WO2025210200A1 - Mitigating decommissioned-network bidding-down attacks in a wireless system - Google Patents

Mitigating decommissioned-network bidding-down attacks in a wireless system

Info

Publication number
WO2025210200A1
Authority
WO
WIPO (PCT)
Prior art keywords
access device
network
policy
access
selection configuration
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/EP2025/059203
Other languages
French (fr)
Inventor
Noureddine SABAH
Oscar Garcia Morchon
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Koninklijke Philips NV
Original Assignee
Koninklijke Philips NV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips NV
Publication of WO2025210200A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/02 Access restriction performed under specific conditions

Definitions

  • This invention and its embodiments relate to methods, apparatuses, and systems for operating a wireless device such as a user equipment to improve network security and/or improve the way wireless devices select an access device and connect to different radio access technologies and networks.
  • a wireless device such as a user equipment
  • the methods and devices detailed in this document are used to improve the network security in the context of coexistence of different network generations or technologies, for example to mitigate decommissioned-network bidding-down attacks in a wireless system such as a cellular system, a WiFi network or the like.
  • a primary station serves a plurality of secondary stations located within a cell served by this primary station. Wireless communication from the primary station towards each secondary station is done on downlink channels. Conversely, wireless communication from each secondary station towards the primary station is done on uplink channels.
  • the wireless communication can include data traffic (sometimes referred to as User Data), and control information (also sometimes referred to as signalling). This control information typically comprises information to assist the primary station and/or the secondary station to exchange data traffic (e.g. resource allocation/requests, physical transmission parameters, information on the state of the respective stations).
  • the primary station is referred to as a base station, or a gNodeB (or gNB) in 5G (NR) or an eNodeB (or eNB) in 4G (LTE).
  • the eNB/gNB is part of the Radio Access Network RAN, which interfaces to functions in the Core Network (CN).
  • the secondary station corresponds to a mobile station, or a User Equipment (or a UE) in 4G/5G, which is a wireless client device or a specific role played by such device.
  • the term “node” is also used to denote either a UE or a gNB/eNB.
  • This relay node is a wireless communication station that includes functionalities for relaying communication between a primary station, e.g. a gNB and a secondary station, e.g. a UE.
  • This relay function allows, for example, extending the coverage of a cell to an out-of-coverage (OoC) secondary station.
  • This relay node may be a mobile station or could be a different type of device.
  • the Proximity Services (ProSe) functions are defined inter alia in TS 23.303 and TS 24.334 to enable, amongst others, connectivity for the cellular User Equipment (UE) that is temporarily not in coverage of the cellular network base station (eNB) serving the cell.
  • UE User Equipment
  • eNB cellular network base station
  • This particular function is called ProSe UE-to-network relay, or Relay UE for short.
  • the Relay UE relays application and network traffic in two directions between the OoC UE and the eNB.
  • the relay node relays the communications between UE devices.
  • UEs may connect to the core network through a base station when in-coverage.
  • the relay devices may receive and store some information for some time before forwarding it towards the target device.
  • This information that may be stored and forwarded may be discovery messages received from a source UE whereby the relay UE may release them at some point of time later.
  • This information that may be stored and forwarded may be a SIB that may contain a timestamp.
  • cellular networks are evolving to enable more mobile access devices such as satellites, unmanned aerial vehicles, buses or trains that are capable of storing data for some time before forwarding it further.
  • An example relates to a satellite that receives and stores certain data when it is close to a terrestrial gateway and only releases it when the receiving party becomes in coverage.
  • Such mobile access devices may work in a transparent manner or in a regenerative manner. In a transparent mode, the mobile access device acts as a reflector/smart repeater that retransmits the communication sent by, e.g., a gateway, e.g., a Non-Terrestrial Network gateway, towards a UE.
  • a gateway e.g., a Non-Terrestrial Network gateway
  • the mobile access device works as a base station and is able to set up a connection with a UE.
  • the mobile access device may be able to cache some data obtained from the UE or NTN gateway, and transmit it when it is within communication range of the receiver.
  • Wireless telecommunication network systems have undergone tremendous evolution over the years to meet consumers' increasing demands for high-speed, low-latency, secure, and reliable wireless connectivity.
  • 1G first-generation
  • 5G fifth generation
  • technologies are being rapidly deployed worldwide, offering unprecedented levels of data speed, network capacity, and low-latency connectivity to support a range of emerging applications and services, such as IoT, autonomous vehicles, virtual and augmented reality, and industrial automation.
  • different types of radio access network technologies are being supported, including terrestrial and nonterrestrial networks. The goal of these advancements is simple: to provide consumers with seamless, ubiquitous, and secure wireless connectivity that meets the ever-growing demands of modern digital life.
  • In their attempt to compromise subscribers’ UEs, malicious actors could leverage existing procedures to trick UEs into connecting to Fake Base Stations (FBS) running older generation networks (e.g., 2G/3G), thus intentionally exposing the UEs to the many known attacks pertaining to these older generation networks (e.g., 2G/3G).
  • FBS Fake Base Stations
  • UEs may not always be able to use all networks or radio access technologies, e.g., because some networks or radio access technologies may not be available, or they may be restricted by the network (e.g., as a form of access technology utilization control in e.g., national roaming scenarios).
  • An aim of the invention is to address the above problems by providing solutions mitigating decommissioned-networks bidding-down attacks and/or by providing means to improve how a UE can select a network or a radio access technology and/or perform a mobility procedure between networks and/or radio access technologies.
  • a receiver adapted to receive an access device selection configuration or policy
  • a controller adapted to select an access device and/or perform a handover procedure based on the access device selection configuration or policy.
  • a method for access device selection assistance comprising:
  • an apparatus for access device selection assistance comprising: - a receiver adapted to receive a request for an access device selection configuration or policy from a first device,
  • a controller adapted to determine whether the access device selection configuration or policy is available locally, and if not, request and receive the access device selection configuration or policy and/or selection configuration from a core network
  • a transmitter adapted to send the access device selection configuration or policy to the first device.
  • informing the second access device, by the first access device, about the access device selection configuration and/or policy of the first device is performed in:
  • an apparatus for access device selection assistance comprising a controller adapted
  • in a seventh aspect of the invention, a computer program for selecting an access device is proposed, wherein the program comprises instructions implementing the apparatus of the second and fourth aspects of the invention.
  • the access device selection configuration or policy includes at least one of: - a whitelist of one or more access devices or one or more groups of access devices,
  • the method comprises receiving, by the UE, the access device selection configuration or policy in a registration accept message, such that the restriction may be based on one of, or a multitude of information elements, which include: a list of at least one decommissioned PLMN; and/or a list of at least one decommissioned cell identifier; and/or a list of at least one RAN area code; and/or a list of location information (e.g., tracking area codes) corresponding to at least one (de)commissioned older generation network access device or access device type.
  • when the access device selection configuration or policy is received by a UE in a message such as a NAS reject message and the message is not integrity protected, the UE discards the message including the access device selection configuration or policy therein according to a rejection policy.
  • the access device selection configuration or policy is signed by an entity managing the access device selection configuration or policy
  • the method comprises the UE verifying the access device selection configuration or policy based on the public key of the entity managing the access device selection configuration or policy.
  • the access device selection configuration or policy is updated periodically, or on-demand, and/or in a conditional manner.
  • the access device selection configuration or policy contains a whitelist and/or a blacklist of access devices or groups of access devices and wherein the whitelist and/or blacklist are determined and provisioned to the UE based on the historical mobility pattern or real-time location and/or movement trajectory of the UE.
  • the method comprises predicting, by a UE, the tracking areas/cells towards which the UE is moving to, and based on whether: a) the UE is configured with whitelists corresponding to the predicted tracking areas/cells; and/or b) the status of the older generation network access devices within the predicted tracking areas/cells has changed (i.e., configured whitelists at the UE became outdated); wherein the whitelists configured at the UE, corresponding to the older generation network access devices within the predicted tracking areas/cells are updated accordingly.
  • the access device selection configuration or policy is updated on-demand or in a conditional manner and wherein the method further comprises: determining, by the network, the configuration for the UE; predicting, by the network, the tracking areas/cells towards which the UE is moving, based on historical mobility data, and/or real-time location information, and/or movement direction/trajectory information, and/or velocity; and determining, by the network, whether the whitelists configured at the user equipment need to be updated, wherein the whitelists correspond to the older generation network access devices within the predicted tracking areas/cells.
  • the method further comprises the steps of:
  • the method for network (re-)selection with network assistance further comprises: receiving, by the UE, signals from different network access devices which may correspond to different network generations; and compiling, by the UE, measurement reports corresponding to signals received from the different network access devices and ordering said measurement reports based on its selection criteria; selecting, by the UE, the most recent network generation access device available to access the network and performing the initial access procedure; communicating, by the UE, the ordered list of measurement reports to the network in a request message, e.g., the registration/attach request; receiving, by the UE, in a response message, e.g., the registration response message, the ordered list of network access devices prioritized according to the network, and indicating the status of each network access device, and based on said ordered list, performing, by the UE, cell (re-)selection or network access through the pre-selected access device.
  • the method further comprises the steps of:
  • the method comprises requesting, by the UE, in case of an inconclusive selection of an access device, network assistance to determine the access device legitimacy.
  • the method is such that:
  • the pilot signal is a synchronization signal of the device, and/or
  • pilot signal features include the signal strength, and/or
  • the access device selection configuration or policy is determined, and adapted or updated by an AI model, and/or
  • the access device selection configuration or policy is a threshold value or range of a configured similarity measurement.
  • the method comprises requesting, by a UE lacking the status of one or more older generation networks, network assistance to determine the network status of one, or multiple older generation networks during the random-access including an indication of the cell or cell generation to check.
  • the method comprises receiving, by the user equipment, a response with an access device selection configuration and/or policy that may include: a bitstring whose length corresponds to the number (N) of cell IDs indicated by the user equipment, and whose bits correspond respectively to the legitimacy evaluation results of said cell IDs; and/or the cell IDs, or an indication thereof, of the cells whose legitimacy verification failed.
  • the configuration or policy comprises one or more of:
      - a cryptographic function,
      - a secret key,
      - input parameters to the cryptographic function comprising at least one of:
          o an input identifier (e.g., cell ID, tracking area ID);
          o Cell/RAT type;
          o Network generation;
          o Cell location information (e.g., longitude and latitude);
          o Current time (e.g., UTC time) and/or time resolution;
      - expected output values of the cryptographic function,
    and the step of selecting, by the UE, an access device based on the access device selection configuration and/or policy comprises: receiving or obtaining input parameters; computing an output value by using the cryptographic function taking as input the received or obtained input parameters and the secret key; and performing one of:
          o comparing the computed output value to an expected output value saved at the device as part of the configuration; or
          o querying the network using the computed output value to determine the network access device validity and legitimacy.
  • the method comprises allowing selecting, by the UE, a blacklisted access device based on the access device selection configuration and/or policy when the UE requires emergency services.
  • Figure 2 illustrates signal strength levels associated with different base stations, as monitored by a User Equipment
  • Figure 3 describes an exemplary procedure to request the network to verify and assist a User Equipment in access device selection.
  • Figure 4 schematically represents cells corresponding to different network generations and the mobility patterns of a set of UEs across these cells.
  • Embodiments of the present invention are now described based on a cellular communication network environment based on cellular communication technologies, such as 2G, 3G, 4G, 5G or 6G.
  • the present invention and its embodiments may also be used in connection with other wireless technologies, and in particular to the connection setup of devices trying to access a wireless network.
  • A typical example is a cellular network, for example a 5G network, possibly including some relay nodes.
  • These relay nodes may be implemented by UEs, such as Sidelink compatible UEs which can operate as relay nodes, or by other types of repeaters.
  • the CN is the communication network’s core part, which offers numerous services to customers who are interconnected via the RAN. More specifically, it directs communication streams over the communication network and possibly other networks.
  • the goal of these advancements is simple: to provide consumers with seamless, ubiquitous, and secure wireless connectivity that meets the ever-growing demands of modern digital life.
  • MNOs Mobile Network Operators
  • This phasing out, or decommissioning, of older generation networks happens gradually, and may be subject to several criteria e.g., demand, availability and coverage of newer generation RANs, population distribution, etc.
  • MNOs have announced the decommissioning of their 2G or 3G networks in favor of 4G/5G networks and given the weaker protection in these (older) generations (e.g., 2G/3G), this initiative could have a significant impact on the security of subscribers’ User Equipments (UE), as newer generation networks feature, among other functionalities, security enhancements as well.
  • UE User Equipments
  • the invention described herein aims at addressing the security threats associated with decommissioned older generation networks and provide future proof methods and solutions to mitigate and prevent bidding down attacks in that context.
  • older generation networks e.g., 2G/3G
  • 2G/3G may be decommissioned, or generally restricted (e.g., in a particular area or across a network)
  • the UE may fall victim to a bidding down attack launched by a malicious actor, or failure cases that could have otherwise been avoided by checking restrictions.
  • the UE does not currently have any filtering criteria and/or means to determine whether an older network generation (e.g., 2G/3G) is decommissioned and is, therefore, not to be considered when performing the BS selection.
  • the lack of said means enables malicious actors to set up Fake Base Stations (FBS) and launch bidding-down attacks to lure UEs into selecting the FBS to connect through. It is therefore the object of the following embodiments to alleviate the threat of bidding-down attacks in the context of decommissioned older generation networks.
  • a UE may be provisioned/configured by the network with a list of whitelisted cells and/or tracking areas (TAs), and/or Registration Areas (RAs) in which access through older generation networks is still permitted, while the default behaviour the UE may be configured to exhibit when camping/roaming in non-whitelisted cells and/or tracking areas and/or registration areas is to ignore older generation networks given their decommissioning. For instance, in a Registration area where all cells are allowed to operate older generation base stations, the UE may be configured to have the entire registration area whitelisted.
  • TAs whitelisted cells and/or tracking areas
  • RAs Registration Areas
  • the UE may be configured to only allow older generation base station selection in these whitelisted TAs.
  • the UE may be configured with a list, in which only particular cells within a TA (or list of TAs) are whitelisted.
  • the UE may be provisioned/configured with nested lists, wherein the nested lists, if any, contain only the TAs/Cells which are to be whitelisted.
  • the UE may be provisioned/configured with the exemplary list below, wherein Registration Area 3 is entirely whitelisted (i.e., all Tracking Areas and cells within are whitelisted), whereas in Registration Area 1, only Tracking Area 4 (i.e., all cells within) and Cells X and Y of Tracking Area 2 are whitelisted.
  • the top-left drawing illustrates a network-wide (e.g., across a country) categorization of Registration Areas (RAs) and the Cells to be whitelisted therein.
  • the top-right and bottom drawings correspond to a heatmap illustrating the areas in which UEs (i.e., UE1, UE2, and UE3) are most active, based on the analytics of their historical mobility data.
  • the network e.g., AMF
  • the network may provision/configure the UE with the whitelisted RAs and TAs/Cells within corresponding to all the RAs. For instance, UE2 seems to be more active in RA3 and RA4, the network may thus choose to provision/configure it with whitelists corresponding only to these two RAs.
  • a Network Function (NF) or the Operation, Administration and Maintenance (OAM) system may be responsible for the cell categorization based on the criteria described above. For example, a NF or the OAM may assign each cell a priority level and a whitelist flag indicating whether the cell is whitelisted or not.
  • Another NF may be responsible for the management of the UE Mobility Pattern, which may include collecting, storing, analyzing, and updating the historical and statistical data of the UE mobility. For example, this NF may be the AMF or a separate entity that interacts with the AMF.
  • the network may, based on a set of criteria (e.g., UE historical mobility data, real-time location information, movement direction, velocity, RAT types providing coverage, and/or a change of RAT status (e.g., from operational to decommissioned), etc.), predict the RA/TAs/Cells the UE may be moving towards and determine the status of RATs within these areas. In case the UE is not configured with the whitelists corresponding to these RAs/TAs/Cells, or if the whitelists are outdated, the network may trigger an update of the lists configured at the UE.
  • the network may send a reject message which may have an indication of the failure cause, and/or a back-off timer to retry once the UE is closer to the TAs/Cells in question (e.g., if failure was due to being at a distance greater than the network defined one).
  • the network may do the opposite; that is, the network may provision the UE with the whitelists corresponding to the areas which the UE may be (or likely to be) the least active in.
  • This has the advantage of reducing potential signalling required to perform updates to the whitelists e.g., as the network detects and/or predicts that the UE is moving into an area that the UE is not configured with whitelists for.
  • the UE may not be able to make the distinction between Non-whitelisted areas (e.g., RAs/TAs/Cells), and areas that were not considered by the network (e.g., during UE configuration) in the whitelisting process.
  • areas e.g., RAs/TAs/Cell
  • Non-whitelisted areas e.g., RAs/TAs/Cells
  • the UE may by default consider that a RA3 (and the TAs/Cell therein) is not whitelisted, when it may, in fact, be partially (e.g., certain TAs and/or Cells) or fully whitelisted. This may occur for instance if the UE’s configured list of whitelisted areas is not updated, and the UE has moved to an area that is not covered by its configuration.
  • the UE may be configured to only consider the status of whitelisted RAs (and TAs/Cells therein) that it is configured with; that is, for Registration Areas which contain whitelisted TAs (or Cells), the default behavior of the UE with regards to other non-whitelisted TAs or Cells therein is to ignore/discard synchronization signals from older network generations in them, whereas for RAs that are not part of the list, the UE may be configured to perform/trigger a whitelist update procedure to include the new RA (and TAs/Cells therein) it is roaming in or moving towards.
  • the network may provision/configure the UE with whitelist(s) that are associated with an expiration time, after which the UE is required to renew the whitelists. For example, the network may send a message to the UE containing one or more whitelists and a validity period (e.g., in seconds, minutes, hours, days, etc.) for each whitelist.
  • the UE may store the whitelists and the validity period in its memory and use them to determine whether to ignore/discard synchronization signals from older generation networks in the corresponding areas. However, if the validity period of a whitelist expires, the UE may not use that whitelist anymore and may request the network to update it.
  • the UE may periodically request the network to update the whitelists regardless of their validity period, or the network may proactively update the whitelists without waiting for the UE's request.
  • the network may also provision/configure the UE with information about the operational schedule of (older generation) cells (e.g., 2G/3G) that are not permanently decommissioned but may operate only at certain times or days. For example, some cells may be turned off during nighttime or weekends to save energy or reduce interference, while others may be activated only when there is high demand or emergency situations.
  • the UE may receive from the network a message containing one or more whitelists that include not only the identities and locations of older generation cells, but also their operational schedule (e.g., start and end time, frequency, duration, etc.).
  • the UE may store this information in its memory and use it to determine whether to ignore/discard synchronization signals from older generation networks in the corresponding areas and times. For instance, if the UE receives a synchronization signal from an older generation cell that is supposed to be inactive according to its operational schedule, the UE may suspect that the signal is coming from a fake base station and may avoid camping on or connecting to it. Alternatively, the UE may request the network to verify the legitimacy of the older generation cell before camping on or connecting to it. This may prevent the UE from being lured by an attacker exploiting the temporal gaps in the older generation network coverage.
  • the AMF may indicate to the UE whether a network-generation (e.g., 2G) is Allowed or Not-Allowed (e.g., determined by TA Identity, or geolocation information, etc., or a combination as described in the following embodiments) through Service Area Restriction Information, where restriction of services may be limited to a network generation (or a set of network generations), which may be indicated by a network generation (or set of network generations) indication (e.g., radio access technology type (RAT)) added to the Service Area Restriction Information.
  • a network-generation e.g., 2G
  • Not-Allowed e.g., determined by TA Identity, or geolocation information, etc or a combination as described in the following embodiments
  • Service Area Restriction Information e.g., a network generation (or a set of network generations) indication (e.g., radio access technology type (RAT)) added to the Service Area Restriction Information.
  • RAT radio access technology type
  • the network may selectively restrict access through older network generations to a set of UEs, while it allows access through the same network generations to other UEs (e.g., police, firefighters, etc), as such the restriction profile for (older) network generations may also be part of UE’s subscription in the UDM.
  • UEs e.g., police, firefighters, etc
  • the list of decommissioned PLMNs may be communicated to the UE upon a successful registration (e.g., in the Registration Accept message), although the list of PLMNs may not be sufficient as restriction may be location dependent (i.e., the same PLMN may allow access through an older generation network BS (e.g., RAT type) in one TA, but not in another), hence, the decommissioned PLMNs communicated to the UE in the registration access message may need to be enriched with location information (e.g., Tracking Area Code (TAC), or other geolocation information e.g., longitude/latitude), or specific cell identifiers, or RAN area code, or specific network generation.
  • location information e.g., Tracking Area Code (TAC)
  • TAC Tracking Area Code
  • specific cell identifiers e.g., longitude/latitude
  • RAN area code e.g., RAN area code
  • AMF may also provide UE with PLMN-IdentityInfoList, as defined in TS 38.331, corresponding to the whitelisted (Allowed) and/or blacklisted (Non-Allowed) PLMNs upon successful registration. Additionally, the list of decommissioned PLMNs enriched with location information, specific cell identifiers, RAN area codes, or specific network generation information may also be communicated to the UE in a registration reject message.
  • the UE may receive a confirmation or reject message. In particular, it may receive a reject message when the RAT is not supported.
  • this also poses a security risk if an attacker fakes (unprotected) reject messages.
  • the UE when the UE receives a policy or configuration (or the radio access technology (RAT) restriction information) determining the whitelisted (nonrestricted) and/or blacklisted (restricted) access technologies in a reject message (e.g., attach/registration reject message), the UE processes the message and retrieves the RAT restriction information depending on whether the reject message is (or is not) integrity protected. For instance, if the reject message contains a cause value indicating (1) that no suitable cells/access technology is available and/or (2) a list of access technology restriction information, and the message is not integrity protected, then the UE shall discard the received reject message.
  • RAT radio access technology
  • the configuration/policy determining which (legacy) access devices are allowed or disallowed may be exchanged between UEs, e.g., via SCI.
  • the network configuration associated with the older generation network access devices, or radio access technologies (RATs) i.e., which are allowed/not-allowed or whitelisted/blacklisted
  • RATs radio access technologies
  • the network configuration may be signed by the Home Network (HN), and the message (e.g., SCI) may also include a HN key identifier, allowing the receiving UE to verify the received network configuration.
  • restrictions to access cellular networks through any older generation network access device(s) while the UE is roaming may be configured by default, where access may only be permitted through selected operators and/or countries.
  • the network may only whitelist specific MNC and/or MCC, such that, while roaming, only access to/through network operators that are whitelisted, or are within a whitelisted country, is permitted.
  • the UE may be (pre-)configured, or have in store a configuration/policy (e.g., in the USIM/UICC) which determines for each of these MNOs whether access through an older generation network access device (e.g., 2G/3G base station) is, or is not allowed.
  • the UE may have in store a list of these MNOs, indicating each MNO and for each RAT type supported by an MNO, whether it is whitelisted or blacklisted.
  • the UE may be configured to blacklist all older generation network access devices associated with MNOs of said category, in which case, the MCC (i.e., 901) may be blacklisted, as described in previous embodiments.
  • the identifiers (PLMN, cell IDs, RAN area codes) and/or location information that may be whitelisted or blacklisted may be determined by using a selection filter for more efficient encoding/transmission/storage. For instance, given an identifier, the identifier may be blacklisted or whitelisted if the identifier combined with the selection filter matches a whitelisted/blacklisted identifier.
  • PLMN MCC
  • PLMN XOR 000111 2001111
  • a similar approach may be used to allow/disallow other identifiers.
  • a user equipment is restricted from network access to, and/or through, a network operator, or the entirety of network operators within a specific country, wherein said restriction is based on blacklisting the Mobile Network Code (MNC) associated with the network operator to block, or on blacklisting the Mobile Country Code (MCC) associated with the country where network access is to be restricted.
  • all networks in a given country (MCC) of a given type may be blacklisted (e.g., by default), except specific networks (MNCs) that may be explicitly whitelisted.
  • an attacker may place a fake base station for country B in country A, where the base station of country B is for a legacy access device that is still in usage in country B, but not in A.
  • an attacker may still be able to lure a UE to a legacy access device even if all legacy access devices in country A have been decommissioned and UE has policies for country A stating this. Addressing this issue may be achieved by using the embodiments in this invention combined as follows.
  • a UE may have a configuration that whitelists networks for country A, and all other networks (of other countries) may be blacklisted.
  • a UE may be able to determine its location so that networks (and access devices associated to them) that do not belong to its current location are blacklisted, in particular, all access devices associated to a PLMN with a mobile country code that is not associated with the country where the UE is currently located are blacklisted, or are whitelisted/blacklisted based on whether their mobile network codes are whitelisted/blacklisted.
  • legacy wireless network generation access devices associated to a PLMN with a mobile country code associated with an international and/or satellite network operator that is different from the mobile country code used in the country where the UE is currently located are blacklisted by default (e.g., for all mobile network codes), or are whitelisted/blacklisted based on whether their mobile network codes, associated with the international and/or satellite network operator(s), are whitelisted/blacklisted.
  • the UE (300) receives messages/signals (e.g., synchronization signals) transmitted by different base stations (i.e., 301, 302, 303, and 304), which may belong to different network generations (i.e., different RAT types).
  • 301 and 304 are assumed to be older generations (e.g., 3G and 2G access devices, respectively), while 302 and 303 correspond to current generations (e.g., 5G and 4G access devices, respectively).
  • UE 300 sends a Registration Request (or Initial Attach in case the cell selected is a 4G BS) to a network function and/or OAM, e.g., a mobility function (e.g., the AMF, which is used next without loss of generality), wherein UE 300 may include the measurement reports compiled in step 311, its location, and may further indicate its preference and/or an ordered list of the cells sorted based on the UE’s prioritization criteria (e.g., to use as an access device to the network).
  • the network status check may be performed at a first stage (e.g., in Msg1), and following a positive network response (e.g., 11), UE (300) may want to further check whether the Cell ID corresponding to the access device from which the synchronization signals with the best signal quality were received is legitimate, in which case UE 300 may, in a second stage, request (e.g., in Msg3) the selected access device (e.g., 302) to perform a check on the legitimacy of the cell(s) (e.g., 301) by including the Cell ID(s) (or a part thereof, which is sufficient to uniquely identify the cell(s)), to which the access device may respond, upon verification, based on a (network) policy, with a bitstring wherein each bit corresponds to the legitimacy evaluation result.
  • Synchronization signals strength pattern matching for FBS detection
  • these conditions may also vary depending on the scenario applicable to a UE, e.g., conditions may be different for a UE performing handover than for a UE that is attempting to connect. Similarly, the conditions may vary depending on whether the UE is moving or not.
  • the UE may be conditionally triggered e.g., based on an increase in the number of received synchronization signals and/or detecting a new signal with a strength level that is above a pre-determined/configured threshold, to perform continuous monitoring and collection of data pertaining to the suspicious synchronization signal(s).
  • a UE may be stationary, and thus is expected to receive a fixed number of synchronization signals associated with the base stations in proximity.
  • the known base stations may be stored and may also be shared with the network.
  • UE may detect a new synchronization signal whose strength level may be higher in comparison to the rest of the synchronization signals received from other base stations, and as the initial strength level of the new synchronization signal is abnormally high, that may prompt the UE to categorize the BS from which said synchronization signal was received as fake and/or check with the network, as described in previous embodiments (e.g., in relation to Fig. 3).
  • a UE may be moving, in which case, UE may be expected to continuously detect synchronization signals broadcasted from different base stations in its proximity, which may be continuously changing over time as the UE is moving.
  • the UE may be configured to detect the initial strength level associated with newly received synchronization signals, and based on whether the strength level is abnormally high (e.g., as in the bottom figure), the UE may be triggered to continuously monitor and log the variation in the strength level of the corresponding synchronization signals for a pre-configured time window, then compare it to the baseline pattern associated with the UE’s mobility profile, as described in previous embodiments. Based on the similarity measure and the UE’s configuration, the UE may classify the base station as legitimate, fake, or trigger a check with the network, as described in previous embodiments (e.g., in relation to Fig. 3).
  • the UE may store a configuration or a policy that indicates whether it is authorized to connect to a given type of access device, or not, and the circumstances in which this is authorized.
  • the configuration may indicate that the UE is authorized to connect to a 4G access device, but not authorized to connect to a 3G access device unless a certain condition occurs, e.g., the UE requires emergency services.
  • This configuration ensures that the UE may not connect by mistake to old generation access devices (e.g., 3GPP 3G), since such networks may be/have been decommissioned and may be run by an attacker in the form of a fake base station, where the fake base station would be used to, e.g., get the identity of the user.
  • This configuration may be determined by the home network or the user and may be updated or modified as needed. Based on this configuration, the UE may reject or accept the synchronization signals from different access devices, or request more information from the network before connecting. Similarly, a network may accept or reject a UE’s attempt to access it through a specific network generation’s access device, based on whether the UE meets the configuration/policy criteria or conditions permitting access. If not, an access device may send a reject message (e.g., RRC reject message during the random-access procedure), which may include a rejection cause (e.g., UE not permitted for access through UTRAN).
  • the UE may receive the configuration or policy from the network when it registers for the first time, or when it changes its location to a new area.
  • the configuration or policy may also be pre-configured in the UE by the user or the manufacturer and updated periodically or on demand.
  • the configuration or policy may be stored in the UE memory, or in a secure element such as a SIM card or an eSIM.
  • the decommissioning configuration/policy may need to be updated periodically, on-demand, or in a conditional manner as described in previous embodiments. For instance, if the MNO has completely decommissioned a RAT (e.g., GERAN), it may indicate in the configuration it is fully decommissioned and update the decommissioning configuration/policy to restrict the RAT from the next generation (e.g., UTRAN), once the latter has been fully decommissioned by the MNO.
  • the MNO may update the decommissioning configuration/policy more frequently and/or in a conditional manner, e.g., in scenarios where the decommissioning is done in phases, in which case the MNO may regularly update the decommissioning configuration/policy based on whether it has decommissioned a RAT, in a certain location (e.g., Registration or tracking area, or an entire country).
  • the MNO may update the decommissioning configuration/policy on-demand; for instance, the protection against bidding down attacks may be on an opt-in basis, where the UE/User may request/retrieve, e.g., through an MNO service portal, the decommissioning configuration/policy, and only then it may be provided to the UE.
  • the MNO may also provide the UE/User (e.g., through a service portal) with countries and/or operators for which a decommissioning configuration/policy is available, such that if a User intends to travel (e.g., to another country), it may be able to retrieve a decommissioning configuration/policy from roaming partners which have service agreements with the home network associated with the USIM/UICC used by the user.
  • the configuration/policy may determine a time window during which the decommissioning configuration/policy is temporarily disabled; for instance, the USIM/UICC (or the UE, upon USIM/UICC request) may start a timer, set by the MNO, to determine when to re-enable the decommissioning configuration/policy.
  • the format of decommissioning configuration/policy information may need to be specified.
  • the list entries may include information associated with the PLMN (e.g., MCC and/or MNC), and a value indicating the decommissioned RATs; for instance, this value may be a bit-value in which each bit is associated with a RAT (e.g., 11000 indicating that only 4G and 5G RATs are allowed, while the rest are restricted); for instance, the bit-value may be a fixed number of bits (e.g., 8), wherein the MSB is associated with the most recent network generation supported by the MNO, while the rest of the LSBs are associated with previous generations (e.g., 11000000 which may indicate that only 4G/5G RATs are allowed, while any RAT associated with a network generation older than that is restricted).
  • the MNO may indicate in the decommissioning configuration/policy information only the minimum network generation it supports, it may as such be understood that all RATs associated with network generations older than the indicated minimum network generation are restricted, whereas access through network generations that are more recent than the minimum, is not restricted; this may for instance be indicated by using a number (e.g., 4) reflecting the minimum network generation (e.g., 4G in this case) whose RATs are not restricted.
  • the list entries described above may further include location information (as described in previous embodiments), which may have different restricted RATs (e.g., in cases where decommissioning is done in a phased manner, or due to lower population density). For instance, a list entry may be as follows:
  • only the home PLMN is allowed / authorized to update the decommissioning configuration/policy of a UE, e.g., in its UICC/USIM.
  • the UE may be configured to only access an “unknown” VPLMN (i.e., a VPLMN for which decommissioned RATs are unknown) through a safe/secure RAT.
  • the HPLMN may send a request to provide said configuration for a given area.
  • the VPLMN may provide said configuration to the HPLMN knowing the access device that UE used to connect. This configuration may be a partial configuration of the VPLMN’s decommissioning configuration/policy.
  • the VPLMN may not wish to share the (whole) decommissioning configuration / policy with the HPLMN.
  • the UE / UICC / USIM may be configured to connect to the VPLMN only through a safe/secure generation RAT (e.g., as in previous example), and the VPLMN may get a token from the HPLMN authorizing the VPLMN to deploy its decommissioning configuration / policy to the UE / UICC / USIM.
  • This token may be a key derived from a root key (e.g., K_AUSF) and/or generated by means of a private key owned by the home PLMN and whose public key is known to the UE / UICC / USIM.
  • the symmetric key may be used to encrypt/authenticate (a part of) the decommissioning configuration/policy, e.g., a given amount of data (size of a decommissioning configuration / policy).
  • the USIM / UICC may run an application preventing that information from leaving a storage area in the USIM / UICC. This embodiment allows the UE / UICC / USIM to receive a decommissioning policy / configuration from the VPLMN in a secure way.
  • a decommissioning configuration/policy for a given RAT, or a combination of Tracking Area/RAT, etc may be associated with a date / time / validity time, i.e., a date until the Tracking Area / RAT/etc may be used by the UE / USIM / UICC to connect.
  • This embodiment is advantageous because it reduces the number of updates required in the UE / USIM / UICC when the decommissioning happens over time and new decommissioned RATs/ Tracking Areas are changing.
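The list-entry format, per-RAT validity time and unknown-VPLMN rule described above can be put together as follows. This is an added example, not code from the patent: the bit positions (MSB = 5G down to 2G), the `SAFE_MIN_GENERATION` threshold, all function and field names, and the sample PLMN values other than MCC 901 are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Mapping, Optional

# Assumed layout of the 8-bit value: MSB = most recent generation (5G here),
# the following bits = successively older generations, unused low bits = 0.
GENERATIONS = (5, 4, 3, 2)
SAFE_MIN_GENERATION = 4  # assumption: what the UE treats as a "safe/secure RAT"


def _bit(generation: int) -> int:
    return 1 << (7 - GENERATIONS.index(generation))


@dataclass(frozen=True)
class PolicyEntry:
    mcc: str
    mnc: Optional[str]   # None: entry applies to every MNC under this MCC
    allowed_bits: int    # 0b11000000 -> only 5G and 4G are allowed
    # Per-generation date until which an allowed RAT may still be used.
    usable_until: Mapping[int, datetime] = field(default_factory=dict)

    @classmethod
    def from_bitstring(cls, mcc, mnc, bits, usable_until=None):
        # Accepts the short form ("11000") and the fixed 8-bit form.
        if not bits or len(bits) > 8 or set(bits) - {"0", "1"}:
            raise ValueError(f"malformed RAT bit-value: {bits!r}")
        return cls(mcc, mnc, int(bits.ljust(8, "0"), 2), usable_until or {})

    @classmethod
    def from_min_generation(cls, mcc, mnc, min_gen, usable_until=None):
        # Alternative encoding: only the minimum supported generation is given.
        bits = sum(_bit(g) for g in GENERATIONS if g >= min_gen)
        return cls(mcc, mnc, bits, usable_until or {})

    def allows(self, generation: int) -> bool:
        return generation in GENERATIONS and bool(self.allowed_bits & _bit(generation))


def decide(policy, mcc, mnc, generation, now):
    """Return (allowed, reason) for a cell of `generation` on PLMN mcc/mnc."""
    exact = [e for e in policy if e.mcc == mcc and e.mnc == mnc]
    mcc_wide = [e for e in policy if e.mcc == mcc and e.mnc is None]
    matches = exact or mcc_wide  # an explicit MNC entry overrides the MCC default
    if not matches:
        # Unknown PLMN: decommissioned RATs are not known, so only a safe RAT is used.
        if generation >= SAFE_MIN_GENERATION:
            return True, "unknown PLMN, safe RAT"
        return False, "unknown PLMN, legacy RAT"
    entry = matches[0]
    if not entry.allows(generation):
        return False, "restricted by policy"
    until = entry.usable_until.get(generation)
    if until is not None and now > until:
        return False, "validity time passed"
    return True, "allowed by policy"


# Constructed sample policy (PLMN 001/01 and MNC 99 are made-up test values).
SAMPLE_POLICY = [
    PolicyEntry.from_bitstring(
        "001", "01", "11100000",
        usable_until={3: datetime(2025, 6, 30, tzinfo=timezone.utc)},
    ),
    PolicyEntry.from_min_generation("901", None, 4),  # MCC-wide default
    PolicyEntry.from_min_generation("901", "99", 3),  # explicitly whitelisted MNC
]

if __name__ == "__main__":
    now = datetime(2025, 7, 1, tzinfo=timezone.utc)
    for plmn, gen in [(("001", "01"), 3), (("901", "15"), 3), (("310", "410"), 2)]:
        print(plmn, f"{gen}G", decide(SAMPLE_POLICY, *plmn, gen, now))
```

Because the 3G validity time travels with the entry, the UE stops using 3G on that PLMN after the date without needing a further policy update.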
  • a UE / UICC / USIM may obtain its location by means of cellular positioning or GNSS, however, positioning signals may be spoofed, and position may not be accurate/trustworthy. On the one hand, positioning information can be used to improve the accuracy of the decommissioning / configuration policy; on the other hand, if an attacker tampers with the positioning signals, the attacker may still manage to get a UE connected to an old RAT.
  • the UE / USIM / UICC may indicate the estimated location of a UE to the user when the UE is choosing a given RAT, e.g., an old generation RAT. The user may then verify this location. This may also be a configuration in the UE that gives the possibility to the user to verify the UE location.
  • the UE may apply the configuration or policy at different stages of its network connection process. For example, the UE may apply the configuration or policy when it is acquiring the synchronization signals from different cells and filter out the cells that do not match the configuration or policy. Alternatively, or in addition, the UE may apply the configuration or policy when it is performing handover (HO) from one cell to another (e.g., conditional HO), and reject the handover if the target cell does not comply with the configuration or policy e.g., as further detailed in some of the following embodiments. Similarly, a target access device may reject the handover if the UE does not comply with the configuration or policy, it has been provisioned with. The UE may also apply the configuration or policy when it is idle or in power saving mode, and avoid camping on cells that are not authorized/allowed by the configuration or policy.
  • a mobility procedure e.g., handover
  • the latter may trigger a HO procedure wherein a target base station is selected by the source base station.
  • the HO procedure and/or the source base station may not account for the access technologies restricted at the UE side (e.g., due to the restriction information pertaining to the UE not being provided by MME and/or the UE).
  • the UE may, prior to considering an inter-RAT mobility procedure as initiated, check whether the indicated target cell/base station selected by the source base station is (non-)restricted. In an example, only upon determining that the access type associated with the selected cell/base station is not restricted does the UE consider the inter-RAT mobility as initiated and attempt to access the target cell indicated by the inter-RAT message.
  • if a UE is connected to an E-UTRA cell and the list of “PLMNs with associated RAT restrictions” at the UE indicates that NR/NG-RAN is restricted by the serving PLMN, then, upon receiving a mobility triggering message (e.g., MobilityFromEUTRACommand message as per 5.4.3.3 of TS 36.331) where the targetRAT-Type is set to NR (in this example; more generally, where targetRAT-Type is set to any restricted RAT type), the UE may need to check that the targetRAT-Type indicated is not restricted before initiating the inter-RAT mobility. The UE may only start the inter-RAT mobility after a positive check.
  • if an inter-RAT mobility triggered by an E-UTRA cell fails due to the targetRAT-Type indicated by the source base station (i.e., serving E-UTRA cell) being a restricted RAT according to the list of “PLMNs with associated RAT restrictions” maintained by the UE, then the UE may indicate such a failure to the serving base station. For instance, the UE may send a failure message, e.g., a rejection or, e.g., comprising a failure cause indicating that the failure is due to the targetRAT-Type being restricted.
  • the UE may provide fresh (i.e., recent, e.g., within a given time interval, e.g., the last T seconds) measurement reports pertaining to candidate target cells serving the area where the UE is located.
  • fresh measurement reports may be associated with access technologies that are not restricted based on the list of “PLMNs with associated RAT restrictions”, as described in previous embodiments. Note that the inter-RAT mobility failure may occur while the UE is moving, hence the need for fresh measurement reports.
  • base stations implement a communication interface that allows the transfer of RAT restriction associated to a UE. This information may be provided to the target base station once the handover is confirmed.
  • This information may also be transferred before (e.g., in HANDOVER request) so that the candidate target base station can determine whether it can fulfil the RAT restriction, also considering subsequent mobility procedures, transfer Mobility Restriction List IE information in HANDOVER REQUEST message from source NG-RAN node to target NG-RAN node, where RAT restriction should also be applied.
  • This embodiment may be applicable to, e.g., TS 36.423 X2AP or TS 38.423 XnAP.
  • Mobility Restriction List IE may further comprise RAT Restrictions included in Extended RAT Restriction Information IE which may contain RAT restriction information for E-UTRA satellite access technology as below.
  • Handover Restriction List IE may further comprise RAT Restrictions included in RAT Restriction Information IE which may contain RAT restriction
  • the M-NG-RAN node may check
  • the S-NG-RAN node is restricted by considering the RAT restriction information associated with PLMNs, and then decide whether to add the S-NG-RAN node or not depending on whether the access technology of the S-NG-RAN node is restricted or not, particularly the S-NODE ADDITION REQUEST message sent from M-NG-RAN node to S-NG-RAN node may contain the RAT restriction information associated with PLMNs in Mobility Restriction List IE.
  • a wireless device determines whether to initiate an inter-RAT mobility procedure towards a second target access device, upon receiving an inter-RAT mobility triggering message from a first serving access device, wherein determining whether to initiate the inter-RAT mobility procedure comprises the wireless device performing a check to verify whether the radio access technology type associated with the second target access device indicated by the first source access device is, or is not, restricted, based on an access device selection configuration, e.g., the “list of PLMNs with associated RAT restrictions”, maintained by the wireless device.
  • the mobility procedure triggered by the first access device towards the second target access device is an inter-PLMN mobility procedure
  • the check to be performed by the wireless device consists of checking whether the combination of PLMN-RAT, associated with the second target access device and the PLMN with which it is associated, is, or is not, restricted, based on the access device selection configuration, e.g., “list of PLMNs with associated RAT restrictions”, maintained by the wireless device.
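The UE-side check on an inter-RAT mobility command, including the failure indication and the fresh measurement reports for non-restricted RATs, can be sketched as follows. This is an added example, not code from the patent or from any 3GPP specification: the function and field names, the cause string, the lower-case RAT labels and the sample values are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Measurement:
    cell_id: str
    plmn: str        # MCC+MNC of the measured cell
    rat: str         # RAT label used in this sketch: "nr", "eutra", "utra", "geran"
    rsrp_dbm: float
    taken_at: float  # seconds, same clock as `now`


def handle_mobility_command(target_plmn, target_rat, restrictions,
                            measurements, now, max_age_s):
    """Decide whether the UE treats an inter-RAT mobility command as initiated.

    `restrictions` stands for the UE's list of "PLMNs with associated RAT
    restrictions": {plmn: set of restricted RAT labels}. In this sketch a PLMN
    that is absent from the list carries no restriction.
    """
    if target_rat not in restrictions.get(target_plmn, set()):
        # Positive check: only now is the mobility procedure considered initiated.
        return {"action": "initiate", "plmn": target_plmn, "rat": target_rat}

    # Restricted PLMN-RAT combination: do not access the target cell. Report
    # the failure with a cause and offer fresh, non-restricted candidates.
    fresh = [
        m for m in measurements
        if 0 <= now - m.taken_at <= max_age_s
        and m.rat not in restrictions.get(m.plmn, set())
    ]
    fresh.sort(key=lambda m: m.rsrp_dbm, reverse=True)  # strongest first
    return {
        "action": "fail",
        "cause": "target-rat-restricted",  # hypothetical cause label
        "candidates": [m.cell_id for m in fresh],
    }


# Constructed sample data: PLMN "00101" restricts NR and GERAN for this UE.
RESTRICTIONS = {"00101": {"nr", "geran"}}
NOW = 1000.0
MEASUREMENTS = [
    Measurement("cellA", "00101", "eutra", -95.0, 998.0),  # fresh, allowed
    Measurement("cellB", "00101", "nr", -80.0, 999.0),     # fresh, restricted RAT
    Measurement("cellC", "00101", "eutra", -90.0, 990.0),  # stale
    Measurement("cellD", "00101", "eutra", -88.0, 997.0),  # fresh, allowed
]

if __name__ == "__main__":
    print(handle_mobility_command("00101", "nr", RESTRICTIONS, MEASUREMENTS, NOW, 5.0))
    print(handle_mobility_command("00101", "utra", RESTRICTIONS, MEASUREMENTS, NOW, 5.0))
```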
  • When the UE needs to access one of the emergency services on the list, it may temporarily override the configuration or policy that restricts it from connecting to older generation access devices and attempt to connect to the nearest available cell that can provide the service, regardless of its technology or legitimacy. The UE may also notify the network or the user of its decision to connect to a potentially unsafe cell, and request confirmation or verification before proceeding with the service. Alternatively, or in addition, the UE may use a different authentication or encryption mechanism when connecting to the older generation access device, to protect its identity and data from possible attacks. This embodiment ensures that the UE can access the emergency services when needed, while minimizing the risk of connecting to fake base stations.
  • the UE may be configured with a policy (or UE rules) that determines how it should connect to the network based on the features of the measured signals, the location of the UE, and/or the mobility status of the UE.
  • the policy may indicate which cells may be preferred or classified as potential FBS depending on the signal strength, frequency, technology, or other parameters of the received synchronization signals.
  • the policy may also take into account the geographical area where the UE is located, and whether the area is expected to have access devices associated with older or newer network generations.
  • the policy may consider whether the UE is moving or stationary, and adjust the criteria for selecting or rejecting cells accordingly.
  • the policy may be provisioned or configured by the network, or by the user, or by both. Based on this policy, the UE may determine which cell it uses to connect, or whether it needs to perform additional checks or actions, such as reporting suspicious signals to the network or requesting more information from the network.
  • the UE may receive updates of the policy or configuration that determines how it should connect to the network based on the features of the measured signals, the location of the UE, and/or the mobility status of the UE.
  • the updates may be provided by the network, or by the user, or by both.
  • the updates may be triggered by a request from the UE or by an indication from the network or the user.
  • the updates may include the entire policy or configuration, or only a part of it.
  • Each update may be associated with an expiration date or time, which indicates how long the update is valid.
  • the UE may also receive information about whether the expiration date or time of the remaining part of the policy or configuration has changed or not. Based on this information, the UE may replace or merge the updated part with the existing policy or configuration, and apply the updated policy or configuration accordingly.
  • This embodiment allows the UE to adapt its connection behaviour to the changing network conditions and user preferences, and to avoid using outdated or irrelevant policy or configuration information.
  • the UE may use its location information to determine whether it can trust and use a certain type of access device. For example, the UE may receive or retrieve policies or configurations from a network operator, a service provider, or another trusted source that specify the location of the tracking area, registration area, cell identifier, or other geographic or logical areas associated with different types of access devices or networks, such as 2G, 3G, 4G, or 5G. The UE may store the policies or configurations in its memory or cache them for later use. When the UE is at a given location, it may compare its location information, such as GPS coordinates, with the policies or configurations to determine which types of access devices or networks are available and/or trusted in that location.
  • the UE may then use the policies or configurations to perform the comparison and selection of the cells as described above.
  • the UE may query the policies or configurations from a network operator, a service provider, or another trusted source based on its location information, and receive a response indicating which types of access devices or networks are available and/or trusted in that location.
  • the UE may then use the response to perform the comparison and selection of the cells as described above.
  • This embodiment improves the UE's ability to adapt to different network environments and avoid fake or outdated cells based on its location, and enhances the security and reliability of the network connection.
  • the UE may receive a configuration or policy from a network operator, a service provider, or another trusted source that specifies a list of identifiers for different types of cells or networks, such as 2G, 3G, 4G, or 5G.
  • the identifiers may include cell IDs, tracking areas, registration areas, PLMNs, or other features that can distinguish the cells or networks.
  • the configuration or policy may also specify a time pattern or schedule for each identifier, indicating when the identifier should be used by the corresponding cell or network.
  • When the UE receives a synchronization signal, system information block or message (in general, signal) from a cell, it may check the identifier included in the signal and compare it with the configuration or policy to determine whether the identifier matches the expected identifier for the cell type and the current time slot.
  • the list of valid identifiers may be linked to a given location, and the UE may obtain it based on its own (known) location, e.g., known via GPS. If the identifier matches, the UE may consider the cell as valid and possibly select it for connection. If the identifier does not match, the UE may consider the cell as fake or outdated and ignore it.
  • the UE may query the configuration or policy from a network operator, a service provider, or another trusted source based on the identifier that it receives from a cell, and receive a response indicating whether the identifier is valid or not for the cell type and the current time slot. The UE may then use the response to decide whether to connect to the cell or not.
  • This embodiment allows the UE to verify the legitimacy and currency of the cells based on their identifiers and the time pattern, and avoid connecting to fake or outdated cells that may compromise the security and reliability of the network connection.
  • a possible embodiment in which a list of Cell identifiers assigned to a UE could be UE-specific may be as follows.
  • the UE may generate or obtain a secret key K that is shared with a trusted network entity, such as a home operator or a service provider.
  • the key K may be derived from the UE’s identity, such as its International Mobile Subscriber Identity (IMSI) or Public Land Mobile Network Identifier (PLMN ID), or obtained through a secure protocol, such as a key agreement or authentication scheme.
  • the UE may also receive or compute a function F that is known to the network entity and can produce a unique identifier based on the input parameters.
  • the function F may be a cryptographic hash function, such as a Hash-based Message Authentication Code (HMAC) or a Secure Hash Algorithm (SHA), or any other function that can generate an output that is hard to predict or invert without knowing the key K.
  • the UE may store the key K and the function F in its memory or cache them for later use.
  • the UE may use the identifier included in the signal as an input for the function F, along with the other parameters, such as the cell type, the current time t, which may be set to a specific resolution (e.g., number of LSBs set to 0) determined by a configuration or policy, and the secret key K.
  • the UE may compute F(Identifier, Cell Type, t, K), where Identifier may be the Cell ID, Tracking Area Identifier (TAI), or Network Generation (NG) used by the cell.
  • the UE may then compare the output of the function F with the expected identifier for the current time slot, which may be stored in a configuration or a policy provided by the network entity. If the output matches the expected identifier, the UE may consider the cell as valid and possibly select it for connection. If the output does not match, the UE may consider the cell as fake or outdated and ignore it.
  • the UE may send a query to the network entity based on the identifier that it receives from a cell, and receive a response indicating whether the identifier is valid or not for the cell type and the current time slot. The UE may then use the response to decide whether to connect to the cell or not.
  • This embodiment allows the UE to verify the legitimacy and currency of the cells based on their identifiers and the secret key, and avoid connecting to fake or outdated cells that may compromise the security and reliability of the network connection.
  • This embodiment may be combined with other embodiments described herein or used independently, depending on the implementation and the desired functionality.
  • the UE may have a secret key K that is derived from its identity or obtained through a secure protocol with the network entity.
  • the UE may also receive or compute a function F that is known to the network entity and can produce a unique identifier based on the input parameters.
  • the function F may be a cryptographic hash function, such as an HMAC or a hash function such as SHA-2 or SHA-3, or any other function that can generate an output that is hard to predict or invert without knowing the key K.
  • the UE may store the key K and the function F in its memory or cache them for later use.
  • When the UE receives a signal from a cell, it may use the identifier included in the signal as an input for the function F, along with the other parameters, such as the cell type and the network generation. For example, the UE may compute F(Identifier, Cell Type, NG, K), where Identifier may be the Cell ID, TAI, or NG used by the cell. Additionally, or alternatively, the function F may also take (geo-)location information (e.g., latitude and longitude) as an input parameter, which may also be provisioned/configured at the UE and retrieved based on the identifiers (e.g., cell identity) received from the base station.
  • the identifier included in the signal may be an input for the function F, along with the other parameters, such as the cell type and the network generation. For example, the UE may compute F(Identifier, Cell Type, NG, K), where Identifier may be the Cell ID, TAI, or NG used by the cell.
  • the UE may then compare the output of the function F with the expected identifier for the cell, which may be stored in a configuration or a policy provided by the network entity. If the output matches the expected identifier, the UE may consider the cell as valid and possibly select it for connection. If the output does not match, the UE may consider the cell as fake or outdated and ignore it. Alternatively, or in addition, the UE may send a query to the network entity based on the identifier that it receives from a cell, and receive a response indicating whether the identifier is valid or not for the cell type and the network generation. The UE may then use the response to decide whether to connect to the cell or not.
  • This embodiment allows the UE to verify the legitimacy and validity of the cells based on their identifiers and the secret key, and avoid connecting to fake or outdated cells that may compromise the security and reliability of the network connection.
  • This embodiment may be combined with other embodiments described herein or used independently, depending on the implementation and the desired functionality.
  • This embodiment can allow making the configurations device specific so that information about the whitelisted cells is not stored on the UEs, but only a function of them. This prevents the cell information (that can be operator sensitive) from leaking.
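The keyed, time-slotted check described in the embodiments above can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA-256 as F, the length-prefixed field encoding, the 16-byte tag length, the policy layout and all sample values are assumptions.

```python
import hashlib
import hmac
import struct

# Assumptions for this example (not from the page): HMAC-SHA-256 as F, the
# length-prefixed field encoding, 16-byte tags, and every sample value below.
TAG_LEN = 16


def truncate_time(t: int, zero_lsbs: int) -> int:
    """Round t down to its time slot by setting `zero_lsbs` low bits to 0."""
    return (t >> zero_lsbs) << zero_lsbs


def F(identifier: bytes, cell_type: str, t: int, key: bytes) -> bytes:
    """F(Identifier, Cell Type, t, K) as a truncated HMAC-SHA-256.

    Each field is length-prefixed so that, for example, ("ab", "c") and
    ("a", "bc") can never produce the same MAC input.
    """
    msg = b""
    for part in (identifier, cell_type.encode(), struct.pack(">Q", t)):
        msg += struct.pack(">H", len(part)) + part
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_policy(key, allowed_cells, start, n_slots, zero_lsbs):
    """Network entity side: expected outputs of F for each time slot.

    The policy holds only tags, so the UE never stores the plain list of
    allowed cells.
    """
    step = 1 << zero_lsbs
    first = truncate_time(start, zero_lsbs)
    policy = {}
    for i in range(n_slots):
        slot = first + i * step
        policy[slot] = {F(cid, ctype, slot, key) for cid, ctype in allowed_cells}
    return policy


def cell_is_valid(policy, key, identifier, cell_type, now, zero_lsbs):
    """UE side: recompute F for the broadcast values and compare."""
    slot = truncate_time(now, zero_lsbs)
    expected = policy.get(slot)
    if expected is None:
        return False  # no policy for this slot: fail closed
    tag = F(identifier, cell_type, slot, key)
    # compare_digest avoids leaking how many leading bytes matched
    return any(hmac.compare_digest(tag, e) for e in expected)


# Constructed sample data
KEY = bytes(range(32))            # stand-in for the shared secret key K
ALLOWED = [(b"cell-0001", "NR"), (b"cell-0002", "E-UTRA")]
ZERO_LSBS = 10                    # time slots of 2**10 = 1024 seconds
T0 = 1_700_000_000
POLICY = build_policy(KEY, ALLOWED, T0, n_slots=2, zero_lsbs=ZERO_LSBS)


def demo():
    """Evaluate four constructed broadcasts against the stored policy."""
    def check(cid, ctype, t):
        return cell_is_valid(POLICY, KEY, cid, ctype, t, ZERO_LSBS)

    return {
        "listed NR cell": check(b"cell-0001", "NR", T0 + 500),
        "same ID on GERAN": check(b"cell-0001", "GERAN", T0 + 500),
        "unknown cell": check(b"cell-9999", "NR", T0 + 500),
        "policy expired": check(b"cell-0001", "NR", T0 + 3 * 1024),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} -> {'valid' if ok else 'ignore'}")
```

Because the cell type is part of the MAC input, a whitelisted identifier replayed on a different radio access technology does not match, and a UE whose policy has not been refreshed for the current slot rejects every cell rather than accepting by default.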
  • the AS layer may maintain a provided list of “PLMNs with associated RAT restrictions” for further use, e.g., for cell evaluation for the purpose of cell reselection.
  • the UE may receive further RAT utilization control information from a serving PLMN, thus impacting (e.g., by adding, updating, or deleting one or more entries) the list of “PLMNs with associated RAT restrictions” stored in the UE, e.g., in the UE’s non-volatile memory. The list of “PLMNs with associated RAT restrictions” may be updated on the NAS layer, whereas the AS layer may continue using an outdated list of “PLMNs with associated RAT restrictions”, which may impact a mobility procedure, e.g., the cell reselection procedure. It is therefore the aim of some of the following embodiments to address this issue. To that end:
  • the AS layer(s) may request an update to the entry (i.e., RAT restrictions) associated with the serving PLMN (i.e., PLMN currently in use) or the entire list of “PLMNs with associated RAT restrictions” periodically (e.g., following a time period configured and/or provided by the network), or conditionally (e.g., following pre-defined conditions), as configured by the network, following a triggering event which includes, but is not limited to, the following: a change in the highest ranking cell according to cell reselection criteria, or
  • the UE may receive from a serving PLMN RAT utilization control information impacting (e.g., by adding, updating, or removing entry(ies) in the list of “PLMNs with associated RAT restrictions”) the list of “PLMNs with associated RAT restrictions” in general, and the entry in the list of “PLMNs associated with RAT restrictions” associated with the current serving PLMN, in particular.
  • the UE NAS layer may instruct and/or restrict, according to the updated RAT restrictions associated with the current serving PLMN in the list of “PLMNs with associated RAT restrictions” the AS layer(s) to/from performing cell search/evaluation for the purpose of cell reselection.
  • the AS layer(s) may periodically, or conditionally (as described in previous embodiments) request an update for the entry (i.e., RAT restrictions) associated with the current serving PLMN or the entire list of “PLMNs with associated RAT restrictions” thus ensuring only non-restricted AS layer(s) are performing cell search and evaluation for the purpose of cell reselection.
  • the request from AS layer(s) towards NAS layer associated with maintaining the lists of “PLMNs with associated RAT restrictions” may be a request for an update and/or a request for synchronization check (i.e., checking whether the list maintained by AS is valid still), to which the NAS layer may provide a response which acknowledges that the lists are in synch (e.g., if the list maintained by the AS layer(s) are valid still) or provides the updated entry (e.g., associated with the current serving PLMN) or the entire updated list of “PLMNs with associated RAT restrictions” (e.g., if the entry(ies) in the list maintained by the AS layer(s) is/are outdated) to the AS layer(s).
  • the request may be from one AS layer (e.g., EUTRAN AS layer); depending on the potential changes to the RAT restrictions associated with the current serving PLMN, the response may trigger one or more AS layer(s), depending on which RATs are allowed/restricted.
  • a list of “PLMNs with associated RAT restrictions” may be associated with an identifier that may allow identifying the PLMN and version, e.g., it may be, e.g., PLMN ID concatenated with date/time. This unique identifier may be used, e.g., to distinguish/determine whether the list available in the AS layer is outdated or not.
  • a wireless device may comprise multiple radio access technologies (e.g., 2G, 3G, 4G, 5G). Some of these RAT have frozen stacks, and thus, it is not feasible to update the stack so that the list of “PLMNs with associated RAT restrictions” is taken into account directly in the RAT stack, in other words, that the NAS layer sends it to the corresponding AS layer.
  • AS layer may discard the running timer and consider the cell as a viable candidate for cell reselection.
  • the updated (entry or list) happens to restrict a cell, e.g., the highest ranking cell, it is barred or deprioritized as it is now restricted.
  • the selecting of the selected one or more access devices may comprise one or more of: the UE obtaining a second list comprising radio access technology utilisation control information from the one or more access device selection configuration received in the NAS layer; the UE determining a first list of configured Public Land Mobile Networks, PLMNs, / Radio Access Technology, RAT, with priority order stored in a Subscriber Identity Module such as a USIM or in a Mobile Equipment, ME, of the UE; the UE using the first list and the second list when performing or initiating PLMN and/or cell (re-)selection.
  • PLMNs Public Land Mobile Networks
  • RAT Radio Access Technology
  • the NAS layer sending the most recently received second list to the AS layer upon the occurrence of an event; wherein the event may be determined based on a configuration.
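The NAS/AS synchronization check described above, with the list version formed as the PLMN ID concatenated with a date/time, can be modelled as below. This is an added example, not code from the patent: the class, method and status names, the PLMN ID and the timestamps are assumptions.

```python
from dataclasses import dataclass

# Class, method and status names are assumptions made for this example.


@dataclass(frozen=True)
class RatRestrictionEntry:
    plmn: str
    restricted_rats: frozenset
    version: str  # PLMN ID concatenated with date/time


class NasLayer:
    """Holds the authoritative list of PLMNs with associated RAT restrictions."""

    def __init__(self):
        self.entries = {}

    def apply_network_update(self, plmn, restricted_rats, timestamp):
        """RAT utilization control information received from the serving PLMN."""
        self.entries[plmn] = RatRestrictionEntry(
            plmn, frozenset(restricted_rats), f"{plmn}-{timestamp}")

    def sync_check(self, plmn, as_version):
        """Answer an AS request: acknowledge, or return the updated entry."""
        current = self.entries.get(plmn)
        if current is None:
            return "NO_ENTRY", None
        if current.version == as_version:
            return "IN_SYNC", None
        return "UPDATED", current


class AsLayer:
    """Access-stratum side with its own cached copy of the serving PLMN entry."""

    def __init__(self, nas, serving_plmn):
        self.nas = nas
        self.serving_plmn = serving_plmn
        self.cached = None

    def on_trigger(self):
        """Run periodically or on an event such as a new highest-ranked cell."""
        version = self.cached.version if self.cached else None
        status, entry = self.nas.sync_check(self.serving_plmn, version)
        if status == "UPDATED":
            self.cached = entry
        elif status == "NO_ENTRY":
            self.cached = None
        return status

    def reselection_candidates(self, ranked_cells):
        """Drop cells whose RAT is restricted according to the cached entry."""
        restricted = self.cached.restricted_rats if self.cached else frozenset()
        return [cell for cell in ranked_cells if cell[1] not in restricted]


def scenario():
    """Constructed run: the network restricts GERAN after the AS last synced."""
    nas = NasLayer()
    nas.apply_network_update("00101", {"UTRAN"}, "20250101T000000Z")
    as_layer = AsLayer(nas, "00101")
    as_layer.on_trigger()

    ranked = [("cell-g", "GERAN"), ("cell-n", "NR"), ("cell-u", "UTRAN")]
    nas.apply_network_update("00101", {"UTRAN", "GERAN"}, "20250601T000000Z")

    stale = as_layer.reselection_candidates(ranked)   # AS cache is outdated
    status = as_layer.on_trigger()                    # synchronization check
    fresh = as_layer.reselection_candidates(ranked)
    return stale, status, fresh, as_layer.on_trigger()


if __name__ == "__main__":
    print(scenario())
```

Until the trigger fires, the AS layer still ranks the GERAN cell first even though the NAS layer already holds the restriction, which is the window the embodiments aim to close.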
  • the UE may receive system information blocks (SIBs) from one or more access devices that include information identifying neighboring cells.
  • SIBs system information blocks
  • the UE may cross-reference and check the SIBs from the different access devices to determine whether a synchronization signal is being broadcasted from a legitimate or fake BS, and similarly for network status. For example, the UE may compare the cell identity, frequency, technology, or location of the neighboring cells reported by the SIBs, and identify any discrepancies or inconsistencies that indicate a possible fake or outdated cell.
  • the UE may also compare the network status, such as the network generation, configuration, or capabilities, of the neighboring cells reported by the SIBs, and identify any mismatches or anomalies that indicate a possible fake or outdated cell. Based on this comparison, the UE may select the cell that has the most consistent and reliable SIBs, and avoid the cells that are identified as conflicting or suspicious in the received SIBs. This embodiment improves the UE's ability to detect and avoid fake or outdated cells, and enhances the security and reliability of the network connection.
  • the UE may verify the received information from the access devices before using it to check the network status and the BS legitimacy.
  • the information may be protected with a digital signature that is issued by a trusted authority, such as a network operator or a certificate provider.
  • the UE may validate the digital signature of the information using a public key or a certificate that is stored in the UE or obtained from a trusted source. If the digital signature is valid, the UE may use the information to perform the comparison and selection of the cells as described above. If the digital signature is invalid or absent, the UE may discard the information or use other criteria to evaluate its reliability.
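One way to implement the SIB cross-referencing described above is to count, for each candidate cell, how many other cells report it as a neighbour with the same frequency and technology that it advertises itself. This is an added example, not code from the patent: the data model, the majority rule and all sample values are assumptions, and the inputs are taken to be SIBs that were already accepted by any signature check in use.

```python
from dataclasses import dataclass

# Data model, decision rule and sample values are assumptions for this example.


@dataclass(frozen=True)
class CellInfo:
    cell_id: str
    arfcn: int  # carrier frequency channel number
    rat: str    # radio access technology / network generation


def cross_check(own_sibs, neighbour_sibs):
    """Return {cell_id: (agree, disagree, consistent)}.

    own_sibs:       {cell_id: CellInfo the cell broadcasts about itself}
    neighbour_sibs: {reporting cell_id: [CellInfo it reports for neighbours]}
    """
    result = {}
    for cid, claimed in own_sibs.items():
        agree = disagree = 0
        for reporter, neighbours in neighbour_sibs.items():
            if reporter == cid:
                continue  # a cell cannot vouch for itself
            for n in neighbours:
                if n.cell_id != cid:
                    continue
                if (n.arfcn, n.rat) == (claimed.arfcn, claimed.rat):
                    agree += 1
                else:
                    disagree += 1
        # Consistent only if corroborated, and by more reports than contradict
        # it, so one conflicting reporter cannot discredit a confirmed cell.
        result[cid] = (agree, disagree, agree > disagree)
    return result


def select_cells(own_sibs, neighbour_sibs):
    """Consistent cells, most corroborated first; the rest are avoided."""
    checked = cross_check(own_sibs, neighbour_sibs)
    ok = [cid for cid, (_, _, consistent) in checked.items() if consistent]
    return sorted(ok, key=lambda cid: (-checked[cid][0], cid))


# Constructed sample: three cells that list each other, and one GERAN cell
# that nobody lists and whose SIB contradicts the others about cell-A.
A = CellInfo("cell-A", 620000, "NR")
B = CellInfo("cell-B", 620000, "NR")
C = CellInfo("cell-C", 1300, "E-UTRA")
X = CellInfo("cell-X", 50, "GERAN")
OWN = {c.cell_id: c for c in (A, B, C, X)}
NEIGHBOURS = {
    "cell-A": [B, C],
    "cell-B": [A, C],
    "cell-C": [A, B],
    "cell-X": [CellInfo("cell-A", 50, "GERAN")],
}

if __name__ == "__main__":
    for cid, verdict in cross_check(OWN, NEIGHBOURS).items():
        print(cid, verdict)
    print("selectable:", select_cells(OWN, NEIGHBOURS))
```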
  • non-3GPP access technologies may also be decommissioned.
  • a given wireless access technology may deliver a lower performance/security level, and it may be decommissioned.
  • embodiments described in this invention may also be applicable to a UE when using a non-3GPP access technology.
  • Table 5.4.3.2-1 in TS 29.571 lists different types of 3GPP and non-3GPP RATs. Some RATs may be associated to a given network generation. In some cases, some RAT types may be decommissioned for a given network generation, while other RAT types may still be available. Thus, in an embodiment of the invention that may be used independently or combined with other embodiments, the access device selection configuration and/or policy may include details about the RAT types that are decommissioned/whitelisted/blacklisted.
  • Wi-Fi is a wireless technology that allows devices to connect to the Internet or to each other without using cables. Wi-Fi is based on radio waves that are transmitted and received by a device called a wireless access point (AP).
  • the AP acts as a hub that connects Wi-Fi enabled devices, such as laptops, smartphones, tablets, smart TVs, etc., to a wired network, such as a local area network (LAN) or the Internet.
  • LAN local area network
  • Wi-Fi is a trademark of the Wi-Fi Alliance, an industry association that certifies products that comply with the IEEE 802.11 standards for wireless local area networks (WLANs). These standards define the physical and data link layers of the communication protocol, such as the frequency bands, modulation schemes, encryption methods, authentication mechanisms, and data rates used by Wi-Fi devices.
  • The most common Wi-Fi standards are based on IEEE 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac, and 802.11ax, which operate in different frequency bands (2.4 GHz, 5 GHz, or both) and offer different levels of performance and compatibility.
  • a device needs to have a wireless network interface card (NIC) that can send and receive radio signals.
  • the NIC scans the available wireless channels and detects the presence of nearby APs.
  • the device selects an AP to connect to, based on factors such as signal strength, security settings, and network name (SSID).
  • the device and the AP exchange information, such as the MAC address, IP address, encryption key, and password, to establish a connection. This process is called association.
  • the device can communicate with the AP and other devices on the same network, or access the Internet through the AP.
  • IEEE 802.11n Wi-Fi 4
  • IEEE 802.11ac Wi-Fi 5
  • IEEE 802.11ax Wi-Fi 6
  • IEEE 802.11ah introduced target wake time (TWT) to support low power IoT applications by allowing STAs to go into sleep when not in a wake period after negotiation with AP.
  • IEEE 802.11be Wi-Fi 7 aims at improving throughput and latency operating in unlicensed bands between 1 GHz and 7.125 GHz.
  • Some of the core ideas presented in this invention may be applicable to a wide range of wireless technologies used in wide or local area networks and using different types of radio access technologies, in particular, the ideas may apply to cellular technologies. Even if some embodiments have been described in terms of certain technologies, e.g., 5G, 4G or WiFi, they may also be applicable to other wireless technologies.
  • a cellular system is a wireless communication system that consists of three main components: user equipment (UE), radio access network (RAN), and core network (CN). These components work together to provide voice and data services to mobile users over a large geographic area.
  • UE user equipment
  • RAN radio access network
  • CN core network
  • a processor which controls the operation of the UE and executes the applications and services that the user requests.
  • the processor also communicates with the RAN and the CN using various protocols.
  • a microphone and a speaker which enable the user to make and receive voice calls, as well as use other audio features, such as voice mail, voice recognition, etc.
  • a memory which stores the data and programs that the user needs, such as the phone book, the messages, the photos, the videos, the applications, etc.
  • a UE may receive / transmit / trigger a configuration by means of different procedures:
  • RRC Command contains various messages that modify/configure RRC parameters and/or initiate, modify, or release the RRC connection or the radio bearers between the UE and the BS, such as the RRC connection setup, the RRC connection reconfiguration, the RRC connection release, the security mode command, the mobility from E-UTRA command, the handover from E-UTRA preparation request, etc.
  • the UE needs to respond to the RRC Command according to the RRC protocol and the configuration provided by the BS.
  • Non-access stratum (NAS) messages are used for signalling between UE and core network (CN) on the non-access stratum (NAS) layer.
  • NAS messages enable functionality such as registration, session establishment, security, and mobility management.
  • the UE needs to respond to the NAS Command according to the NAS protocol and the configuration provided by the CN.
  • UE parameter update is a procedure between the UE and the home network that enables the home network to update configuration parameters in mobile phones and/or USIM using the UDM control plane procedure (TS 23.502).
  • the UE can receive Parameters Update Data from the UDM after the UE has registered in the 5G network.
  • SoR Steering of Roaming
  • 3GPP TS 23.501 Release 15
  • 3GPP TS 24.501 Release 15
  • the 5G CP-SOR is activated during or after registration to update the UE's "Operator Controlled PLMN Selector with Access Technology" list via secure NAS messages, as directed by the home PLMN based on specific operator policies, such as preferred networks or UE location.
  • Radio access network is the part of the cellular system that connects the UEs to the CN via the air interface.
  • the RAN consists of base stations (BSs).
  • a base station (BS) is a fixed or mobile transceiver that covers a certain geographic area, called a cell.
  • a BS is also called a gNB (next generation node B).
  • a BS can serve multiple UEs simultaneously within its cell, by using different frequencies, time slots, codes, or beams.
  • a BS also performs functions such as power control, handover control, channel allocation, interference management, etc.
  • a base station can be divided into two units: a central unit (CU) and a distributed unit (DU).
  • CU central unit
  • DU distributed unit
  • the CU performs the higher layer functions, such as RLC, PDCP, RRC, etc.
  • the DU performs the lower layer functions, such as PHY and MAC.
  • the CU and the DU can be co-located or separated, depending on the network architecture and deployment.
  • a base station may be denoted, based on context, as a cell, or gNB.
  • the physical layer which defines the characteristics of the air interface, such as the frequency bands, the modulation schemes, the coding rates, the frame structure, the synchronization, etc.
  • Data may be encoded by the UE and/or BS to obtain data symbols and/or control symbols that may be exchanged over the wireless interface.
  • the conversion from digital data into analog symbols may be done by the transmission / reception communication unit
  • the user plane consists of two main functions: the user plane function (UPF) and the data network (DN).
  • the user plane function (UPF) is a device that forwards the data packets between the UEs and the DNs, as well as performs functions such as tunnelling, firewall, QoS, charging, etc.
  • the data network (DN) is a network that provides access to the services and applications that the UEs request, such as the Internet, the IMS, etc.
  • the long-term subscriber’s identifier known as Subscriber Permanent Identifier may not be exchanged in the clear, but instead, either a Subscription Concealed Identifier (SUCI) or a pseudonym known as GUTI are exchanged with the AMF of the serving PLMN.
  • the AMF of the PLMN may then forward the SUCI to the home PLMN so that the home PLMN decrypts/verifies it.
  • the described operations like those indicated in the above embodiments may be implemented as program code means of a computer program and/or as dedicated hardware of the related network device or function, respectively.
  • the computer program may be stored and/or distributed on a suitable medium, such as an optical storage medium or a solid-state medium, supplied together with or as part of other hardware, but may also be distributed in other forms, such as via the Internet or other wired or wireless telecommunication systems.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

This invention describes an apparatus and method for selecting an access device adapted to: - receiving, by a UE, an access device selection configuration or policy, - storing, by the UE, the access device selection configuration or policy, and - selecting, by the UE, an access device and/or performing a handover procedure based on the access device selection configuration or policy.

Description

MITIGATING DECOMMISSIONED-NETWORK BIDDING-DOWN ATTACKS IN A WIRELESS SYSTEM
FIELD OF THE INVENTION
This invention and its embodiments relate to methods, apparatuses, and systems for operating a wireless device such as a user equipment to improve network security and/or improve the way wireless devices select an access device and connect to different radio access technologies and networks. In particular, in some embodiments of this invention, the methods and devices detailed in this document are used to improve the network security in the context of coexistence of different network generations or technologies, for example to mitigate decommissioned-network bidding-down attacks in a wireless system such as a cellular system, a WiFi network or the like.
BACKGROUND OF THE INVENTION
In conventional wireless networks, for example in cellular networks, a primary station serves a plurality of secondary stations located within a cell served by this primary station. Wireless communication from the primary station towards each secondary station is done on downlink channels. Conversely, wireless communication from each secondary station towards the primary station is done on uplink channels. The wireless communication can include data traffic (sometimes referred to as User Data), and control information (also sometimes referred to as signalling). This control information typically comprises information to assist the primary station and/or the secondary station to exchange data traffic (e.g. resource allocation/requests, physical transmission parameters, information on the state of the respective stations).
In the context of cellular networks as standardized by 3GPP, the primary station is referred to as a base station, or a gNodeB (or gNB) in 5G (NR) or an eNodeB (or eNB) in 4G (LTE). The eNB/gNB is part of the Radio Access Network RAN, which interfaces to functions in the Core Network (CN). In the same context, the secondary station corresponds to a mobile station, or a User Equipment (or a UE) in 4G/5G, which is a wireless client device or a specific role played by such device. The term “node” is also used to denote either a UE or a gNB/eNB.
Additionally, for example, in the case of PC5 interface or Sidelink communication, it is possible to have Direct communication between secondary stations, here UEs. It is then also possible for UEs to operate as Relays to allow for example out of coverage UEs to get an intermediate (or indirect) connection to the eNB or gNB. To be able to work as a relay, a UE may use discovery messages to establish new connections with other UEs. Therefore, the role of a relay node has been introduced in 3GPP. This relay node is a wireless communication station that includes functionalities for relaying communication between a primary station, e.g. a gNB and a secondary station, e.g. a UE. This relay function for example allows to extend the coverage of a cell to an out-of-coverage (OoC) secondary station. This relay node may be a mobile station or could be a different type of device. In the specifications for 4G, the Proximity Services (ProSe) functions are defined inter alia in TS 23.303, and TS 24.334 to enable, amongst others, connectivity for the cellular User Equipment (UE) that is temporarily not in coverage of the cellular network base station (eNB) serving the cell. This particular function is called ProSe UE-to-network relay, or Relay UE for short. The Relay UE relays application and network traffic in two directions between the OoC UE and the eNB. The local communication between the Relay UE and the OoC UE is called device-to-device (D2D) communication or Sidelink (also known as PC5) communication in TS 23.303 and TS 24.334. Once the relaying relation is established, the OoC-UE is, e.g., IP or Layer 2 connected via the Relay UE and acts in a role of “Remote UE”. This situation means the Remote UE has an indirect network connection to selected functions of the Core Network as opposed to a direct network connection to all Core Network functions that is the normal case.
Further, it has been introduced the role of a UE to UE relay node, i.e., a relay node relaying the communication between two UE devices. The relay node relays the communications between UE devices. UEs may connect to the core network through a base station when in-coverage. In such relay scenarios, the relay devices may receive and store some information for some time before forwarding it towards the target device. This information that may be stored and forwarded may be discovery messages received from a source UE whereby the relay UE may release them at some point of time later. This information that may be stored and forwarded may be a SIB that may contain a timestamp.
Furthermore, cellular networks are evolving to enable more mobile access devices such as satellites, unmanned aerial vehicles, buses or trains that are capable of storing data for some time before forwarding it further. An example relates to a satellite that receives and stores certain data when it is close to a terrestrial gateway and only releases it when the receiving party becomes in coverage. Such mobile access devices may work in a transparent manner or in a regenerative manner. In a transparent mode, the mobile access device acts as a reflector/smart repeater that retransmits the communication sent by, e.g., a gateway, e.g., a Non-Terrestrial Network gateway, towards a UE. In a regenerative mode, the mobile access device works as a base station and is able to set up a connection with a UE. In store and forward mode, the mobile access device may be able to cache some data obtained from the UE or NTN gateway, and transmit it when it is within communication range of the receiver.
Wireless telecommunication network systems have undergone tremendous evolution over the years to meet consumers' increasing demands for high-speed, low-latency, secure, and reliable wireless connectivity. Beginning with first-generation (1G) analog cellular networks, the industry has progressed through several generations of digital cellular technologies, each providing substantial improvements in performance, coverage, capacity, and functionality. Today, fifth generation (5G) wireless networks are being rapidly deployed worldwide, offering unprecedented levels of data speed, network capacity, and low-latency connectivity to support a range of emerging applications and services, such as IoT, autonomous vehicles, virtual and augmented reality, and industrial automation. Furthermore, different types of radio access network technologies are being supported, including terrestrial and nonterrestrial networks. The goal of these advancements is simple: to provide consumers with seamless, ubiquitous, and secure wireless connectivity that meets the ever-growing demands of modern digital life.
As newer generations of cellular technology and new radio access technologies are introduced, Mobile Network Operators (MNOs) shift their focus and investments towards these newest generation networks while phasing out older generations. This phasing out, or decommissioning/restricting, of older generation networks happens gradually, and may be subject to several criteria e.g., demand, availability and coverage of newer generation RANs, population distribution, etc. At the time of writing, many MNOs have announced the decommissioning of their 2G or 3G networks in favor of 4G/5G networks and given the weaker protection in these older generation networks (e.g., 2G/3G), this initiative could have a significant impact on the security of subscribers’ User Equipment (UE), as newer generation networks feature, among other functionalities, security enhancements as well. In their attempt to compromise subscribers’ UEs, malicious actors could leverage existing procedures to trick UEs into connecting to Fake Base Stations (FBS) running older generation networks (e.g., 2G/3G), thus intentionally exposing the UEs to the many known attacks pertaining to these older generation networks (e.g., 2G/3G). Furthermore, UEs may not always be able to use all networks or radio access technologies, e.g., because some networks or radio access technologies may not be available, or they may be restricted by the network (e.g., as a form of access technology utilization control in e.g., national roaming scenarios).
SUMMARY OF THE INVENTION
An aim of the invention is to address the above problems by providing solutions mitigating decommissioned-networks bidding-down attacks and/or by providing means to improve how a UE can select a network or a radio access technology and/or perform a mobility procedure between networks and/or radio access technologies.
This is enabled by the apparatuses in second aspect, fourth aspect and sixth aspect of the invention, the methods in the first aspect, third aspect and fifth aspect of the invention and the computer program as in the seventh aspect of the invention as defined in the appended claims.
In a first aspect of the invention, it is proposed a method for selecting an access device, the method comprising:
- receiving, by a UE, an access device selection configuration and/or policy,
- storing, by the UE, the access device selection configuration and/or policy, and
- selecting, by the UE, an access device and/or performing a handover procedure based on the access device selection configuration and/or policy.
In a second aspect of the invention, it is proposed an apparatus for selecting an access device comprising:
- a receiver adapted to receive an access device selection configuration or policy,
- a memory adapted to store the access device selection configuration or policy, and
- a controller adapted to select an access device and/or performing a handover procedure based on the access device selection configuration or policy.
In a third aspect of the invention, it is proposed a method for access device selection assistance, the method comprising:
- receiving, by an access device, a request for an access device selection configuration or policy from a first device, and
- determining, by an access device, whether the access device selection configuration or policy is available locally, and if not request and receive the access device selection configuration or policy and/or selection configuration from a core network,
- sending, by an access device, the access device selection configuration or policy to the first device.
In a fourth aspect of the invention, it is proposed an apparatus for access device selection assistance comprising:
- a receiver adapted to receive a request for an access device selection configuration or policy from a first device,
- a controller adapted to determine whether the access device selection configuration or policy is available locally, and if not request and receive the access device selection configuration or policy and/or selection configuration from a core network,
- a transmitter adapted to send the access device selection configuration or policy to the first device.
In a fifth aspect of the invention, it is proposed a method for access device (re- )selection assistance comprising the steps of:
- performing, by a first access device, a mobility procedure of a first device from the first access device to at least a second access device, and
- informing the second access device, by the first access device, about the access device selection configuration and/or policy of the first device,
- wherein informing the second access device, by the first access device, about the access device selection configuration and/or policy of the first device is performed in:
- an initial HANDOVER Request, or
- after confirmation of the HANDOVER to the second access device.
In a sixth aspect of the invention, it is proposed an apparatus for access device selection assistance comprising a controller adapted
- to perform a mobility procedure of a first device from the first access device to at least a second access device, and
- to inform the second access device about the access device selection configuration and/or policy of the first device, wherein informing the second access device about the access device selection configuration and/or policy of the first device is performed by the controller by causing a transceiver to exchange the access device selection configuration and/or policy in:
- an initial HANDOVER Request, or
- after confirmation of the HANDOVER to the second access device.
In a seventh aspect of the invention, it is proposed a computer program for selecting an access device, wherein the program comprises instructions implementing the apparatus of the second and fourth aspects of the invention.
In a first option that may be combined with the first aspect of the invention, the access device selection configuration or policy includes at least one of:
- a whitelist of one or more access devices or one or more groups of access devices,
- a blacklist of one or more access devices or groups of access devices, wherein at least some of the access devices, and/or at least some of the groups of access devices in the whitelist and/or the blacklist are identified according to at least one of: a given cell ID of the access device, a tracking area and/or a registration area of the access device, an operational schedule of the access device, a wireless network generation of the access device, a list of at least one mobile country code, a list of at least one mobile network code.
In a further option that may be combined with the first option of the first aspect of the invention, it is proposed one or more of the following options:
- legacy wireless network generation access devices with mobile network codes of a mobile country code different from the mobile country code of the UE’s home PLMN are blacklisted, and/or
- legacy wireless network generation access devices with mobile network codes of a mobile country code different from the mobile country code of the UE’s home PLMN are whitelisted based on whether their mobile network codes, associated with the mobile country code, are whitelisted; and/or
- legacy wireless network generation access devices with mobile network codes of a mobile country code different from the mobile country code of the UE’s home PLMN are blacklisted based on whether their mobile network codes, associated with the mobile country code, are blacklisted/restricted;
- legacy wireless network generation access devices associated to a PLMN with a mobile country code equal to the mobile country code of the UE’s home PLMN are whitelisted, or are whitelisted/blacklisted based on whether their mobile network codes, associated with the mobile country code, are whitelisted/blacklisted; and/or
- legacy wireless network generation access devices associated with a PLMN with a mobile country code that is not associated with the country where the UE is currently located are blacklisted; and/or
- legacy wireless network generation access devices associated to a PLMN with a mobile country code associated with an international and/or satellite network operator that is different from the mobile country code used in the country where the UE is currently located are blacklisted, or are whitelisted/blacklisted based on whether their mobile network codes, associated with the international and/or satellite network operator(s), are whitelisted/blacklisted.
In a further option that may be combined with any option of the first aspect of the invention, the whitelist and/or blacklist included in the access device configuration or policy are stored along with a respective validity time.
In a further option that may be combined with the first aspect of the invention or other options of it, the access device selection configuration or policy includes an operational condition under which an access device may be blacklisted and/or whitelisted and the method is adapted to determining, by the UE, the operational condition(s), and selecting an access device, by the UE, based on the received pilot signals, the access device selection configuration or policy, and the operational condition.
In a further option that may be combined with the first aspect of the invention or other options of it, the method is adapted to receive or request, by the UE, the access device selection configuration or policy or choice with or through at least one of:
- a second UE,
- an access device,
- an access device of a more recent generation than the wireless generation access device preselected,
- a network function in a core network,
- a network function in the home network,
- an OAM,
- an application function, and
- USIM/UICC.
In a further option that may be combined with the first aspect of the invention or other options of it, the method comprises storing the access device selection configuration and/or policy in the USIM/UICC.
In a further option that may be combined with the first aspect of the invention or other options of it, the method is adapted to receive or request, by the UE, the access device selection configuration or policy: when the UE is located in an area for which it lacks a valid access device selection configuration or policy, and/or when the access device selection configuration or policy has expired.
In a second option that may be combined with the first aspect of the invention or other options of it, the method is adapted to receive, by the UE, the access device selection configuration or policy: in an Information Element in an RRC message, and/or in a SIB, and/or in a paging message, and/or in a NAS message, and/or in an UPU message, and/or in an UCU message.
In a further option that may be combined with the second option of the first aspect of the invention, the method comprises receiving, by the UE, the access device selection configuration or policy in a registration accept message, such that the restriction may be based on one of, or a multitude of information elements, which include: a list of at least one decommissioned PLMN; and/or a list of at least one decommissioned cell identifier; and/or a list of at least one RAN area code; and/or a list of location information (e.g., tracking area codes) corresponding to at least one (de)commissioned older generation network access device or access device type.
In a further option that may be combined with the second option of the first aspect of the invention, when the access device selection configuration or policy is received by a UE in a message such as a NAS reject message and the message is not integrity protected, the UE discards the message including the access device selection configuration or policy therein according to a rejection policy.
In a further option that may be combined with the first aspect of the invention or other options of it, wherein the access device selection configuration or policy is signed by an entity managing the access device selection configuration or policy, and wherein the method comprises the UE verifying the access device selection configuration or policy based on the public key of the entity managing the access device selection configuration or policy.
In a further option that may be combined with the first aspect of the invention or other options of it, the access device selection configuration or policy is updated periodically, or on-demand, and/or in a conditional manner.
In a further option that may be combined with the first aspect of the invention or other options of it, the access device selection configuration or policy contains a whitelist and/or a blacklist of access devices or groups of access devices and wherein the whitelist and/or blacklist are determined and provisioned to the UE based on the historical mobility pattern or real-time location and/or movement trajectory of the UE.
In a further option that may be combined with the first aspect of the invention or other options of it, the method comprises predicting, by a UE, the tracking areas/cells towards which the UE is moving to, and based on whether: a) the UE is configured with whitelists corresponding to the predicted tracking areas/cells; and/or b) the status of the older generation network access devices within the predicted tracking areas/cells has changed (i.e., configured whitelists at the UE became outdated); wherein the whitelists configured at the UE, corresponding to the older generation network access devices within the predicted tracking areas/cells are updated accordingly.
In a further option that may be combined with the first aspect of the invention or other options of it, the access device selection configuration or policy is updated on-demand or in a conditional manner and wherein the method further comprises: determining, by the network, the configuration for the UE; predicting, by the network, the tracking areas/cells towards which the UE is moving, based on historical mobility data, and/or real-time location information, and/or movement direction/trajectory information, and/or velocity; and determining, by the network, whether the whitelists configured at the user equipment need to be updated, wherein the whitelists correspond to the older generation network access devices within the predicted tracking areas/cells.
In a further option that may be combined with the first aspect of the invention or other options of it, the method further comprises the steps of:
- obtaining, by the UE, pilot signals from one or more access devices,
- selecting, by the UE, an access device based on the pilot signals and the access device selection configuration or policy.
In a further option that may be combined with the first aspect of the invention or other options of it, the method for network (re-)selection with network assistance further comprises: receiving, by the UE, signals from different network access devices which may correspond to different network generations; and compiling, by the UE, measurement reports corresponding to signals received from the different network access devices and ordering said measurement reports based on its selection criteria; selecting, by the UE, the most recent network generation access device available to access the network and performing the initial access procedure; communicating, by the UE, the ordered list of measurement reports to the network in a request message, e.g., the registration/attach request; receiving, by the UE, in a response message, e.g., the registration response message, the ordered list of network access devices prioritized according to the network, and indicating the status of each network access device, and based on said ordered list, performing, by the UE, cell (re-)selection or network access through the pre-selected access device.
In a further option that may be combined with the previous option, the method further comprises the steps of:
- analyzing, by the UE, the pilot signal features over a period of time and
- determining, by the UE, based on the access device selection configuration or policy the positive, negative or inconclusive selection of an access device.
In a further option that may be combined with the previous option, the method comprises requesting, by the UE, if inconclusive selection of an access device, network assistance to determine the access device legitimacy.
In a further option that may be combined with the previous option, the method is such that:
- the pilot signal is a synchronization signal of the device, and/or
- the pilot signal features include the signal strength, and/or
- the access device selection configuration or policy is determined, and adapted or updated by an AI model, and/or
- the access device selection configuration or policy is a threshold value or range of a configured similarity measurement.
In a further option that may be combined with the first aspect of the invention or other options of it, the method comprises requesting, by a UE lacking the status of one or more older generation networks, network assistance to determine the network status of one, or multiple older generation networks during the random-access including an indication of the cell or cell generation to check.
In a further option that may be combined with the previous option, the method comprises receiving, by the user equipment, a response with an access device selection configuration and/or policy that may include: a bitstring whose length corresponds to the number (N) of cell IDs indicated by the user equipment, and whose bits correspond respectively to the legitimacy evaluation results of said cell IDs; and/or the cell IDs, or an indication thereof, of the cells whose legitimacy verification failed.
In a further option that may be combined with the previous option, wherein the configuration or policy comprises one or more of:
- a cryptographic function,
- a secret key,
- input parameters to the cryptographic function comprising at least one of:
  - an input identifier (e.g., cell ID, tracking area ID);
  - Cell/RAT type;
  - Network generation;
  - Cell location information (e.g., longitude and latitude);
  - Current time (e.g., UTC time) and/or time resolution;
- expected output values of the cryptographic function,
and the step of selecting, by the UE, an access device based on the access device selection configuration and/or policy comprises:
- receiving or obtaining input parameters,
- computing an output value by using the cryptographic function taking as input the received or obtained input parameters and the secret key; and
- performing one of:
  - comparing the computed output value to an expected output value saved at the device as part of the configuration; or
  - querying the network using the computed output value to determine the network access device validity and legitimacy.
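The keyed check described in this option can be sketched as follows. This is an added example, not code from the application: HMAC-SHA-256 stands in for the unspecified cryptographic function, and the field encoding, the `SelectionConfig` container, the `provision` helper and all sample values are assumptions.

```python
"""Added example: keyed check of an older-generation cell's broadcast parameters."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CellParams:
    """Input parameters named on the page; the field encoding is an assumption."""
    cell_id: int
    rat_type: str        # e.g. "GERAN" (2G) or "UTRAN" (3G)
    generation: int      # network generation, e.g. 2 or 3
    lat_udeg: int        # latitude in micro-degrees
    lon_udeg: int        # longitude in micro-degrees


@dataclass
class SelectionConfig:
    """Hypothetical container for the provisioned configuration."""
    key: bytes
    resolution_s: int    # time resolution of the "current time" input
    first_window: int    # first time window covered by the expected outputs
    last_window: int     # last time window covered
    expected: set = field(default_factory=set)


def encode(params: CellParams, window: int) -> bytes:
    # Fixed-width fields plus a length-prefixed RAT string, so two different
    # parameter sets can never serialise to the same byte string.
    rat = params.rat_type.encode("ascii")
    return (struct.pack(">QB", params.cell_id, len(rat)) + rat +
            struct.pack(">BiiQ", params.generation, params.lat_udeg,
                        params.lon_udeg, window))


def compute_output(key: bytes, params: CellParams, window: int) -> bytes:
    # HMAC-SHA-256 is an assumed choice of cryptographic function.
    return hmac.new(key, encode(params, window), hashlib.sha256).digest()


def provision(key, cells, start_utc, resolution_s, n_windows) -> SelectionConfig:
    """Network side (assumed): precompute expected outputs for permitted cells."""
    first = start_utc // resolution_s
    cfg = SelectionConfig(key, resolution_s, first, first + n_windows - 1)
    for window in range(first, first + n_windows):
        for cell in cells:
            cfg.expected.add(compute_output(key, cell, window))
    return cfg


def check_cell(cfg: SelectionConfig, observed: CellParams, now_utc: int) -> str:
    """UE side: 'valid', 'invalid', or 'inconclusive' (configuration out of date)."""
    window = now_utc // cfg.resolution_s
    if not cfg.first_window <= window <= cfg.last_window:
        # No expected value covers this time: do not guess, ask the network.
        return "inconclusive"
    out = compute_output(cfg.key, observed, window)
    match = False
    for exp in cfg.expected:
        # compare_digest avoids leaking how many leading bytes matched.
        match |= hmac.compare_digest(out, exp)
    return "valid" if match else "invalid"


# Constructed sample data (not from the page).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
LEGIT = CellParams(0x1A2B, "GERAN", 2, 51_441_600, 5_469_700)
# Same cell ID and RAT, but announced from a different location.
MISMATCH = CellParams(0x1A2B, "GERAN", 2, 51_500_000, 5_469_700)
T0 = 1_750_000_000
CFG = provision(KEY, [LEGIT], T0, 3600, 24)

if __name__ == "__main__":
    print(check_cell(CFG, LEGIT, T0 + 5000))
    print(check_cell(CFG, MISMATCH, T0 + 5000))
    print(check_cell(CFG, LEGIT, T0 + 25 * 3600))
```

The "inconclusive" result corresponds to the second branch of the option, where the UE queries the network with the computed value instead of deciding locally.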
In a further option that may be combined with the previous option, the method comprises allowing selecting, by the UE, a blacklisted access device based on the access device selection configuration and/or policy when the UE requires emergency services.
It shall be understood that a preferred embodiment of the invention can also be any combination of the dependent claims or above embodiments with the respective independent claim.
These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments described hereinafter.
BRIEF DESCRIPTION OF THE DRAWINGS
In the following drawings:
Figure 1 schematically represents cells where serving base stations correspond to different network generations.
Figure 2 illustrates signal strength levels associated with different base stations, as monitored by a User Equipment.
Figure 3 describes an exemplary procedure to request the network to verify and assist a User Equipment in access device selection.
Figure 4 schematically represents cells corresponding to different network generations and the mobility patterns of a set of UEs across these cells; and
Figure 5 schematically represents the overall cellular system including UEs, RAN, and core network.
DETAILED DESCRIPTION OF EMBODIMENTS
Embodiments of the present invention are now described based on a cellular communication network environment based on cellular communication technologies, such as 2G, 3G, 4G, 5G or 6G. However, the present invention and its embodiments may also be used in connection with other wireless technologies, and in particular to the connection setup of devices trying to access a wireless network. A typical example is a cellular network, for example a 5G network, possibly including some relay nodes. These relay nodes may be implemented by UEs, such as Sidelink compatible UEs which can operate as relay nodes, or by other types of repeaters.
Throughout the present disclosure, the abbreviation “gNB” (5G terminology) or “BS” (base station) or the term “access device” is intended to mean a wireless access device such as a cellular base station or a Wi-Fi access point or an ultrawide band (UWB) personal area network (PAN) coordinator. The gNB may consist of a centralized control plane unit (gNB-CU-CP), multiple centralized user plane units (gNB-CU-UPs) and/or multiple distributed units (gNB-DUs). The gNB is part of a radio access network (RAN), which provides an interface to functions in the core network (CN). The RAN is part of a wireless communication network. It implements a radio access technology (RAT). Conceptually, it resides between a communication device such as a mobile phone, a computer, or any remotely controlled machine and provides connection with its CN. The CN is the communication network’s core part, which offers numerous services to customers who are interconnected via the RAN. More specifically, it directs communication streams over the communication network and possibly other networks.
Furthermore, the terms “base station” (BS) and “network” may be used as synonyms in this disclosure. This means for example that when it is written that the “network” performs a certain operation it may be performed by a CN function of a wireless communication network, or by one or more base stations that are part of such a wireless communication network, and vice versa. It can also mean that part of the functionality is performed by a CN function of the wireless communication network and part of the functionality by the base station.
Introduction
Wireless telecommunication network systems have undergone tremendous evolution over the years to meet consumers' increasing demands for high-speed, low-latency, secure, and reliable wireless connectivity. Beginning with first-generation (1G) analog cellular networks, the industry has progressed through several generations of digital cellular technologies, each providing substantial improvements in performance, coverage, capacity, and functionality. Today, fifth generation (5G) wireless networks are being rapidly deployed worldwide, offering unprecedented levels of data speed, network capacity, and low-latency connectivity to support a range of emerging applications and services, such as IoT, autonomous vehicles, virtual and augmented reality, and industrial automation. The goal of these advancements is simple: to provide consumers with seamless, ubiquitous, and secure wireless connectivity that meets the ever-growing demands of modern digital life. As newer generations of the cellular technology are introduced, Mobile Network Operators (MNOs) shift their focus and investments towards these newest generation networks while phasing out older generations. This phasing out, or decommissioning, of older generation networks happens gradually, and may be subject to several criteria e.g., demand, availability and coverage of newer generation RANs, population distribution, etc. At the time of writing, many MNOs have announced the decommissioning of their 2G or 3G networks in favor of 4G/5G networks and given the weaker protection in these (older) generations (e.g., 2G/3G), this initiative could have a significant impact on the security of subscribers’ User Equipments (UE), as newer generation networks feature, among other functionalities, security enhancements as well.
In their attempt to compromise subscribers’ UEs, malicious actors try to leverage existing procedures to trick UEs into connecting to Fake Base Stations (FBS) running older generation networks (e.g., 2G/3G), thus intentionally exposing the UEs to the many known attacks pertaining to these older generation networks (e.g., 2G/3G).
To address the threats and potential attacks which leverage bidding down attacks in the context of decommissioned older generation networks, the 3GPP SA3 Working Group (WG) has approved a new study, as part of the 3GPP Release 19 package, entitled “Study on mitigations against bidding down attacks” [1]. The objectives of this study are to:
Identify scenarios and threats in the context of decommissioning of 2G/3G networks, e.g., cell (re)selection or forced handovers on 2G or 3G once 4G and 5G signalling are blocked when 2G/3G networks are decommissioned; and,
Study solutions for the identified security threats and requirements.
As such, the invention described herein aims at addressing the security threats associated with decommissioned older generation networks and provide future proof methods and solutions to mitigate and prevent bidding down attacks in that context.
With the decommissioning of older generation networks (e.g., 2G/3G) occurring gradually, users and their user equipment(s), which are typically connected to newer generation networks (e.g., 4G/5G), may still be subject to the potential threats associated with older generation networks. Given the numerous procedures for UEs connected to 4G/5G to establish a connection with 2G/3G base stations i.e. interworking from 4G to 2G/3G particularly, and interworking between networks from different generations in general (including inter RAT handover procedure and RAU procedure), CSFB procedure (including redirection from 4G to 2G/3G), SRVCC from 5G to 3G, and cell selection once 5G and 4G is unavailable [1], UEs may be vulnerable to bidding down attacks e.g., a malicious actor may trick, or force, a UE into connecting to a 2G/3G Fake Base Station (FBS), thus exposing the UE to vulnerabilities and attacks (e.g., fraudulent SMS or phone calls) pertaining to these older generation networks. Furthermore, although older generation networks (e.g., 2G/3G) may be decommissioned, or generally restricted (e.g., in a particular area or across a network), if the UE is not aware of the decommissioning, and/or is not properly configured to avoid connecting to these restricted access networks, the UE may fall victim to a bidding down attack launched by a malicious actor, or failure cases that could have otherwise been avoided by checking restrictions.
Currently, in the context of decommissioned older generation networks (e.g., 2G/3G), the 3GPP specifications do not provide measures and/or mechanisms to protect the User Equipment (UE) against bidding down attacks. It is thus the object of the present invention to improve UEs’ capabilities and/or mechanisms to recognize whether the signals (e.g., synchronization signals) received from a network access device (e.g., base station) are associated with a decommissioned network, and provide measures aimed at protecting the UE and mitigating bidding down attacks. It is also the object of the present invention to provide the 3GPP system with a means to restrict access of UEs to the network through one or more access technologies, this may be used by network operators e.g., to control UEs using their resources in certain scenarios such as national roaming. For instance, by providing UEs with a configuration which restricts them from accessing selected access technologies, the network could save resources which would otherwise be used to handle repetitive attempts by UEs to access the network.
Hereafter, the following embodiments will elaborate on the several aspects of the invention.
It is worth noting that although the embodiments are described in reference to 2G/3G being the older network generations and 4G/5G being the newest network generations, reference to these network generations is in accordance with the operational network generations deployed at the time of writing, and it is as such meant to be exemplary, and thus not bound and/or limited to the network generations being referenced, nor is it bound to a particular use (e.g., decommissioning). The embodiments of the invention would be equally applicable by considering 5G as the (legacy or restricted) network for example compared to a network compatible with other network generations e.g., 6G or beyond or a future technology.
To access the network, a User Equipment (UE) (e.g., after turning on) monitors synchronization signals e.g., Synchronization Signal Blocks (SSBs) broadcasted by access devices (i.e., Base stations (BS) e.g., gNB, eNB, node B, Base Transceiver Station (BTS)) in its proximity, and based on these synchronization signals, the UE selects a cell/BS to which it will connect in such a way that the BS provides the best overall signal quality and network coverage for the UE’s service requirements. However, the UE does not currently have any filtering criteria and/or means to determine whether an older network generation (e.g., 2G/3G) is decommissioned and is, therefore, not to be considered when performing the BS selection. The lack of said means enables malicious actors to set up Fake Base Stations (FBS) and launch Bidding down attacks to lure UEs to select the FBS to connect through. It is therefore the object of the following embodiments to alleviate the threat of Bidding down attacks in the context of Decommissioned older generation networks.
Whitelist-based approach for older generation access device selection
In a first embodiment that may be combined with other embodiments or used independently, and in reference to Fig. 1 , a UE may be provisioned/configured by the network with a list of whitelisted cells and/or tracking areas (TAs), and/or Registration Areas (RAs) in which access through older generation networks is still permitted, while the default behaviour the UE may be configured to exhibit when camping/roaming in non-whitelisted cells and/or tracking areas and/or registration areas is to ignore older generation networks given their decommissioning. For instance, in a Registration area where all cells are allowed to operate older generation base stations, the UE may be configured to have the entire registration area whitelisted. For instance, if access through older generation base stations is only allowed in certain Tracking Areas (TAs), the UE may be configured to only allow older generation base station selection in these whitelisted TAs. Similarly, the UE may be configured with a list, in which only particular cells within a TA (or list of TAs) are whitelisted. Additionally, or alternatively, the UE may be provisioned/configured with nested lists, wherein the nested lists, if any, contain only the TAs/Cells which are to be whitelisted. For instance, the UE may be provisioned/configured with the exemplary list below, wherein Registration Area 3 is entirely whitelisted (i.e., all Tracking Areas and cell within are whitelisted), whereas in Registration Area 1 , only Tracking Area 4 (i.e., all cells within) and Cells X and Y of the Tracking Area 2 are whitelisted.
In another embodiment that may be combined with other embodiments or used independently, and with reference to Figure 5 and Fig. 4, the network may selectively provision/configure UEs only with the whitelisted Cells/TAs/RAs that are relevant to the UE. That is, the network may rely on historical and statistical data of the UE mobility to determine UE Mobility pattern (as described in 5.3.4.2 of TS 23.501) and based on whether the whitelisted RAs/TA/Cells correspond to the areas/cells in which the UE is mostly active, the network may provision the UE with said whitelists. For instance, in Fig.4, the top -left drawing illustrates a networkwide (e.g., across a country) categorization of Registration Areas (RAs) and the Cells to be whitelisted therein. The top-right and bottom drawings correspond to a heatmap illustrating areas in which UEs (i.e., UE1 , UE2, and UE3) are most active in, based on the analytics of their historical mobility data. The network (e.g., AMF) may hence tailor the configuration of whitelisted RAs/TAs/Cells to the mobility profile of the UE. For instance, since UE1 seems to be active in most RAs, the network may provision/configure the UE with the whitelisted RAs and TAs/Cells within corresponding to all the RAs. For instance, UE2 seems to be more active in RA3 and RA4, the network may thus choose to provision/configure it with whitelists corresponding only to these two RAs.
In another embodiment that may be combined with other embodiments or used independently, a Network Function (NF) or the Operation, Administration and Maintenance (OAM) system may be responsible for the cell categorization based on the criteria described above. For example, a NF or the OAM may assign each cell a priority level and a whitelist flag indicating whether the cell is whitelisted or not. Another NF may be responsible for the management of the UE Mobility Pattern, which may include collecting, storing, analyzing, and updating the historical and statistical data of the UE mobility. For example, this NF may be the AMF or a separate entity that interacts with the AMF. The NF responsible forthe UE Mobility Pattern may request information about the cell categorization for a given UE from the NF or the OAM responsible for the cell categorization, after interacting with the previous NFs or the OAM. For example, the NF responsible for the UE Mobility Pattern may receive a Registration Request or a Tracking Area Update Request from the UE, and then query the NF or the OAM responsible for the cell categorization to obtain the priority levels and the whitelist flags of the cells in the areas where the UE is registered or moving to. The NF responsible for the UE Mobility Pattern may then provide the information about the cell categorization to the UE, along with the lists of whitelisted RAs/TAs/Cells that are relevant to the UE based on its mobility pattern. The UE may use this information to perform the cell selection/reselection procedures as described above.
In another embodiment that may be combined with other embodiments or used independently, the lists of whitelisted RAs/TAs/Cells provisioned/configured at the UE may be updated regularly (e.g., periodically) to reflect potential changes in UE’s mobility pattern during a period of time, and/or on-demand e.g., based on UE request, and/or in a conditional manner e.g., UE mobility towards a RA and/or TA that is not part of the UE’s configuration, in which case, the network (e.g., AMF) may trigger an update of said list to include the RAs/TAs which the UE may be moving towards. Additionally, or alternatively, the network may, based on a set of criteria e.g., UE historical mobility data, real-time location information, movement direction, velocity, RAT types providing coverage, and/or a change of RAT status (e.g., from operational to decommissioned), etc predict the RA/TAs/Cells the UE may be moving towards and determine the status of RATs within these areas, and in case the UE is not configured with the whitelists corresponding to these RAs/TAs/Cells, or if the whitelists are outdated, the network may trigger an update of the lists configured at the UE.
In another embodiment that may be combined with other embodiments or used independently, if the update for the whitelisted RAs/TAs/Cells is performed on-demand (i.e., on UE’s request), the UE may indicate to the network which TAs/Cells it requires an update for (e.g., in the registration/attach request message), in which case the network may verify whether the UE is allowed to get such updates based on network-defined criteria, e.g., UE has to be located within a predefined distance from the TAs/Cells in question, configured by the network, or restriction due to the nature of the area in question (e.g., military area), etc. Thus, if the UE is not allowed to get such updates, the network may send a reject message which may have an indication of the failure cause, and/or a back-off timer to retry once the UE is closer to the TAs/Cells in question (e.g., if failure was due to being at a distance greater than the network-defined one).
In another embodiment that may be combined with other embodiments or used independently, instead of provisioning/configuring the UE with whitelists corresponding to areas in which it is the most active, the network may do the opposite; that is, the network may provision the UE with the whitelists corresponding to the areas which the UE may be (or likely to be) the least active in. This has the advantage of reducing potential signalling required to perform updates to the whitelists e.g., as the network detects and/or predicts that the UE is moving into an area that the UE is not configured with whitelists for.
In another embodiment that may be combined with other embodiments or used independently, as the UE’s default behavior may be to discard/ignore synchronization signals from older generation access devices in areas (e.g., RAs/TAs/Cell) that are not whitelisted, the UE may not be able to make the distinction between Non-whitelisted areas (e.g., RAs/TAs/Cells), and areas that were not considered by the network (e.g., during UE configuration) in the whitelisting process. For instance, if a UE is only configured with whitelists corresponding to RA1 and RA2 (e.g., as UE is more/less active in those areas), the UE may by default consider that a RA3 (and the TAs/Cell therein) is not whitelisted, when it may, in fact, be partially (e.g., certain TAs and/or Cells) or fully whitelisted. This may occur for instance if the UE’s configured list of whitelisted areas is not updated, and the UE has moved to an area that is not covered by its configuration. To address this issue, the UE may be configured to only consider the status of whitelisted RAs (and TAs/Cells therein) that it is configured with; that is, for Registration Areas which contain whitelisted TAs (or Cells), the default behavior of the UE with regards to other non-whitelisted TAs or Cells therein is to ignore/discard synchronization signals from older network generations in them, whereas for RAs that are not part of the list, the UE may be configured to perform/trigger a whitelist update procedure to include the new RA (and TAs/Cells therein) it is roaming in or moving towards.
In another embodiment that may be used in combination with other embodiments or used independently, the network may provision/configure the UE with whitelist(s) that are associated with an expiration time, after which the UE is required to renew the whitelists. For example, the network may send a message to the UE containing one or more whitelists and a validity period (e.g., in seconds, minutes, hours, days, etc.) for each whitelist. The UE may store the whitelists and the validity period in its memory and use them to determine whether to ignore/discard synchronization signals from older generation networks in the corresponding areas. However, if the validity period of a whitelist expires, the UE may not use that whitelist anymore and may request the network to update it. This may ensure that the UE always has up-to-date information about the status and legitimacy of older generation networks in the areas it is roaming. Alternatively, the UE may periodically request the network to update the whitelists regardless of their validity period, or the network may proactively update the whitelists without waiting for the UE's request.
In another embodiment that may be used in combination with other embodiments or used independently, the network may also provision/configure the UE with information about the operational schedule of (older generation) cells (e.g., 2G/3G) that are not permanently decommissioned but may operate only at certain times or days. For example, some cells may be turned off during nighttime or weekends to save energy or reduce interference, while others may be activated only when there is high demand or emergency situations. In such cases, the UE may receive from the network a message containing one or more whitelists that include not only the identities and locations of older generation cells, but also their operational schedule (e.g., start and end time, frequency, duration, etc.).
The UE may store this information in its memory and use it to determine whether to ignore/discard synchronization signals from older generation networks in the corresponding areas and times. For instance, if the UE receives a synchronization signal from an older generation cell that is supposed to be inactive according to its operational schedule, the UE may suspect that the signal is coming from a fake base station and may avoid camping on or connecting to it. Alternatively, the UE may request the network to verify the legitimacy of the older generation cell before camping on or connecting to it. This may prevent the UE from being lured by an attacker exploiting the temporal gaps in the older generation network coverage.
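The UE-side decision described in the preceding embodiments (Registration Area missing from the configuration, whitelist validity period, operational schedule) can be sketched as follows. This is an added example, not part of the application; the class names, outcome labels, cell identifiers and the sample configuration are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone


@dataclass(frozen=True)
class Window:
    """Operational window of a legacy cell (assumed representation)."""
    weekdays: frozenset  # 0 = Monday ... 6 = Sunday, day on which the window starts
    start: time
    end: time            # end <= start means the window wraps past midnight

    def contains(self, t: datetime) -> bool:
        tod = t.time()
        if self.start < self.end:
            return t.weekday() in self.weekdays and self.start <= tod < self.end
        if tod >= self.start:        # late part of a wrapping window, same day
            return t.weekday() in self.weekdays
        if tod < self.end:           # early part, belongs to the previous day
            return (t.weekday() - 1) % 7 in self.weekdays
        return False


@dataclass(frozen=True)
class Whitelist:
    issued_at: datetime
    validity: timedelta
    cells: dict  # cell id -> tuple of Window; empty tuple = always operational


def evaluate_legacy_signal(config, ra, cell_id, now):
    """Return the UE action for a sync signal from a legacy (2G/3G) cell."""
    wl = config.get(ra)
    if wl is None:
        # The RA was never considered in the UE configuration: do not assume
        # "not whitelisted", trigger a whitelist update for this RA instead.
        return "REQUEST_WHITELIST_UPDATE"
    if now >= wl.issued_at + wl.validity:
        return "RENEW_EXPIRED_WHITELIST"   # validity period elapsed
    if cell_id not in wl.cells:
        return "IGNORE_SIGNAL"             # configured RA, cell not whitelisted
    windows = wl.cells[cell_id]
    if windows and not any(w.contains(now) for w in windows):
        return "SUSPECT_OFF_SCHEDULE"      # cell should be inactive right now
    return "CANDIDATE"


UTC = timezone.utc
# Constructed sample configuration: one RA, one scheduled 2G cell, one 3G cell.
SAMPLE_CONFIG = {
    "RA1": Whitelist(
        issued_at=datetime(2025, 1, 6, tzinfo=UTC),  # a Monday
        validity=timedelta(days=7),
        cells={
            "2G-0001": (Window(frozenset(range(5)), time(6), time(22)),),
            "3G-0002": (),
        },
    ),
}

if __name__ == "__main__":
    for ra, cell, when in [
        ("RA1", "2G-0001", datetime(2025, 1, 6, 12, 0, tzinfo=UTC)),
        ("RA1", "2G-0001", datetime(2025, 1, 6, 23, 30, tzinfo=UTC)),
        ("RA1", "2G-9999", datetime(2025, 1, 7, 12, 0, tzinfo=UTC)),
        ("RA3", "2G-0001", datetime(2025, 1, 7, 12, 0, tzinfo=UTC)),
        ("RA1", "3G-0002", datetime(2025, 1, 14, 12, 0, tzinfo=UTC)),
    ]:
        print(ra, cell, when.isoformat(), evaluate_legacy_signal(SAMPLE_CONFIG, ra, cell, when))
```

The ordering of the checks matters: an unconfigured RA and an expired whitelist both lead to a request to the network, so a stale or missing list is never read as permission or as proof of decommissioning.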
In TS 23.501, clause 5.3.4.1.2, a method is described by which the network restricts services to the UE. Namely, the UE’s subscription data in the UDM includes service area restriction which may contain either Allowed or Non-Allowed areas specified by using explicit Tracking Area Identities and/or other geographical information (e.g., longitude/latitude, zip code, etc.). The AMF provides the Service Area Restriction in the form of TA(s), which may be a subset of the full list stored in UE's subscription data or provided by the PCF to the UE during the Registration procedure. The limited allowed areas could be pre-configured or dynamically assigned by the AMF to the UE. The same mechanism may be re-used to address the issue with decommissioned networks; thus, in an embodiment, the AMF may indicate to the UE whether a network generation (e.g., 2G) is Allowed or Not-Allowed (e.g., determined by TA Identity, or geolocation information, etc., or a combination as described in the following embodiments) through Service Area Restriction Information, where restriction of services may be limited to a network generation (or a set of network generations), which may be indicated by a network generation (or set of network generations) indication (e.g., radio access technology type (RAT)) added to the Service Area Restriction Information. Furthermore, the network may selectively restrict access through older network generations to a set of UEs, while it allows access through the same network generations to other UEs (e.g., police, firefighters, etc.); as such, the restriction profile for (older) network generations may also be part of UE’s subscription in the UDM.
In another embodiment that may be combined with other embodiments or used independently, the list of decommissioned PLMNs may be communicated to the UE upon a successful registration (e.g., in the Registration Accept message), although the list of PLMNs may not be sufficient as restriction may be location dependent (i.e., the same PLMN may allow access through an older generation network BS (e.g., RAT type) in one TA, but not in another); hence, the decommissioned PLMNs communicated to the UE in the registration access message may need to be enriched with location information (e.g., Tracking Area Code (TAC), or other geolocation information, e.g., longitude/latitude), or specific cell identifiers, or RAN area code, or specific network generation. The AMF may also provide the UE with PLMN-IdentityInfoList, as defined in TS 38.331, corresponding to the whitelisted (Allowed) and/or blacklisted (Non-Allowed) PLMNs upon successful registration. Additionally, the list of decommissioned PLMNs enriched with location information, specific cell identifiers, RAN area codes, or specific network generation information may also be communicated to the UE in a registration reject message.
In a scenario, if a UE tries to connect to a network via a given radio access technology (RAT), the UE may receive a confirmation or reject message. In particular, it may receive a reject message when the RAT is not supported. However, this also poses a security risk if an attacker fakes (unprotected) reject messages. Thus, in another embodiment that may be combined with other embodiments or used independently, when the UE receives a policy or configuration (or the radio access technology (RAT) restriction information) determining the whitelisted (non-restricted) and/or blacklisted (restricted) access technologies in a reject message (e.g., attach/registration reject message), the UE processes the message and retrieves the RAT restriction information depending on whether the reject message is (or is not) integrity protected. For instance, if the reject message contains a cause value indicating (1) that no suitable cells/access technology is available and/or (2) a list of access technology restriction information, and the message is not integrity protected, then the UE shall discard the received reject message. Otherwise, a malicious actor may be able to restrict the UE(s) from accessing all access technologies except for the access technology corresponding to its fake base station (FBS), thus facilitating an FBS attack. In some cases, the rejection may be performed according to a rejection policy. For instance, if a given RAT generation does not allow the (integrity) protection of a reject message, the rejection policy may determine that that specific RAT may be rejected, but e.g., no other RAT types that may allow protecting a rejection message. For instance, 4G may use a rejection message that is not integrity protected, and the rejection policy may determine that 4G RATs may be rejected with an unprotected rejection message, but no RATs that allow protecting such a message.
For instance, a rejection policy may determine that no RAT/network may be rejected by means of a non-integrity protected rejection message. For instance, the rejection message may include a Rejection timer determining how long the rejection holds and/or the rejection policy may include a Default Rejection timer. It is to be noted that a UE may be configured (e.g., by means of the rejection policy) to request the policy or configuration or RAT restriction information in an integrity protected message and/or to inform about the reception of the unprotected rejection message.
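The reject-message handling and rejection policy described above, written out as an added example (not code from the application). The field names, follow-up labels and timer values are assumptions; capping the timer of an unprotected message at the policy default is a design choice of this sketch, not something the text specifies.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class RejectionPolicy:
    # RATs that may be rejected by a reject message WITHOUT integrity
    # protection (e.g. a generation that cannot protect it). Empty = none.
    unprotected_reject_allowed: frozenset = frozenset()
    default_reject_timer_s: int = 600        # Default Rejection timer (sample value)
    report_unprotected: bool = True          # inform the network about the message
    request_protected_policy: bool = True    # ask for the policy in a protected message


@dataclass(frozen=True)
class RejectMessage:
    integrity_protected: bool
    restricted_rats: tuple = ()              # RAT restriction information
    no_suitable_cell_cause: bool = False     # cause: no suitable cells/access technology
    reject_timer_s: Optional[int] = None     # Rejection timer, if present


@dataclass
class Outcome:
    applied: bool
    barred: dict = field(default_factory=dict)      # RAT -> seconds barred
    follow_up: list = field(default_factory=list)


def process_reject(msg: RejectMessage, policy: RejectionPolicy) -> Outcome:
    timer = msg.reject_timer_s if msg.reject_timer_s is not None else policy.default_reject_timer_s

    if msg.integrity_protected:
        # Protected message: the restriction information is trusted as sent.
        return Outcome(True, {rat: timer for rat in msg.restricted_rats})

    follow_up = []
    if policy.report_unprotected:
        follow_up.append("REPORT_UNPROTECTED_REJECT")
    if policy.request_protected_policy:
        follow_up.append("REQUEST_PROTECTED_POLICY")

    # An unprotected message is honoured only when every RAT it restricts is
    # one the policy allows to be rejected that way. A blanket "no suitable
    # cell" cause or any other RAT in the list means the message is discarded.
    honour = (
        bool(msg.restricted_rats)
        and not msg.no_suitable_cell_cause
        and set(msg.restricted_rats) <= policy.unprotected_reject_allowed
    )
    if not honour:
        return Outcome(False, {}, follow_up)

    # Assumption of this sketch: never let an unauthenticated sender bar a RAT
    # for longer than the policy default.
    timer = min(timer, policy.default_reject_timer_s)
    return Outcome(True, {rat: timer for rat in msg.restricted_rats}, follow_up)


STRICT = RejectionPolicy()  # no RAT may be rejected by an unprotected message
LENIENT = RejectionPolicy(unprotected_reject_allowed=frozenset({"4G"}))

if __name__ == "__main__":
    # Constructed message: unprotected reject that would leave only 2G usable.
    forged = RejectMessage(False, ("5G", "4G", "3G"))
    print(process_reject(forged, LENIENT))
    print(process_reject(RejectMessage(False, ("4G",), reject_timer_s=86400), LENIENT))
    print(process_reject(RejectMessage(True, ("2G", "3G")), STRICT))
```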
In another embodiment that may be combined with other embodiments or used independently, a configuration/policy determining which (legacy) access devices are allowed or disallowed may be configured via one or more of a UPU message, an UCU message, an Information Element in an RRC message, a SIB, a paging message, and a NAS message.
In some cases, the configuration/policy determining which (legacy) access devices are allowed or disallowed may be exchanged between UEs, e.g., via SCI. For instance, the network configuration associated with the older generation network access devices, or radio access technologies (RATs) (i.e., which are allowed/not-allowed or whitelisted/blacklisted) may also be transferred/exchanged between UEs as part of the SCI or RRC signaling. The network configuration may be signed by the Home Network (HN), and the message (e.g., SCI) may also include a HN key identifier, allowing the receiving UE to verify the received network configuration.
In another embodiment that may be combined with other embodiments or used independently, restriction to access cellular networks may not only be PLMN specific, but operator specific and/or country specific. For instance, the network may decide to blacklist the MNC (Mobile Network Code) corresponding to another network operator such that UEs do not select network access devices associated with said operator (e.g., during roaming). For instance, the network may decide to blacklist the MCC (Mobile Country Code), such that access to/through all network operators within said country, which are using the blacklisted MCC, is prohibited.
In another embodiment that may be combined with other embodiments or used independently, restrictions to access cellular networks through any older generation network access device(s) while the UE is roaming (e.g., abroad) may be configured by default, where access may only be permitted through selected operators and/or countries. For instance, the network may only whitelist specific MNC and/or MCC, such that, while roaming, only access to/through network operators that are whitelisted, or are within a whitelisted country, is permitted. Mobile Country Codes (MCC) are used to identify the country which a mobile subscriber belongs to; however, certain mobile network operators, e.g., international or satellite networks/operators, are assigned MCC(s) (e.g., 901, 902, 995, etc.) that are not associated with a specific country. Hence, in an embodiment that may be combined with other embodiments or used independently, for mobile network operators (MNOs) falling within said category (i.e., are not associated with an MCC linked to a country), the UE may be (pre-)configured, or have in store a configuration/policy (e.g., in the USIM/UICC) which determines for each of these MNOs whether access through an older generation network access device (e.g., 2G/3G base station) is, or is not, allowed. For instance, the UE may have in store a list of these MNOs, indicating each MNO and, for each RAT type supported by an MNO, whether it is whitelisted or blacklisted. For instance, the UE may be configured to blacklist all older generation network access devices associated with MNOs of said category, in which case the MCC (i.e., 901) may be blacklisted, as described in previous embodiments.
In another embodiment that may be combined with other embodiments or used independently, considering that the list of mobile network operators that are not associated with a particular country may grow (e.g., with new international/satellite operators joining) or shrink (e.g., due to existent MNOs becoming non-operational), the whitelists (or blacklists) associated with said MNOs, as configured at the UE, may need to be updated, in which case updates may be conditionally triggered based on whether a new MNO is introduced and/or an existent one is decommissioned. For instance, the configuration or policy determining the status (e.g., whitelisted/blacklisted) of the (older generation) network access devices may be updated following a successful UE registration (e.g., in the Registration Accept message).
In another embodiment that may be combined with other embodiments or used independently, the identifiers (PLMN, cell IDs, RAN area codes) and/or location information that may be whitelisted or blacklisted may be determined by using a selection filter for more efficient encoding/transmission/storage. For instance, given an identifier, the identifier may be blacklisted or whitelisted if the identifier combined with the selection filter matches a whitelisted/blacklisted identifier. For example, PLMN = MCC | MNC, and MCC and MNC are 2 or 3 bits long, and | represents concatenation. So given an identifier (e.g., PLMN) combined (e.g., by means of XOR) with a selection filter (e.g., the bitstring 000 111), the identifier may be allowed/disallowed if it matches (or not) a given whitelisted/blacklisted identifier, e.g., 001 111, i.e.,

PLMN XOR 000111 = 001111

A similar approach may be used to allow/disallow other identifiers.
In general, it is described a method by which a user equipment is restricted from network access to, and/or through, a network operator, or the entirety of network operators within a specific country, wherein said restriction is based on blacklisting the Mobile Network Code (MNC) associated with the network operator to block, or on blacklisting the Mobile Country Code (MCC) associated with the country where network access is to be restricted.
In another embodiment that may be combined with other embodiments or used independently, all networks in a given country (MCC) of a given type (e.g., 2G) may be blacklisted (e.g., by default), except specific networks (MNCs) that may be explicitly whitelisted.
In some scenarios, an attacker may place a fake base station for country B in country A, where the base station of country B is for a legacy access device that is still in usage in country B, but not in A. Thus, an attacker may still be able to lure a UE to a legacy access device even if all legacy access devices in country A have been decommissioned and UE has policies for country A stating this. Addressing this issue may be achieved by using the embodiments in this invention combined as follows. In an example, a UE may have a configuration that whitelists networks for country A, and all other networks (of other countries) may be blacklisted. In an example, a UE may be able to determine its location so that networks (and access devices associated to them) that do not belong to its current location are blacklisted, in particular, all access devices associated to a PLMN with a mobile country code that is not associated with the country where the UE is currently located are blacklisted, or are whitelisted/blacklisted based on whether their mobile network codes are whitelisted/blacklisted. In another example, legacy wireless network generation access devices associated to a PLMN with a mobile country code associated with an international and/or satellite network operator that is different from the mobile country code used in the country where the UE is currently located are blacklisted by default (e.g., for all mobile network codes), or are whitelisted/blacklisted based on whether their mobile network codes, associated with the international and/or satellite network operator(s), are whitelisted/blacklisted.
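The MCC/MNC restrictions of the preceding embodiments and the "base station of country B placed in country A" scenario can be combined into a single check, shown here as an added example that is not part of the application. The function and field names, the reason strings, the "MCC-MNC" text form and the sample PLMNs are assumptions; `current_mccs` stands for the MCC(s) of the country the UE has determined it is located in.

```python
from dataclasses import dataclass

LEGACY_RATS = frozenset({"2G", "3G"})
# MCCs named in the text as not associated with a specific country.
INTERNATIONAL_MCCS = frozenset({"901", "902", "995"})


@dataclass(frozen=True)
class AccessPolicy:
    blacklisted_mccs: frozenset = frozenset()    # whole countries
    blacklisted_plmns: frozenset = frozenset()   # (mcc, mnc) of single operators
    legacy_whitelist: frozenset = frozenset()    # (mcc, mnc, rat) explicitly allowed


def split_plmn(plmn: str):
    """Split 'MCC-MNC' (assumed text form) into its two digit strings."""
    mcc, sep, mnc = plmn.partition("-")
    digits = mcc + mnc
    if not (sep and len(mcc) == 3 and len(mnc) in (2, 3)
            and digits.isascii() and digits.isdigit()):
        raise ValueError(f"malformed PLMN {plmn!r}")
    return mcc, mnc


def access_decision(plmn, rat, current_mccs, policy):
    """Return (allowed, reason) for a cell broadcasting `plmn` on `rat`."""
    mcc, mnc = split_plmn(plmn)
    if mcc in policy.blacklisted_mccs:
        return False, "mcc-blacklisted"
    if (mcc, mnc) in policy.blacklisted_plmns:
        return False, "plmn-blacklisted"
    if rat not in LEGACY_RATS:
        return True, "current-generation"

    whitelisted = (mcc, mnc, rat) in policy.legacy_whitelist
    if mcc in INTERNATIONAL_MCCS:
        # International/satellite operators: legacy access denied by default,
        # allowed only per explicitly whitelisted MNC and RAT.
        if whitelisted:
            return True, "international-whitelisted"
        return False, "international-default-deny"
    if mcc not in current_mccs:
        # A legacy cell of another country seen here is refused even if that
        # PLMN is whitelisted for use inside its own country.
        return False, "mcc-location-mismatch"
    if whitelisted:
        return True, "legacy-whitelisted"
    return False, "legacy-default-deny"


# Constructed sample policy: 204 plays country A (legacy decommissioned except
# one operator's 3G), 262 plays country B (2G still in use there).
SAMPLE_POLICY = AccessPolicy(
    blacklisted_plmns=frozenset({("204", "99")}),
    legacy_whitelist=frozenset({
        ("204", "08", "3G"),
        ("262", "01", "2G"),
        ("901", "12", "3G"),
    }),
)

if __name__ == "__main__":
    here = {"204"}  # UE has determined that it is located in country A
    for plmn, rat in [("262-01", "2G"), ("204-08", "3G"), ("204-08", "2G"),
                      ("262-01", "5G"), ("901-12", "2G"), ("901-12", "3G")]:
        print(plmn, rat, access_decision(plmn, rat, here, SAMPLE_POLICY))
```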
In an embodiment that may be combined with other embodiments or used independently, a UE may determine the location of an access device, e.g., a mobile access device, e.g., a satellite, and check whether the access device is where it is supposed to be located. For instance, whether a satellite is where it is supposed to be located based on ephemeris data of the satellite that may have been made available during registration, in a SIB, or via an out-of-band channel. Additionally, this information may be combined with other measurements (e.g., angle of arrival of the signals, TA, etc.) which relate to the satellite location, hence allowing the UE to determine the likelihood of the mobile access device’s legitimacy.
Network assisted access device selection
As described in previous embodiments, a UE may not always be provisioned/configured with whitelist(s) that cover areas (RAs/TAs/Cells) in which the UE may be roaming. In such cases, the UE may not be able to determine whether the signals (e.g., synchronization signals) received from an older generation network’s (e.g., 2G/3G) base station are coming from a legitimate base station and/or whether said older generation networks are decommissioned. A mechanism is thus needed to allow the UE to obtain said whitelists and/or perform these checks, and it is the object of the following embodiments to describe such a mechanism.
In an embodiment that may be used in combination with other embodiments or used independently, and in reference to Fig. 3, in which entities 300, 301, 302, 303, 304, and 305 correspond, respectively, to a UE, a first base station (e.g., Node B), a second base station (e.g., gNB), a third base station (e.g., eNB), a fourth base station (e.g., BTS), and the core network (or a function therein, e.g., AMF), a set of steps/messages is described, which may not all be required, and/or some steps may be performed more than once and/or in a different order, with the aim of using network assistance in determining older network generation status (i.e., decommissioned or not) and/or establishing the legitimacy of a base station. The steps/messages are as follows:
In steps 310-a, 310-b, 310-c, and 310-d, the UE (300) receives messages/signals (e.g., synchronization signals) transmitted by different base stations (i.e., 301, 302, 303, and 304), which may belong to different network generations (i.e., different RAT types). 301 and 304 are assumed to be older generations (e.g., 3G and 2G access devices, respectively), while 302 and 303 correspond to current generations (e.g., 5G and 4G access devices, respectively).
As the UE (300) receives the signals described in the previous step, 300 may perform signal strength measurements (e.g., Received Signal Strength Indicator (RSSI), Reference Signal Received Power (RSRP)), and then in step 311, 300 may process the received synchronization signals, determine the network generations to which each broadcasted synchronization signal belongs, and compile measurement reports corresponding to the received signals. Then, based on a network policy that may be (pre-)configured at the UE, 300 may prioritize initially the selection of an access device which corresponds to the current/most recent network generations (e.g., the gNB 302), granted that the cell selection criteria (i.e., RSRP corresponding to the synchronization signals received from 302 is greater than the minimum required RSRP, the cell is not barred and it belongs to a PLMN which the UE is authorized to connect to) are met.
Following the cell selection in step 311, the UE performs (part of) the (random) access procedure with the selected cell in step 312.
In step 313, UE 300 sends a Registration Request (or Initial Attach in case the cell selected is a 4G BS) to a network function and/or OAM, e.g., a mobility function (e.g., the AMF, where AMF is used next without loss of generality), wherein UE 300 may include the measurement reports compiled in step 311, its location, and may further indicate its preference and/or an ordered list of the cells sorted based on UE’s prioritization criteria (e.g., to use as an access device to the network).
In step 314, the AMF may evaluate the measurement reports sent by UE 300 and in case any of the synchronization signals corresponds to an older network generation (e.g., 2G/3G), the AMF may verify, taking into account UE’s location, whether said older network generations are (or aren’t) decommissioned in the area where UE is located, and also whether the Cell ID(s) associated with the base station(s) from which the synchronization signals were received are legitimate (i.e., cell ID corresponds to a base station which is of the indicated RAT type, and whose coverage is expected in UE’s location).
In step 315, the AMF provides a response to the UE which includes an ordered list of the cells sorted based on AMF’s evaluation and prioritization criteria. For instance, if an older generation network (e.g., 3G) is not decommissioned, while another older generation network (e.g., 2G) is, the AMF may implicitly (e.g., by discarding it from the list of cells) or explicitly (e.g., by using an indication or a flag) indicate to the UE which cells aren’t allowed e.g., due to being decommissioned in that area. In this case, and based on UE’s requirements (e.g., coverage, signal quality) and the prioritization list provided by the network (e.g., AMF) in the registration response message (e.g., registration accept/reject message), UE 300 may perform cell reselection whereby it selects the access device providing the better service for its requirements.
In step 316, UE 300 may initiate an access procedure with 301, following the network evaluation and recommendation. Alternatively, the UE performs primary authentication through the pre-selected network access device (i.e., 302).
In the above procedure, a UE may need to get connected to the network. The following embodiments may provide alternative solutions that may be combined, in general, with the previous procedure. In an embodiment, which may be combined with other embodiments or used independently, upon receiving the synchronization signals in step 310, the UE may determine the network generations to which these synchronization signals correspond, and in case one (or more) of said synchronization signals correspond to an older generation network (e.g., 2G/3G) for which the UE is not provisioned/configured/aware of the status, the UE 300 may, in step 312, request from the selected access device 302 (which corresponds to a recent network generation, e.g., gNB) to provide it with the network status associated with one (or more) of the older generation networks it detected. For instance, a network status check/request may be indicated by a flag or a bit-value (e.g., 00: No checks, 01: perform 2G network check, 10: perform 3G network check, 11: perform 2G and 3G networks checks) to be included e.g., in Msg1 (RACH preamble) or Msg3 (RRC Setup Request) of the random access procedure; the selected access device may send as part of its response a network status response flag or bit-value (e.g., 00: 2G and 3G both decommissioned, 01: 2G decommissioned, 10: 3G decommissioned, 11: 2G and 3G both allowed) indicating the status of (one or more) network generations. This flag may also be sent in the initial messages (random access procedure) with another cell (e.g., newer generation cell) with the purpose of obtaining a network status response for old generation cells in the area. The bit-value indicating the check/request, as described above, without loss of generality may correspond to more than two network generations.
The length of the bit-value corresponds to the number of older network generations which the user equipment requires a check for, and the bit values correspond to older network generations based on their order; that is, the least significant bit corresponds to the older network generation which the network still supports, whereas the most significant bits correspond to the least old network generation (e.g., current network generation).
In another embodiment variant, which may be combined with other embodiments or used independently, the network status check may be performed at a first stage (e.g., in Msg1), and following a positive network response (e.g., 11), UE (300) may want to further check whether the Cell ID corresponding to the access device from which the synchronization signals with the best signal quality were received is legitimate, in which case 300 may, in a second stage, request (e.g., in Msg3) the selected access device (e.g., 302) to perform a check on the legitimacy of the cell(s) (e.g., 301) by including the Cell ID(s) (or a part thereof, which is sufficient to uniquely identify the cell(s)), to which the access device may respond, upon verification, based on a (network) policy, with a bitstring wherein each bit corresponds to the legitimacy evaluation result. For instance, if 300 transmitted N Cell IDs (e.g., Cell ID-1, Cell ID-2 ... Cell ID-N) to 302, the response may be an N-bit value bitstring wherein the first bit (e.g., Most Significant Bit (MSB)) corresponds to the legitimacy check for Cell ID-1, the second bit to Cell ID-2, and so on, down to the Least Significant Bit (LSB) which corresponds to Cell ID-N. Alternatively, to reduce signalling overhead, the verifying access device (i.e., 302) may, based on a (network) policy, only reply with Cell IDs or an indication thereof, e.g., index of the Cell ID, partial Cell ID, etc., which correspond to Fake Base Station(s) (FBS); that is, if the response received from 302 includes none of the Cell IDs (nor an indication thereof), the UE (300) may conclude that all Cells for which a legitimacy check was requested are legitimate.
In another embodiment that may be combined with other embodiments or used independently, the UE may be (pre-)configured by the network with a limit L for how many Cell IDs it may request a check for at once. In which case, if the UE requests the status of N Cell IDs, where N is greater than L, the network may return a reject message, which may indicate the failure cause, and a back-off timer to retry sending a request which respects the limit set by the network.
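The two-stage exchange described above (status flag, then Cell ID legitimacy check subject to the limit L) is sketched below for both the UE and the verifying access device. This is an added example, not code from the application; the function names, reject fields, back-off value and cell identifiers are constructed, and the response values 01 and 10 are read here as "only 2G decommissioned" and "only 3G decommissioned", which is an assumption.

```python
# Request flag values from the text: bit 0 = 2G check, bit 1 = 3G check.
CHECK_2G, CHECK_3G = 0b01, 0b10

# Response values from the text, mapped to "is this generation allowed?".
STATUS_RESPONSE = {
    0b00: {"2G": False, "3G": False},  # both decommissioned
    0b01: {"2G": False, "3G": True},   # 2G decommissioned
    0b10: {"2G": True, "3G": False},   # 3G decommissioned
    0b11: {"2G": True, "3G": True},    # both allowed
}


def ue_status_request(unknown_generations):
    """UE: build the 2-bit check request for generations of unknown status."""
    flag = 0b00
    if "2G" in unknown_generations:
        flag |= CHECK_2G
    if "3G" in unknown_generations:
        flag |= CHECK_3G
    return flag


def network_check_cells(cell_ids, legitimate, limit, fbs_only=False):
    """Access device: evaluate the requested Cell IDs against known cells."""
    if len(cell_ids) > limit:
        return {"result": "REJECT", "cause": "TOO_MANY_CELL_IDS", "backoff_s": 30}
    if fbs_only:
        # Reduced-overhead variant: list only the indices of suspected FBS.
        fake = [i for i, cid in enumerate(cell_ids) if cid not in legitimate]
        return {"result": "OK", "fbs_indices": fake}
    bits = 0
    for cid in cell_ids:                 # first Cell ID ends up in the MSB
        bits = (bits << 1) | int(cid in legitimate)
    return {"result": "OK", "bits": bits}


def ue_decode_bitstring(bits, cell_ids):
    """UE: map an N-bit response back onto the N Cell IDs it asked about."""
    n = len(cell_ids)
    if bits < 0 or bits >> n:
        raise ValueError("response carries more bits than Cell IDs requested")
    # N comes from the request, so leading zero bits (fake cells listed
    # first) are not lost when the value is handled as an integer.
    return {cid: bool((bits >> (n - 1 - i)) & 1) for i, cid in enumerate(cell_ids)}


def ue_decode_fbs_only(indices, cell_ids):
    """UE: every requested cell not listed in the response is legitimate."""
    if any(i < 0 or i >= len(cell_ids) for i in indices):
        raise ValueError("response refers to a Cell ID that was not requested")
    fake = set(indices)
    return {cid: i not in fake for i, cid in enumerate(cell_ids)}


if __name__ == "__main__":
    known = {"cell-3G-0301", "cell-2G-0777"}        # constructed network data
    asked = ["cell-2G-0304", "cell-3G-0301", "cell-2G-0777"]
    print(bin(ue_status_request({"2G", "3G"})), STATUS_RESPONSE[0b10])
    rsp = network_check_cells(asked, known, limit=3)
    print(rsp, ue_decode_bitstring(rsp["bits"], asked))
    print(network_check_cells(asked + ["cell-2G-0999"], known, limit=3))
```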
In another embodiment variant, which may be combined with other embodiments or used independently, the UE 300 may be able to connect to and/or receive information from a current/new generation access device (e.g., 302) that does not correspond to its preferred serving network or home network. For instance, the UE 300 may detect synchronization signals from different access devices belonging to different networks or operators, and may select an access device (e.g., 302) that provides the best signal quality or coverage, even if it is not associated with the UE's home network or subscription. The UE 300 may then initiate a random access procedure with the selected access device 302 and request network information or assistance. The access device 302 may forward the request to the UE’s Home PLMN (via its core network) and, upon receiving a response (from the UE’s Home Network), respond by providing the UE 300 with the network status of the older generation networks (e.g., 2G/3G) that UE 300 has detected, as well as the legitimacy of the cells (e.g., 301) that broadcast the synchronization signals detected. The access device 302 may also provide (e.g., based on information provided by the Home PLMN of the UE 300) the UE 300 with a list of alternative access devices that are associated with the UE's home network or preferred serving network(s), that are available in the UE's location. The UE 300 may then use this information to perform cell reselection and connect to the most suitable access device based on its requirements and preferences. This embodiment may allow the UE 300 to benefit from the new generation access device's capabilities and services, even if it is not the UE's preferred network or operator.
In another embodiment variant, which may be combined with other embodiments or used independently, a new System Information Block (SIB) and/or information element (IE) transmitted in an RRC message or a paging message may be defined that allows the delivery of the network information to the UE. This new SIB or IE, etc may be defined for a new generation network (e.g., 5G), and may include information such as the network status of older generation networks (e.g., 2G/3G), and/or the legitimacy of cells broadcasting synchronization signals corresponding to these older generation networks, and the list of alternative access devices that are associated with the UE's home network or preferred serving network(s). This new SIB / IE may be distributed even if the UE is not connected to the network, or on demand (i.e., upon UE’s request). For example, the UE may request this new SIB from the selected access device by sending a message that includes its home network identity (and optionally a UE identifier, e.g., SUCI) and/or an indication (e.g., request flag) of said SIB/IE, in the random access procedure. The selected access device may then send the new SIB to the UE in a response message, which may also include a signature that allows the UE to verify the authenticity and integrity of the network information (in the area). The signature may be generated using a private (signing) key of the home network of the UE, which may be known to the selected access device through inter-network communication. The UE may then verify the signature using the public key of its home network, which may be stored in the UE or obtained through a certificate authority. If the signature verification fails, the UE may log the response message, including the signature, and the public key used to verify the signature, which could be subsequently provided to the network to audit; alternatively, the UE could discard the response message upon failing to verify the signature and request a new SIB. 
Otherwise, the UE may use the network information in the new SIB to perform cell reselection and connect to the most suitable access device based on its requirements and preferences. This embodiment may allow the UE to obtain the network information in a secure and efficient way, without requiring additional signalling messages or network configuration. The synchronization signals and/or SIB1 or a base station may indicate whether this new SIB / IE is available (upon request) through the base station, and may also indicate a procedure to obtain it, e.g., send a given preamble/message at specific time/frequency resources or during the initial random access procedure.
Synchronization signals’ strength pattern matching for FBS detection
In a Bidding-down attack aimed at tricking and/or forcing a UE to down-grade into an older generation network (e.g., 2G/3G), a malicious attacker may typically set up a Fake Base Station (FBS) emulating a 2G/3G base station to which it may lure victim UEs. As such, it is crucial for a UE to be able to determine whether the signals (e.g., synchronization signals) received from a base station are likely to be coming from a FBS. It is hence the object of the following embodiments to describe means to assist and/or enable the UE to recognize potential FBS.
In an embodiment that may be used in combination with other embodiments or used independently, and in reference to Fig. 2, where a distinction may be made between signal strength levels for a static UE (i.e., top drawing) and a moving UE (i.e., bottom drawing), a UE may be configured to monitor (e.g., continuously or periodically) the strength levels of synchronization signals received from the different base stations in its vicinity, taking into account the UE’s mobility (or lack thereof) and the variation in said signals’ strength levels. Based on historical data of measurements performed and reported by UE(s) to the network, the latter may develop a set of baseline patterns for synchronization signal strength variation, which correspond to a set of mobility profiles (e.g., static, moving at different velocities falling within a set of pre-determined ranges); these baseline patterns may subsequently be provisioned to UE(s) to enable and/or assist them in determining whether a synchronization signal may be originating from a legitimate (or Fake) base station. Baseline patterns may also be determined by a pre-trained AI/ML model provisioned at the UE. For instance, a UE may compute a similarity measure (e.g., correlation coefficient) between the signal strength variation of a received synchronization signal over a pre-determined/configured time window, and that of the baseline pattern which corresponds to the UE’s mobility profile at the time of measurement. The UE may further be provisioned/configured with threshold values and/or ranges corresponding to the chosen similarity measure, which are used to categorize/classify the synchronization signal and/or dictate a certain UE behavior.
For instance, given a threshold range, UE may be configured to consider the Base station as legitimate above an upper boundary X, fake below a lower boundary Y, while a value falling in between these boundaries may require the UE to perform a different check, e.g., check with the network as described in previous embodiments (e.g., in relation to Fig. 3).
In another embodiment that may be combined with other embodiments or used independently, these conditions may also vary depending on the scenario applicable to a UE, e.g., conditions may be different for a UE performing handover than for a UE that is attempting to connect. Similarly, the conditions may vary depending on whether the UE is moving or not. In another embodiment that may be combined with other embodiments or used independently, the UE may be conditionally triggered, e.g., based on an increase in the number of received synchronization signals and/or detecting a new signal with a strength level that is above a pre-determined/configured threshold, to perform continuous monitoring and collection of data pertaining to the suspicious synchronization signal(s). For instance, and in reference to the top drawing in Fig. 2, a UE may be stationary, and thus is expected to receive a fixed number of synchronization signals associated with the base stations in proximity. The known base stations may be stored and may also be shared with the network. At instant TI, the UE may detect a new synchronization signal whose strength level may be higher in comparison to the rest of the synchronization signals received from other base stations, and as the initial strength level of the new synchronization signal is abnormally high, that may prompt the UE to categorize the BS from which said synchronization signal was received as Fake and/or check with the network, as described in previous embodiments (e.g., in relation to Fig. 3). For instance, and in reference to the bottom drawing in Fig. 2, a UE may be moving, in which case the UE may be expected to continuously detect synchronization signals broadcast from different base stations in its proximity, which may be continuously changing over time as the UE is moving.
As such, it may be more challenging to detect whether the synchronization signals correspond to an FBS; in this case, the UE may be configured to detect the initial strength level associated with newly received synchronization signals, and based on whether the strength level is abnormally high (e.g., as in the bottom drawing), the UE may be triggered to continuously monitor and log the variation in the strength level of the corresponding synchronization signals for a pre-configured time window, then compare it to the baseline pattern associated with the UE’s mobility profile, as described in previous embodiments. Based on the similarity measure and the UE’s configuration, the UE may classify the base station as legitimate, fake, or trigger a check with the network, as described in previous embodiments (e.g., in relation to Fig. 3).
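The pattern-matching check described above can be sketched as follows. This is an added example, not code from the patent or from any UE implementation; the threshold values X and Y, the trigger level, the baseline patterns and all function names are assumptions, and the sample windows are constructed.

```python
from math import sqrt

# Assumed configuration values; a real UE would be provisioned with these.
UPPER_X = 0.8                # similarity above X: treat the base station as legitimate
LOWER_Y = 0.3                # similarity below Y: treat the base station as fake
INITIAL_TRIGGER_DBM = -60.0  # first sample at or above this level is "abnormally high"

# Constructed baseline patterns (dBm per sample) for two mobility profiles.
BASELINES = {
    "static": [-90.0] * 8,
    "vehicular": [-105.0, -98.0, -91.0, -85.0, -84.0, -90.0, -97.0, -104.0],
}

# Constructed measurement windows for a moving UE.
LEGIT_WINDOW = [-107.0, -99.0, -93.0, -86.0, -85.0, -92.0, -98.0, -106.0]
SUSPECT_WINDOW = [-55.0, -54.0, -55.0, -53.0, -54.0, -55.0, -54.0, -53.0]
AMBIGUOUS_WINDOW = [-100.0, -99.0, -90.0, -95.0, -92.0, -88.0, -97.0, -96.0]


def should_monitor(cell_id, first_dbm, known_cells, trigger_dbm=INITIAL_TRIGGER_DBM):
    """Start logging a window when an unknown cell appears with a strong first sample."""
    return cell_id not in known_cells and first_dbm >= trigger_dbm


def pearson(a, b):
    """Correlation coefficient, or None when either series has no variation."""
    if len(a) != len(b) or len(a) < 2:
        raise ValueError("windows must have equal length of at least 2 samples")
    mean_a, mean_b = sum(a) / len(a), sum(b) / len(b)
    da = [x - mean_a for x in a]
    db = [y - mean_b for y in b]
    var_a = sum(x * x for x in da)
    var_b = sum(y * y for y in db)
    if var_a == 0 or var_b == 0:
        return None  # flat series: correlation is undefined
    return sum(x * y for x, y in zip(da, db)) / sqrt(var_a * var_b)


def classify(window_dbm, profile, baselines=BASELINES, upper=UPPER_X, lower=LOWER_Y):
    """Return (decision, similarity) for one logged window.

    The correlation is insensitive to the absolute level, so the level check
    is done separately in should_monitor().
    """
    similarity = pearson(window_dbm, baselines[profile])
    if similarity is None:
        return "check_with_network", None  # cannot decide locally
    if similarity > upper:
        return "legitimate", similarity
    if similarity < lower:
        return "fake", similarity
    return "check_with_network", similarity
```

A flat baseline, as used here for the static profile, makes the correlation undefined, so the sketch falls back to the network check instead of guessing.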
Configuration-based prioritization of the selected cell
In another embodiment that may be combined with other embodiments or used independently, the UE may store a configuration or a policy that indicates whether it is authorized to connect to a given type of access device, or not, and the circumstances in which this is authorized. For instance, the configuration may indicate that the UE is authorized to connect to a 4G access device, but not authorized to connect to a 3G access device unless a certain condition occurs, e.g., the UE requires emergency services. This configuration ensures that the UE may not connect by mistake to old generation access devices (e.g., 3GPP 3G), since such networks may be/have been decommissioned and may be run by an attacker in the form of a fake base station, where the fake base station would be used to, e.g., get the identity of the user. This configuration may be determined by the home network or the user and may be updated or modified as needed. Based on this configuration, the UE may reject or accept the synchronization signals from different access devices, or request more information from the network before connecting. Similarly, a network may accept or reject a UE’s attempt to access it through a specific network generation’s access device, based on whether the UE meets the configuration/policy criteria or conditions permitting access. If not, an access device may send a reject message (e.g., RRC reject message during the random-access procedure), which may include a rejection cause (e.g., UE not permitted for access through UTRAN).
In another embodiment that may be combined with other embodiments or used independently, the UE may receive the configuration or policy from the network when it registers for the first time, or when it changes its location to a new area. The configuration or policy may also be pre-configured in the UE by the user or the manufacturer and updated periodically or on demand. The configuration or policy may be stored in the UE memory, or in a secure element such as a SIM card or an eSIM.
In another embodiment associated with decommissioning configuration/policy that is stored in the USIM/UICC and/or ME, which may be combined with other embodiments or used independently, the decommissioning configuration/policy may need to be updated periodically, on-demand, or in a conditional manner as described in previous embodiments. For instance, if the MNO has completely decommissioned a RAT (e.g., GERAN), it may indicate in the configuration it is fully decommissioned and update the decommissioning configuration/policy to restrict the RAT from the next generation (e.g., UTRAN), once the latter has been fully decommissioned by the MNO. Additionally, or alternatively, the MNO may update the decommissioning configuration/policy more frequently and/or in a conditional manner, e.g., in scenarios where the decommissioning is done in phases, in which case the MNO may regularly update the decommissioning configuration/policy based on whether it has decommissioned a RAT in a certain location (e.g., Registration or tracking area, or an entire country).
Additionally, or alternatively, the MNO may update the decommissioning configuration/policy on-demand; for instance, the protection against bidding down attacks may be on an opt-in basis, where the UE/User may request/retrieve, e.g., through an MNO service portal, the decommissioning configuration/policy, and only then it may be provided to the UE.
Additionally or alternatively, if the decommissioning configuration/policy is provided on-demand, the MNO may also provide the UE/User (e.g., through a service portal) with countries and/or operators for which a decommissioning configuration/policy is available, such that if a User intends to travel (e.g., to another country), it may be able to retrieve a decommissioning configuration/policy from roaming partners which have service agreements with the home network associated with the USIM/UICC used by the user. Additionally or alternatively, in cases where no such service agreements are in place between the home network associated with the USIM/UICC and a VPLMN, the VPLMN may still be allowed to update the decommissioning configuration/policy to include entries associated with its decommissioned RATs; for instance, the VPLMN may send a request to the home network of the USIM/UICC in the UE, and only upon receiving approval from the home network of the USIM/UICC in the UE, it may update the decommissioning configuration/policy; for instance, the home network may provide an authorization token to the VPLMN indicating, using e.g., a flag/bit-value(s) field in the token, the rights (e.g., append only) it has when updating the decommissioning policy; for instance, the home network of the USIM/UICC may provide assurance to the USIM/UICC that the VPLMN is allowed to make changes (e.g., append to configuration/policy) by signing a message, which may contain, but is not limited to: the VPLMN ID, authorization token, list of RATs, etc., which is verified by the USIM/UICC, and only if the verification is successful, the VPLMN is informed and allowed to update the decommissioning configuration/policy on the USIM/UICC; for instance, the VPLMN may instead provide the list of RATs and their status to the home network, as part of a service agreement, or upon the UE connecting through the VPLMN, and the update of the decommissioning configuration/policy is performed by the home network of the USIM/UICC via the VPLMN. In this case, the update is protected end-to-end between the home network of the USIM/UICC and the latter.
In another embodiment that may be combined with other embodiments or used independently, the decommissioning configuration/policy may include conditions under which the restrictions on RATs to be considered are bypassed. For instance, the configuration/policy may be bypassed through user intervention, in which case, the user/subscriber may be requested by the USIM/UICC to provide a set of credentials configured at the USIM/UICC (e.g., enter the PIN associated with the USIM/UICC) before allowing the configuration/policy to be bypassed. For instance, the configuration/policy may be bypassed during emergency situations, in which case, the USIM/UICC may be configured to re-enable the decommissioning configuration/policy once the emergency session (e.g., call) is concluded. For instance, the configuration/policy may determine a time window during which the decommissioning configuration/policy is temporarily disabled; for instance, the USIM/UICC (or the UE, upon USIM/UICC request) may start a timer, set by the MNO, to determine when to re-enable the decommissioning configuration/policy. Additionally or alternatively, USIM/UICC may also be configured to automatically modify the decommissioning configuration/policy information (e.g., list of decommissioned RATs) in certain scenarios e.g., when entries are associated with a VPLMN on a temporary basis; for instance, the change of decommissioning configuration/policy information (e.g., list of VPLMN decommission RATs) may be triggered once the UE is no longer being served by the VPLMN (e.g., UE has moved back to its home network).
In another embodiment that may be combined with other embodiments or used independently, the format of decommissioning configuration/policy information (e.g., lists of RATs decommissioned) may need to be specified. For instance, the list entries may include information associated with the PLMN (e.g., MCC and/or MNC), and a value indicating the decommissioned RATs; for instance, this value may be a bit-value in which each bit is associated with a RAT (e.g., 11000 indicating that only 4G and 5G RATs are allowed, while the rest are restricted); for instance, the bit-value may be a fixed number of bits (e.g., 8), wherein the MSB is associated with the most recent network generation supported by the MNO, while the rest of the LSBs are associated with previous generations (e.g., 11000000 which may indicate that only 4G/5G RATs are allowed, while any RAT associated with a network generation older than that is restricted). For instance, the MNO may indicate in the decommissioning configuration/policy information only the minimum network generation it supports; it may as such be understood that all RATs associated with network generations older than the indicated minimum network generation are restricted, whereas access through network generations that are more recent than the minimum is not restricted; this may for instance be indicated by using a number (e.g., 4) reflecting the minimum network generation (e.g., 4G in this case) whose RATs are not restricted. Additionally, or alternatively, the list entries described above may further include location information (as described in previous embodiments), which may have different restricted RATs (e.g., in cases where decommissioning is done in a phased manner, or due to lower population density). For instance, a list entry may be as follows:
Which indicates that the MNO with the included MNC allows access only through RATs belonging to the 3rd network generation or above. Another entry (e.g., associated with another network, or with a temporary VPLMN entry) may look as follows: which indicates that for the MNO with MCC-MNC values, access only through 2G network RATs and beyond is allowed, whereas in all other locations, only 4G network RATs and beyond are allowed. While MNO (e.g., associated with a VPLMN allowed a temporary entry in the list) with MCC'-MNC' allows access only through 3G network associated RATs and beyond in Tracking area 4, and through 2G network associated RATs and beyond in Tracking area 7, while all other locations require 4G network associated RATs and beyond. It is to be noted that the indication of the minimum network generation through which access is allowed is not necessarily a number (e.g., 4); the field may for instance indicate the RAT type (e.g., GERAN, UTRAN, etc.) as a string value.
In an embodiment that may be combined with other embodiments or used independently, only the home PLMN is allowed / authorized to update the decommissioning configuration/policy of a UE, e.g., in its UICC/USIM. The UE may be configured to only access an “unknown” VPLMN (i.e., a VPLMN for which decommissioned RATs are unknown) through a safe/secure RAT. A safe/secure RAT may be, e.g., 5G, e.g., by using a concealed subscriber identity such as the 5G SUCI, and the UE may consider it secure only once the UE has authenticated the home PLMN by means of the primary authentication, and the UE has received confirmation from the HPLMN that the VPLMN is ok (after doing primary authentication). At this stage, the UE may request and/or the home PLMN may provide the UE / USIM / UICC with a configuration for the VPLMN, e.g., for older generation RATs. This may require the VPLMN to provide the HPLMN with its decommissioning configuration / policy, which can then be deployed to the UE / USIM / UICC by the HPLMN. The HPLMN may send a request to provide said configuration for a given area. Additionally or alternatively, the VPLMN may provide said configuration to the HPLMN knowing the access device that the UE used to connect. This configuration may be a partial configuration of the VPLMN’s decommissioning configuration/policy.
In some cases, the VPLMN may not wish to share the (whole) decommissioning configuration / policy with the HPLMN. Thus, in an embodiment that may be combined with other embodiments or used independently, the UE / UICC / USIM may be configured to connect to the VPLMN only through a safe/secure generation RAT (e.g., as in previous example), and the VPLMN may get a token from the HPLMN authorizing the VPLMN to deploy its decommissioning configuration / policy to the UE / UICC / USIM. This token may be a key derived from a root key (e.g., K_AUSF) and/or generated by means of a private key owned by the home PLMN and whose public key is known to the UE / UICC / USIM. In the case of a symmetric key, the symmetric key may be used to encrypt/authenticate (a part of) the decommissioning configuration/policy, e.g., a given amount of data (size of a decommissioning configuration / policy). The USIM / UICC may run an application preventing that information from leaving a storage area in the USIM / UICC. This embodiment allows the UE / UICC / USIM to receive a decommissioning policy / configuration from the VPLMN in a secure way.
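The symmetric-key variant of the token, combined with the rights field (e.g., append only) described earlier, could be checked on the USIM/UICC side along the following lines. This is an added sketch, not code from the patent: the key derivation, the rights bit values, the size limit, the JSON encoding and all function names are assumptions, and the root key and policy entries are constructed.

```python
import hashlib
import hmac
import json

RIGHT_APPEND = 0x01      # hypothetical rights bits carried by the token
RIGHT_REPLACE = 0x02
MAX_UPDATE_BYTES = 512   # assumed cap on the amount of data the token key may authenticate


def derive_token_key(root_key, vplmn_id, rights):
    """Assumed derivation: bind the key to the VPLMN ID and to the granted rights.

    The home network hands this key to the VPLMN; the USIM/UICC re-derives it
    from the root key, so a VPLMN cannot claim rights it was not granted.
    """
    info = b"decomm-policy|" + vplmn_id.encode() + b"|" + bytes([rights])
    return hmac.new(root_key, info, hashlib.sha256).digest()


def make_update(token_key, entries):
    """VPLMN side: serialize its entries and authenticate them with the token key."""
    body = json.dumps(entries, sort_keys=True).encode()
    return body, hmac.new(token_key, body, hashlib.sha256).digest()


def apply_update(root_key, policy, vplmn_id, rights, body, tag):
    """USIM/UICC side: return (accepted, reason, resulting_policy)."""
    if len(body) > MAX_UPDATE_BYTES:
        return False, "update too large", policy
    key = derive_token_key(root_key, vplmn_id, rights)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False, "authentication failed", policy
    entries = json.loads(body)                   # parsed only after authentication
    for plmn in entries:
        if plmn != vplmn_id:
            return False, "entry for another PLMN", policy
        if plmn in policy and not rights & RIGHT_REPLACE:
            return False, "append-only token cannot overwrite", policy
    updated = dict(policy)                       # stored policy is left untouched
    updated.update(entries)
    return True, "applied", updated
```

Because the rights are an input to the key derivation, a VPLMN holding an append-only token fails authentication if it presents the same update with broader rights.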
In an embodiment that may be combined with other embodiments or used independently, the HPLMN may also have a configuration with its preferred RATs that may also be applicable to VPLMNs. For instance, the HPLMN may have a preference of using 4G or 5G, so that even if the VPLMN indicates (e.g., as per previous embodiment) that 3G is not decommissioned yet, only 4G and 5G may be used.
In an embodiment that may be combined with other embodiments or used independently, a decommissioning configuration/policy for a given RAT, or a combination of Tracking Area/RAT, etc may be associated with a date / time / validity time, i.e., a date until the Tracking Area / RAT/etc may be used by the UE / USIM / UICC to connect. This embodiment is advantageous because it reduces the number of updates required in the UE / USIM / UICC when the decommissioning happens over time and new decommissioned RATs/ Tracking Areas are changing.
In an embodiment that may be combined with other embodiments or used independently, the date / time / validity time of a RAT /Tracking Area / etc may be complemented by a buffer period, a period of time during which the RAT /Tracking Area / etc may still be used (e.g., just in case that the decommissioning of a RAT took too long) but that indicates that a user may be connecting to a dangerous network.
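The following added example evaluates a decommissioning policy that combines the elements described above: a minimum network generation per PLMN, per-tracking-area exceptions, a validity date with a buffer period, an HPLMN preference, the safe-RAT rule for unknown PLMNs and the emergency bypass. It is not code from the patent; the entry layout, field names, PLMN and tracking-area values and dates are constructed, and treating only 5G as safe for an unknown PLMN is an assumption.

```python
from datetime import date, timedelta

SAFE_GEN = 5  # assumption: only 5G is accepted for a PLMN with no entry

# Constructed policy; the field names are hypothetical.
POLICY = {
    "001-01": {"default_min_gen": 3, "areas": {}},
    "001-02": {
        "default_min_gen": 4,
        "areas": {
            # Exception: 3G still usable in this area until the validity date,
            # then for a buffer period with a warning.
            "TA4": {"min_gen": 3, "valid_until": date(2026, 6, 30), "buffer_days": 30},
            "TA7": {"min_gen": 2},  # exception without an expiry
        },
    },
}


def allowed_generations(bits, newest_gen):
    """Decode the bit-value form: the MSB is the newest generation, e.g. '11000000' with 5 -> {5, 4}."""
    return {newest_gen - i for i, b in enumerate(bits) if b == "1" and newest_gen - i >= 1}


def evaluate(policy, plmn, tracking_area, rat_gen, today, hplmn_min_gen=0, emergency=False):
    """Return (decision, reason); decision is 'allow', 'allow_with_warning' or 'deny'."""
    if emergency:
        return "allow_with_warning", "emergency bypass; restore the policy when the session ends"

    entry = policy.get(plmn)
    if entry is None:
        floor = max(SAFE_GEN, hplmn_min_gen)
        decision = "allow" if rat_gen >= floor else "deny"
        return decision, f"unknown PLMN, minimum generation {floor}"

    min_gen, in_buffer = entry["default_min_gen"], False
    rule = entry["areas"].get(tracking_area)
    if rule is not None:
        until = rule.get("valid_until")
        if until is None or today <= until:
            min_gen = rule["min_gen"]
        elif today <= until + timedelta(days=rule.get("buffer_days", 0)):
            min_gen, in_buffer = rule["min_gen"], True
        # otherwise the exception has expired and the PLMN default applies

    floor = max(min_gen, hplmn_min_gen)  # the HPLMN preference can only tighten
    if rat_gen < floor:
        return "deny", f"generation {rat_gen} below minimum {floor}"
    if in_buffer and rat_gen < entry["default_min_gen"]:
        return "allow_with_warning", "area exception expired; buffer period in effect"
    return "allow", f"generation {rat_gen} meets minimum {floor}"
```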
A UE / UICC / USIM may obtain its location by means of cellular positioning or GNSS; however, positioning signals may be spoofed, and the position may not be accurate/trustworthy. On the one hand, positioning information can be used to improve the accuracy of the decommissioning / configuration policy; on the other hand, if an attacker tampers with the positioning signals, the attacker may still manage to get a UE connected to an old RAT. To address this problem, in an embodiment that may be combined with other embodiments or used independently, the UE / USIM / UICC may indicate the estimated location of a UE to the user when the UE is choosing a given RAT, e.g., an old generation RAT. The user may then verify this location. This may also be a configuration in the UE that gives the possibility to the user to verify the UE location.
The UE may apply the configuration or policy at different stages of its network connection process. For example, the UE may apply the configuration or policy when it is acquiring the synchronization signals from different cells and filter out the cells that do not match the configuration or policy. Alternatively, or in addition, the UE may apply the configuration or policy when it is performing handover (HO) from one cell to another (e.g., conditional HO), and reject the handover if the target cell does not comply with the configuration or policy, e.g., as further detailed in some of the following embodiments. Similarly, a target access device may reject the handover if the UE does not comply with the configuration or policy it has been provisioned with. The UE may also apply the configuration or policy when it is idle or in power saving mode, and avoid camping on cells that are not authorized/allowed by the configuration or policy.
In a related embodiment/example that may be combined with other embodiments or used independently, during a mobility procedure (e.g., handover) where a UE is connected to the network (e.g., LTE network) through an E-UTRA base station, the latter may trigger a HO procedure wherein a target base station is selected by the source base station. The HO procedure and/or the source base station may not account for the access technologies restricted at the UE side (e.g., due to the restriction information pertaining to the UE not being provided by MME and/or the UE). The UE may, prior to considering an inter-RAT mobility procedure as initiated, check whether the indicated target cell/base station selected by the source base station is (non-)restricted. In an example, only upon determining that the access type associated with the selected cell/base station is not restricted does the UE consider the inter-RAT mobility as initiated and attempt to access the target cell indicated by the inter-RAT message.
For instance, if a UE is connected to an E-UTRA cell and the list of “PLMNs with associated RAT restrictions” at the UE indicates that NR/NG-RAN is restricted by the serving PLMN, then, upon receiving a mobility triggering message (e.g., MobilityFromEUTRACommand message as per 5.4.3.3 of TS 36.331) where the targetRAT-Type is set to NR (in particular for the provided example, but generally, where targetRAT-Type is set to any restricted RAT type), the UE may need to check that the targetRAT-Type indicated is not restricted before initiating the inter-RAT mobility. The UE may only start the inter-RAT mobility after a positive check. The UE may not start the inter-RAT mobility after a negative check and may report the event. The UE may only start the inter-RAT mobility after a negative check depending on further conditions in the “PLMNs with associated RAT restrictions” or exceptions indicated by the network, e.g., inter-RAT mobility may be allowed when triggered by an E-UTRA cell.
In another embodiment that may be combined with other embodiments or used independently, if an inter-RAT mobility triggered by an E-UTRA cell fails due to the targetRAT-Type indicated by the source base station (i.e., serving E-UTRA cell) being a restricted RAT according to the list of “PLMNs with associated RAT restrictions” maintained by the UE, then the UE may indicate such a failure to the serving base station. For instance, the UE may send a failure message, e.g., a rejection or, e.g., comprising a failure cause indicating that the failure is due to the targetRAT-Type being restricted. For instance, the failure message/cause may be indicated during the connection re-establishment procedure with the source base station (e.g., as per 5.4.3.5 in TS 36.331). It is to be noted that the source E-UTRA cell may need to interact with the target (NR/NG-RAN) cell. The target (e.g., NR/NG-RAN) cell may also inform the E-UTRA cell about the potential restrictions of the UE.
In another embodiment that may be combined with other embodiments or used independently, if a failure of inter-RAT mobility, as described in the previous embodiment (i.e., due to targetRAT-Type being restricted at the UE), occurs, the UE may provide fresh (i.e., recent, e.g., within a given time interval, e.g., the last T seconds) measurement reports pertaining to candidate target cells serving the area where the UE is located. For instance, the fresh measurement reports may be associated with access technologies that are not restricted based on the list of “PLMNs with associated RAT restrictions”, as described in previous embodiments. Note that the inter-RAT mobility failure may occur while the UE is moving, hence the need for fresh measurement reports. Additionally, or alternatively, if the UE is static, the UE may instead only indicate to the source base station (i.e., E-UTRA cell) the access technologies, and/or cell identifier(s), and/or an indication thereof, to enable the source base station to more efficiently determine a target base station, and provide the UE with another mobility triggering message (e.g., MobilityFromEUTRACommand message as per 5.4.3.3 of TS 36.331) where the targetRAT-Type is set to a non-restricted RAT. It is to be noted that the procedure described herein may be performed in case of a first failure to trigger inter-RAT mobility without requiring that a connection re-establishment procedure with the source base station be performed. For example, this may be contingent on the link between the UE and the source base station being maintained. Alternatively, the procedure described herein may instead be performed following a connection re-establishment procedure being performed between the UE and the source base station.
In another embodiment that may be combined with other embodiments or used independently, during a mobility procedure from a source base station (e.g., E-UTRA) to a target base station (e.g., E-UTRA) associated with another PLMN (e.g., target PLMN), similar restriction checks, as described in previous embodiments, may be applicable, where instead of checking only the targetRAT-Type, the UE may instead check the combination of targetRAT-Type and (target) PLMN, and only upon determining that the combination is not restricted may the UE trigger the inter-PLMN mobility procedure. Additionally, in case of a failure, for instance due to the targetRAT-Type and target PLMN combination being restricted at the UE, the UE may indicate such failure to the source base station through a failure message, which may indicate the failure cause (e.g., restricted PLMN-RAT combination), in which case fallback procedures, as described in previous embodiments, may be performed.
When a UE performs mobility procedures between a source base station and a target access device, it is important that the source base station is aware of the RAT restrictions (PLMNs with associated RAT restrictions, also described as access device selection configuration or policy). If the source base station is not aware of this information, the source base station cannot determine the proper candidate target access devices. To address this need, in an embodiment of the invention that may be combined with other embodiments or used independently, base stations implement a communication interface that allows the transfer of RAT restrictions associated with a UE. This information may be provided to the target base station once the handover is confirmed. This information may also be transferred before (e.g., in HANDOVER request) so that the candidate target base station can determine whether it can fulfil the RAT restriction, also considering subsequent mobility procedures, e.g., by transferring Mobility Restriction List IE information in the HANDOVER REQUEST message from the source NG-RAN node to the target NG-RAN node, where the RAT restriction should also be applied. This embodiment may be applicable to, e.g., TS 36.423 X2AP or TS 38.423 XnAP.
In an embodiment that may be combined with other embodiments or used independently, during a handover procedure from the source NG-RAN node to the target NG-RAN node, the HANDOVER REQUEST message sent by the source NG-RAN node to the target NG-RAN node may contain a Mobility Restriction List IE, and the Mobility Restriction List IE may further comprise RAT Restrictions included in an Extended RAT Restriction Information IE, which may contain RAT restriction information for E-UTRA satellite access technology as below.
In an embodiment that may be combined with other embodiments or used independently, during a handover procedure from the source eNB to the target eNB, the HANDOVER REQUEST message sent by the source eNB to the target eNB may contain a Handover Restriction List IE, and the Handover Restriction List IE may further comprise RAT Restrictions included in a RAT Restriction Information IE, which may contain RAT restriction information for NR access technology as below.
In an embodiment that may be combined with other embodiments or used independently, when the master NG-RAN node requests the secondary NG-RAN node to prepare resources for dual connectivity operation for a specific UE, the M-NG-RAN node may check whether the S-NG-RAN node is restricted by considering the RAT restriction information associated with PLMNs, and then decide whether to add the S-NG-RAN node or not depending on whether the access technology of the S-NG-RAN node is restricted or not; in particular, the S-NODE ADDITION REQUEST message sent from the M-NG-RAN node to the S-NG-RAN node may contain the RAT restriction information associated with PLMNs in the Mobility Restriction List IE.
In an embodiment that may be combined with other embodiments or used independently, when the master eNB requests the en-gNB to prepare resources for EN-DC dual connectivity operation for a specific UE, the MeNB may check whether the en-gNB is restricted by considering the RAT restriction information associated with PLMNs, and then decide whether to add the en-gNB or not depending on whether the access technology of the en-gNB is restricted or not; in particular, the SGNB ADDITION REQUEST message sent from the MeNB to the en-gNB may contain the RAT restriction information associated with PLMNs in the Handover Restriction List IE.
In general, it is described a method by which a wireless device determines whether to initiate an inter-RAT mobility procedure towards a second target access device, upon receiving an inter-RAT mobility triggering message from a first serving access device, wherein determining whether to initiate the inter-RAT mobility procedure comprises the wireless device performing a check to verify whether the radio access technology type associated with the second target access device indicated by the first source access device is, or is not, restricted, based on an access device selection configuration, e.g., the “list of PLMNs with associated RAT restrictions”, maintained by the wireless device.
It is described another method wherein, the mobility procedure triggered by the first access device towards the second target access device is an inter-PLMN mobility procedure, and where the check to be performed by the wireless device consists of checking whether the combination of PLMN-RAT, associated with the second target access device and the PLMN with which it is associated, is, or is not, restricted, based on the access device selection configuration, e.g., “list of PLMNs with associated RAT restrictions”, maintained by the wireless device.
It is described another method wherein, upon determining that a second target access device indicated by a first source access device, during an inter-RAT mobility procedure triggered by the first source access device, is restricted according to the access device selection configuration, e.g., list of “PLMNs with associated RAT restrictions”, maintained by the wireless device, the wireless device may:
- transmit a failure message which may include one or more of the following:
  - an indication of failure, which may indicate the failure cause being due to RAT restrictions;
  - fresh measurement report(s) including radio signal measurements associated with access technologies received by the wireless device, which may be associated with non-restricted access technologies,
  - an indication of radio access technologies, or cells, that are non-restricted at the wireless device; and/or
- initiate a connection re-establishment procedure with the first source access device, wherein the wireless device indicates failure and/or includes fresh measurement report(s) and/or an indication of access technologies and/or cells that are non-restricted at the wireless device.
In another embodiment that may be combined with other embodiments or used independently, the UE may be configured with a list of emergency services that it may need access to in certain situations, such as calling 911, sending an SOS message, or requesting medical assistance. The list of emergency services may be determined by the network, the user, or both, and may be updated or modified as needed. The list of emergency services may be stored in the UE memory, or in a secure element such as a SIM card or an eSIM.
When the UE needs to access one of the emergency services on the list, it may temporarily override the configuration or policy that restricts it from connecting to older generation access devices and attempt to connect to the nearest available cell that can provide the service, regardless of its technology or legitimacy. The UE may also notify the network or the user of its decision to connect to a potentially unsafe cell, and request confirmation or verification before proceeding with the service. Alternatively, or in addition, the UE may use a different authentication or encryption mechanism when connecting to the older generation access device, to protect its identity and data from possible attacks. This embodiment ensures that the UE can access the emergency services when needed, while minimizing the risk of connecting to fake base stations.
In another embodiment that may be combined with other embodiments or used independently, the UE may be configured with a policy (or UE rules) that determines how it should connect to the network based on the features of the measured signals, the location of the UE, and/or the mobility status of the UE. For example, the policy may indicate which cells may be preferred or classified as potential FBS depending on the signal strength, frequency, technology, or other parameters of the received synchronization signals. The policy may also take into account the geographical area where the UE is located, and whether the area is expected to have access devices associated with older or newer network generations. Furthermore, the policy may consider whether the UE is moving or stationary, and adjust the criteria for selecting or rejecting cells accordingly. The policy may be provisioned or configured by the network, or by the user, or by both. Based on this policy, the UE may determine which cell it uses to connect, or whether it needs to perform additional checks or actions, such as reporting suspicious signals to the network or requesting more information from the network.
In another embodiment that may be combined with other embodiments or used independently, the UE may receive updates of the policy or configuration that determines how it should connect to the network based on the features of the measured signals, the location of the UE, and/or the mobility status of the UE. The updates may be provided by the network, or by the user, or by both. The updates may be triggered by a request from the UE or by an indication from the network or the user. The updates may include the entire policy or configuration, or only a part of it. Each update may be associated with an expiration date or time, which indicates how long the update is valid. When the UE receives an update of a part of the policy or configuration, it may also receive information about whether the expiration date or time of the remaining part of the policy or configuration has changed or not. Based on this information, the UE may replace or merge the updated part with the existing policy or configuration, and apply the updated policy or configuration accordingly. This embodiment allows the UE to adapt its connection behaviour to the changing network conditions and user preferences, and to avoid using outdated or irrelevant policy or configuration information.
In another embodiment that may be combined with other embodiments or used independently, the UE may use its location information to determine whether it can trust and use a certain type of access device. For example, the UE may receive or retrieve policies or configurations from a network operator, a service provider, or another trusted source that specify the location of the tracking area, registration area, cell identifier, or other geographic or logical areas associated with different types of access devices or networks, such as 2G, 3G, 4G, or 5G. The UE may store the policies or configurations in its memory or cache them for later use. When the UE is at a given location, it may compare its location information, such as GPS coordinates, with the policies or configurations to determine which types of access devices or networks are available and/or trusted in that location. The UE may then use the policies or configurations to perform the comparison and selection of the cells as described above. Alternatively, or in addition, the UE may query the policies or configurations from a network operator, a service provider, or another trusted source based on its location information, and receive a response indicating which types of access devices or networks are available and/or trusted in that location. The UE may then use the response to perform the comparison and selection of the cells as described above. This embodiment improves the UE's ability to adapt to different network environments and avoid fake or outdated cells based on its location, and enhances the security and reliability of the network connection.
In another embodiment that may be combined with other embodiments or used independently, the UE may receive a configuration or policy from a network operator, a service provider, or another trusted source that specifies a list of identifiers for different types of cells or networks, such as 2G, 3G, 4G, or 5G. The identifiers may include cell IDs, tracking areas, registration areas, PLMNs, or other features that can distinguish the cells or networks. The configuration or policy may also specify a time pattern or schedule for each identifier, indicating when the identifier should be used by the corresponding cell or network. For example, the configuration or policy may assign an identifier A to a 4G cell and specify that the identifier A should be used from 00:00 to 00:15, from 00:30 to 00:45, and so on, every hour. Similarly, the configuration or policy may assign an identifier B to a 5G cell and specify that the identifier B should be used from 00:15 to 00:30, from 00:45 to 01:00, and so on, every hour. The UE may store the configuration or policy in its memory or cache it for later use. When the UE receives a synchronization signal, system information block or message (in general, signal) from a cell, it may check the identifier included in the signal and compare it with the configuration or policy to determine whether the identifier matches the expected identifier for the cell type and the current time slot. The list of valid identifiers may be linked to a given location, and the UE may obtain it based on its own (known) location, e.g., known via GPS. If the identifier matches, the UE may consider the cell as valid and possibly select it for connection. If the identifier does not match, the UE may consider the cell as fake or outdated and ignore it. Alternatively, or in addition, the UE may query the configuration or policy from a network operator, a service provider, or another trusted source based on the identifier that it receives from a cell, and receive a response indicating whether the identifier is valid or not for the cell type and the current time slot. The UE may then use the response to decide whether to connect to the cell or not. This embodiment allows the UE to verify the legitimacy and currency of the cells based on their identifiers and the time pattern, and avoid connecting to fake or outdated cells that may compromise the security and reliability of the network connection.
A possible embodiment in which a list of Cell identifiers assigned to a UE could be UE-specific may be as follows. The UE may generate or obtain a secret key K that is shared with a trusted network entity, such as a home operator or a service provider. The key K may be derived from the UE’s identity, such as its International Mobile Subscriber Identity (IMSI) or Public Land Mobile Network Identifier (PLMN ID), or obtained through a secure protocol, such as a key agreement or authentication scheme. The UE may also receive or compute a function F that is known to the network entity and can produce a unique identifier based on the input parameters. The function F may be a cryptographic hash function, such as a Hash-based Message Authentication Code (HMAC) or a Secure Hash Algorithm (SHA), or any other function that can generate an output that is hard to predict or invert without knowing the key K. The UE may store the key K and the function F in its memory or cache them for later use. When the UE receives a signal from a cell, it may use the identifier included in the signal as an input for the function F, along with the other parameters, such as the cell type, the current time t, which may be set to a specific resolution (e.g., number of LSBs set to 0) determined by a configuration or policy, and the secret key K. For example, the UE may compute F(Identifier, Cell Type, t, K), where Identifier may be the Cell ID, Tracking Area Identifier (TAI), or Network Generation (NG) used by the cell. The UE may then compare the output of the function F with the expected identifier for the current time slot, which may be stored in a configuration or a policy provided by the network entity. If the output matches the expected identifier, the UE may consider the cell as valid and possibly select it for connection. If the output does not match, the UE may consider the cell as fake or outdated and ignore it. Alternatively, or in addition, the UE may send a query to the network entity based on the identifier that it receives from a cell, and receive a response indicating whether the identifier is valid or not for the cell type and the current time slot. The UE may then use the response to decide whether to connect to the cell or not. This embodiment allows the UE to verify the legitimacy and currency of the cells based on their identifiers and the secret key, and avoid connecting to fake or outdated cells that may compromise the security and reliability of the network connection. This embodiment may be combined with other embodiments described herein or used independently, depending on the implementation and the desired functionality.
In another embodiment that may be combined with other embodiments or used independently, the UE may have a secret key K that is derived from its identity or obtained through a secure protocol with the network entity. The UE may also receive or compute a function F that is known to the network entity and can produce a unique identifier based on the input parameters. The function F may be a cryptographic hash function, such as an HMAC or a hash function such as SHA-2 or SHA-3, or any other function that can generate an output that is hard to predict or invert without knowing the key K. The UE may store the key K and the function F in its memory or cache them for later use. When the UE receives a signal from a cell, it may use the identifier included in the signal as an input for the function F, along with the other parameters, such as the cell type and the network generation. For example, the UE may compute F(Identifier, Cell Type, NG, K), where Identifier may be the Cell ID, TAI, or NG used by the cell. Additionally, or alternatively the function F may also take (geo-)location information (e.g., latitude and longitude) as an input parameter, which may also be provisioned/configured at the UE and retrieved based on the identifiers (e.g., cell identity) received from the base station. The UE may then compare the output of the function F with the expected identifier for the cell, which may be stored in a configuration or a policy provided by the network entity. If the output matches the expected identifier, the UE may consider the cell as valid and possibly select it for connection. If the output does not match, the UE may consider the cell as fake or outdated and ignore it. Alternatively, or in addition, the UE may send a query to the network entity based on the identifier that it receives from a cell, and receive a response indicating whether the identifier is valid or not for the cell type and the network generation. The UE may then use the response to decide whether to connect to the cell or not. This embodiment allows the UE to verify the legitimacy and validity of the cells based on their identifiers and the secret key, and avoid connecting to fake or outdated cells that may compromise the security and reliability of the network connection. This embodiment may be combined with other embodiments described herein or used independently, depending on the implementation and the desired functionality. This embodiment can allow making the configurations device specific so that information about the whitelisted cells is not stored on the UEs, but only a function of them. This prevents the cell information (that can be operator sensitive) from leaking.
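The keyed identifier check of the two embodiments above, as an added example that is not code from the patent or its authors. It assumes F is HMAC-SHA-256 truncated to 128 bits, a time resolution of 10 zeroed low bits, and a policy holding only the expected outputs of F per time slot; the key, cell identifiers and function names are constructed for the illustration.

```python
import hashlib
import hmac
import struct

SLOT_LSBS = 10   # assumption: zero the 10 low bits of Unix time (1024 s slots)
TAG_LEN = 16     # assumption: outputs of F truncated to 128 bits


def slot_of(t: int, lsbs: int = SLOT_LSBS) -> int:
    """Reduce t to the configured resolution by setting its low bits to 0."""
    return (t >> lsbs) << lsbs


def F(identifier: str, cell_type: str, t: int, key: bytes) -> bytes:
    """F(Identifier, Cell Type, t, K), instantiated here as truncated HMAC-SHA-256.

    Each field is length-prefixed so that two different input tuples can
    never serialise to the same byte string.
    """
    fields = (identifier.encode(), cell_type.encode(),
              struct.pack(">Q", slot_of(t)))
    msg = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def provision_policy(key: bytes, cells: list, slots: list) -> dict:
    """Network side: build the UE-specific policy {slot: set of F outputs}.

    `cells` is a list of (identifier, cell_type) pairs. Only outputs of F
    go into the policy; the cell list itself is not sent to the UE.
    """
    return {s: {F(cid, ctype, s, key) for cid, ctype in cells}
            for s in map(slot_of, slots)}


def cell_is_valid(policy: dict, key: bytes, identifier: str,
                  cell_type: str, now: int) -> bool:
    """UE side: recompute F for the broadcast identifier and look it up."""
    expected = policy.get(slot_of(now), set())   # no entry: policy is outdated
    tag = F(identifier, cell_type, now, key)
    # Constant-time comparison against every tag provisioned for this slot.
    return any(hmac.compare_digest(tag, e) for e in expected)


# Constructed sample data (not from the page).
K_UE = bytes.fromhex("00112233445566778899aabbccddeeff")
LEGIT_CELLS = [("cell-0x1a2b3c", "5G"), ("cell-0x0042ff", "4G")]
T0 = 1_700_000_000
POLICY = provision_policy(K_UE, LEGIT_CELLS, [T0, T0 + 1024])

if __name__ == "__main__":
    for cid, ctype, when in [("cell-0x1a2b3c", "5G", T0 + 5),
                             ("cell-0x1a2b3c", "4G", T0 + 5),
                             ("cell-0xffffff", "5G", T0 + 5),
                             ("cell-0x1a2b3c", "5G", T0 + 5000)]:
        print(cid, ctype, when, cell_is_valid(POLICY, K_UE, cid, ctype, when))
```

A known identifier announced with a different cell type, and any identifier seen in a slot for which no tags were provisioned, are both rejected, which covers the "fake" and "outdated" cases the text distinguishes.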
Synchronization of policies
In certain scenarios, following the NAS layer providing the AS layer with RAT utilization control information (e.g., List of “PLMN with associated RAT restrictions”), the AS layer may maintain a provided list of “PLMNs with associated RAT restrictions” for further use, e.g., for cell evaluation for the purpose of cell reselection. While the UE may receive further RAT utilization control information from a serving PLMN, thus impacting (e.g., by adding, updating, or deleting one or more entries) in the list of “PLMNs with associated RAT restrictions” stored in the UE, e.g., in the UE’s non-volatile memory, the list of “PLMNs with associated RAT restrictions” may be updated on the NAS layer, whereas the AS layer may continue using an outdated list of “PLMNs with associated RAT restrictions”, which may impact a mobility procedure, e.g., the cell reselection procedure. It is therefore the aim of some of the following embodiments to address this issue, to that end:
In an embodiment that may be combined with other embodiments or used independently, upon the UE receiving from a serving PLMN RAT utilization control information impacting (e.g., by adding, updating, or removing entry(ies) in the list of “PLMNs with associated RAT restrictions”) the list of “PLMNs with associated RAT restrictions”, the UE NAS layer may provide the updated list of “PLMNs with associated RAT restrictions” to the AS layer(s) performing cell evaluation for the purpose of cell reselection, thus ensuring the list of “PLMNs with associated RAT restrictions” maintained at both layers (i.e., NAS and AS) are synchronized. This action may be performed immediately (e.g., as soon as the new list is received), or based on configuration (e.g., periodically, dependent on context, dependent on an action/change in NAS layer, etc).
In another embodiment that may be combined with other embodiments or used independently, to ensure procedures performed by the AS layer(s) (e.g., cell (re-)selection procedure) make use of the most up-to-date list of “PLMNs with associated RAT restrictions”, that is synchronized with the list of “PLMNs with associated RAT restrictions” maintained by the NAS layer and/or stored at the UE’s non-volatile memory, the AS layer(s) may request an update to the entry (i.e., RAT restrictions) associated with the serving PLMN (i.e., PLMN currently in use) or the entire list of “PLMNs with associated RAT restrictions” periodically (e.g., following a time period configured and/or provided by the network), or conditionally (e.g., following pre-defined conditions), as configured by the network, following a triggering event which includes, but is not limited to, the following:
- a change in the highest ranking cell according to cell reselection criteria, or
- a change in the best cell according to absolute priority reselection criteria, or
- a (back-off) timer (e.g., 300s) associated with not considering a candidate cell for cell reselection, as described in certain scenarios in 5.2.4.4 of TS 38.304 v18.4.0, running out.
Following any of the (configured) events, the NAS layer may indicate whether the list/entries have been updated, and/or the NAS layer may provide the AS layer(s) with the updated entry (i.e., RAT restrictions) associated with the serving PLMN and/or the entire list of “PLMNs with associated RAT restrictions”.
In another embodiment that may be combined with other embodiments or used independently, the UE may receive from a serving PLMN RAT utilization control information impacting (e.g., by adding, updating, or removing entry(ies) in the list of “PLMNs with associated RAT restrictions”) the list of “PLMNs with associated RAT restrictions” in general, and the entry in the list of “PLMNs associated with RAT restrictions” associated with the current serving PLMN, in particular. In this event, the UE NAS layer may instruct and/or restrict, according to the updated RAT restrictions associated with the current serving PLMN in the list of “PLMNs with associated RAT restrictions” the AS layer(s) to/from performing cell search/evaluation for the purpose of cell reselection. Additionally or alternatively, the AS layer(s) may periodically, or conditionally (as described in previous embodiments) request an update for the entry (i.e., RAT restrictions) associated with the current serving PLMN or the entire list of “PLMNs with associated RAT restrictions” thus ensuring only non-restricted AS layer(s) are performing cell search and evaluation for the purpose of cell reselection.
In another embodiment that may be combined with other embodiments or used independently, the request from AS layer(s) towards NAS layer associated with maintaining the lists of “PLMNs with associated RAT restrictions” may be a request for an update and/or a request for synchronization check (i.e., checking whether the list maintained by AS is valid still), to which the NAS layer may provide a response which acknowledges that the lists are in synch (e.g., if the list maintained by the AS layer(s) are valid still) or provides the updated entry (e.g., associated with the current serving PLMN) or the entire updated list of “PLMNs with associated RAT restrictions” (e.g., if the entry(ies) in the list maintained by the AS layer(s) is/are outdated) to the AS layer(s). Additionally, while the request may be from one AS layer (e.g., EUTRAN AS layer), depending on the potential changes to the RAT restrictions associated with the current serving PLMN, the response may trigger one or more AS layer(s), depending on which RATs are allowed/restricted.
In another embodiment that may be combined with other embodiments or used independently, a list of “PLMNs with associated RAT restrictions” may be associated with an identifier that may allow identifying the PLMN and version, e.g., it may be the PLMN ID concatenated with date/time. This unique identifier may be used, e.g., to distinguish/determine whether the list available in the AS layer is outdated or not.
In some cases, a wireless device may comprise multiple radio access technologies (e.g., 2G, 3G, 4G, 5G). Some of these RATs have frozen stacks, and thus, it is not feasible to update the stack so that the list of “PLMNs with associated RAT restrictions” is taken into account directly in the RAT stack, in other words, that the NAS layer sends it to the corresponding AS layer. Thus, in another embodiment that may be combined with other embodiments or used independently, when the NAS layer receives the list of “PLMNs with associated RAT restrictions” and the NAS layer determines that some (legacy) RATs have restrictions in the current UE context, the NAS layer may (command to) fully disable the corresponding RAT technology when the NAS layer determines that the device is at a given location, or in general fulfils certain criteria.
In an embodiment that may be combined with other embodiments or used independently, a wireless device (UE) may indicate the RATs that it is capable of and/or the user has enabled and/or the wireless device prefers. This may be indicated in the UE Capabilities. This may allow receiving a list of “PLMNs with associated RAT restrictions” that only contains information required for the wireless device, reducing the communication overhead. If the wireless device activates certain RATs, the wireless device may send the indication to the PLMN so that the PLMN may provide the current list with restrictions.
Note that these embodiments may be advantageous to make sure that a wireless device/UE has the latest information available. Otherwise, if the wireless device only updates the list of “PLMNs with associated RAT restrictions” regularly, e.g., every 300 seconds, attacks may be feasible. Consider, e.g., an attacker that deploys a 4G fake base station and jams 5G cells forcing wireless devices to connect through the 4G cell. Even if the network (PLMN) distributes very rapidly an update of the list of “PLMNs with associated RAT restrictions”, many UEs would not take it into account. However, if wireless devices (UEs) are forced to check for an update of the list before performing a mobility procedure (e.g., cell re-selection), this problem is avoided.
It is to be further noted that in situations where the UE has to wait a given time, e.g., 300s, before determining a cell is not “barred”, if NAS provides AS with an updated list of PLMNs or with an updated entry associated with the current serving PLMN, which lifts the restrictions on said cell, the AS layer may discard the running timer and consider the cell as a viable candidate for cell reselection. Similarly, if the updated (entry or list) happens to restrict a cell, e.g., the highest ranking cell, it is barred or deprioritized as it is now restricted.
In other words, it is proposed in this embodiment a method to ensure an entry to and/or the entire list of “PLMNs with associated RAT restrictions” maintained by the UE and/or NAS layer, and the entry to and/or the entire list of “PLMNs with associated RAT restrictions” maintained by AS layer(s) are synchronized, wherein the synchronization is performed:
- upon request from the AS layer(s), which may be performed periodically, or conditionally, and/or
- upon UE and/or NAS layer receiving an update to the list of “PLMNs with associated RAT restrictions”,
whereby the cell search and/or evaluation for cell (re-)selection is performed using an up-to-date list of “PLMNs with associated RAT restrictions”.
In accordance with a general definition of this embodiment, it is proposed a method by which, following a synchronization of the list of “PLMNs with associated RAT restrictions” between the UE and/or the NAS layer, and the AS layer(s), one or more AS layer(s) are triggered to perform and/or are restricted from performing cell search and/or evaluation for cell reselection.
In other words, it is proposed for this embodiment a first method for selecting an access device comprising the steps of:
- receiving, by a UE, an access device selection configuration and/or policy,
- storing, by the UE, the access device selection configuration and/or policy, and
- selecting, by the UE, an access device based on the access device selection configuration and/or policy.
Optionally, the method may include receiving, by a UE, one or more access device selection configurations in the NAS layer.
Additionally, the selecting of the selected one or more access devices may comprise one or more of:
- the UE obtaining a second list comprising radio access technology utilisation control information from the one or more access device selection configuration received in the NAS layer;
- the UE determining a first list of configured Public Land Mobile Networks, PLMNs, / Radio Access Technology, RAT, with priority order stored in a Subscriber Identity Module such as a USIM or in a Mobile Equipment, ME, of the UE;
- the UE using the first list and the second list when performing or initiating PLMN and/or cell (re-)selection.
Additionally, the second list used by the UE when performing or initiating PLMN and/or cell (re-)selection may be ensured to be up-to-date by one or more of:
- the AS layer requesting from the NAS layer the most recently received second list upon the occurrence of an event;
- the NAS layer sending the most recently received second list to the AS layer upon the occurrence of an event;
wherein the event may be determined based on a configuration.
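The synchronization check between NAS and AS before cell reselection, as an added example that is not code from the patent text. It models the version identifier (PLMN ID concatenated with date/time), the in-sync/updated response and the discarding of a running back-off timer; class names, the PLMN ID "00101", timestamps and cell data are constructed.

```python
from dataclasses import dataclass

BACKOFF_S = 300   # back-off period, using the example value given in the text


@dataclass(frozen=True)
class Cell:
    cell_id: str
    rat: str      # "2G", "3G", "4G" or "5G"
    rank: float   # stand-in for the reselection ranking; higher is better


class NasLayer:
    """Holds the authoritative list of PLMNs with associated RAT restrictions."""

    def __init__(self):
        self.version = None
        self.restrictions = {}        # PLMN ID -> frozenset of restricted RATs

    def receive_from_plmn(self, plmn, timestamp, restrictions):
        """Store RAT utilization control information from the serving PLMN."""
        self.restrictions = {p: frozenset(r) for p, r in restrictions.items()}
        self.version = f"{plmn}-{timestamp}"   # PLMN ID concatenated with date/time

    def sync_check(self, as_version, serving_plmn):
        """Acknowledge that AS is in sync, or return the serving-PLMN entry."""
        if as_version == self.version:
            return "IN_SYNC", self.version, None
        entry = self.restrictions.get(serving_plmn, frozenset())
        return "UPDATED", self.version, entry


class AsLayer:
    """Keeps a copy of the serving-PLMN entry and evaluates candidate cells."""

    def __init__(self, nas, serving_plmn):
        self.nas = nas
        self.serving_plmn = serving_plmn
        self.version = None
        self.restricted = frozenset()
        self.backoff = {}             # cell_id -> (rat, timer expiry)

    def sync(self):
        status, version, entry = self.nas.sync_check(self.version, self.serving_plmn)
        if status == "UPDATED":
            self.version, self.restricted = version, entry
            # A lifted restriction discards the running timer for that cell.
            self.backoff = {c: (rat, exp) for c, (rat, exp) in self.backoff.items()
                            if rat in self.restricted}
        return status

    def reselect(self, candidates, now, sync_first=True):
        """Return the best non-restricted candidate, or None."""
        if sync_first:                # check for an update before the mobility procedure
            self.sync()
        viable = []
        for cell in candidates:
            if cell.rat in self.restricted:
                self.backoff.setdefault(cell.cell_id, (cell.rat, now + BACKOFF_S))
                continue
            timer = self.backoff.get(cell.cell_id)
            if timer and now < timer[1]:
                continue
            viable.append(cell)
        return max(viable, key=lambda c: c.rank, default=None)


def scenario(sync_first):
    """Stale-list case from the text: 4G becomes restricted, only a 4G cell is seen."""
    nas = NasLayer()
    nas.receive_from_plmn("00101", "20250101T0000", {"00101": {"2G", "3G"}})
    as_layer = AsLayer(nas, "00101")
    as_layer.sync()                   # initial copy handed to the AS layer
    nas.receive_from_plmn("00101", "20250301T0000", {"00101": {"2G", "3G", "4G"}})
    seen = [Cell("4G-strong", "4G", 9.0)]   # constructed measurement, no 5G visible
    return as_layer.reselect(seen, now=0, sync_first=sync_first)


if __name__ == "__main__":
    print("stale AS list :", scenario(sync_first=False))
    print("sync before reselection:", scenario(sync_first=True))
```

With `sync_first=False` the AS layer still treats 4G as allowed and returns the 4G cell; with the check in place it returns no candidate.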
Miscellaneous
In another embodiment that may be combined with other embodiments or used independently, the UE may have specific UE capabilities that enable it to check the network status and the base station (BS) / access device legitimacy before establishing a connection. For example, the UE may support Proximity Services (ProSe), which allow direct communication between nearby UEs without relying on the network infrastructure. The UE may use ProSe to exchange information with other UEs in its vicinity, such as the signal quality, cell identity, network generation, or location of the cells that they are connected to or have measured. Based on this information, the UE may identify the cells that are consistent with the expectations of the network and the user, and avoid the cells that are likely to be fake or outdated. Alternatively, or in addition, the UE may support Non-Terrestrial Networks (NTN), which allow communication via satellite or aerial platforms. The UE may use NTN to obtain network information from a trusted source, such as a satellite that broadcasts the network status and the legitimate BSs in a given area. Based on this information, the UE may verify the authenticity and validity of the synchronization signals that it receives from the terrestrial cells, and select the cell that matches the network criteria and the user preferences. This embodiment enhances the UE's ability to detect and avoid fake or outdated cells, and improves the security and reliability of the network connection.
In another embodiment that may be combined with other embodiments or used independently, the UE may receive system information blocks (SIBs) from one or more access devices that include information identifying neighboring cells. The UE may cross-reference and check the SIBs from the different access devices to determine whether a synchronization signal is being broadcasted from a legitimate or fake BS, and similarly for network status. For example, the UE may compare the cell identity, frequency, technology, or location of the neighboring cells reported by the SIBs, and identify any discrepancies or inconsistencies that indicate a possible fake or outdated cell. The UE may also compare the network status, such as the network generation, configuration, or capabilities, of the neighboring cells reported by the SIBs, and identify any mismatches or anomalies that indicate a possible fake or outdated cell. Based on this comparison, the UE may select the cell that has the most consistent and reliable SIBs, and avoid the cells that are identified as conflicting or suspicious in the received SIBs. This embodiment improves the UE's ability to detect and avoid fake or outdated cells, and enhances the security and reliability of the network connection.
In another embodiment that may be combined with other embodiments or used independently, the UE may verify the received information from the access devices before using it to check the network status and the BS legitimacy. For example, the information may be protected with a digital signature that is issued by a trusted authority, such as a network operator or a certificate provider. The UE may validate the digital signature of the information using a public key or a certificate that is stored in the UE or obtained from a trusted source. If the digital signature is valid, the UE may use the information to perform the comparison and selection of the cells as described above. If the digital signature is invalid or absent, the UE may discard the information or use other criteria to evaluate its reliability. Alternatively, or in addition, the UE may trust the information that is provided by the majority of the access devices in its vicinity, assuming that the legitimate access devices outnumber the fake ones. The UE may compare the information from different access devices and identify the common or consistent elements, such as the cell identity, frequency, technology, location, or network status of the neighboring cells. The UE may use the common or consistent information to perform the comparison and selection of the cells as described above. The UE may ignore or disregard the information that is provided by a minority of access devices or that is conflicting or inconsistent with the majority of the information. This embodiment improves the UE's ability to verify and use the information from the access devices, and enhances the security and reliability of the network connection.
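The SIB cross-referencing and majority rule of the two embodiments above, as an added example that is not code from the patent text. It assumes each SIB neighbour entry reduces to a (frequency, technology) pair, ignores what a cell reports about itself, and requires at least two independent reports; all cell IDs, frequencies and signal levels are constructed.

```python
from collections import Counter, defaultdict

MIN_REPORTERS = 2   # assumption: at least two independent reports before judging


def neighbour_consensus(sib_reports):
    """Majority view of every neighbour cell across the received SIBs.

    sib_reports maps reporter cell ID -> {neighbour cell ID: (frequency, technology)}.
    A reporter's entry about itself is ignored so a cell cannot vouch for itself.
    Returns {cell ID: attributes, or None when there is no strict majority}.
    """
    votes = defaultdict(Counter)
    for reporter, neighbours in sib_reports.items():
        for cell_id, attrs in neighbours.items():
            if cell_id != reporter:
                votes[cell_id][attrs] += 1
    view = {}
    for cell_id, counter in votes.items():
        attrs, count = counter.most_common(1)[0]
        total = sum(counter.values())
        agreed = total >= MIN_REPORTERS and 2 * count > total
        view[cell_id] = attrs if agreed else None
    return view


def classify_cell(cell_id, announced, sib_reports):
    """Compare what a cell announces about itself with the majority view."""
    view = neighbour_consensus(sib_reports)
    if view.get(cell_id) is None:
        return "unverified"       # unknown to its neighbours, or they disagree
    return "consistent" if view[cell_id] == announced else "conflicting"


def select_cell(candidates, sib_reports):
    """Strongest candidate whose own broadcast matches the majority view."""
    ok = [c for c in candidates
          if classify_cell(c["id"], (c["freq"], c["tech"]), sib_reports) == "consistent"]
    return max(ok, key=lambda c: c["rsrp"], default=None)


# Constructed sample data (not from the page). Frequencies in MHz, RSRP in dBm.
SIB_REPORTS = {
    "A": {"B": (3500, "5G"), "C": (3500, "5G"), "D": (1800, "4G")},
    "B": {"A": (3500, "5G"), "C": (3500, "5G"), "D": (1800, "4G")},
    "C": {"A": (3500, "5G"), "B": (3500, "5G")},
    "X": {"A": (900, "2G"), "X": (900, "2G")},   # outlier: disagrees and self-reports
}
CANDIDATES = [
    {"id": "A", "freq": 3500, "tech": "5G", "rsrp": -85},
    {"id": "D", "freq": 1800, "tech": "4G", "rsrp": -90},
    {"id": "X", "freq": 900, "tech": "2G", "rsrp": -60},
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(c["id"], classify_cell(c["id"], (c["freq"], c["tech"]), SIB_REPORTS))
    print("selected:", select_cell(CANDIDATES, SIB_REPORTS)["id"])
```

The strongest signal (X) is not selected because no other access device lists it, and a cell reusing the identifier D with different attributes would be classified as conflicting.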
Multiple embodiments in this invention have focused on banning / avoiding access through legacy (3GPP) access devices. However, non-3GPP access technologies may also be decommissioned. For instance, a given wireless access technology may deliver a lower performance/security level, and it may be decommissioned. Thus, embodiments described in this invention may also be applicable to a UE when using a non-3GPP access technology.
For instance, Table 5.4.3.2-1 in TS 29.571 lists different types of 3GPP and non-3GPP RATs. Some RATs may be associated to a given network generation. In some cases, some RAT types may be decommissioned for a given network generation, while other RAT types may still be available. Thus, in an embodiment of the invention that may be used independently or combined with other embodiments, the access device selection configuration and/or policy may include details about the RAT types that are decommissioned/whitelisted/blacklisted.
Background on wireless local area network technologies
Wi-Fi is a wireless technology that allows devices to connect to the Internet or to each other without using cables. Wi-Fi is based on radio waves that are transmitted and received by a device called a wireless access point (AP). The AP acts as a hub that connects Wi-Fi enabled devices, such as laptops, smartphones, tablets, smart TVs, etc., to a wired network, such as a local area network (LAN) or the Internet. The term Wi-Fi is a trademark of the Wi-Fi Alliance, an industry association that certifies products that comply with the IEEE 802.11 standards for wireless local area networks (WLANs). These standards define the physical and data link layers of the communication protocol, such as the frequency bands, modulation schemes, encryption methods, authentication mechanisms, and data rates used by Wi-Fi devices. The most common Wi-Fi standards are based on IEEE 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac, and 802.11ax, which operate in different frequency bands (2.4 GHz, 5 GHz, or both) and offer different levels of performance and compatibility.
To use Wi-Fi, a device needs to have a wireless network interface card (NIC) that can send and receive radio signals. The NIC scans the available wireless channels and detects the presence of nearby APs. The device then selects an AP to connect to, based on factors such as signal strength, security settings, and network name (SSID). The device and the AP exchange information, such as the MAC address, IP address, encryption key, and password, to establish a connection. This process is called association. After the connection is established, the device can communicate with the AP and other devices on the same network, or access the Internet through the AP.
IEEE 802.11n (Wi-Fi 4) provided new features such as MIMO and frame aggregation to increase throughput. IEEE 802.11ac (Wi-Fi 5) introduced wider bandwidth and MU-MIMO. IEEE 802.11ax (Wi-Fi 6) included OFDMA and BSS color or spatial reuse to use spectrum resources more efficiently. IEEE 802.11ah introduced target wake time (TWT) to support low power IoT applications by allowing STAs to go into sleep when not in a wake period after negotiation with the AP. IEEE 802.11be (Wi-Fi 7) aims at improving throughput and latency operating in unlicensed bands between 1 GHz and 7.125 GHz. Wi-Fi 7 increases bandwidths up to 320 MHz, uses 4096 QAM modulation, and supports up to 16 spatial streams in MU-MIMO with an improved sounding procedure. Wi-Fi 7 also enables multiple resource units to be assigned to a single device. Furthermore, it includes an enhanced preamble with a universal SIG field indicating the PHY version. It also extends the negotiated ack buffer size to 1024 bits. It also enables multilink operation (MLO), which allows multiple links between a station and an access point; for instance, an AP can have two radios (2.4 and 5 GHz) and use both of them for simultaneous transmission and/or reception with a multi-link capable device (MLD) capable station. Wi-Fi 7 also includes a restricted TWT providing predictable latency by assigning STAs to different rTWT types and making sure that other STAs do not transmit if they do not belong to a given rTWT type. Wi-Fi 7 also includes multi-AP coordination performing, e.g., coordinated transmission, beamforming, or joint transmission. For instance, in reference to Figure 5, devices 100, 101 and 102 can be Wi-Fi access points and device 106 can be a wireless station. Station 106 and access point 101 are MLD and communicate with two links 126. Device 102 is a cellular capable residential gateway.
Application to cellular technologies
Some of the core ideas presented in this invention may be applicable to a wide range of wireless technologies used in wide or local area networks and using different types of radio access technologies, in particular, the ideas may apply to cellular technologies. Even if some embodiments have been described in terms of certain technologies, e.g., 5G, 4G or WiFi, they may also be applicable to other wireless technologies.
A cellular system is a wireless communication system that consists of three main components: user equipment (UE), radio access network (RAN), and core network (CN). These components work together to provide voice and data services to mobile users over a large geographic area.
User equipment (UE) is the device that a user uses to access the cellular system, such as a smartphone, a tablet, a laptop, an IoT device, or a wearable device. A UE typically may contain the following components:
- A universal integrated circuit card (UICC), which stores the user's identification and authentication information, such as the subscription permanent identifier (SUPI) or credentials.
- A transceiver, which converts the digital signals from the processor into analog signals for transmission and reception over the air interface. The transceiver also performs modulation, demodulation, coding, decoding, and other signal processing functions.
- A processor, which controls the operation of the UE and executes the applications and services that the user requests. The processor also communicates with the RAN and the CN using various protocols.
- A display, which shows the user the information and feedback from the UE, such as the signal strength, the battery level, the call status, the messages, the contacts, the menu, etc.
- A microphone and a speaker, which enable the user to make and receive voice calls, as well as use other audio features, such as voice mail, voice recognition, etc.
- A keyboard and/or a touch screen, which allow the user to enter and select commands, text, numbers, etc.
- A camera and/or a video recorder, which enable the user to capture and send images and videos, as well as use other multimedia features, such as video calling, video streaming, etc.
- A memory, which stores the data and programs that the user needs, such as the phone book, the messages, the photos, the videos, the applications, etc.
- A battery, which provides the power supply for the UE.
A UE accesses the cellular network via the radio access network, as described below. Certain UEs may communicate with each other by using device-to-device communication, also known as sidelink communication, using the PC5 interface that may rely on physical sidelink (PS) broadcast channel, PS shared channel, PS control, etc.
A UE may receive / transmit / trigger a configuration by means of different procedures:
Downlink control information (DCI) is a type of control information that is sent from the BS to the UE on the physical downlink control channel (PDCCH). DCI contains various parameters that instruct the UE how/when to decode and transmit data on the physical downlink shared channel (PDSCH) and the physical uplink shared channel (PUSCH), such as the resource allocation, the modulation and coding scheme. The UE needs to monitor the PDCCH in each subframe to detect and decode the DCI that is addressed to it.
Uplink control information (UCI) is a type of control information that is sent from the UE to the BS on the physical uplink control channel (PUCCH) or the physical uplink shared channel (PUSCH). UCI contains various feedback signals that inform the BS about the status and quality of the downlink transmission, such as the HARQ acknowledgments (ACKs), the channel state information (CSI), and the scheduling requests (SRs). The UE needs to encode and transmit the UCI according to the configuration and timing indicated by the BS.
Sidelink control information (SCI) is a type of control information that is sent from the UE to another UE on the physical sidelink control channel (PSCCH) in device-to-device (D2D) communication scenarios. The main functions of SCI include resource allocation, synchronization, channel quality reporting, etc.
Medium access control (MAC) control element (MAC CE) is a type of control information that is sent from the BS to the UE or vice versa on the MAC layer. MAC CE contains various commands or indications that regulate the MAC layer functions, such as the buffer status report (BSR), the timing advance command (TAC), the discontinuous reception (DRX) command, etc. The UE needs to process the MAC CE according to the MAC protocol and the configuration provided by the BS.
Radio resource control (RRC) command is a type of control information that is exchanged between the BS and the UE on the RRC layer. RRC Command contains various messages that modify/configure RRC parameters and/or initiate, modify, or release the RRC connection or the radio bearers between the UE and the BS, such as the RRC connection setup, the RRC connection reconfiguration, the RRC connection release, the security mode command, the mobility from E-UTRA command, the handover from E-UTRA preparation request, etc. The UE needs to respond to the RRC Command according to the RRC protocol and the configuration provided by the BS.
Non-access stratum (NAS) messages are used for signalling between UE and core network (CN) on the non-access stratum (NAS) layer. NAS messages enable functionality such as registration, session establishment, security, and mobility management. The UE needs to respond to the NAS Command according to the NAS protocol and the configuration provided by the CN.
UE parameter update (UPU) is a procedure between the UE and the home network that enables the home network to update configuration parameters in mobile phones and/or USIM using the UDM control plane procedure (TS 23.502). The UE can receive Parameters Update Data from the UDM after the UE has registered in the 5G network.
Steering of Roaming (SoR) enables the home network to guide the user equipment (UE) when registering on a visited network. For detailed information about the interfaces and registration in the 5G System, refer to 3GPP TS 23.501 (Release 15) [17] and 3GPP TS 24.501 (Release 15) [18]. The 5G CP-SOR is activated during or after registration to update the UE's "Operator Controlled PLMN Selector with Access Technology" list via secure NAS messages, as directed by the home PLMN based on specific operator policies, such as preferred networks or UE location.
UE configuration update (UCU) is used to update configuration parameters as per TS 23.502 that may include Access and Mobility Management related parameters decided and provided by the AMF, and UE Policy provided by the PCF. When the AMF wants to change the UE configuration for access and mobility management related parameters, the AMF initiates the procedure defined in clause 4.2.4.2. When the PCF wants to change or provide new UE Policies in the UE, the PCF initiates the procedure defined in clause 4.2.4.3. If the UE Configuration Update procedure requires the UE to initiate a Registration procedure, the AMF indicates this to the UE explicitly. The procedure in clause 4.2.4.2 may be triggered also when the AAA Server that performed Network Slice-Specific Authentication and Authorization for an S-NSSAI revokes the authorization.
Radio access network (RAN) is the part of the cellular system that connects the UEs to the CN via the air interface. The RAN consists of base stations (BSs). A base station (BS) is a fixed or mobile transceiver that covers a certain geographic area, called a cell. In 5G, a BS is also called a gNB (next generation node B). A BS can serve multiple UEs simultaneously within its cell, by using different frequencies, time slots, codes, or beams. A BS also performs functions such as power control, handover control, channel allocation, interference management, etc. A base station can be divided into two units: a central unit (CU) and a distributed unit (DU). The CU performs the higher layer functions, such as RLC, PDCP, RRC, etc. The DU performs the lower layer functions, such as PHY and MAC. The CU and the DU can be co-located or separated, depending on the network architecture and deployment. In cellular systems, a base station may be denoted, based on context, as a cell, or gNB.
The cell may also refer to the coverage area of a base station. A BS may have different coverage areas such as a macro cell (e.g. several kilometres wide), a pico cell (e.g., for a given location such as a stadium) or a femto cell for a small location (e.g., a home or part of it).
A base station may communicate with the core network. Since there can be base stations for different cellular systems, different interfaces are required. For instance, a base station, eNB, in a 4G Long Term Evolution (LTE) system (also known as Evolved Universal Mobile Telecommunications Systems (UMTS) Terrestrial Radio Access Network (E-UTRAN)) may interface with the 4G CN known as EPC through the corresponding interface. For instance, a base station, gNB, in a 5G system (i.e., 5G New Radio or Next Generation RAN) may communicate with the 5GC through a different interface. 4G and 5G base stations may communicate with each other directly or through their corresponding core networks.
The main protocols used between the UEs and the RAN are:
- The physical layer (PHY), which defines the characteristics of the air interface, such as the frequency bands, the modulation schemes, the coding rates, the frame structure, the synchronization, etc.
- The medium access control (MAC) layer, which regulates the access of the UEs to the shared radio channel, by using techniques such as orthogonal frequency division multiple access (OFDMA), time division duplex (TDD), frequency division duplex (FDD), etc.
- The radio link control (RLC) layer, which provides reliable data transmission over the radio channel, by using techniques such as segmentation, reassembly, error detection, error correction, retransmission, etc.
- The packet data convergence protocol (PDCP) layer, which compresses and decompresses the headers of the data packets, encrypts and decrypts the data, and performs data integrity protection.
- The radio resource control (RRC) layer, which establishes, maintains, and releases the radio bearers between the UEs and the RAN, as well as exchanges the signaling messages for functions such as connection setup, handover, measurement reporting, security activation, etc.
A transmission / reception communication unit or transceiver may be used by BS and UE to transmit / receive data. Control data may be required for a physical broadcast channel, physical downlink control channel, etc. Data may be for the physical downlink shared channel.
Data may be encoded by the UE and/or BS to obtain data symbols and/or control symbols that may be exchanged over the wireless interface. The conversion from digital data into analog symbols may be done by the transmission / reception communication unit.
A medium access control control-element (MAC-CE) is a MAC layer communication element that is used to control the communication between wireless devices. A MAC-CE may be exchanged in a shared channel, e.g., the physical downlink / uplink / sidelink shared channel.
The communication between a UE and a base station or the communication between UEs (when sidelink is used) may involve the exchange of reference signals. Reference signals may include primary synchronization signal (PSS), a secondary synchronization signal (SSS), a physical broadcast channel demodulation reference signal (DMRS), a channel state information reference signal (CSI-RS).
Core network (CN) is the part of the cellular system that connects the RAN to other networks, such as the Internet, or other cellular systems. The CN consists of two main (control/user) domains. The control domain is responsible for providing signalling and control functions for the UEs, such as authentication, authorization, mobility management, session management, etc. The control plane consists of several network functions (NFs), such as the access and mobility management function (AMF), the session management function (SMF), the unified data management (UDM), the policy control function (PCF), the network exposure function (NEF), and the authentication server function (AUSF). The access and mobility management function (AMF) is a NF that handles the registration, deregistration, connection management, and mobility management for the UEs. The session management function (SMF) is a NF that handles the establishment, modification, and release of the sessions for the UEs. The SMF also communicates with the user plane devices to perform functions such as IP address allocation, tunnelling, QoS, etc. The unified data management (UDM) is a NF that stores and manages the user data, such as the SUPI, the service profile, the subscription status, etc. The policy control function (PCF) is a NF that provides the policy rules and charging information for the UEs, such as the access type, the service level, the data rate, the quota, etc.
The network exposure function (NEF) is a NF that exposes the network capabilities and services to external applications and devices, such as the IMS, the Internet of Things (IoT), etc. The authentication server function (AUSF) is a NF that performs the primary authentication with the UE by using credentials and the SUPI. The user domain is responsible for providing data and multimedia services to the UEs, by using packets and IP addresses. The user plane consists of two main functions: the user plane function (UPF) and the data network (DN). The user plane function (UPF) is a device that forwards the data packets between the UEs and the DNs, as well as performs functions such as tunnelling, firewall, QoS, charging, etc. The data network (DN) is a network that provides access to the services and applications that the UEs request, such as the Internet, the IMS, etc.
A residential gateway (RG) is a device that connects a home network to an external network, such as the Internet or a cellular system. An RG typically provides functions such as routing, switching, firewall, NAT, DHCP, DNS, VPN, etc. An RG can also support various types of interfaces, such as Ethernet, Wi-Fi, Bluetooth, USB, etc. A cellular-capable RG is an RG that has a cellular interface, such as a UICC slot, a cellular modem, or an antenna, that enables it to access the cellular system as a backup or an alternative to the wired or wireless broadband connection. A cellular-capable RG can provide benefits such as: (1) Enhanced reliability, by switching to the cellular connection in case of a failure or a degradation of the broadband connection; (2) Increased bandwidth, by aggregating the cellular connection and the broadband connection to achieve higher data rates or QoS.
A multi-SIM subscription is a subscription that allows a user to have multiple SIMs (or eSIMs) that are linked to the same account and service profile. A user can use the multi-SIM subscription to access the cellular system from different devices, such as a smartphone, a tablet, a laptop, or a wearable device, without having to switch the SIM card or the device.
In reference to Figure 5, devices 100, 102, and 128 can play the role of UEs. Device 102 is part of a cellular-capable RG providing connectivity to a home network 129 e.g., by means of a local area network and/or wireless local area network. Device 102 is served by base station 104.
The RAN 127 comprises base station 103 and serves UE 128. UE 128 may also be a UE to Network relay giving access to remote UE 136 that is out of coverage of base station 103. UEs 134 and 136 also communicate with each other via a UE-to-UE relay 135. Within the RAN, the range of base station 103 is extended via smart repeater 137 and reflective intelligent surface (RIS) 138. Smart repeater 137 and RIS 138 give access to UE 142.
The RAN 143 includes base station 104 and serves as wireless access infrastructure for the home network. Base station 104 also serves a mobile access device and/or UE such as a UAV 139. UAV 139 may provide connectivity to remote UE 136.
Furthermore, a satellite gateway 141 is shown that connects to satellite 140 and may provide connectivity services to remote UE 136 or UE 100.
In Figure 5, the 5G core network 133 may include one or more of an AMF 121, SMF 123, UPF 122, AUSF 124, UDM 125, PCF 131, NEF 132 and allows the connection to a data network 130.
In Figure 5, a second core network 142, e.g., a legacy core network as a 4G core network, is also shown that may interface with the 5G core network 133, interface with base stations, and provide a connection to the data network 130. The legacy 4G core network is denoted EPC and may include one or more mobility management entities (MME), a serving gateway, a multimedia broadcast multicast service gateway, a broadcast multicast service center, a packet data network gateway, etc. The mobility management entity may handle the signalling between UE and the 4G CN and may interact with the home subscriber server (HSS). The MME may provide connection management, similar to the AMF in 5G. The serving gateway may be used to exchange user internet protocol messages whereby the serving gateway may interact with the packet data network gateway that is connected to IP services.
A UE may connect to a serving network or serving Public Land Mobile Network (PLMN). A UE may have a subscription with a home PLMN, and during the registration procedure, the (AMF of the) serving PLMN may forward the registration request to the (AUSF of the) home PLMN that may perform an initial authentication procedure between home PLMN and UE. If the authentication procedure is successful, keys are derived and the home PLMN may share derived credentials with the serving PLMN, including K_SEAF, that may be used to derive K_AMF, from which NAS keys and AS keys are derived. The registration request sent by the UE includes an identifier that can be used by the home PLMN to identify the UE. To prevent privacy vulnerabilities, the long-term subscriber’s identifier known as Subscriber Permanent Identifier (SUPI) may not be exchanged in the clear, but instead, either a Subscription Concealed Identifier (SUCI) or a pseudonym known as GUTI are exchanged with the AMF of the serving PLMN. The AMF of the PLMN may then forward the SUCI to the home PLMN so that the home PLMN decrypts/verifies it.
Furthermore, this invention can be applied to various types of UEs or terminal devices, such as mobile phone, vital signs monitoring/telemetry devices, smartwatches, detectors, vehicles (for vehicle-to-vehicle (V2V) communication or more general vehicle-to-everything (V2X) communication), V2X devices, Internet of Things (IoT) hubs, IoT devices, including low-power medical sensors for health monitoring, medical (emergency) diagnosis and treatment devices, for hospital use or first-responder use, virtual reality (VR) headsets, etc. It can also be applied generally in scenarios, where restrictions on access technologies are required by a serving network (e.g., for decommissioning purposes and/or restrictions for the purpose of national roaming) and may as such be configured by said serving network.
Other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure and the appended claims. In the claims, the word “comprising” does not exclude other elements or steps, and the indefinite article “a” or “an” does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. The foregoing description details certain embodiments of the invention. It will be appreciated, however, that no matter how detailed the foregoing appears in the text, the invention may be practiced in many ways, and is therefore not limited to the embodiments disclosed. It should be noted that the use of particular terminology when describing certain features or aspects of the invention should not be taken to imply that the terminology is being re-defined herein to be restricted to include any specific characteristics of the features or aspects of the invention with which that terminology is associated. Additionally, the expression “at least one of A, B, and C” is to be understood as disjunctive, i.e., as “A and/or B and/or C”. The same applies to the expressions “A or B” and “at least one of A or B”, i.e., they may indicate all possible combinations of the listed items.
A single unit or device may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
The described operations like those indicated in the above embodiments may be implemented as program code means of a computer program and/or as dedicated hardware of the related network device or function, respectively. The computer program may be stored and/or distributed on a suitable medium, such as an optical storage medium or a solid-state medium, supplied together with or as part of other hardware, but may also be distributed in other forms, such as via the Internet or other wired or wireless telecommunication systems.

Claims

1. A method for selecting an access device comprising the steps of:
- receiving, by a UE, an access device selection configuration and/or policy,
- storing, by the UE, the access device selection configuration and/or policy,
- and
- selecting, by the UE, an access device, or
- performing, by the UE, a handover procedure, based on the access device selection configuration and/or policy.
2. The method of claim 1, wherein the access device selection configuration and/or policy includes at least one of:
- a whitelist of one or more whitelisted access devices or group of access devices,
- a blacklist of one or more blacklisted access devices or group of access devices,
wherein at least some of the listed access devices or group of access devices in the whitelist or the blacklist may be identified or included according to one or a combination of: a given cell ID of the access device, a tracking area and/or a registration area of the access device, an operational schedule of the access device, a wireless network generation of the access device, a list of at least one mobile country code, a list of at least one mobile network code.
3. The method of claim 2, wherein
- legacy wireless network generation access devices with mobile network codes of a mobile country code different than the mobile country code of the UE’s home PLMN are blacklisted, and/or
- legacy wireless network generation access devices with mobile network codes of a mobile country code different than the mobile country code of the UE’s home PLMN are whitelisted based on whether their mobile network codes, associated with the mobile country code, are whitelisted/blacklisted; and/or
- legacy wireless network generation access devices with mobile network codes of a mobile country code different than the mobile country code of the UE’s home PLMN are blacklisted based on whether their mobile network codes, associated with the mobile country code, are blacklisted; and/or
- legacy wireless network generation access devices associated to a PLMN with a mobile country code equal to the mobile country code of the UE’s home PLMN are whitelisted, or are whitelisted/blacklisted based on whether their mobile network codes, associated with the mobile country code, are whitelisted/blacklisted; and/or
- legacy wireless network generation access devices associated to a PLMN with a mobile country code that is not associated with the country where the UE is currently located are blacklisted; and/or
- legacy wireless network generation access devices associated to a PLMN with a mobile country code associated with an international and/or satellite network operator that is different from the mobile country code used in the country where the UE is currently located are blacklisted, or are whitelisted/blacklisted based on whether their mobile network codes, associated with the international and/or satellite network operator(s), are whitelisted/blacklisted.
4. The method of claim 2 or 3, wherein the whitelist and/or blacklists included in the access device configuration or policy are stored along with a respective validity time.
5. The method of any previous claims, wherein the access device selection configuration or policy includes an operational condition under which an access device may be blacklisted and/or whitelisted and the method comprises determining, by the UE, the operational condition(s), and selecting an access device, by the UE, based on the received pilot signals, the access device selection configuration and/or policy, and the operational condition.
6. The method of any previous claims, wherein the method comprises receiving or requesting, by the UE, the access device selection configuration and/or policy through at least one of:
- a second UE,
- an access device,
- an access device of a more recent generation than the wireless generation access device preselected,
- a network function in a core network,
- a network function in the home network,
- an OAM,
- an application function, and
- USIM/UICC.
7. The method of any previous claim, wherein the method comprises storing the access device selection configuration and/or policy in the USIM/UICC or in the UE memory.
8. The method of any previous claims, wherein the step receiving or requesting, by the UE, the access device selection configuration or policy is performed: when the UE is located in an area for which a valid access device selection configuration and/or policy is lacking, and/or when the access device selection configuration and/or policy has expired.
9. The method of any previous claims, wherein the access device selection configuration or policy is received in one or more of the following: in an Information Element in an RRC message, and/or in a SIB, and/or in a paging message, and/or in a NAS message, and/or in an UPU message, and/or in an UCU message.
10. The method of claim 9, wherein the access device selection configuration or policy is received, by a UE, in a registration accept message whereby restriction may be based on one of, or a multitude of information elements, which include:
• list of at least one decommissioned PLMN; and/or
• list of at least one decommissioned cell identifier; and/or
• list of at least one RAN area code; and/or
• list of location information (e.g., tracking area codes) corresponding to (de)commissioned older generation network access devices or access device types.
11. The method of claim 9, wherein if the access device selection configuration or policy is received by a UE in a NAS reject message that is not integrity protected, the UE discards the NAS reject message including the access device selection configuration or policy therein according to a rejection policy.
12. The method of any one of the previous claims, wherein the received access device selection configuration or policy is signed by an entity managing the access device selection configuration and/or policy and the method comprises the step of the UE verifying the access device selection configuration and/or policy based on the public key of the entity managing the access device selection configuration or policy.
13. The method of any previous claim, wherein the access device selection configuration or policy is updated periodically, or on-demand, and/or in a conditional manner.
14. The method of any previous claim, wherein the access device selection configuration or policy contains whitelisted or blacklisted access devices and wherein the whitelisted and/or blacklisted access devices are determined and provisioned to the UE based on
- the historical mobility pattern and/or
- real-time location and/or movement trajectory of the UE.
15. The method of claim 14, wherein the method comprises predicting, by a UE, the tracking areas/cells towards which the UE is moving to, and based on whether: a) the UE is configured with whitelists corresponding to the predicted tracking areas/cells; and/or b) the status of the older generation network access devices within the predicted tracking areas/cells has changed (i.e., configured whitelists at the UE became outdated); the whitelists configured at the UE, corresponding to the older generation network access devices within the predicted tracking areas/cells are updated accordingly.
16. The methods of claims 13, 14, and 15, wherein the access device selection configuration or policy is updated on-demand or in a conditional manner wherein the method comprises: determining, by the network, the configuration for the UE; predicting, by the network, the tracking areas/cells towards which the UE is moving, based on historical mobility data, and/or real-time location information, and/or movement direction/trajectory information, and/or velocity; and determining, by the network, whether the whitelists configured at the user equipment, wherein the whitelists correspond to the older generation network access devices within the predicted tracking areas/cells, need to be updated.
17. The method of any previous claim, comprising the steps of:
- obtaining, by the UE, pilot signals from one or more access devices,
- selecting, by the UE, an access device based on the pilot signals and the access device selection configuration or policy.
18. The method of any previous claim for network (re-)selection with network assistance comprising: receiving, by the UE, signals from different network access devices which may correspond to different network generations; and compiling, by the UE, measurement reports corresponding to signals received from the different network access devices and ordering said measurement reports based on its selection criteria; selecting, by the UE, the most recent network generation access device available to access the network and performing the initial access procedure; communicating, by the UE, the ordered list of measurement reports to the network in a request message, e.g., the registration/attach request; receiving, by the UE, in a response message, e.g., the registration response message, the ordered list of network access devices prioritized according to the network, and indicating the status of each network access device, and based on said ordered list, performing, by the UE, cell (re-)selection or network access through the pre-selected access device.
19. The method of claim 17, comprising the steps of:
- analyzing, by the UE, the pilot signal features over a period of time; and
- determining, by the UE, based on the access device selection configuration or policy the positive, negative or inconclusive selection of an access device.
20. The method of claim 19, comprising requesting, by the UE, if inconclusive, network assistance to determine the access device legitimacy.
21. The method of claim 19 wherein:
- the pilot signal is the synchronization signal of the device, and/or
- the pilot signal features include the signal strength, and/or
- the access device selection configuration or policy is determined, and adapted or updated by an AI model, and/or
- the access device selection configuration or policy is a threshold value or range of a configured similarity measurement.
22. The method of any of the previous claims, whereby a UE lacking the status of one or more older generation networks requests network assistance to determine the network status of one, or multiple older generation networks during the random-access including an indication of the cell or cell generation to check.
23. The method of claim 22, comprising, by the UE, a response with an access device selection configuration and/or policy that may include: a bitstring whose length corresponds to the number (N) of cell IDs indicated by the user equipment, and whose bits correspond respectively to the legitimacy evaluation results of said cell IDs; and/or the cell IDs, or an indication thereof, of the cells whose legitimacy verification failed.
24. The method of any of the previous claims wherein the configuration or policy comprises one or more of: a cryptographic function, a secret key, input parameters to the cryptographic function comprising at least one of a) an input identifier (e.g., cell ID, tracking area ID); b) Cell/RAT type; c) Network generation; d) Cell location information (e.g., longitude and latitude); e) Current time (e.g., UTC time) and/or time resolution; expected output values of the cryptographic function, and selecting, by the UE, an access device based on the access device selection configuration and/or policy comprising: receiving or obtaining input parameters, computing an output value by using the cryptographic function taking as input the received or obtained input parameters and the secret key; and doing one of: comparing the computed output value to an expected output value saved at the device as part of the configuration; or querying the network using the computed output value to determine the network access device validity and legitimacy.
25. The method of any of the previous claims, comprising allowing selecting, by the UE, a blacklisted access device based on the access device selection configuration and/or policy when the UE requires emergency services.
26. An apparatus for selecting an access device comprising:
- a receiver adapted to receive an access device selection configuration or policy,
- a memory adapted to store the access device selection configuration or policy, and
- a controller adapted to select an access device and/or perform a handover procedure based on the access device selection configuration or policy.
27. A method for access device (re-)selection assistance comprising the steps of:
- receiving, by an access device, a request for an access device selection configuration and/or policy from a first device, and
- determining, by an access device, whether the access device selection configuration or policy is available locally, and if not available locally, requesting and receiving the access device selection configuration and/or policy and/or selection configuration from a core network, and
- sending, by an access device, the access device selection configuration and/or policy to the first device.
28. An apparatus for access device selection assistance comprising:
- a receiver adapted to receive a request for an access device selection configuration and/or policy from a first device, and
- a controller adapted to determine whether the access device selection configuration and/or policy is available locally, and adapted to, upon determination that the access device selection configuration and/or policy is not available locally, request and receive the access device selection configuration and/or policy and/or selection configuration from a core network, and
- a transmitter adapted to send the access device selection configuration and/or policy to the first device.
29. A method for access device (re-)selection assistance comprising the steps of:
- performing, by a first access device, a mobility procedure of a first device from the first access device to at least a second access device, and
- informing the second access device, by the first access device, about the access device selection configuration and/or policy of the first device,
- wherein informing the second access device, by the first access device, about the access device selection configuration and/or policy of the first device is performed in:
- an initial HANDOVER Request, or
- after confirmation of the HANDOVER to the second access device.
30. An apparatus for access device selection assistance comprising a controller adapted
- to perform a mobility procedure of a first device from the first access device to at least a second access device, and
- to inform the second access device about the access device selection configuration and/or policy of the first device, wherein informing the second access device about the access device selection configuration and/or policy of the first device is performed by the controller by causing a transceiver to exchange the access device selection configuration and/or policy in:
- an initial HANDOVER Request, or
- after confirmation of the HANDOVER to the second access device.
31. A computer program for selecting an access device, wherein the program comprises instructions implementing the steps of the methods of claims 1-25 or 27 or 29, when executed on a computer.
32. A method for selecting an access device comprising the steps of:
- receiving, by a UE, an indication regarding access device selection configuration and/or policy, including a list of restricted access technologies for listed access devices,
- updating, by the UE, the access device selection configuration and/or policy stored by the UE, and
- selecting, by the UE, an access device, or
- performing, by the UE, a handover procedure, based on the access device selection configuration and/or policy, including checking whether: the access device is listed in a list of allowed access devices, the access device is not listed in a list of restricted devices, an access technology supported by the access device is not configured as a restricted access technology.
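The keyed check described in claim 24, shown as an added example that is not part of the patent text: the UE computes a keyed output over the broadcast cell parameters and a quantised time value, then compares it with the expected output stored in its configuration. HMAC-SHA256, the field encoding, the sample key, the one-hour time resolution, the cell values and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values: key, field encoding and 3600 s resolution are assumptions.
SECRET_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TIME_RESOLUTION_S = 3600
NOW = 1_750_000_000  # constructed UTC timestamp


def cell_token(key, cell_id, tac, rat, generation, lat, lon, utc_seconds):
    """Keyed output over the claim-24 inputs (HMAC-SHA256 is an assumed choice)."""
    bucket = utc_seconds // TIME_RESOLUTION_S  # time quantised to the resolution
    rat_b = rat.encode()
    # Fixed-width fields plus a length prefix keep the encoding unambiguous.
    msg = struct.pack(">QIB", cell_id, tac, len(rat_b)) + rat_b
    msg += struct.pack(">Biiq", generation, round(lat * 1e6), round(lon * 1e6), bucket)
    return hmac.new(key, msg, hashlib.sha256).digest()


def provision(key, cells, utc_seconds):
    """Constructed network side: expected outputs for the current time bucket."""
    return {c["cell_id"]: cell_token(key, utc_seconds=utc_seconds, **c) for c in cells}


def evaluate_cell(key, expected, observed, utc_seconds):
    """UE side: 'accept', 'reject', or 'unknown' when no expected value is stored."""
    want = expected.get(observed["cell_id"])
    if want is None:
        return "unknown"  # the claim's alternative: query the network with the output
    got = cell_token(key, utc_seconds=utc_seconds, **observed)
    return "accept" if hmac.compare_digest(got, want) else "reject"


LEGIT_LTE = dict(cell_id=0x1A2B3C, tac=4711, rat="E-UTRA", generation=4,
                 lat=51.4416, lon=5.4697)
EXPECTED = provision(SECRET_KEY, [LEGIT_LTE], NOW)


def demo():
    older_gen = dict(LEGIT_LTE, rat="GERAN", generation=2)  # same cell ID, older RAT
    unlisted = dict(LEGIT_LTE, cell_id=0x999999)
    return {
        "legit": evaluate_cell(SECRET_KEY, EXPECTED, LEGIT_LTE, NOW),
        "older_gen": evaluate_cell(SECRET_KEY, EXPECTED, older_gen, NOW),
        "stale": evaluate_cell(SECRET_KEY, EXPECTED, LEGIT_LTE, NOW + 2 * TIME_RESOLUTION_S),
        "unlisted": evaluate_cell(SECRET_KEY, EXPECTED, unlisted, NOW),
    }
```

Because the time bucket is part of the input, an expected value is only valid for one resolution interval, so the stored configuration has to be refreshed at least that often or the legitimate cell is rejected as stale.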
PCT/EP2025/059203 2024-04-05 2025-04-04 Mitigating decommissioned-network bidding-down attacks in a wireless system Pending WO2025210200A1 (en)

Applications Claiming Priority (12)

Application Number Priority Date Filing Date Title
EP24168843.1 2024-04-05
EP24168843 2024-04-05
EP24174681 2024-05-07
EP24174681.7 2024-05-07
EP24187865.1 2024-07-10
EP24187865 2024-07-10
EP24195973 2024-08-22
EP24195973.3 2024-08-22
EP24210422 2024-11-01
EP24210422.2 2024-11-01
EP25158889 2025-02-19
EP25158889.3 2025-02-19

Publications (1)

Publication Number Publication Date
WO2025210200A1 (en) 2025-10-09

Family

ID=95252072

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2025/059203 Pending WO2025210200A1 (en) 2024-04-05 2025-04-04 Mitigating decommissioned-network bidding-down attacks in a wireless system

Country Status (1)

Country Link
WO (1) WO2025210200A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107071775A (en) * 2017-05-15 2017-08-18 奇酷互联网络科技(深圳)有限公司 Mobile terminal and its method and apparatus for redirecting access base station
WO2019047170A1 (en) * 2017-09-08 2019-03-14 华为技术有限公司 Pseudo base station identification method and terminal
WO2020037665A1 (en) * 2018-08-24 2020-02-27 Qualcomm Incorporated Techniques for use in identifying a base station as an untrusted resource
EP3866501A1 (en) * 2018-10-31 2021-08-18 Shenzhen Heytap Technology Co., Ltd. Method and device for handling pseudo base station, mobile terminal, and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
KARAKOC BEDRAN ET AL: "Never Let Me Down Again: Bidding-Down Attacks and Mitigations in 5G and 4G", 28 June 2023 (2023-06-28), pages 1 - 12, XP093263917, Retrieved from the Internet <URL:https://dl.acm.org/doi/pdf/10.1145/3558482.3581774> *

Similar Documents

Publication Publication Date Title
CN110301154B (en) Method and apparatus for implementing optimized user plane anchoring
US10945201B2 (en) Method for selecting PLMN of terminal in wireless communication system and apparatus for same
KR101946868B1 (en) Method and apparatus for authentication of a mobile entity for white space operation
KR101488149B1 (en) Method and apparatus for managing local internet protocol offload
JP2022554017A (en) WTRU - network relay
US10772038B2 (en) Method whereby terminal selects PLMN in wireless communication system, and device for same
KR102804333B1 (en) Deterministic plmn selection during disaster roaming
US20220312435A1 (en) Prioritization of uplink and sidelink transmissions
US20180092016A1 (en) Method for selecting plmn of terminal in wireless communication system and apparatus therefor
CN112956226B (en) Isolation of false base stations in a communication system
US20180007622A1 (en) Method whereby terminal selects plmn in wireless communication system, and device for same
WO2017001452A1 (en) Apparatus and method for requesting/providing capability information for specific networks
KR102484072B1 (en) Wireless communication method, terminal device and chip
US20220225283A1 (en) Systems and methods for enhancement on sidelink power control
WO2025210200A1 (en) Mitigating decommissioned-network bidding-down attacks in a wireless system
US12063512B2 (en) Systems and methods for securing wireless communication with device pinning

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 25716437

Country of ref document: EP

Kind code of ref document: A1