- 18 January 2021
As 5G networks are gradually rolled out in cities across the world, an analysis of their network architecture has revealed a number of potential weaknesses that could be exploited to carry out a variety of attacks, including denial-of-service (DoS) attacks that deprive subscribers of Internet access and the interception of sensitive data traffic.
New flaws in 5G let hackers track users’ locations & steal their data.
The findings form the basis of new 5G core security research by a specialist London-based cybersecurity firm, published exactly six months after it released Vulnerabilities in LTE and 5G Networks, which detailed high-impact flaws in LTE and 5G protocols.
In the absence of key elements, the network becomes vulnerable to subscriber denial of service through exploitation of vulnerabilities in the PFCP protocol. Other shortcomings could also lead to the disclosure of unique subscriber identifiers and profile information, and could even allow an attacker to use Internet services at a subscriber’s expense without their knowledge.
Compromised 5G Security increases Geo-Poli-Cyber Risk Exposure
One of the supposed key security benefits offered by 5G is protection from stingray surveillance and encryption of International Mobile Subscriber Identity (IMSI) numbers — unique identifiers that come with every SIM card for the purpose of identifying users of a cellular network.
The 5G Core (5GC) also updates the IT protocol stack by using Transmission Control Protocol (TCP) as the transport layer protocol in place of Stream Control Transmission Protocol (SCTP), HTTP/2 as a substitute for Diameter protocol for application layer security, and an added TLS layer for encrypted communication between all network functions.
Deployed either in standalone or non-standalone modes depending on their reliance on 4G Evolved Packet Core (EPC) technology, the 5G mobile network is a framework consisting of as many as nine network functions (NFs) that are responsible for registering subscribers, managing sessions and subscriber profiles, storing subscriber data, and connecting the users (UE or user equipment) to the internet via a base station (gNB).
But the research indicates that this very stack of technologies potentially opens the door to attacks on subscribers and the operator’s network, and could be exploited to stage man-in-the-middle and DoS attacks.
DoS and MitM Attacks
A problematic aspect of the system architecture is the interface devoted to session management (Session Management Function or SMF) via a protocol called Packet Forwarding Control Protocol (PFCP).
“A Geo-Poli-Cyber motivated hacker can exploit this vulnerability to compromise users, data, the 5G network operator, and the security of the nation state itself,” said an MLi Group Cyber Survivability and Security expert.
The expert added “They can choose to send a session deletion or modification request PFCP packet, causing a DoS condition that, in turn, leads to disruption of internet access (CVSS score 6.1) and even interception of web traffic (CVSS score 8.3) – and while this is a technical hacking process, the scale and magnitude of the damage can be huge if the hack is Geo-Poli-Cyber motivated, such as political, ideological, extremist, etc.”
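The PFCP weakness above comes down to session deletion and modification requests being accepted on the N4 interface from a peer that is not the operator's SMF. The following Python is an added example, not code from the original post or from the research it describes: it decodes the PFCP message header (version, S flag, message type, SEID and sequence number, per 3GPP TS 29.244), then runs a simple defender-side check over a few constructed packets. The SMF subnet `10.0.4.0/24`, the sample addresses and the severity policy are all assumptions made for the example; the packets carry no information elements, only headers.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# PFCP message type values from 3GPP TS 29.244 (only the ones this example inspects)
PFCP_MSG_TYPES = {
    1: "Heartbeat Request",
    50: "Session Establishment Request",
    52: "Session Modification Request",
    54: "Session Deletion Request",
}
# Requests that alter or tear down an existing subscriber session
SESSION_CHANGING = {52, 54}


@dataclass
class PfcpHeader:
    version: int
    msg_type: int
    length: int          # octets following the first four header octets
    seid: Optional[int]  # present only when the S flag is set
    seq: int


def build_pfcp(msg_type: int, seq: int, seid: Optional[int] = None) -> bytes:
    """Build a header-only PFCP message (constructed test data, no IEs)."""
    flags = (1 << 5) | (1 if seid is not None else 0)  # version 1 in the top 3 bits, S flag in bit 1
    body = b""
    if seid is not None:
        body += struct.pack("!Q", seid)
    body += seq.to_bytes(3, "big") + b"\x00"            # 3-octet sequence number + spare octet
    return struct.pack("!BBH", flags, msg_type, len(body)) + body


def parse_pfcp_header(data: bytes) -> PfcpHeader:
    """Decode the PFCP header; raises ValueError on truncated or unsupported input."""
    if len(data) < 8:
        raise ValueError("truncated PFCP header")
    flags, msg_type, length = struct.unpack("!BBH", data[:4])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"unsupported PFCP version {version}")
    seid = None
    offset = 4
    if flags & 0x01:                 # S flag set: an 8-octet SEID follows
        if len(data) < 16:
            raise ValueError("truncated PFCP header (SEID expected)")
        (seid,) = struct.unpack("!Q", data[4:12])
        offset = 12
    seq = int.from_bytes(data[offset:offset + 3], "big")
    return PfcpHeader(version, msg_type, length, seid, seq)


def audit_n4_packet(src_ip: str, data: bytes, trusted_smf_nets) -> Optional[dict]:
    """Return an alert for PFCP traffic the UPF should not be receiving, else None.

    Policy (an assumption for this example): only the operator's SMF addresses may
    speak PFCP to the UPF. Session-changing requests from any other source are
    high severity; any other PFCP from an unknown source is medium.
    """
    hdr = parse_pfcp_header(data)
    src = ip_address(src_ip)
    if any(src in net for net in trusted_smf_nets):
        return None
    name = PFCP_MSG_TYPES.get(hdr.msg_type, f"type {hdr.msg_type}")
    severity = "high" if hdr.msg_type in SESSION_CHANGING else "medium"
    return {"severity": severity, "src": src_ip, "msg": name, "seid": hdr.seid, "seq": hdr.seq}


def audit_sample() -> list:
    """Run the check over constructed sample traffic (not captured from any network)."""
    trusted = [ip_network("10.0.4.0/24")]  # assumed SMF subnet on the N4 interface
    samples = [
        ("10.0.4.10", build_pfcp(52, seq=1, seid=0x1001)),   # legitimate SMF modification
        ("192.0.2.77", build_pfcp(54, seq=7, seid=0x1234)),  # deletion from an unknown host
        ("192.0.2.77", build_pfcp(1, seq=8)),                # unknown host sending a heartbeat
    ]
    return [a for a in (audit_n4_packet(ip, pkt, trusted) for ip, pkt in samples) if a]


if __name__ == "__main__":
    for alert in audit_sample():
        print(alert)
```

The address allowlist is the minimum a UPF operator can enforce; it does not replace the authentication the report says is missing (IPsec or equivalent on N4), but it makes a stray session deletion from outside the SMF pool visible as an event rather than a silent loss of service.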
The research also found issues with the part of the 5G standard that governs Network Repository Function (NRF), which enables registration and discovery of NFs in the control plane, noting that the adversaries could add an already existing network function in the repository to serve subscribers via an NF under their control and access user data (CVSS score 8.2).
In a different scenario, the lack of authorization in NRF could be abused to deregister critical components by deleting their corresponding NF profiles from the store, resulting in loss of service to subscribers. This can have dire consequences if exploited.
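Both NRF issues above (overwriting an existing NF's profile with one the attacker controls, and deleting another NF's profile) stem from the repository accepting NF-management requests without checking who is asking. The Python below is an added example, not code from the original post or from the research: it models NRF registration (PUT) and deregistration (DELETE) on an in-memory profile store and gates them behind the checks a defender wants, namely a valid access token carrying the `nnrf-nfm` scope and a token subject matching the `nfInstanceId` being managed. The store contents, the `rogue-1` NF, the addresses and the status codes chosen for each outcome are assumptions for this example; the real 3GPP TS 29.510 interface is much richer than this model.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Simplified model of NRF NF-management. TS 29.510 uses PUT/DELETE on
# /nnrf-nfm/v1/nf-instances/{nfInstanceId}; the checks here are this example's own.


@dataclass(frozen=True)
class Token:
    subject: str            # nfInstanceId the token was issued to
    scopes: frozenset
    valid: bool = True      # signature and expiry verification assumed done upstream


@dataclass
class NrfStore:
    profiles: dict = field(default_factory=dict)   # nfInstanceId -> profile dict


def handle_nfm_request(store: NrfStore, method: str, nf_instance_id: str,
                       profile: Optional[dict] = None, token: Optional[Token] = None,
                       enforce_auth: bool = True) -> Tuple[int, str]:
    """Process a registration (PUT) or deregistration (DELETE); returns (HTTP status, reason).

    enforce_auth=False reproduces the weak behaviour described in the text
    (no authorization on NF management); True is the hardened path.
    """
    if enforce_auth:
        if token is None or not token.valid:
            return 401, "missing or invalid access token"
        if "nnrf-nfm" not in token.scopes:
            return 403, "token lacks nnrf-nfm scope"
        if token.subject != nf_instance_id:
            # An NF may only manage its own profile. This single rule blocks both
            # hijacking an existing NF's entry and deregistering someone else.
            return 403, f"{token.subject} may not manage the profile of {nf_instance_id}"
    existing = store.profiles.get(nf_instance_id)
    if method == "PUT":
        if profile is None:
            return 400, "profile body required"
        store.profiles[nf_instance_id] = dict(profile)
        return (200, "profile updated") if existing is not None else (201, "profile registered")
    if method == "DELETE":
        if existing is None:
            return 404, "no such NF instance"
        del store.profiles[nf_instance_id]
        return 204, "profile deregistered"
    return 405, "method not allowed"


def seed_store() -> NrfStore:
    """Constructed baseline: a UDM and an AMF already registered (sample data)."""
    store = NrfStore()
    store.profiles["udm-1"] = {"nfType": "UDM", "ipv4Addresses": ["10.0.5.10"]}
    store.profiles["amf-1"] = {"nfType": "AMF", "ipv4Addresses": ["10.0.5.20"]}
    return store


def replay_scenarios(enforce_auth: bool) -> dict:
    """Replay the two NRF abuses from the text against a fresh store and report outcomes."""
    store = seed_store()
    # The attacker holds a registered NF ("rogue-1", assumed) with a token issued to it.
    rogue = Token(subject="rogue-1", scopes=frozenset({"nnrf-nfm", "nnrf-disc"}))
    hijack = handle_nfm_request(store, "PUT", "udm-1",
                                {"nfType": "UDM", "ipv4Addresses": ["198.51.100.9"]},
                                rogue, enforce_auth)[0]
    wipe = handle_nfm_request(store, "DELETE", "amf-1", token=rogue,
                              enforce_auth=enforce_auth)[0]
    # Managing its own profile is always allowed, so legitimate operation is unaffected.
    legit = handle_nfm_request(store, "PUT", "rogue-1",
                               {"nfType": "NEF", "ipv4Addresses": ["10.0.5.30"]},
                               rogue, enforce_auth)[0]
    return {"hijack_udm": hijack, "deregister_amf": wipe, "self_register": legit,
            "udm_addr": store.profiles["udm-1"]["ipv4Addresses"][0],
            "amf_present": "amf-1" in store.profiles}


if __name__ == "__main__":
    print("no authorization:", replay_scenarios(enforce_auth=False))
    print("hardened:        ", replay_scenarios(enforce_auth=True))
```

With authorization off, the UDM's address is silently replaced by the attacker's and the AMF disappears from the repository, which is exactly the subscriber-data and loss-of-service outcome the text describes; with the subject-match rule on, both requests are refused with 403 while the rogue NF's own registration still succeeds.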
Hackers Can Secretly Spy on Subscribers’ Location
Also of note are a pair of subscriber authentication vulnerabilities that can be leveraged to disclose the Subscription Permanent Identifier (SUPI) allocated to each subscriber and serve the end-user using the leaked authentication information by spoofing a base station.
The experts also said, “consider the user/subscriber is a government employee or senior political figure – the access to such data could severely compromise them by allowing the hacker to spy on their location without them knowing it and therefore put the national security at higher risk.”
Last but not least, an attacker can impersonate the Access and Mobility Management Function (AMF) module that takes care of subscriber registration on the network by using a subscriber’s identification information to create new fake and unnoticeable internet sessions for which the subscriber will be billed.
Cyber Survivability & Security Risk Audits of your 5G network Needed ASAP
While 5G promises to bring security advances, it’s also known to bring with it new exploitable vulnerabilities which must be identified and patched very early and before they can be leveraged by financially or Geo-Poli-Cyber motivated hackers.
This will not happen by simply following the standard periodic audits or “best practice” policies. Your 5G standard must be constantly audited, patched and scrutinized 24/7.
Call to Action:
Click below to submit your Expression of Interest (EOI) to request your confidential consultation on conducting a Cyber-Survivability & Security Audit of your 5G network.
Your MLi Audit can be tailored to cover equipment configuration and technical implementation, and to assess the Geo-Poli-Cyber risk exposure of your network architecture.