5g Security Issues

Positive Technologies
Sep 5, 2019


Executive summary

5G Non-Standalone is vulnerable to denial of service. Why? 5G Non-Standalone is a standard that allows operators to build a 5G network on top of an existing LTE network core. This is the path most operators have taken. As a result, 5G networks inherit the vulnerabilities of LTE networks from the get-go. Research indicates that 100 percent of LTE networks are vulnerable to DoS through Diameter exploitation. This means that 100 percent of 5G Non-Standalone networks will be vulnerable to DoS, too.

Hacking 5G will be just as simple as hacking the web. The 5G network core will be based on SDN and NFV. Key elements of SDN and NFV interact by means of the HTTP and REST API protocols. The same Internet protocols will be used for interaction of network elements within the 5G network. These protocols are open and well-known. Tools for finding and exploiting vulnerabilities are available to any adversary. The IT and web industries on their part have developed a number of protection methods, but experience shows that well-protected applications are the exception rather than the rule. Software development is rife with mistakes that impact security. For instance, the average web application contains 33 vulnerabilities, and 67 percent of web applications contain high-risk vulnerabilities. Lowering the penetration threshold will pave the way for an upswing in attacks on 5G networks.

More flexibility. More configurations. More errors. When performing security analysis, whether of a mobile operator’s network or a corporate information system, we routinely find configuration flaws directly impacting security. Even now, not every operator succeeds in securely configuring their core network and protecting it from all angles. As SDN and NFV technologies are implemented as part of efforts to build a Network Slicing architecture, administration will become even more difficult. Flexibility in 5G networks is achieved by increased complexity and number of configurations, and, as a result, the probability of errors that cause vulnerabilities increases too.

Millions of connected IoT devices mean millions of potential botnet soldiers. The main subscribers of 5G networks will not be people, but IoT devices. By 2020, there will be about 20 billion such devices. The number of attacks on the IoT is increasing as well. Device protection is poor and malware distribution is easily scalable. In the last year alone, our experts found 800,000 vulnerable devices. Mirai was an example of the destructive capacity of a large botnet. To avoid a new Mirai that can leave regular users without communication, 5G network operators will have to develop new threat models more attuned to diverse device types.

Introduction

Each new generation of mobile standards since 2G has been designed for one and the same goal: boost bandwidth on packet networks, to provide users with faster Internet access. The other changes were minimal. The voice codec in 3G changed only slightly. On 4G networks, voice traffic is transmitted over packet data using the IP Multimedia Subsystem (IMS), which many operators have not deployed (so the 4G network may not transmit voice at all, instead falling back on 2G/3G to make calls). Ever faster mobile networks of the latest generation have certain drawbacks even compared to their predecessors. 3G and 4G in particular are a less-than-ideal fit for the IoT, since compatible devices need to have high performance and corresponding high energy consumption. As a result, devices require frequent charging or battery swaps. This is unacceptable for many IoT devices: a number of tasks require battery life of up to 10 years without swapping or charging batteries.

5G networks are designed to take into account the communication requirements of many types of connected devices, and are expected to be as flexible as possible, providing both superfast access with minimal latency and slow access that does not require much computing power at the end device.

According to 3GPP Release 15 for 5G which came out in summer 2018, the first wave of 5G networks and devices is classified as Non-Standalone (NSA). This is to say that 5G networks will be supported by existing 4G infrastructure. In other words, devices will connect to 5G frequencies for data transmission when needing greater bandwidth and lower latency (such as for communication between smart cars), or to reduce power draw on IoT-enabled devices, but will still rely on 4G and even 2G/3G networks for voice calls and SMS messaging. So, at least during the transition period, future 5G networks will inherit all the vulnerabilities of previous generations.

5G networks may add yet more security flaws, because deployment of the packet core and additional services is made simpler and faster by completely switching to virtualization technologies (NFV/SDN architecture). Replacing dedicated hardware with software-defined systems (some of them based on open-source projects) may prove a double-edged sword that makes mobile networks even more vulnerable to attacks.

One thing is for certain: availability, integrity, and confidentiality will remain the foremost concerns. As 5G begins to penetrate every area of life — such as industry, healthcare, and transport — we can be sure that emboldened malefactors will follow close behind.

5G overview

Even though the standard for 5G is not finalized yet, 5G networks are expected to initially rely on and integrate with previous-generation networks, gradually displacing them over time.

5G standardization

Standardization of 5G networks started with developing plans for future specifications in September 2015 at a workshop arranged by 3GPP. As planned, Phase 1 specifications should describe the architecture for meeting service requirements, while Phase 2 will detail the protocols for implementing that architecture.

