This blog will extend the thoughts outlined in the report 5G - The Security of things to come, and takes an even deeper technical view.
5G networks security risks
5G Radio Access Networks (RAN) are widely now in operation or deployment phases. 5G core networks are also coming and their deployments are announced by many large mobile operators.
With 5G roaming on the horizon, now is a good time to reflect on the categories of risk we may face in the future for 5G interconnection traffic. We have seen that interconnection attackers to 2G, 3G or 4G networks have been interested to perform:
- Location Tracking
- Authentication Vector Theft
- SMS Theft e.g. banking TANs
- Traffic data theft e.g. for fraud
- Profile modification e.g. for fraud
- Network data theft / Information extraction
- Ransomware (focus on the IT side of operators)
- DoS (for whatever reasons)
5G networks use a Service-Based Architecture (SBA). This is a “bus” architecture that connects all network functions in the core network with each other and allows communications between network functions e.g. to request information like user location.
Figure 1: 5G Service Based Architecture (SBA)
This bus is also accessible from partner operators and protected from rogue nodes by the Security Edge Protection Proxy (SEPP). The service-based interfaces use REST API, HTTP/2 and JSON, which are all pretty common Internet protocols. Unfortunately, these protocols are also widely attacked. The wide adoption and usage of these protocols should not give us any false sense of security.
Nation-state cybersecurity and telecom surveillance is a very specialized service, which requires highly skilled tools, knowledge and people. Commercially, there are service companies that can be contracted for this kind of task. Nation-State intelligence agencies are also living in an outsourcing task business world.
Cyber-attack techniques evolve with technology
It is a fair guess that in the future those attackers will continue to have an interest in those aims above and will adapt their methods according to the target 5G networks and the available information and services.
Telecommunication technologies evolve, but many of the underlying principles and functionalities still remain the same e.g. for user mobility. Therefore, one can find commands in different generations, which perform a similar action and might be exploited by an attacker, retooling an old attack or adjacent attack method with not that much of an additional effort:
Table 1: Examples of potential location tracking attacks to unsecured networks through the generations
GSMA: security guidance for network operators
The GSMA Association, where most of the operators of the world are represented, has raised awareness on security issues and provides mobile network operators with guidance on how to improve their security.
This association published for their members and also for non-members many specifications on how to improve the security of networks and all elements in it. AdaptiveMobile Security contributes to many of those efforts and brings in real-life security threats that we see and analyze.
For example, suspicious activities using diameter authentication and update location messages over the interconnection link:
Figure 2: Suspicious activities using the diameter protocol
5G network attacks
In the telecommunication space, the number of core network node suppliers is quite limited, attackers can be assumed to have toolboxes for each of the individual suppliers and for each protocol.
In the recent past, attackers learned to vary and modify their attacks to disguise their traces and circumvent firewalls and filters. 5G core network architecture is much more IT’ish than the previous generations of core networks. Due to the availability of IT hacking tools for common protocols, speed of security and rule updates and awareness of vulnerabilities are of uttermost importance, as we can assume that attackers will modify existing IT tools to develop faster and more sophisticated 5G network attacks.
Why ransom an individual hospital when you can shut down a whole 5G enabled smart city or switch off the heating for a whole region when it’s -28 degree Celsius? Therefore, we want to predict now what kind of technical threats we may face in future years…… let’s say 8 years….
Read now the second in a series of three 5G network security projections: Top 5G network security issues in 2028 >>
With extensive experience in the telecommunications industry and a specialty in mobile security research, Dr. Holtmanns holds a PhD in Mathematics, and her current research area combines data analytics, penetration testing and privacy. Investigating vulnerabilities and security attacks using SS7, Diameter and GTP protocols via the Interconnect lead her to develop new countermeasures for 4G/5G networks. She is actively supporting the evolution of 5G interconnection security with strong focus on 3GPP security and GSMA. As an expert on existing and future attack patterns for interconnection security, she provides advice to AdaptiveMobile Security, customers, standard boards, and regional and national regulating governmental bodies e.g. US FCC or EU ENISA.