5G network security is an order of magnitude more complex than that of any previous mobile technology. The attack surface is bigger, and the attack tools are more widely available. Security in 5G networks is not built-in, and major vulnerabilities have already been exposed even before the technology has been deployed. In this article we address a network slicing attack scenario that could lead to fraud and data leakage.
What are the security vulnerabilities in 5G Networks?
In our recent white paper, AdaptiveMobile Security experts shared the vulnerabilities and attack scenarios they uncovered. Our research focussed on the cutting-edge 5G network slicing technology and exposed vulnerabilities which, left unaddressed, could potentially be exploited by cybercriminals and surveillance companies.
The fundamental vulnerability has the potential to allow three main attack scenarios. We have discussed two of these scenarios in previous blog posts: user data extraction (such as location tracking) and denial of service against another network function. The third attack type concerns a vertical partner’s access to the services of a network function, and related information, of another vertical partner, which could lead to fraud or data leakage.
In this post, we look specifically at the last attack type and its potential for fraud or data leakage, which arises from the potential to access a network function and related information of another vertical partner within the 5G slicing architecture.
Use cases for 5G networks
5G is seen as an enabler for a connected industry and a large range of vertical use cases, for instance the automotive industry, smart cities, healthcare, entertainment and critical infrastructure. Now we look specifically at 5G network slicing and the vulnerability that could affect industry verticals leveraging this technology.
Let’s recap, what is Network Slicing and why is it important for 5G?
Network slicing allows a mobile operator to divide their network into multiple distinct logical blocks that provide different amounts of resources and prioritization to different types of traffic. Network slicing will allow operators to provide portions of their networks for specific customer use cases. As a result, the network is open to many partners and sliced into use cases and vertical-specific blocks.
What is the vulnerability found in the network slicing?
Our experts revealed a scenario within the current 3rd Generation Partnership Project (3GPP) standards whereby one vertical can gain access to the services of a network function and related information of another vertical. This situation could be exploited and lead to fraud and/or data leakage.
How does the data leakage / service theft attack work?
In simple terms, the attack consists of requesting an authorization ticket, which is basically your entrance ticket to a service, on behalf of another vertical. The details within the request are not well specified, which ultimately means that, within 3GPP standards, everybody in the network can ask for any kind of ticket.
This means that for a shared network function, when I request an authorization ticket, I could put your identity in the service request (depending on implementation, e.g. instance ID, slice ID or IP address) and then I would get your ticket. This scenario, depending on the services and information on the slices, could lead to serious fraud and leakage of sensitive subscriber data. See below a diagram showing the attack in action.
What is the impact of this 5G Network vulnerability on operators, enterprises and subscribers?
This vulnerability may allow impersonation of another vertical and, depending on how the operator charges verticals, this could lead to fraud. Depending on the services being utilized within the slices, a vertical could end up paying for a service it didn’t order or receive. The problem here is that the attacks come from ‘trusted’ vertical partners. While 99% of traffic on the network is legitimate and we want the open relationship in order to enable business between verticals, there is a small percentage that is unwanted, or where a vertical partner has been compromised.
The lesson here is that authentication and communication security using TLS is not enough to secure the services and indeed trust is not enough to secure 5G networks.
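The ticket request described above and the check that the TLS lesson implies, as an added example (not AdaptiveMobile's or 3GPP's code): a ticket issuer that trusts the identity written in the request, next to one that binds it to the identity already authenticated at the transport layer. The registry, field names and sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed registry of network function instances and what each is bound to.
REGISTRY = {
    "nf-vertical-a": {"slice_id": "slice-a", "ip": "10.0.1.10"},
    "nf-vertical-b": {"slice_id": "slice-b", "ip": "10.0.2.20"},
}

@dataclass(frozen=True)
class Peer:
    """Identity established below the application layer (e.g. TLS client certificate)."""
    instance_id: str
    ip: str

def issue_ticket_naive(peer, request):
    """Behaviour the article describes: the ticket carries whatever identity the request states."""
    return {"sub": request["instance_id"], "slice_id": request["slice_id"],
            "scope": request["scope"]}

def check_request(peer, request):
    """List every mismatch between the authenticated peer and the claimed identity."""
    entry = REGISTRY.get(peer.instance_id)
    if entry is None:
        return ["peer is not a registered instance"]
    problems = []
    if request.get("instance_id") != peer.instance_id:
        problems.append("claimed instance ID differs from authenticated peer")
    if request.get("slice_id") != entry["slice_id"]:
        problems.append("claimed slice ID is not the peer's registered slice")
    if peer.ip != entry["ip"]:
        problems.append("source IP differs from registered address")
    return problems

def issue_ticket_checked(peer, request):
    """Issue a ticket only when the request's identity matches the authenticated peer."""
    problems = check_request(peer, request)
    if problems:
        raise PermissionError("; ".join(problems))
    return issue_ticket_naive(peer, request)

# Constructed requests: vertical A asks once for itself, once in vertical B's name.
PEER_A = Peer("nf-vertical-a", "10.0.1.10")
OWN_REQUEST = {"instance_id": "nf-vertical-a", "slice_id": "slice-a", "scope": "service-x"}
FOREIGN_REQUEST = {"instance_id": "nf-vertical-b", "slice_id": "slice-b", "scope": "service-x"}

if __name__ == "__main__":
    print("naive  :", issue_ticket_naive(PEER_A, FOREIGN_REQUEST))
    print("checked:", check_request(PEER_A, FOREIGN_REQUEST))
    print("own    :", issue_ticket_checked(PEER_A, OWN_REQUEST))
```

The rejection reasons returned by `check_request` are also what an operator would want logged, since a trusted partner repeatedly claiming another vertical's identifiers is itself a signal.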
Will these vulnerabilities be fixed?
The GSM Association (GSMA) have reacted quickly and reviewed the vulnerability, which we shared in a standard co-ordinated vulnerability disclosure process. Improvement and tightening of the standards may happen in the ongoing 3GPP Release 17; the timeline for finalization of the protocol code at the stage 3 freeze is Q3 2022.
Will 5G Networks be secure when this vulnerability is blocked?
The vulnerability we disclosed is only part of the security system for 5G and there are limits to what you can do with specifications. We are discovering vulnerabilities ahead of time, which is a positive thing, however it would obviously be better if it never happened at all.
5G network core technologies will be fundamentally insecure.
Due to the convergence of IP and telecom protocols in 5G, attackers already have access to tools and techniques that are known to be effective and easily accessible. 5G networks have taken the game to the cybercriminals’ home field!
What can mobile network operators do to protect 5G networks?
Trust is an issue; it is not enough to know your partners. Mobile network operators need to be vigilant and constantly monitor activity, detect any threats, and most importantly they need faster reaction times to any infringements.
Security standards are important, but they do not provide the real-time threat detection and mitigation that is needed for 5G. Active signalling intelligence will allow them to defend against ever evolving 5G security threats.
Máirín is an experienced marketeer and project manager with a passion for global business strategy. With over 15 years’ experience gained across technology, banking, pharma and professional services sectors, she has successfully planned and executed award-winning global marketing campaigns, including management of product launches and international events for a range of clients from small blockchain start-ups to larger brands such as Bank of Ireland, LinkedIn and Novartis. Máirín heads up our Marketing Communications team, evangelising for our telecom managed threat protection, response and intelligence products and services, protecting more than 2.1 billion subscribers worldwide. Máirín holds an MSc in Management from UCD Michael Smurfit Graduate Business School and is a member of the Marketing Institute of Ireland.