During preparation, it was decided to split Phase 1 into two parts. In December 2017 standardization of the non-autonomous, or so-called Non-Standalone, architecture for 5G New Radio (NR) was completed. This is the first official set of 5G network standards; it defines a 5G NR base station that can interact with the existing LTE core network. That allowed operators to connect a 4G LTE network with the new radio technology, increasing the volume and speed of user data transmission with 5G NR.

In July 2018 the first stage of standardization for 5G Phase 1 radio network was completed. As part of 3GPP Release 15, NR Standalone architecture specifications were released, indicating how the proposed 5G radio network will work with a 5G network core. In addition to radio network standardization in 3GPP Release 15, work was also done to define the structure of most of the 5G network core.

Phase 2 of standardization of the 5G network core structure and usage scenarios is the priority for current work on 3GPP Release 16, which should be completed by December 2019.

It should be noted that the full picture of 5G networks security is currently not defined, because the network core is being standardized. However, the released standards allow us to make some assessments of 5G networks in terms of security. As background: issues with wireless security (such as use of weak encryption or lack of two-way authentication, which allowed attackers to intercept subscribers’ traffic) were almost completely resolved in 4G. The same cannot be said for robustness of the EPC core network.

Scenarios for using 5G networks

The 5G rollout is aimed primarily at advancing current services and providing all-new ones. At the moment, there are three main sets of scenarios for use of mobile technologies:

Enhanced Mobile Broadband (eMBB)

eMBB is an evolution of existing wireless broad-band access services, but with higher quality and bandwidth requirements.

Key network requirements: data transmission speed as high as 20 Gbit/s, with latency less than 7 ms.

Main usage scenarios:

  • High-speed Internet access
  • HD video streaming
  • AR and VR services
  • Support for large numbers of subscribers in a single location

Ultra-Reliable and Low-Latency Communications (URLLC)

URLLC may have an outsize impact on manufacturing, transport, healthcare, and commerce. URLLC services are subject to strict requirements regarding network reliability and quality, prioritizing low latency, reliability, and low probability of error in data transmission.

Key network requirements: probability of error from 10^-5 to 10^-8, latency less than 3 ms.

Main usage scenarios:

  • Self-driving vehicles
  • Telemedicine, including remote diagnostics and robotic surgery
  • Remote control of industrial processes

Massive Machine-Type Communications (mMTC)

mMTC extends the IoT concept, bringing an even larger number of devices into the fold. Key factors for mMTC services are high reliability of data transfer, low power consumption, and support for a large number of devices in constrained spaces.

Key network requirements: density of up to 1 million devices per square kilometer and battery life of up to 10 years without recharging.

Main usage scenarios:

  • Smart City systems
  • Cargo transport monitoring
  • Production and staff monitoring
  • Other scenarios with exceptionally high concentration of IoT sensors

Examples of anticipated 5G usage scenarios are shown in the following graphic (image not reproduced here).

Naturally, this description of 5G usage scenarios is not exhaustive. Additional, as of yet unforeseen scenarios may arise. This is why the 5G network architecture is designed to be adaptable to new scenarios with divergent requirements.

5G architecture

Changes will encompass all components of the network. The growing number of connected devices, plus the different demands placed on services under each of the described usage scenarios, require use of new technologies both in the radio network and in the network core.

Radio network

The requirements on 5G networks are high, and implementing them requires using a wide frequency band. But the main difficulty for operators was that available spectrum is very limited. Suitable frequency bands were already allocated for other uses. The solution was two-fold: 5G networks being assigned new millimeter-wave and centimeter-wave bands never used before for mobile communications, plus efficient management of shared spectrum. The new frequency bands brought a new problem: short millimeter waves do not travel well through obstacles. To compensate, a solution was devised with massive MIMO (Multiple-Input Multiple-Output) antennae comprised of hundreds of elements working in concert. Beamforming creates directional beams to efficiently serve individual subscribers. Each 5G network subscriber will get a spatially and temporally tailored signal from the base station antenna, which provides only the service needed by that particular subscriber. This technology allows using the base station more efficiently and increasing 5G radio bandwidth.

Core network

The described scenarios demonstrate that 5G networks will serve devices and applications with varying traffic profiles. It is important to accommodate the needs of applications and allocate network resources based on these diverse requirements. For that purpose, the 5G network is divided into logical segments, with each segment set up to best serve certain devices. This is achieved by using two technologies: Network Function Virtualization (NFV) and Software-Defined Networking (SDN).

Software-Defined Networking

SDN abstracts the network control level from data transmission devices, allowing implementation in software.

