports may be associated with access technologies that are not restricted based on the list of “PLMNs with associated RAT restrictions”, as described in previous embodiments. Note that the inter-RAT mobility failure may occur while the UE is moving, hence the need for fresh measurement reports.
- base stations implement a communication interface that allows the transfer of RAT restriction associated to a UE. This information may be provided to the target base station once the handover is confirmed.
- This information may also be transferred beforehand (e.g., in the HANDOVER REQUEST), so that the candidate target base station can determine whether it can fulfil the RAT restriction, also considering subsequent mobility procedures; i.e., the Mobility Restriction List IE information is transferred in the HANDOVER REQUEST message from the source NG-RAN node to the target NG-RAN node, where the RAT restriction should also be applied.
- This embodiment may be applicable to, e.g., TS 36.423 X2AP or TS 38.423 XnAP.
- Mobility Restriction List IE may further comprise RAT Restrictions included in Extended RAT Restriction Information IE which may contain RAT restriction information for E-UTRA satellite access technology as below.
- Handover Restriction List IE may further comprise RAT Restrictions included in RAT Restriction Information IE which may contain RAT restriction
- the M-NG-RAN node may check whether the S-NG-RAN node is restricted by considering the RAT restriction information associated with PLMNs, and then decide whether to add the S-NG-RAN node or not depending on whether the access technology of the S-NG-RAN node is restricted or not; in particular, the S-NODE ADDITION REQUEST message sent from the M-NG-RAN node to the S-NG-RAN node may contain the RAT restriction information associated with PLMNs in the Mobility Restriction List IE.
- a wireless device determines whether to initiate an inter-RAT mobility procedure towards a second target access device, upon receiving an inter-RAT mobility triggering message from a first serving access device, wherein determining whether to initiate the inter-RAT mobility procedure comprises the wireless device performing a check to verify whether the radio access technology type associated with the second target access device indicated by the first source access device is, or is not, restricted, based on an access device selection configuration, e.g., the “list of PLMNs with associated RAT restrictions”, maintained by the wireless device.
- the mobility procedure triggered by the first access device towards the second target access device is an inter-PLMN mobility procedure
- the check to be performed by the wireless device consists of checking whether the combination of PLMN-RAT, associated with the second target access device and the PLMN with which it is associated, is, or is not, restricted, based on the access device selection configuration, e.g., “list of PLMNs with associated RAT restrictions”, maintained by the wireless device.
- When the UE needs to access one of the emergency services on the list, it may temporarily override the configuration or policy that restricts it from connecting to older generation access devices and attempt to connect to the nearest available cell that can provide the service, regardless of its technology or legitimacy. The UE may also notify the network or the user of its decision to connect to a potentially unsafe cell, and request confirmation or verification before proceeding with the service. Alternatively, or in addition, the UE may use a different authentication or encryption mechanism when connecting to the older generation access device, to protect its identity and data from possible attacks. This embodiment ensures that the UE can access the emergency services when needed, while minimizing the risk of connecting to fake base stations.
- the UE may be configured with a policy (or UE rules) that determines how it should connect to the network based on the features of the measured signals, the location of the UE, and/or the mobility status of the UE.
- the policy may indicate which cells may be preferred or classified as potential FBS depending on the signal strength, frequency, technology, or other parameters of the received synchronization signals.
- the policy may also take into account the geographical area where the UE is located, and whether the area is expected to have access devices associated with older or newer network generations.
- the policy may consider whether the UE is moving or stationary, and adjust the criteria for selecting or rejecting cells accordingly.
- the policy may be provisioned or configured by the network, or by the user, or by both. Based on this policy, the UE may determine which cell it uses to connect, or whether it needs to perform additional checks or actions, such as reporting suspicious signals to the network or requesting more information from the network.
- the UE may receive updates of the policy or configuration that determines how it should connect to the network based on the features of the measured signals, the location of the UE, and/or the mobility status of the UE.
- the updates may be provided by the network, or by the user, or by both.
- the updates may be triggered by a request from the UE or by an indication from the network or the user.
- the updates may include the entire policy or configuration, or only a part of it.
- Each update may be associated with an expiration date or time, which indicates how long the update is valid.
- the UE may also receive information about whether the expiration date or time of the remaining part of the policy or configuration has changed or not. Based on this information, the UE may replace or merge the updated part with the existing policy or configuration, and apply the updated policy or configuration accordingly.
- This embodiment allows the UE to adapt its connection behaviour to the changing network conditions and user preferences, and to avoid using outdated or irrelevant policy or configuration information.
- the UE may use its location information to determine whether it can trust and use a certain type of access device. For example, the UE may receive or retrieve policies or configurations from a network operator, a service provider, or another trusted source that specify the location of the tracking area, registration area, cell identifier, or other geographic or logical areas associated with different types of access devices or networks, such as 2G, 3G, 4G, or 5G. The UE may store the policies or configurations in its memory or cache them for later use. When the UE is at a given location, it may compare its location information, such as GPS coordinates, with the policies or configurations to determine which types of access devices or networks are available and/or trusted in that location.
- the UE may then use the policies or configurations to perform the comparison and selection of the cells as described above.
- the UE may query the policies or configurations from a network operator, a service provider, or another trusted source based on its location information, and receive a response indicating which types of access devices or networks are available and/or trusted in that location.
- the UE may then use the response to perform the comparison and selection of the cells as described above.
- This embodiment improves the UE's ability to adapt to different network environments and avoid fake or outdated cells based on its location, and enhances the security and reliability of the network connection.
- the UE may receive a configuration or policy from a network operator, a service provider, or another trusted source that specifies a list of identifiers for different types of cells or networks, such as 2G, 3G, 4G, or 5G.
- the identifiers may include cell IDs, tracking areas, registration areas, PLMNs, or other features that can distinguish the cells or networks.
- the configuration or policy may also specify a time pattern or schedule for each identifier, indicating when the identifier should be used by the corresponding cell or network.
- When the UE receives a synchronization signal, system information block or message (in general, a signal) from a cell, it may check the identifier included in the signal and compare it with the configuration or policy to determine whether the identifier matches the expected identifier for the cell type and the current time slot.
- the list of valid identifiers may be linked to a given location, and the UE may obtain it based on its own (known) location, e.g., known via GPS. If the identifier matches, the UE may consider the cell as valid and possibly select it for connection. If the identifier does not match, the UE may consider the cell as fake or outdated and ignore it.
- the UE may query the configuration or policy from a network operator, a service provider, or another trusted source based on the identifier that it receives from a cell, and receive a response indicating whether the identifier is valid or not for the cell type and the current time slot. The UE may then use the response to decide whether to connect to the cell or not.
- This embodiment allows the UE to verify the legitimacy and currency of the cells based on their identifiers and the time pattern, and avoid connecting to fake or outdated cells that may compromise the security and reliability of the network connection.
- a possible embodiment in which a list of Cell identifiers assigned to a UE could be UE-specific may be as follows.
- the UE may generate or obtain a secret key K that is shared with a trusted network entity, such as a home operator or a service provider.
- the key K may be derived from the UE's identity, such as its International Mobile Subscriber Identity (IMSI) or Public Land Mobile Network Identifier (PLMN ID), or obtained through a secure protocol, such as a key agreement or authentication scheme.
- IMSI International Mobile Subscriber Identity
- PLMN ID Public Land Mobile Network Identifier
- the UE may also receive or compute a function F that is known to the network entity and can produce a unique identifier based on the input parameters.
- the function F may be a cryptographic hash function, such as a Hash-based Message Authentication Code (HMAC) or a Secure Hash Algorithm (SHA), or any other function that can generate an output that is hard to predict or invert without knowing the key K.
- HMAC Hash-based Message Authentication Code
- SHA Secure Hash Algorithm
- the UE may store the key K and the function F in its memory or cache them for later use.
- the UE may use the identifier included in the signal as an input for the function F, along with the other parameters, such as the cell type, the current time t, which may be set to a specific resolution (e.g., number of LSBs set to 0) determined by a configuration or policy, and the secret key K.
- the UE may compute F(Identifier, Cell Type, t, K), where Identifier may be the Cell ID, Tracking Area Identifier (TAI), or Network Generation (NG) used by the cell.
- the UE may then compare the output of the function F with the expected identifier for the current time slot, which may be stored in a configuration or a policy provided by the network entity. If the output matches the expected identifier, the UE may consider the cell as valid and possibly select it for connection. If the output does not match, the UE may consider the cell as fake or outdated and ignore it.
- the UE may send a query to the network entity based on the identifier that it receives from a cell, and receive a response indicating whether the identifier is valid or not for the cell type and the current time slot. The UE may then use the response to decide whether to connect to the cell or not.
- This embodiment allows the UE to verify the legitimacy and currency of the cells based on their identifiers and the secret key, and avoid connecting to fake or outdated cells that may compromise the security and reliability of the network connection.
- This embodiment may be combined with other embodiments described herein or used independently, depending on the implementation and the desired functionality.
- the UE may have a secret key K that is derived from its identity or obtained through a secure protocol with the network entity.
- the UE may also receive or compute a function F that is known to the network entity and can produce a unique identifier based on the input parameters.
- the function F may be a cryptographic hash function, such as an HMAC or a hash function such as SHA-2 or SHA-3, or any other function that can generate an output that is hard to predict or invert without knowing the key K.
- the UE may store the key K and the function F in its memory or cache them for later use.
- when the UE receives a signal from a cell, it may use the identifier included in the signal as an input for the function F, along with the other parameters, such as the cell type and the network generation. For example, the UE may compute F(Identifier, Cell Type, NG, K), where Identifier may be the Cell ID, TAI, or NG used by the cell. Additionally, or alternatively, the function F may also take (geo-)location information (e.g., latitude and longitude) as an input parameter, which may also be provisioned/configured at the UE and retrieved based on the identifiers (e.g., cell identity) received from the base station.
- the identifier included in the signal may be an input for the function F, along with the other parameters, such as the cell type and the network generation. For example, the UE may compute F(Identifier, Cell Type, NG, K), where Identifier may be the Cell ID, TAI, or NG used by the cell.
- the UE may then compare the output of the function F with the expected identifier for the cell, which may be stored in a configuration or a policy provided by the network entity. If the output matches the expected identifier, the UE may consider the cell as valid and possibly select it for connection. If the output does not match, the UE may consider the cell as fake or outdated and ignore it. Alternatively, or in addition, the UE may send a query to the network entity based on the identifier that it receives from a cell, and receive a response indicating whether the identifier is valid or not for the cell type and the network generation. The UE may then use the response to decide whether to connect to the cell or not.
- This embodiment allows the UE to verify the legitimacy and validity of the cells based on their identifiers and the secret key, and avoid connecting to fake or outdated cells that may compromise the security and reliability of the network connection.
- This embodiment may be combined with other embodiments described herein or used independently, depending on the implementation and the desired functionality.
- This embodiment can allow making the configurations device specific so that information about the whitelisted cells is not stored on the UEs, but only a function of them. This prevents the cell information (that can be operator sensitive) from leaking.
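The keyed cell check described above, as an added example that is not part of the patent text: F is instantiated as HMAC-SHA256 over (Identifier, Cell Type, t) with the secret key K, t is the current time with its low-order bits cleared to the configured resolution, and the policy provisioned to the UE holds only the expected F outputs rather than the whitelisted cell identifiers themselves. Key, cell identifiers, timestamps and the resolution value are constructed sample data.

```python
import hashlib
import hmac

# Constructed policy parameter: clear this many low-order bits of the Unix
# time so that every observation inside one window maps to the same t.
TIME_RESOLUTION_BITS = 10   # 2^10 s windows


def truncate_time(t: int, bits: int = TIME_RESOLUTION_BITS) -> int:
    """Set the `bits` least significant bits of t to 0 (configured resolution)."""
    return (t >> bits) << bits


def cell_tag(identifier: str, cell_type: str, t: int, key: bytes) -> str:
    """F(Identifier, Cell Type, t, K) instantiated as HMAC-SHA256.

    Each field is length-prefixed so the boundary between identifier and
    cell type is unambiguous: plain concatenation would let two different
    (identifier, cell type) pairs produce identical input bytes.
    """
    msg = b""
    for part in (identifier, cell_type, str(truncate_time(t))):
        data = part.encode("utf-8")
        msg += len(data).to_bytes(2, "big") + data
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_policy(key: bytes, whitelisted: list, t: int) -> set:
    """Network-entity side: expected identifiers for the current time slot.

    Only F(...) outputs are provisioned, so the UE never stores the
    operator's whitelisted cell list itself.
    """
    return {cell_tag(cid, ctype, t, key) for cid, ctype in whitelisted}


def evaluate_cell(policy: set, identifier: str, cell_type: str,
                  t: int, key: bytes) -> str:
    """UE side: recompute F over the received identifier and compare it with
    the provisioned expected values. A cell whose tag is missing is treated
    as fake or outdated (wrong identifier, wrong cell type, wrong key, or a
    time slot for which no expected value was provisioned)."""
    tag = cell_tag(identifier, cell_type, t, key)
    return "valid" if tag in policy else "fake_or_outdated"


if __name__ == "__main__":
    K = b"constructed-sample-key-not-real"      # shared UE/network secret
    now = 1_700_000_000                          # constructed timestamp
    WHITELIST = [("CellID-0x1A2B3C", "5G"), ("TAI-26201-0x1234", "4G")]
    policy = build_policy(K, WHITELIST, now)
    print(evaluate_cell(policy, "CellID-0x1A2B3C", "5G", now + 5, K))
    print(evaluate_cell(policy, "CellID-0x1A2B3C", "2G", now, K))
    print(evaluate_cell(policy, "CellID-0x1A2B3C", "5G", now + 4096, K))
```

With the constructed data above, the first call reports the cell as valid (same time window), while a mismatched cell type or an expired time window reports it as fake or outdated.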
- the AS layer may maintain a provided list of “PLMNs with associated RAT restrictions” for further use, e.g., for cell evaluation for the purpose of cell reselection.
- when the UE receives further RAT utilization control information from a serving PLMN that changes (e.g., by adding, updating, or deleting one or more entries in) the list of “PLMNs with associated RAT restrictions” stored in the UE, e.g., in the UE’s non-volatile memory, the list may be updated on the NAS layer while the AS layer continues to use an outdated list of “PLMNs with associated RAT restrictions”, which may impact a mobility procedure, e.g., the cell reselection procedure. Some of the following embodiments therefore aim to address this issue; to that end:
- the AS layer(s) may request an update to the entry (i.e., RAT restrictions) associated with the serving PLMN (i.e., PLMN currently in use) or the entire list of “PLMNs with associated RAT restrictions” periodically (e.g., following a time period configured and/or provided by the network), or conditionally (e.g., following pre-defined conditions), as configured by the network, following a triggering event which includes, but is not limited to, the following: a change in the highest ranking cell according to cell reselection criteria, or
- the UE may receive from a serving PLMN RAT utilization control information impacting (e.g., by adding, updating, or removing entry(ies) in the list of “PLMNs with associated RAT restrictions”) the list of “PLMNs with associated RAT restrictions” in general, and the entry in the list of “PLMNs associated with RAT restrictions” associated with the current serving PLMN, in particular.
- the UE NAS layer may instruct and/or restrict the AS layer(s) to/from performing cell search/evaluation for the purpose of cell reselection, according to the updated RAT restrictions associated with the current serving PLMN in the list of “PLMNs with associated RAT restrictions”.
- the AS layer(s) may periodically, or conditionally (as described in previous embodiments) request an update for the entry (i.e., RAT restrictions) associated with the current serving PLMN or the entire list of “PLMNs with associated RAT restrictions” thus ensuring only non-restricted AS layer(s) are performing cell search and evaluation for the purpose of cell reselection.
- the request from the AS layer(s) towards the NAS layer associated with maintaining the lists of “PLMNs with associated RAT restrictions” may be a request for an update and/or a request for a synchronization check (i.e., checking whether the list maintained by the AS layer is still valid), to which the NAS layer may provide a response which either acknowledges that the lists are in sync (e.g., if the list maintained by the AS layer(s) is still valid) or provides the updated entry (e.g., associated with the current serving PLMN) or the entire updated list of “PLMNs with associated RAT restrictions” (e.g., if the entry(ies) in the list maintained by the AS layer(s) is/are outdated) to the AS layer(s).
- the request may come from one AS layer (e.g., the E-UTRAN AS layer); depending on the potential changes to the RAT restrictions associated with the current serving PLMN, the response may trigger one or more AS layer(s), depending on which RATs are allowed/restricted.
- a list of “PLMNs with associated RAT restrictions” may be associated with an identifier that allows identifying the PLMN and the version, e.g., the PLMN ID concatenated with a date/time. This unique identifier may be used, e.g., to determine whether the list available in the AS layer is outdated or not.
- a wireless device may comprise multiple radio access technologies (e.g., 2G, 3G, 4G, 5G). Some of these RATs have frozen protocol stacks, so it is not feasible to update the stack such that the list of “PLMNs with associated RAT restrictions” is taken into account directly in the RAT stack, i.e., such that the NAS layer sends it to the corresponding AS layer.
- AS layer may discard the running timer and consider the cell as a viable candidate for cell reselection.
- if the updated entry or list happens to restrict a cell, e.g., the highest ranking cell, that cell is barred or deprioritized as it is now restricted.
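The AS/NAS synchronization described in the preceding embodiments, as an added example that is not part of the patent text: the NAS layer holds the authoritative list of “PLMNs with associated RAT restrictions” versioned by PLMN ID concatenated with a date/time, each RAT-specific AS layer keeps a cached copy, and a synchronization check is answered either with an in-sync acknowledgement or with the updated serving-PLMN entry, after which restricted RATs stop cell search and restricted cells are barred from the reselection ranking. Message field names, PLMN IDs, timestamps and cell measurements are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class RatRestrictionList:
    """A list of "PLMNs with associated RAT restrictions" and its version id."""
    version: str                                  # "<PLMN ID>-<date/time>"
    entries: dict = field(default_factory=dict)   # PLMN ID -> set of restricted RATs


class NasLayer:
    """Holds the authoritative list received from the serving PLMN."""

    def __init__(self, serving_plmn: str, restricted_rats, timestamp: str):
        self.serving_plmn = serving_plmn
        self.master = RatRestrictionList(
            f"{serving_plmn}-{timestamp}", {serving_plmn: set(restricted_rats)})

    def apply_control_info(self, plmn: str, restricted_rats, timestamp: str):
        """New RAT utilization control information from the network updates
        the NAS copy and bumps the version identifier."""
        self.master.entries[plmn] = set(restricted_rats)
        self.master.version = f"{self.serving_plmn}-{timestamp}"

    def handle_sync_check(self, as_version: str) -> dict:
        """Answer an AS-layer synchronization check: acknowledge that the
        lists are in sync, or return the updated serving-PLMN entry."""
        if as_version == self.master.version:
            return {"status": "in_sync"}
        return {"status": "updated", "version": self.master.version,
                "plmn": self.serving_plmn,
                "restricted": set(self.master.entries[self.serving_plmn])}


class AsLayer:
    """One RAT-specific AS layer with a cached copy of the list."""

    def __init__(self, rat: str, nas: NasLayer):
        self.rat = rat
        self.nas = nas
        # Initial snapshot taken at start-up; may go stale afterwards.
        self.cache = RatRestrictionList(
            nas.master.version,
            {p: set(r) for p, r in nas.master.entries.items()})

    def sync(self) -> str:
        """Periodic or event-triggered request towards the NAS layer."""
        resp = self.nas.handle_sync_check(self.cache.version)
        if resp["status"] == "updated":
            self.cache.version = resp["version"]
            self.cache.entries[resp["plmn"]] = resp["restricted"]
        return resp["status"]

    def may_search(self, plmn: str) -> bool:
        """Whether this AS layer may perform cell search/evaluation for plmn."""
        return self.rat not in self.cache.entries.get(plmn, set())

    def reselection_candidates(self, plmn: str, cells) -> list:
        """Rank measured cells (cell_id, rat, rsrp_dbm) by RSRP, barring
        any cell whose RAT is restricted for plmn in the cached list."""
        restricted = self.cache.entries.get(plmn, set())
        allowed = [c for c in cells if c[1] not in restricted]
        return [cid for cid, _, _ in sorted(allowed, key=lambda c: c[2],
                                            reverse=True)]


if __name__ == "__main__":
    nas = NasLayer("26201", {"2G", "3G"}, "20250404T1200")   # constructed
    lte = AsLayer("4G", nas)
    print(lte.sync(), lte.may_search("26201"))               # in_sync True
    nas.apply_control_info("26201", {"2G", "3G", "4G"}, "20250404T1300")
    print(lte.may_search("26201"))                            # True (stale)
    print(lte.sync(), lte.may_search("26201"))               # updated False
```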
- the selecting of the selected one or more access devices may comprise one or more of: the UE obtaining a second list comprising radio access technology utilisation control information from the one or more access device selection configurations received in the NAS layer; the UE determining a first list of configured Public Land Mobile Networks (PLMNs) / Radio Access Technology (RAT) with priority order stored in a Subscriber Identity Module such as a USIM or in a Mobile Equipment (ME) of the UE; and the UE using the first list and the second list when performing or initiating PLMN and/or cell (re-)selection.
- the NAS layer sending the most recently received second list to the AS layer upon the occurrence of an event; wherein the event may be determined based on a configuration.
- the UE may receive system information blocks (SIBs) from one or more access devices that include information identifying neighboring cells.
- the UE may cross-reference and check the SIBs from the different access devices to determine whether a synchronization signal is being broadcast from a legitimate or a fake BS, and similarly for the network status. For example, the UE may compare the cell identity, frequency, technology, or location of the neighboring cells reported by the SIBs, and identify any discrepancies or inconsistencies that indicate a possible fake or outdated cell.
- the UE may also compare the network status, such as the network generation, configuration, or capabilities, of the neighboring cells reported by the SIBs, and identify any mismatches or anomalies that indicate a possible fake or outdated cell. Based on this comparison, the UE may select the cell that has the most consistent and reliable SIBs, and avoid the cells that are identified as conflicting or suspicious in the received SIBs. This embodiment improves the UE's ability to detect and avoid fake or outdated cells, and enhances the security and reliability of the network connection.
- the UE may verify the received information from the access devices before using it to check the network status and the BS legitimacy.
- the information may be protected with a digital signature that is issued by a trusted authority, such as a network operator or a certificate provider.
- the UE may validate the digital signature of the information using a public key or a certificate that is stored in the UE or obtained from a trusted source. If the digital signature is valid, the UE may use the information to perform the comparison and selection of the cells as described above. If the digital signature is invalid or absent, the UE may discard the information or use other criteria to evaluate its reliability.
- non-3GPP access technologies may also be decommissioned.
- a given wireless access technology may deliver a lower performance/security level, and it may be decommissioned.
- embodiments described in this invention may also be applicable to a UE when using a non-3GPP access technology.
- Table 5.4.3.2-1 in TS 29.571 lists different types of 3GPP and non-3GPP RATs. Some RATs may be associated with a given network generation. In some cases, some RAT types may be decommissioned for a given network generation, while other RAT types may still be available. Thus, in an embodiment of the invention that may be used independently or combined with other embodiments, the access device selection configuration and/or policy may include details about the RAT types that are decommissioned/whitelisted/blacklisted.
- Wi-Fi is a wireless technology that allows devices to connect to the Internet or to each other without using cables. Wi-Fi is based on radio waves that are transmitted and received by a device called a wireless access point (AP).
- the AP acts as a hub that connects Wi-Fi enabled devices, such as laptops, smartphones, tablets, smart TVs, etc., to a wired network, such as a local area network (LAN) or the Internet.
- Wi-Fi is a trademark of the Wi-Fi Alliance, an industry association that certifies products that comply with the IEEE 802.11 standards for wireless local area networks (WLANs). These standards define the physical and data link layers of the communication protocol, such as the frequency bands, modulation schemes, encryption methods, authentication mechanisms, and data rates used by Wi-Fi devices.
- The most common Wi-Fi standards are based on IEEE 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac, and 802.11ax, which operate in different frequency bands (2.4 GHz, 5 GHz, or both) and offer different levels of performance and compatibility.
- a device needs to have a wireless network interface card (NIC) that can send and receive radio signals.
- the NIC scans the available wireless channels and detects the presence of nearby APs.
- the device selects an AP to connect to, based on factors such as signal strength, security settings, and network name (SSID).
- the device and the AP exchange information, such as the MAC address, IP address, encryption key, and password, to establish a connection. This process is called association.
- the device can communicate with the AP and other devices on the same network, or access the Internet through the AP.
- IEEE 802.11n: Wi-Fi 4
- IEEE 802.11ac: Wi-Fi 5
- IEEE 802.11ax: Wi-Fi 6
- IEEE 802.11ah introduced target wake time (TWT) to support low-power IoT applications by allowing STAs to go to sleep when not in a wake period, after negotiation with the AP.
- IEEE 802.11be (Wi-Fi 7) aims at improving throughput and latency, operating in unlicensed bands between 1 GHz and 7.125 GHz.
- Some of the core ideas presented in this invention may be applicable to a wide range of wireless technologies used in wide or local area networks and using different types of radio access technologies, in particular, the ideas may apply to cellular technologies. Even if some embodiments have been described in terms of certain technologies, e.g., 5G, 4G or WiFi, they may also be applicable to other wireless technologies.
- a cellular system is a wireless communication system that consists of three main components: user equipment (UE), radio access network (RAN), and core network (CN). These components work together to provide voice and data services to mobile users over a large geographic area.
- a processor which controls the operation of the UE and executes the applications and services that the user requests.
- the processor also communicates with the RAN and the CN using various protocols.
- a microphone and a speaker which enable the user to make and receive voice calls, as well as use other audio features, such as voice mail, voice recognition, etc.
- a memory which stores the data and programs that the user needs, such as the phone book, the messages, the photos, the videos, the applications, etc.
- a UE may receive / transmit / trigger a configuration by means of different procedures:
- RRC Command contains various messages that modify/configure RRC parameters and/or initiate, modify, or release the RRC connection or the radio bearers between the UE and the BS, such as the RRC connection setup, the RRC connection reconfiguration, the RRC connection release, the security mode command, the mobility from E-UTRA command, the handover from E-UTRA preparation request, etc.
- the UE needs to respond to the RRC Command according to the RRC protocol and the configuration provided by the BS.
- Non-access stratum (NAS) messages are used for signalling between the UE and the core network (CN) on the non-access stratum (NAS) layer.
- NAS messages enable functionality such as registration, session establishment, security, and mobility management.
- the UE needs to respond to the NAS Command according to the NAS protocol and the configuration provided by the CN.
- UE parameter update is a procedure between the UE and the home network that enables the home network to update configuration parameters in mobile phones and/or the USIM using the UDM control plane procedure (TS 23.502).
- the UE can receive Parameters Update Data from the UDM after the UE has registered in the 5G network.
- SoR: Steering of Roaming (see 3GPP TS 23.501 Release 15 and 3GPP TS 24.501 Release 15).
- the 5G CP-SOR is activated during or after registration to update the UE's "Operator Controlled PLMN Selector with Access Technology" list via secure NAS messages, as directed by the home PLMN based on specific operator policies, such as preferred networks or UE location.
- Radio access network is the part of the cellular system that connects the UEs to the CN via the air interface.
- the RAN consists of base stations (BSs).
- a base station (BS) is a fixed or mobile transceiver that covers a certain geographic area, called a cell.
- a BS is also called a gNB (next generation node B).
- a BS can serve multiple UEs simultaneously within its cell, by using different frequencies, time slots, codes, or beams.
- a BS also performs functions such as power control, handover control, channel allocation, interference management, etc.
- a base station can be divided into two units: a central unit (CU) and a distributed unit (DU).
- the CU performs the higher layer functions, such as RLC, PDCP, RRC, etc.
- the DU performs the lower layer functions, such as PHY and MAC.
- the CU and the DU can be co-located or separated, depending on the network architecture and deployment.
- a base station may be denoted, based on context, as a cell, or gNB.
- the physical layer which defines the characteristics of the air interface, such as the frequency bands, the modulation schemes, the coding rates, the frame structure, the synchronization, etc.
- Data may be encoded by the UE and/or BS to obtain data symbols and/or control symbols that may be exchanged over the wireless interface.
- the conversion from digital data into analog symbols may be done by the transmission / reception communication unit.
- the user plane consists of two main functions: the user plane function (UPF) and the data network (DN).
- the user plane function (UPF) is a device that forwards the data packets between the UEs and the DNs, as well as performs functions such as tunnelling, firewall, QoS, charging, etc.
- the data network (DN) is a network that provides access to the services and applications that the UEs request, such as the Internet, the IMS, etc.
- the long-term subscriber identifier known as the Subscriber Permanent Identifier (SUPI) may not be exchanged in the clear; instead, either a Subscription Concealed Identifier (SUCI) or a pseudonym known as the GUTI is exchanged with the AMF of the serving PLMN.
- the AMF of the PLMN may then forward the SUCI to the home PLMN so that the home PLMN decrypts/verifies it.
- the described operations like those indicated in the above embodiments may be implemented as program code means of a computer program and/or as dedicated hardware of the related network device or function, respectively.
- the computer program may be stored and/or distributed on a suitable medium, such as an optical storage medium or a solid-state medium, supplied together with or as part of other hardware, but may also be distributed in other forms, such as via the Internet or other wired or wireless telecommunication systems.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention relates to an apparatus and a method for selecting an access device, comprising: receiving, by a UE, an access device selection configuration or policy; storing, by the UE, the access device selection configuration or policy; and selecting, by the UE, an access device and/or performing a handover procedure on the basis of the access device selection configuration or policy.
Applications Claiming Priority (12)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| EP24168843.1 | 2024-04-05 | ||
| EP24168843 | 2024-04-05 | ||
| EP24174681 | 2024-05-07 | ||
| EP24174681.7 | 2024-05-07 | ||
| EP24187865 | 2024-07-10 | ||
| EP24187865.1 | 2024-07-10 | ||
| EP24195973 | 2024-08-22 | ||
| EP24195973.3 | 2024-08-22 | ||
| EP24210422 | 2024-11-01 | ||
| EP24210422.2 | 2024-11-01 | ||
| EP25158889 | 2025-02-19 | ||
| EP25158889.3 | 2025-02-19 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025210200A1 true WO2025210200A1 (fr) | 2025-10-09 |
Family
ID=95252072
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/EP2025/059203 Pending WO2025210200A1 (fr) | 2024-04-05 | 2025-04-04 | Mitigation of decommissioned-network bidding-down attacks in a wireless system |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2025210200A1 (fr) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107071775A (zh) * | 2017-05-15 | 2017-08-18 | 奇酷互联网络科技(深圳)有限公司 | Mobile terminal and method and apparatus for redirecting access to a base station |
| WO2019047170A1 (fr) * | 2017-09-08 | 2019-03-14 | 华为技术有限公司 | Method and terminal for identifying a pseudo base station |
| WO2020037665A1 (fr) * | 2018-08-24 | 2020-02-27 | Qualcomm Incorporated | Techniques for use in identifying a base station as an untrusted resource |
| EP3866501A1 (fr) * | 2018-10-31 | 2021-08-18 | Shenzhen Heytap Technology Co., Ltd. | Method and device for managing pseudo base stations, mobile terminal, and storage medium |
2025
- 2025-04-04 WO PCT/EP2025/059203 patent/WO2025210200A1/fr active Pending
Non-Patent Citations (1)
| Title |
|---|
| KARAKOC BEDRAN ET AL: "Never Let Me Down Again: Bidding-Down Attacks and Mitigations in 5G and 4G", 28 June 2023 (2023-06-28), pages 1 - 12, XP093263917, Retrieved from the Internet <URL:https://dl.acm.org/doi/pdf/10.1145/3558482.3581774> * |
Similar Documents
| Publication | Title |
|---|---|
| CN110301154B (zh) | Method and apparatus for implementing optimized user plane anchoring |
| US10945201B2 (en) | Method for selecting PLMN of terminal in wireless communication system and apparatus for same |
| KR101946868B1 (ko) | Method and apparatus for authentication of a mobile entity for white space operation |
| KR101488149B1 (ko) | Method and apparatus for managing local internet protocol offload |
| JP2022554017A (ja) | WTRU-network relay |
| US10772038B2 (en) | Method whereby terminal selects PLMN in wireless communication system, and device for same |
| US20220312435A1 (en) | Prioritization of uplink and sidelink transmissions |
| KR102804333B1 (ko) | Deterministic PLMN selection during disaster roaming |
| US20180092016A1 (en) | Method for selecting plmn of terminal in wireless communication system and apparatus therefor |
| CN112956226B (zh) | Isolating false base stations in a communication system |
| US20180007622A1 (en) | Method whereby terminal selects plmn in wireless communication system, and device for same |
| WO2017001452A1 (fr) | Apparatus and method for requesting/providing capability information for specific networks |
| KR102484072B1 (ko) | Wireless communication method, terminal device and chip |
| US20220225283A1 (en) | Systems and methods for enhancement on sidelink power control |
| WO2025210200A1 (fr) | Mitigation of decommissioned-network bidding-down attacks in a wireless system |
| US12063512B2 (en) | Systems and methods for securing wireless communication with device pinning |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 25716437; Country of ref document: EP; Kind code of ref document: A1 |