Leveraging Overshadowing for Time-Delay Attacks in 4G/5G Cellular Networks: An Empirical Assessment

Ensuring both reliable and low-latency communications over a 4G or 5G Radio Access Network (RAN) is a key feature for services such as smart power grids and the metaverse. However, the lack of appropriate security mechanisms at the lower-layer protocols of the RAN, a heritage from 4G networks, opens up vulnerabilities that can be exploited to conduct stealthy Reduction-of-Quality attacks against the latency guarantees. This paper presents an empirical assessment of a proposed time-delay attack that leverages overshadowing to exploit the reliability mechanisms of the Radio Link Control (RLC) in Acknowledged Mode. By injecting falsified RLC Negative Acknowledgements, an attacker can maliciously trigger retransmissions at the victim User Equipment (UE), degrading the uplink latency of application flows. Extensive experimental evaluations on open-source and commercial off-the-shelf UEs demonstrate the attack's effectiveness in increasing latency, network load, and buffer occupancy. The attack impact is quantified by varying the bitrate, representing different applications, and the number of injected negative acknowledgments, which controls the attack intensity. This work studies a realistic threat against the latency quality of service in 4G/5G RANs and highlights the urgent need to revisit protocol security at the lower RAN layers for 5G (and beyond) networks.


INTRODUCTION
The fifth-generation (5G) technology standard for cellular networks brings many improvements over its predecessor, including the reduction of latency on the Radio Access Network (RAN). Mobile network usages are evolving thanks to these improvements. For instance, the Metaverse [18,23], which can be defined as a convergence of physical, augmented, and virtual reality in a shared online space, is one of the cornerstone emerging usages. Metaverse-based applications induce new traffic flow properties [9,17], where latency is essential to the required Quality of Service (QoS). Besides, in several recent applications, including smart power grids and advanced manufacturing, latency must be guaranteed and protected against threats such as time-delay attacks [6,14], which constitute a novel and stealthier form of Denial of Service (DoS).
5G networks already exhibit a certain level of protection on the RAN, including confidentiality and integrity. Those mechanisms are applied in the Packet Data Convergence Protocol (PDCP) at the Layer 2 (L2) part of the 5G New Radio (NR) protocol stack. However, some vulnerabilities still exist [4]. Indeed, the PDCP mechanisms protect the upper RAN layers but leave those below without comprehensive security mechanisms. Some research studies exploit this vulnerability through the use of a new attack vector named Man-on-the-Side (MotS), based on radio overshadowing [15,21,25]. Its principle consists in sending a stronger signal than the legitimate one in order to overwrite it. In that way, an attacker can threaten the User Plane (UP) without triggering a network service interruption and stealthily conduct a DoS on the RAN.
In this paper, we propose and implement an attack which introduces a delay at the Radio Link Control (RLC) layer to degrade the latency of Uplink (UL) application traffic. The attack principle consists in sending falsified RLC Negative Acknowledgements (NACK) inside a false RLC STATUS report, by overshadowing, to trigger retransmissions at a victim User Equipment (UE). In compliance with the 3rd Generation Partnership Project (3GPP) definition of this protocol, the attack is seen by the UE as a legitimate message from the Base Station (BS, 5G Node Base station, gNB). Our attack mechanism is a variant of the overshadowing attack proposed on Cellular Internet of Things (IoT) networks [21], which drains IoT devices' batteries by hijacking the RLC layer reliability mechanism; our variant, however, relaxes some hypotheses, making it plausible in a more realistic scenario.
We evaluate the impact on latency and other performance metrics of our proposed overshadowing-based attack as a function of two main input parameters: the bitrate, representing different application flows, and the number of injected NACKs, representing the stealthiness of the attacker. We performed an experimental evaluation campaign using an open-source-based UE and a Commercial Off-The-Shelf (COTS) UE, and we demonstrated the effectiveness of the attack in substantially degrading the latency guarantee.
The contributions of this paper are the following: (1) We propose a variant of the overshadowing attack proposed in [21] to build a time-delay attack. In our proposal, the attacker can control the number of injected NACKs within certain limits to generate a delay. The rest of the paper is organized as follows. Section 2 provides the necessary 5G technical background, while Section 3 presents the 5G protocol stack's vulnerabilities and related work on DoS on 5G. Section 4 describes the attack and Section 5 details the methodology of the experiment. Then, Section 6 presents the experimental scenarios and performance evaluation results. Finally, Section 7 concludes this paper and provides future perspectives.

TECHNICAL BACKGROUND
In this section, we present an overview of the 5G radio interface. We focus on the components and the mechanisms affected by the vulnerabilities our proposal relies on.

5G New Radio
The RAN is the air interface entry point of a UE. It is composed of numerous Base Stations (BS). On the radio interface, each UE is identified with a Radio Network Temporary Identifier (RNTI). At every slot, the BS allocates radio resources to the UE. The allocation message is called Downlink Control Information (DCI). A DCI includes the number of resource blocks and the Modulation and Coding Scheme (MCS) to use. The UE can thus compute the Transport Block Size (TBS), which denotes the number of bytes allocated.

Air Interface Protocol Stack
Figure 1 shows the protocol stack of the 5G NR [3] RAN and we describe it in the following sections.

Physical Layer.
The bottom part of the stack is the Physical Layer, which includes the physical channels, and especially the parameters broadcast by a BS so that the user's access is synchronized in frequency and in time.
2.2.2 Layer 2. The second part is the L2, composed of the Medium Access Control (MAC), RLC, PDCP and Service Data Adaptation Protocol (SDAP) layers. The MAC layer ensures some reliability with the Hybrid Automatic Repeat reQuest (HARQ) mechanism. The RLC layer, which can have several instances, is in charge of segmentation. It can also include an Automatic Repeat reQuest (ARQ) mechanism when the Packet Error Rate (PER) provided by the MAC layer is not small enough to provide the QoS level required by the upper application. This is achieved with the Acknowledged Mode (AM), which is the most frequently used mode. The Unacknowledged Mode (UM) can also be leveraged but is essentially restricted to Voice over IP (VoIP).
The MAC and RLC layers are very similar in 4G and 5G. The main difference lies in the concatenation and re-sequencing at the receiver side, which have been dropped in 5G to improve latency. The MAC layer permits the UE to periodically send a Buffer Status Report (BSR) that notifies the BS about the number of bytes in the UE UL buffer. This buffer contains the RLC Service Data Units (SDU) delivered by the PDCP entity and the Packet Data Units (PDU) already transmitted but not explicitly acknowledged. Note that the buffer thus contains PDUs that were negatively acknowledged and that wait for retransmission [1].
The PDCP layer includes ciphering to ensure the confidentiality of the Control Plane (CP) and of the UP. Integrity control is enforced in the CP and optional in the UP. Confidentiality and integrity control are provided to the layers above PDCP. Finally, the SDAP layer includes a tag to manage different QoS levels.

Radio Resource Control and Non-Access Stratum.
The last part of the 5G NR consists of the Radio Resource Control (RRC) and Non-Access Stratum (NAS) layers in the CP. The RRC layer exchanges radio management messages between a UE and a BS, within the Access Stratum (AS). The NAS layer is in charge of exchanging with other control entities of the network, for instance for mobility and authentication purposes. NAS packets are simply forwarded by the BS.

Reliability on RAN
The RAN protocol layers have two types of reliability mechanisms. The first is provided by the MAC layer with HARQ, which is a parallel send-and-wait mechanism. The second is provided by the RLC AM, which is a selective-repeat protocol. The RLC layer depends on timers and configurable parameters that are defined by the 3GPP [1].
More specifically, the sender generally transmits several RLC PDUs successively without waiting for an acknowledgement. It can ask the receiver which RLC PDUs have been correctly received, so as to selectively retransmit those RLC PDUs that have been lost. This is achieved with a Polling bit included in the RLC header.

RELATED WORK
The placement of the PDCP layer in the 5G NR RAN induces some security issues. Confidentiality and reliability cannot be applied to the RLC and MAC layers. Consequently, reliability on the RAN cannot be ensured. In this section, we describe how these vulnerabilities have been exploited in the literature and we provide an overview of DoS attacks in 5G networks.

Vulnerabilities
The attack presented in this paper uses two vulnerabilities. The first lies in the lack of cryptography, in particular confidentiality and integrity, for some RLC messages, and the second in the reliability
3.1.1 Cryptography. As shown in Figure 1, the location of the PDCP layer allows the application of cryptographic mechanisms solely on the layers above PDCP. The RLC and MAC layers implement neither confidentiality nor integrity protection. As such, an attacker can eavesdrop on their messages and modify them. The RLC layer is consequently vulnerable to smart jamming [4,8], in which an attacker tampers with a selected part of the legitimate signal. This attack is also called overshadowing [7,15,25]. It is made possible by the capture effect, which implies that a UE receiving several signals on the same frequency listens to the strongest one [24]. In addition, the attacker can eavesdrop on the Downlink (DL) and the UL to recover the victims' RNTI and the operator's cell parameters [16].
3.1.2 Reliability. The MAC layer is the carrier of any RLC PDU. The RLC layer does not know whether the MAC layer has acknowledged some of its packets and keeps the corresponding SNs unacknowledged.
In addition, several PDUs can be sent between two STATUS reports.
As a consequence, an attacker can forge a NACK list for a range of RLC SNs even if the packets have already been acknowledged by the MAC layer.

DoS Attacks on 5G
Given the scope of our Reduction of Quality (RoQ) attack on the RAN latency, we have studied the different methods an attacker can follow to implement it. First, a False Base Station (FBS) can spoof a legitimate BS, copying its parameters. Second, a rogue UE attacks an entity of the network, impersonates a UE, or sends any possible value in any field of an existing message by fuzzing. Third, a MotS attack allows an attacker to overwrite a legitimate signal using overshadowing. Besides, some attacks target 4G or 5G instances where the vulnerabilities are errors in the implementation. Finally, some others target problems or vulnerabilities in the specification, which impact more implementations and are more challenging to patch. In the following, we provide a brief literature review of those attacks.

Physical Layer.
The most popular DoS attack on the physical layer consists in eavesdropping on the broadcast of cell and system parameters to impersonate a BS and hijack a UE away from the network's regular services by triggering a handover [5]. This attack constitutes the first step of other chained attacks on the layers above. Other attacks use the lack of cryptography to overshadow broadcast parameters from the BS, e.g., the Signaling Storm [25], which forces the UE to send a useless location update to the BS.

Layer 2.
The attacks on L2 hijack the allocation of resources and the reliability of the MAC and RLC layers on the UP. They trigger useless retransmissions, send false acknowledgements, and overshadow the UE BSR to drain IoT batteries, break reliability, and drain radio resources [21], respectively. Other attacks use fuzzing (e.g., by sending malformed messages) to detect implementation errors, possibly crashing the BS [10].

RRC and NAS.
Attacks on RRC use fuzzing to find integrity problems on failure messages with a FBS, or to send malformed messages using a rogue UE, which leads to the disconnection of the UE or the BS [26], or to the crash of the BS [10], respectively. Other attacks use a FBS to target RRC and NAS integrity specification problems in order to send malicious messages that affect the UE network operation [12], which in turn downgrade or deny the UE services [20] or detach the UE from the network [11]. NAS is also the target of replays of authentication_request from the network and of malformed messages to the network, which can lead to a new authentication procedure from the UE [13] and to a network entity crash, respectively. Even if some attacks are restricted to 4G, other research papers still consider them valid on 5G as well [12,19].
In conclusion, we do not identify in the literature time-delay attacks on 5G whose purpose is to stealthily degrade an application flow. Indeed, a FBS and a rogue UE disconnect the UE from the network and crash the network entities, respectively. The attacks introduced on the physical layer, RRC and NAS, as well as the attacks from [10] on L2, lead to an interruption of services which can be detected through standard monitoring. In addition, even if the attacks on NAS are launched at the RAN, given the definition of NAS, those attacks target the network's core. Consequently, we selected a MotS strategy because it keeps the UE connected to the network. We adapted the attacks on L2 from [21], given the possibility of hijacking protocols through the UP and of targeting specification vulnerabilities. Those choices offer the opportunity to conduct a RoQ that degrades services without interrupting network operation, making the attacker stealthy [25] and more challenging to detect.

ATTACK OVERVIEW
In this section, we introduce our attacker model and describe the attack and its implementation.

Attacker Model
We consider that the attacker uses a Software Defined Radio (SDR) and he/she is under the coverage of a cell.He/she is synchronized in frequency and time, and knows the victim's RNTI.He/she can

Attack Description
The objective of our attack consists in generating additional messages on the RAN between the victim UE and the BS, which can lead to an application latency increase. The attack is grounded in [21], which is deployed over IoT. The principle of [21] relies on preventing the use of Discontinuous Reception (DRX), which allows a device to save battery power by managing listening cycles. To that end, the attacker sends falsified RLC NACKs to keep the devices in listening mode, draining their battery. By leveraging the same principle, our attack aims at triggering RLC retransmissions, thus inducing latency increases for data packets.
Figure 3 describes the attack during a communication between a UE and a BS with a flow that uses RLC AM. During Phase 1, the attacker eavesdrops on the UL and DL communication. The UE sends the  − 1 − ℎ SN and sets the Polling bit (message 1). This triggers a STATUS report (message 2), which carries the ACK_SN ( ) and gives the TX_Next_Ack information to the attacker. Some additional SNs are sent by the UE (messages 3 to 4). In Phase 2, the attacker knows a range of possible SNs for NACK. The valid range starts from the previously observed ACK_SN in message 2 (TX_Next_Ack),  , up to the  −ℎ SN. The attacker forges a valid DCI so that the UE decodes the message and the STATUS report (message 5). The reception of this STATUS report triggers useless retransmissions in the range of messages tagged as NACK by the attacker (messages 6 and 7).
One can notice that for an ACK_SN set to  + we choose to limit the highest NACK_SN to  +  − 1, because in a typical scenario the STATUS report is sent after the reception of a correct frame. Thus, we define the range of SNs that an attacker can negatively acknowledge in a STATUS report as [TX_Next_Ack, ACK_SN − 1]. The attacker can send a STATUS report before a Polling bit is set on the UE side or, in the worst case, when the valid STATUS report is sent by the BS.

EXPERIMENTAL SETUP AND METRICS
In order to assess the attack's effect and validity, we implemented it as an emulation on an SDR-based platform. The 4G and 5G RAN protocol stacks are fundamentally the same. The differences lie in the re-sequencing and the concatenation done by RLC in 4G, and in the absence of integrity control on the UP in 4G. Due to the maturity of the existing 4G network implementation as compared to 5G, we chose to emulate our attack on a 4G network. In this section, we describe our experimental testbed and the measurement methodology we used to assess the attack impact. The first operation is to check whether the PDU will be sent to the UP. In this case, the subsequent operation is to fill the STATUS report with the number of falsified NACKs requested for the execution, within the correct range. The difference from the attack description is that the attack is launched at the Polling bit's reception. Then, the correct range of NACKs lies between the previous ACK_SN (TX_Next_Ack) and the current ACK_SN minus one. The last operation is to keep the current value of the ACK_SN in memory. In addition, some modifications in the main function of the evolved Node Base station (eNB) allow the emulation to be activated and managed through some options.

Experimental Testbed
Those options enable the control of the falsified NACK limit and of a counter that avoids attacking at the start of the communication.

Traffic generation.
We employ Iperf 3.9 to generate the UL flows, with UDP as the transport protocol. The UE's machine executes both the client and the server; the client generates the UDP flow towards the server.

UL Latency Measurement.
As shown in Figure 4, a closed loop allows observing the traffic sent and received on the same machine. The UE sends the UDP flow through the air interface (tun_srsue), which is then received on the Ethernet interface (enp1s0). We use Tshark, a network analyzer, to tag the packets with a timestamp. A packet's latency starts at the air interface output and ends at the Ethernet arrival, which allows measuring the UL latency samples for one communication.

Metrology
Our experiments are executed in a clear-box setting, since we can access all the metrics provided by srsLTE on the UE side, including the radio link, the load on the RAN, and the scheduling. In addition, we have access to all LTE protocol levels from the srsLTE logs. For each test, the radio link quality is checked with the Signal-to-Noise Ratio (SNR) and the Reference Signal Received Power (RSRP). We ensure that the SNR is larger than 15 dB and that the RSRP lies in the [-82 dBm; -79 dBm] interval.

Metrics.
We use several logs from the different processes of the eNB, mainly at the RLC and MAC levels. In all the following, we use  as a time index (each time a new log value is captured,  is incremented). Each time a new RLC frame is transmitted on the radio interface,  is increased. We denote the frame number as  _ . Similarly, we denote the sequence number of frames that are retransmitted as  _ . We use  _ to denote the SN for which the UE received the th NACK in a STATUS report. At the MAC level, we denote the th allocation occurrence for the UE's UL as  _ . Finally, at the radio interface, we denote the bitrate generated by the UE application on the UL RAN as  (for load). The load is given in Mbps.

Indicators. Let T_A and  be the times at which a packet  is transmitted on the air interface and received on Ethernet, respectively. The measured latency of a packet is given by:  We denote the number of bytes in a UE BSR as . The average of the UE BSR, and thus the average UE buffer size, is given by: Let  and  be the amount of bytes transmitted and retransmitted by the UE, respectively. The retransmission rate is given by: Let  be the time at which a STATUS report is sent by the BS. The delay between two consecutive STATUS reports is given by: The number of SNs that an attacker can negatively acknowledge in one STATUS report message is called the Injection Range and is given by: (ACK_SN − TX_Next_Ack − 1) mod 1024 (5)

Experiment Configurations and Parameters
We generate a UL communication of 60 seconds for each execution of an experimental test. The UE's MCS is dynamic. However, the BS's MCS is fixed, to counterbalance the absence of DL flow generation in our experiment. After some tests, the BS's MCS is set to 25 for the DL. We consider three parameters to form the space of our experimental campaign: the bitrate and payload size set in Iperf, and  . We define   as the limit on the number of NACKs in each STATUS report sent by the attacker. In other words, NACKs are constrained to [TX_Next_Ack, min(TX_Next_Ack +  , ACK_SN)]. One can notice that some preliminary tests revealed that varying the payload size does not impact any of the collected results. It was therefore fixed to 1024 bytes, which is the power of 2 closest to the Maximum Transmission Unit (MTU).

EXPERIMENTAL SCENARIOS AND PERFORMANCE EVALUATION RESULTS
This section presents our experimental campaign, detailing, for each of the five experiments, the scenario, its results and their interpretation. All of the metrics and indicators we consider are those presented in Subsection 5.2.

Results Computation
To observe the UE's flow during the attack, we truncated the communication between 10 and 50 seconds for each experimental test. The experiment was conducted numerous times for each parameter, and observing the confidence interval ensured that no uncontrolled random phenomena could bias the results. However, in order to also avoid any measurement noise, the evaluation results we present below are the mean of five to ten repetitions of each experiment with a given set of parameters.

Experiment 1: Testbed Operation without Attack (baseline)
6.2.1 Scenario. In this first experiment, the bitrate parameter takes the values 0.5, 1, 2, 4 and 8 Mbps; the upper bound avoids reaching the bitrate limit of the radio interface. The goal here is to measure the regular metrics and indicators on different types of flows in a baseline scenario, allowing a comparison with the measurements of the subsequent experiments under attack. We performed this experiment five times.

Results and Interpretations. Table 1 presents the baseline values of the  metric and of the , , ,  and  indicators. The latency  and its standard deviation decrease as the bitrate increases, and we also observe a flat shape for the 1, 2 and 4 Mbps  mean. On the contrary, ,  ,  and  increase. The  values show that the attacker's capability increases as a function of the bitrate. The   values denote a constant occupation of the UL buffer, which is significant for 8 Mbps. The additional bytes between the bitrate and the load, implied by the encapsulation of application packets, increase up to 2 Mbps and start to decrease at 4 Mbps. The load values and   show that our experimental testbed does not reach the link capacity limit as defined in Subsection 5.1. The  follows the value of t-StatusProhibit except for 8 Mbps. In addition, the 8 Mbps case presents outliers on the  standard deviation, the  max and the  mean. The decrease of the  mean, its huge difference between 0.5 and 8 Mbps, and the  standard deviation outlier at 8 Mbps could be explained by the resource allocation adaptation of the BS, triggered by the increase of the UL buffer occupation notified to the BS through the BSR. The  and  outliers are due to the constant UL buffer occupation, which might prevent the BS from sending the STATUS report in time and let  grow. The  values allow us to set the   variation in the subsequent experiments.
6.3 Experiment 2: Attack Impact on the RLC Layer
6.3.1 Scenario. In this experiment, we observe the behaviour at the RLC layer without attack and under attack with   set to 8. The bitrate is set to 2 Mbps.
6.3.2 Results and Interpretations. Figure 5a and Figure 5b present the SN values as a function of time. Figure 5a presents the protocol overview of RLC without attack. We observe an irregularity of  , which impacts the delay between  _. Thus, the  _ irregularity could explain the standard deviation presented in the results of Experiment 1 in Table 1. Figure 5b presents the protocol overview under attack. This figure shows that the reception of the  _ value triggers contiguous retransmissions. We observe an impact of 20.95 milliseconds on the delay between two SN pairs ( _ = {14, 15} and {29, 30}), which reduces the UE's regular transmissions ( _) as compared to Figure 5a. The attack triggers a contiguous delay because of the priority given to retransmissions, induced by the re-sequencing of RLC SNs ( _) in 4G.
6.4 Experiment 3: Impact of the Bitrate Variation
6.4.1 Scenario. In Experiment 3, we evaluate the impact of different bitrates under attack, and we compare it with the baseline values in Table 1. We consider some couples of bitrate and  , the latter being fixed at the power of 2 closest to the minimum  of the bitrate as provided in Table 1. We repeated the experiment nine times.
Let   and   be the average of  as defined in Subsection 5.2, measured for the tests without and with attack, respectively. We define the increase rate as follows: Similarly, we compute the relative increase of the Load and of the Buffer size as defined in Subsection 5.2. We denote them as   and  , respectively.
6.4.2 Results and Interpretations. Figure 6 shows the observed  (  ), Load (  ) and Buffer (  ) percentage of increase as a function of the bitrate under attack, as compared to Experiment 1 in Table 1. These results show that the retransmissions triggered by the NACK reception imply an increase of all observed metrics and indicators, and that they impact every observed bitrate. The comparison between each tuple of results shows the correlation between the increase of retransmissions triggered by   and the rise of     (  ) and  (  ). The Load increase follows the same trend observed in the results of Experiment 1, with an increase between each   up to 2 Mbps and a decrease starting from 4 Mbps. We do not present the 8 Mbps results in this experiment because the attack saturates the bandwidth. Regarding the latency, we showed in Subsection 6.3 that the retransmissions are contiguous, so the delay should increase as a function of the number of retransmissions.
6.5 Experiment 4: Impact of the   Increase
6.5.1 Scenario. In Experiment 4, we evaluate the attack impact when the   parameter increases. The bitrate is fixed to 2 Mbps and represents a low-bitrate video streaming flow. The   is now a variable parameter; it starts from 0 and goes up to the maximum  observed in Table 1 for this bitrate value, rounded to a power of 2.
6.5.2 Results and Interpretations. Figure 8 presents the empirical CDF of , where each curve denotes the   value used. We observe that the   increase raises the proportion of impacted UDP traffic, which lies roughly between 70% and 90%. The latency degradation follows the same trend. Let    9 be the last decile of  for a given   parameter value. The attack increases  by 23.4 ms between  0 9 and  32 9, which denotes an efficient degradation of the latency guarantee.
Figure 7a, Figure 7b and Figure 7c present the continuous increase of , , and  _, respectively, as a function of  . Their rise is correlated with the   increase and represents the side effects implied by an overuse of bandwidth and of the RLC buffer, triggered by the retransmissions. Figure 7c shows a gap in the amount of retransmitted traffic between 4 and 8  . In addition, the buffer does not suffer from the 1   case.
Figure 8 and Figure 7c show that the impact starts to be significant from 4  , with 21% of the traffic retransmitted. It is therefore not necessary to retransmit all the traffic to create a significant impact.

Experiment 5: Validation on a COTS UE
Finally, we performed an evaluation similar to Experiment 4 (Subsection 6.5) to validate and evaluate the impact of the overshadowing attack on a COTS UE.We executed this experimental evaluation three times.
6.6.1 Change in setup. The testbed changed on the UE side with an Asus Zenfone 8 that comes with Android 11, a 2.8 GHz Central Processing Unit (CPU), and a Qualcomm Snapdragon 888 System on a Chip (SoC). The change on the BS side is the use of an omnidirectional antenna with LTE capabilities in place of cables, inside a Faraday cage.
We use tethering to measure the UL latency. We still have access to the  load from the srsLTE BS side and to our latency () measurement.
6.6.2 Results and Interpretations. Figure 9a and Figure 9b present the  ECDF and the  average increase, both as described in Subsection 6.5, and carry the same meaning as Figure 8 and Figure 7a from Experiment 4. We observe almost the same range of impacted UDP traffic on  as in Subsection 6.5. The increase between  0 9 and  32 9 is lower than with srsLTE, with a value of 17.66 ms. However, it still demonstrates the attacker's capacity to significantly degrade the latency guarantee. We also observe side effects on the , with its continuous increase as a function of  , which denotes an overuse of the UE resources, as was the case in Experiment 6. Overall, the attack negatively impacts the COTS UE, which is vulnerable to this attack. In addition, the impact grows with the increase of  . However, the impacts on  and  are less significant than on the srsLTE implementation. The significant impact on srsLTE starts from 4 NACKs, while on the COTS UE it starts from 8 NACKs. Considering the time-delay objective, this slight decrease of the attack impact is not an issue for the attacker, given that the impact is still sufficient to degrade the latency required by specific flows.

Limitations
The previously presented results validate the possibility of conducting a RoQ on latency by hijacking the RLC AM. However, our contribution comes with limitations in terms of assumptions. Indeed, we implemented the attack as an emulation on the BS side. Thus, we do not perform real overshadowing nor the eavesdropping of the RLC prerequisites. In addition, we described the vulnerabilities of 5G, but we conducted the attack on 4G; even though the protocol stack is almost the same, our empirical approach does not strictly validate the feasibility on 5G networks. Furthermore, 5G NR may not prioritise retransmissions without re-sequencing at RLC, and this changes the impact of our attack on the latency.

CONCLUSION AND FUTURE WORK
The results we presented in this paper show that the latency increase impacts all of the observed bitrates of our experimental testbed. We also demonstrate that an attacker can increase the impact on the latency guarantee by controlling the number of NACKs. The experimental tests highlight an overuse of the RLC buffer and of the load generated over the RAN. In addition, they show that the power of the attack (i.e., the number of NACKs) does not need to be set to the maximum to obtain a notable degradation of the latency.
The attack against a COTS UE shows that it is also vulnerable and impacted by the attack on the latency guarantee and the load.
The following steps in our line of work consist in understanding the impact of our attack on a real application. We consider a Metaverse-like flow to extract a latency threshold from the required QoS, and to verify whether the impact on latency from our attack is a real threat. This should be further studied using a COTS UE running Metaverse-based applications and quantifying the latency-increase impact on application-oriented metrics. Furthermore, we plan to select a 5G implementation to check whether our attack is still relevant. Finally, we also plan to conduct those experiments with other UEs in the same cell to check whether the observed side effects are also a threat.
Regarding countermeasures, researchers have created a tool that monitors the UE flows and uses Deterministic Finite Automata (DFA) to check the correct behaviour between the MAC and RLC layers [22]. For example, if a frame has been acknowledged by the MAC layer, it cannot get a NACK at the RLC layer. However, this solution is external and requires additional equipment. Consequently, one perspective of our work would be to fix the L2 reliability vulnerability exposed in this paper directly in the 5G (or beyond) standard, to offer this protection to most users.
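The MAC/RLC consistency rule above, together with the NACK window [TX_Next_Ack, ACK_SN − 1] from Section 4 and the Injection Range of Eq. (5), written as a standalone Python check. This is an added example, not code from the paper, from [22] or from srsLTE; the monitor state layout, the function names and the SN trace are assumptions made here.

```python
"""Consistency check on received RLC AM STATUS reports (added example).

Models the cross-check a monitor can apply to a STATUS report: each NACK_SN
must lie in [TX_Next_Ack, ACK_SN - 1] on the 1024-wide SN ring, and a PDU
whose MAC HARQ process already received an ACK cannot legitimately be
NACKed at RLC. State layout, names and the trace below are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

SN_MODULUS = 1024  # RLC AM SNs wrap modulo 1024 here (10-bit SN field)


def sn_distance(from_sn: int, to_sn: int) -> int:
    """Forward distance from from_sn to to_sn on the SN ring."""
    return (to_sn - from_sn) % SN_MODULUS


def injection_range(ack_sn: int, tx_next_ack: int) -> int:
    """Injection Range of Eq. (5): SNs an attacker could NACK in one report."""
    return (ack_sn - tx_next_ack - 1) % SN_MODULUS


def in_nack_window(nack_sn: int, tx_next_ack: int, ack_sn: int) -> bool:
    """True if nack_sn lies in [TX_Next_Ack, ACK_SN - 1], wrap-around included."""
    return sn_distance(tx_next_ack, nack_sn) < sn_distance(tx_next_ack, ack_sn)


@dataclass
class UeTxState:
    """What the monitor knows about the UE transmit side (assumed layout)."""
    tx_next_ack: int                                   # oldest SN without RLC ACK
    harq_acked: Set[int] = field(default_factory=set)  # SNs MAC HARQ acknowledged


def check_status_report(state: UeTxState, ack_sn: int,
                        nack_sns: List[int]) -> List[str]:
    """One finding per inconsistent NACK_SN; an empty list means consistent."""
    findings = []
    window_end = (ack_sn - 1) % SN_MODULUS
    for sn in nack_sns:
        if not 0 <= sn < SN_MODULUS:
            findings.append(f"NACK_SN {sn} is not a valid 10-bit sequence number")
        elif not in_nack_window(sn, state.tx_next_ack, ack_sn):
            findings.append(f"NACK_SN {sn} outside window "
                            f"[{state.tx_next_ack}, {window_end}]")
        elif sn in state.harq_acked:
            # RLC alone cannot see this: it does not know what MAC HARQ acknowledged.
            findings.append(f"NACK_SN {sn} contradicts the MAC HARQ ACK already received")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Constructed trace shaped like Figure 3: UE sent SN 2..9 since ACK_SN was 2."""
    state = UeTxState(tx_next_ack=2, harq_acked={2, 3, 4, 5, 6, 8, 9})  # SN 7 failed at HARQ
    # A forged report NACKing PDUs that MAC already delivered: every NACK is flagged.
    forged = check_status_report(state, ack_sn=10, nack_sns=[3, 4, 5, 6])
    # A plausible legitimate report: only the HARQ-failed PDU is NACKed.
    legit = check_status_report(state, ack_sn=10, nack_sns=[7])
    return forged, legit


if __name__ == "__main__":
    forged_findings, legit_findings = demo()
    print("Injection Range for ACK_SN=10, TX_Next_Ack=2:", injection_range(10, 2))
    print("forged report findings:", *forged_findings, sep="\n  ")
    print("legitimate report findings:", legit_findings)
```

The check needs HARQ feedback from the MAC layer, which is exactly the information the paper notes the RLC layer lacks; without it only the window test remains.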
(2) We exhibit the behaviour of the RLC layer at the protocol level, with and without attack, over an experimental open-source-based UE. (3) We conduct an empirical analysis of the UL application latency, the UL RAN load, and the UL RLC buffer, to quantify the attack's impact on an experimental open-source-based UE and on a COTS UE.

Figure 2: Example of an RLC AM re-transmission triggered by receipt of a STATUS report

Figure 4: Experimental testbed used to measure the UL latency of User Datagram Protocol (UDP) flows

5.1.1 Implementation. The implementation we selected is srsLTE, with its UE, BS (evolved Node Base station, eNB), and core (Evolved Packet Core (EPC)). The attacker emulation is achieved directly in the code of the stack, inside the RLC AM Long Term Evolution (LTE) part, in the function called at the reception of a Polling bit.

Figure 6: Experiment 3, increase of the average latency (  ), Load (  ) and Buffer size (  ) as compared to the baseline of Experiment 1

Figure 7: Experiment 4, impact on the srsLTE UE's  and , and on  _, related to the   variation

Figure 9: Experiment 5, impact on the COTS UE related to the   variation
The receiver answers with a STATUS report frame that carries the
The bandwidth is set to 5 MHz and the UL and DL use Frequency Division Duplex (FDD), thus providing 25 Physical Resource Blocks (PRB) on UL and DL, with a maximum MCS of 13 for the UL. The maximum TBS that can be scheduled for the UE in this configuration is 1335 bytes [2]. The theoretical throughput limit is 1335 × 8 × 1000 = 10.7 Mbps.