Is 5G dangerous? This question definitely has more than one connotation, but we are going to look at the cybersecurity risks it could pose. A recent security analysis revealed several potential weaknesses in 5G that could be exploited to carry out denial-of-service (DoS) attacks that interfere with Internet access, and to intercept data traffic.
The extensive analysis was published by Positive Technologies, and the report is called “5G Standalone core security research.” Earlier this year, the same company published another report dedicated to 5G – “Vulnerabilities in LTE and 5G Networks 2020”. In addition, research published in 2018 revealed how attacks against LTE could occur. LTE (a mobile communication standard) could be compromised in three attacks where an attacker collects meta-information about the user’s traffic, among other things.
Positive Technologies’ latest report talks about how the exploitation of vulnerabilities could affect subscribers. Consequences of successful exploitation include subscriber denial of service due to vulnerabilities in the PFCP protocol, registration of new attacker-controlled network functions, subscriber denial of service due to mass deregistration of network elements, disclosure of subscriber unique identifier (SUPI), disclosure of subscriber profile information, and creation of Internet sessions by attackers at subscriber expense.
What can mobile operators do to prevent any of the dangers listed above from happening? Companies “must employ timely protection measures, such as proper configuration of equipment, use of firewalls on the network edge, and security monitoring,” Positive Technologies says.
Report: 5G Standalone core security research
The report focuses on the SA (Standalone) mode of 5G network deployment. “The implementation is based on Rel 15 3GPP with the OpenAPI Specification providing detailed descriptions of each interface,” the researchers explain.
The 5G network can be deployed in standalone mode or in non-standalone mode, the latter depending on the 4G EPC (Evolved Packet Core) technology. The 5G mobile network consists of nine network functions (NFs) responsible for registering subscribers, managing sessions and subscriber profiles, storing subscriber data, and connecting user equipment to the Internet using a base station.
Man-in-the-middle and Denial of service attacks
These technologies create opportunities for attackers to carry out man-in-the-middle and DoS attacks against subscribers.
One of the main issues in the system architecture concerns the interface responsible for session management, which is handled by the SMF (Session Management Function). Session management relies on a protocol known as PFCP (Packet Forwarding Control Protocol):
To manage subscriber connections, three procedures are available in the PFCP protocol (Session Establishment, Modification, and Deletion), which establish, modify, and delete GTP-U tunnels on the N3 interface between the UPF and gNB. […] We will focus on the N4 interface. Testing of this interface revealed potential attack scenarios against an established subscriber session.
Threat actors could send a session deletion or modification request, which could cause a denial-of-service condition and, eventually, disruption of Internet access and interception of web traffic. Other problematic areas in the 5G standard include the Network Repository Function (NRF). The NRF enables registration and discovery of network functions (NFs) in the control plane. Hackers could add an already existing NF in the repository to serve subscribers via a hacker-controlled NF. This could result in access to user data.
Another attack scenario is based on the lack of authorization in NRF, which could be exploited to deregister critical components by deleting their corresponding NF profiles. This could lead to loss of service to subscribers.
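For the security monitoring the report recommends, the PFCP session requests described above can be watched on the N4 interface. The following is an added example, not code from the report: it parses the PFCP header as laid out in 3GPP TS 29.244 and flags session requests that do not come from a known SMF. The addresses, the allowlist and the sample packets are constructed for illustration.

```python
import struct

# PFCP session-related request types (3GPP TS 29.244)
SESSION_MSGS = {50: "Session Establishment Request",
                52: "Session Modification Request",
                54: "Session Deletion Request"}

def parse_pfcp_header(data):
    """Return (msg_type, seid, seq), or None if not a well-formed PFCPv1 header."""
    if len(data) < 8:
        return None
    flags, msg_type, length = struct.unpack("!BBH", data[:4])
    if flags >> 5 != 1:               # version is the top three bits
        return None
    if length != len(data) - 4:       # length excludes the first 4 octets;
        return None                   # bundled messages are not handled here
    if flags & 0x01:                  # S flag set: 8-octet SEID follows
        if len(data) < 16:
            return None
        seid = int.from_bytes(data[4:12], "big")
        seq = int.from_bytes(data[12:15], "big")
    else:
        seid, seq = None, int.from_bytes(data[4:7], "big")
    return msg_type, seid, seq

def audit_n4(packets, allowed_smf):
    """packets: (src_ip, udp_payload) pairs seen on UDP 8805 towards the UPF."""
    alerts = []
    for src, payload in packets:
        hdr = parse_pfcp_header(payload)
        if hdr is None:
            alerts.append((src, "malformed PFCP", None))
        elif hdr[0] in SESSION_MSGS and src not in allowed_smf:
            alerts.append((src, SESSION_MSGS[hdr[0]], hdr[1]))
    return alerts

def build(msg_type, seid, seq):
    """Constructed sample: a PFCP header with SEID and no information elements."""
    body = seid.to_bytes(8, "big") + seq.to_bytes(3, "big") + b"\x00"
    return struct.pack("!BBH", 0x21, msg_type, len(body)) + body

# Constructed traffic: 10.0.4.10 is the assumed legitimate SMF.
SAMPLE = [("10.0.4.10", build(50, 0, 1)),
          ("10.0.4.10", build(52, 0x1111, 2)),
          ("10.0.9.66", build(54, 0x1111, 7)),
          ("10.0.9.66", b"\x21\x36")]
ALERTS = audit_n4(SAMPLE, allowed_smf={"10.0.4.10"})
```

A source-address allowlist is only as reliable as the anti-spoofing controls on the N4 network, so it complements the edge firewalling the report calls for rather than replacing it.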
Subscriber Authentication Vulnerabilities
Other problems Positive Technologies discovered are based on subscriber authentication vulnerabilities. The researchers demonstrated that “subscriber authentication becomes insecure if the NRF does not perform authentication and authorization of 5G core network functions.”
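The NRF scenarios described earlier (an existing NF profile replaced by another party, and profiles deleted by a party that never registered them) can be detected from the NRF's own request log. The following is an added example, not code from the report: it assumes each log event carries the caller identity the NRF front end authenticated, and it uses the NF instance resource path of the Nnrf_NFManagement API from 3GPP TS 29.510. The events and identifiers are constructed.

```python
import re

# NF instance resource of the Nnrf_NFManagement API (3GPP TS 29.510)
NF_PATH = re.compile(r"^/nnrf-nfm/v1/nf-instances/([0-9a-fA-F-]{36})$")

def audit_nrf(events):
    """events: (client_id, method, path, status) tuples in time order.
    client_id is assumed to be the authenticated caller (e.g. mTLS subject)."""
    owner = {}       # nfInstanceId -> client that first registered it
    findings = []
    for client, method, path, status in events:
        m = NF_PATH.match(path)
        if not m or not 200 <= status < 300:
            continue                     # ignore other resources and refusals
        nf_id = m.group(1).lower()
        if method == "PUT":
            if nf_id in owner and owner[nf_id] != client:
                findings.append(("profile-overwrite", nf_id, client))
            else:
                owner[nf_id] = client    # first registration or owner's update
        elif method == "DELETE":
            if owner.get(nf_id) != client:
                findings.append(("foreign-deregistration", nf_id, client))
            else:
                del owner[nf_id]
    return findings

# Constructed sample log; identifiers are placeholders.
SMF_ID = "aaaaaaaa-0000-4000-8000-000000000001"
UDM_ID = "aaaaaaaa-0000-4000-8000-000000000002"
BASE = "/nnrf-nfm/v1/nf-instances/"
SAMPLE = [
    ("smf-1", "PUT", BASE + SMF_ID, 201),       # legitimate registration
    ("udm-1", "PUT", BASE + UDM_ID, 201),       # legitimate registration
    ("smf-1", "PUT", BASE + SMF_ID, 200),       # owner updates its profile
    ("unknown-7", "PUT", BASE + SMF_ID, 200),   # existing profile replaced
    ("unknown-7", "DELETE", BASE + UDM_ID, 204),  # deleted by a non-owner
    ("unknown-7", "DELETE", BASE + SMF_ID, 403),  # refused, so not reported
]
FINDINGS = audit_nrf(SAMPLE)
```

Every finding here is a request the NRF accepted, which is the condition to fix: with authentication and authorization of network functions enforced, those requests would be refused like the last one.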
In conclusion, this report only covers “a few examples” of how vulnerabilities in 5G can be exploited. “Just as with previous-generation networks, attackers still can penetrate operator networks by means of the international roaming network or partner networks. Therefore, it is vital to ensure comprehensive protection of 5G networks,” the analysis concludes.
You can download the report for full technical disclosure.
Another report, published in June 2020, showcased serious vulnerabilities in the modern GTP communication protocol deployed by mobile network operators. The GTP protocol is used to transmit user and control traffic on 2G, 3G, and 4G networks. This was not the first time the researchers explored specific flaws in the GTP protocol.
That particular report explained how these vulnerabilities affected the security of mobile networks, and more specifically – their impact on 5G networks. The vulnerabilities could be exploited to intercept user data in various attack scenarios, including DoS, impersonation, and fraud.