Recent AdaptiveMobile Security 5G research shared massive vulnerabilities in the innovative Slicing technology at the heart of the 5G transformation. The full report can be accessed here.
Our report showed massive vulnerabilities which left unaddressed, could be exploited by cybercriminals. The fundamental vulnerability has the potential to allow three main attack scenarios, user data extraction (such as location tracking), denial of service against another network function and access to a network function and related services and information of another vertical partner.
Following on from our last blog, where we explored the threat of location tracking attacks on 5G Network Slicing architecture. In this post, we examine another potential attack type on a sliced 5G network, which is a Denial of Service (DoS) attack.
What are Denial of service (DoS) attacks?
"Denial of service" or "DoS" describes the ultimate goal of a class of cyber-attacks designed to render a service inaccessible. DoS attacks are often brought about by a service's underlying systems being overloaded. Denial of service (DoS) attacks are a major concern for telecommunication networks, as we know mobile network operators are providers of critical communications infrastructure so the impact of a DoS attack could be devastating combined with the loss of revenues associated with this kind of attack. The risks related to DoS attacks have become even greater and more complex as we see the rise of connectivity in mobile networks such as IoT (Internet of Things) devices (read our post on the role of network security in IoT apps as well).
Risks of Denial of Service (DoS) attacks on 5G networks
DoS attacks are potentially more damaging in a 5G environment, as we see more 5G use cases with enterprise partners and now many Mobile Network operators count Governments amongst their customers. Imagine if one partner runs a DoS attack against another government partner, this attack could reach part of critical national infrastructures such as energy, health, transportation, public services, and critical manufacturing. With all these important services and data in 5G networks, DoS blackmailing becomes of greater interest to cybercriminals and the potential damage caused by malicious activity could be catastrophic.
How could a DoS attack work on 5G networks?
Dr. Silke Holtmanns explains how the attack could work, “The 3rd Generation Partnership Project (3GPP) has a feature of an overload control indicator. It is important all the network functions can talk to each other, so a feature to avoid overload is important. An overload control indicator is like a do not disturb feature whereby, one network function tells another network function, do not disturb me for a while, I am busy right now. In 5G this overload indication is a special header you can put on top of any message. But the information in the header is not cross-checked with the sender identity. Theoretically, I could put a do not disturb sign for you and since there is no cross-checking, you would not be contacted with notifications or other messages during the time the ‘do not disturb’ request is active. The network functions would not talk to each other for some time, they would just use cached data. If you launched another attack during that time, it gives you some cover.” This kind of attack prevents synchronization of information and real-time updates and enforcement of policies.
More technical details of the possible DoS attacks
Our recent white paper examines this attack scenario in greater technical detail. This security challenge relates to the HTTP header of 5G messages sent between network functions as set out in TS 29.500, and the validation of the elements within the messages. As Silke described, 3GPP has an overload control indicator header information, which is part of the HTTP header and can be used to indicate overload from one network function to another during normal service operations.
Assuming a rogue Slice B wants to run a DoS Attack against Slice A, we can see the steps taken in the figure below.
Where is the security risk?
Currently, there is no requirement in the 3GPP specifications to validate if the slice identity provided in the 3GPP-SbiOci header matches the slice identity in the token for the service API usage. Note, that the slice identity or instance id or similar information in the token is not clearly specified in 3GPP right now as it requires the usage of the additional scope field in the AuthenticationTokenClaims which is not defined in detail and would not provide interoperability between network functions from different vendors. This kind of mismatching could potentially lead to misuse of the overload control features of 3GPP, could potentially result in partial network delays or outages. GSM Association (GSMA) send a liaison statement to 3GPP and requests them to investigate and improve their specifications. This may happen in the ongoing 3GPP Release 17 as we see time the timeline for finalization of the protocol code at the stage 3 freeze is Q3 2022.
How could these potential DoS attacks within 5G Network Slicing be resolved?
As with the potential for location tracking attacks that we covered in our last blog post. We recommend using an enhanced filtering and validation approach, which combines information from different layers, protocols and integrates external threat information. This kind of filtering and validation approach allows division of the network into security zones and safeguarding of the 5G core network. Cross-correlation of attack information between those security network functions maximizes 5G network protection against sophisticated attackers and allows better mitigations and faster detection while minimizing false alarms. Standardization is important but waiting for standardization to improve security might not be always a timely solution as we can see from the timeline of the 3GPP Release 17 Code freeze in 2022.
Will this vulnerability impact the roll-out of 5G?
AdaptiveMobile Security has submitted these vulnerabilities as a Common Vulnerability Disclosure (CVD) to the GSMA. 3GPP and GSMA are working on the mitigation of the presented vulnerabilities, but this will require some time to be seen in products updates. The success of 5G depends on the integration of partners from industry, automotive, entertainment etc. The opening up of the mobile core network poses the risk, that one of those partners might be compromised in a sliced 5G network. Therefore, it is prudent to monitor and filter to detect anomalies and attacks quickly and not to rely on the year-long cycle of standards and products. Mobile Network Operators need to be aware of these attack scenarios, as, be in no doubt, attackers will try and use them for nefarious purposes.
5G networks represent huge opportunities for mobile network operators to boost customer experience and grow revenues. But the technologies within 5G networks also bring significant security risks that need to be addressed now, to secure the future. In telecommunication networks, there is often a presumption of trust between business partners, which is a mind-set Mobile Network operators must move away from. Attackers have already penetrated the global mobile infrastructure. No network technology is secure even future 5G technologies.
Máirín is an experienced marketeer and project manager with a passion for global business strategy. With over 15 years’ experience gained across technology, banking, pharma and professional services sectors. She has successfully planned and executed award-winning global marketing campaigns. Including management of product launches and international events for a range of clients from small blockchain start-ups to larger brands such as Bank of Ireland, LinkedIn and Novartis. Máirín heads up our Marketing Communications team, evangelising for our telecom managed threat protection, response and intelligence products and services, protecting more than 2.1 billion subscribers worldwide. Máirín holds a MSc in Management from UCD Michael Smurfit Graduate Business School and is a member of the Marketing Institute of Ireland.