This study addresses the critical security gap in 5G’s physical and MAC layers, which lack robust mechanisms to defend against lightweight control-message attacks that compromise device availability and energy efficiency. Leveraging a controlled experimental platform built with commercial user equipment and an open-source 5G base station, the work presents the first empirical demonstration of two novel lower-layer attacks: (1) manipulating SIB1 broadcast messages to prolong radio-frequency activity and thereby increase power consumption, and (2) injecting subtly falsified Timing Advance (TA) values during random access, where even minimal offsets reliably trigger radio link failure, leading to persistent reconnection attempts and denial of service. These findings expose the vulnerability of 5G lower-layer protocols to fine-grained control-message manipulation and underscore the urgent need for enhanced security design in these foundational layers.

As 3GPP systems have strengthened security at the upper layers of the cellular stack, plaintext PHY and MAC layers have remained relatively understudied, though interest in them is growing. In this work, we explore lower-layer exploitation in modern 5G, where recent releases have increased the number of lower-layer control messages and procedures, creating new opportunities for practical attacks. We present two practical attacks and evaluate them in a controlled lab testbed. First, we reproduce a SIB1 spoofing attack to study manipulations of unprotected broadcast fields. By repeatedly changing a key parameter, the UE is forced to refresh and reacquire system information, keeping the radio interface active longer than necessary and increasing battery consumption. Second, we demonstrate a new Timing Advance (TA) manipulation attack during the random access procedure. By injecting an attacker-chosen TA offset in the random access response, the victim applies incorrect uplink timing, which leads to uplink desynchronization, radio link failures, and repeated reconnection loops that effectively cause denial of service. Our experiments use commercial smartphones and open-source 5G network software. Experimental results in our testbed demonstrate that TA offsets exceeding a small tolerance reliably trigger radio link failures in our testbed and can keep devices stuck in repeated re-establishment attempts as long as the rogue base station remains present. Overall, our findings highlight that compact lower-layer control messages can have a significant impact on availability and power, and they motivate placing defenses for initial access and broadcast procedures.