Key principles of SDN:

  • Separation of data transmission from data management
  • Centralization of network management with unified software
  • Virtualization of physical network resources

The result is uniform automated control of network parameters on the operator’s distributed network, which allows the following:

  • Centralized application of policies and administration of the network
  • Easy and quick configuration of networks by managing whole networks rather than network devices
  • Optimization of traffic (L2/L3) transmission through a larger number of backup paths

Network Function Virtualization

NFV allows network functions that previously ran on dedicated hosts to be virtualized as software elements. It is possible to mix and match such virtualized network functions on the software level to create various telecommunication services without resorting to additional hardware solutions. So an operator could launch a new service without purchasing new equipment or having to verify compatibility with what is already installed. With NFV, it is possible to split a single physical network into multiple virtual networks (slices) so that various devices get access only to certain services with the required parameters at the right times. This is called network slicing.

Each slice in the network is allocated its own resources, such as bandwidth and service quality. By design, all slices are isolated from each other, so errors or failures in one slice should not affect services in the other slices. Network slicing improves the efficiency of mobile networks and their quality of service.

5G security

The architecture of 2G, 3G, and 4G networks did not account for the possibility of an intruder inside the network or even one on a roaming network. The model of trust was absolute. Anyone with access to the inter-operator network gains access to the network of any operator, which is a serious security flaw.

The key security change in 5G is the new trust model. Its main difference is that the farther from the subscriber’s SIM card (Universal Subscriber Identity Module, or uSIM) and network core (Unified Data Management, or UDM; Authentication Credential Repository and Processing Function, or ARPF), the lower the trust. In other words, now only the subscriber’s uSIM and UDM with ARPF are trusted; all intermediate network hosts are considered untrusted.

A number of new security features were introduced, ensuring that the subscriber and the network interact in a verifiable and authenticated way, according to the updated model of trust:

  • Inter-operator security. Owing to fundamental vulnerabilities in the architecture of the SS7 and Diameter protocols, a number of security issues have been identified in 2G/3G and 4G networks. Inter-operator security in 5G will be provided by security proxy servers, which are essentially an evolution of 2G, 3G, and 4G signaling firewalls.
  • Privacy. To prevent disclosure of subscriber identifiers, 5G networks will use the home network public key for asymmetric encryption.
  • Primary authentication: mutual authentication of the network and devices in 5G.
  • Secondary authentication: used in interaction with other data transmission networks outside the mobile operator domain, such as for Wi-Fi calling.
  • Key hierarchy: to implement the updated trust model, 5G employs key separation. This limits the damage if a part of the infrastructure is compromised, and protects the integrity of data transmitted by the user.
  • Radio network protection. In the gNB base station in 5G, the data processing module (Central Unit, or CU) and the radio module (Distributed Unit, or DU) are separated at the architecture level. The CU and DU interact via a secure interface. Such separation prevents the attacker from getting into the operator’s network, even if successful in gaining access to the radio module.

Taken together, these changes reflect how 5G networks are designed to be much more secure than previous-generation networks. Known security issues in SS7 and Diameter signaling networks have been considered and addressed. This does not mean, however, that 5G networks are unhackable. At this point, we will discuss potential security issues that may arise during implementation of the new standards. Integration of 5G networks into new areas, such as remote surgery, self-driving cars, and automated production processes, makes these networks a more tempting target, multiplying the potential damage and consequences.

5G security issues

Compatibility with previous generation networks

Telecom networks are very slow to change. Transitioning to a new generation usually occurs in several stages and takes years. This means that for a long while, 5G networks will be used side by side with 4G, and even 3G and 2G networks. We must also keep in mind that different operators and different countries will move from 4G to 5G at their own speeds. Mobile operators will have to take care of security not only for the 5G network itself, but also for issues related to the transition and involving interaction with previous-generation networks.

As we know, previous-generation networks are prone to vulnerabilities allowing an adversary to implement attacks such as call and SMS interception, geotracking, and denial of service. For instance, in 2018 our experts managed to intercept voice calls on all tested 3G networks, and successfully intercepted SMS messages on 94 percent of tested networks. On all tested 4G networks it was possible to cause denial of service. These threats will remain even after 5G reaches the public.

It is also possible to attack from the radio interface. One of the latest examples was demonstrated by a group of researchers from the Korea Advanced Institute of Science and Technology who ran a fuzzing test of a 4G network by sending specially crafted messages to check how equipment handles non-standard data. Analysis of two mobility management entities (MMEs) revealed 51 vulnerabilities caused by incorrect protocol implementation by equipment manufacturers. The same test can be done on 5G networks: even the latest architecture has the potential to contain similar issues.

Welcome to the Internet: vulnerabilities in REST APIs

New-generation mobile networks require new signaling protocols in the network core.

Unlike the previous generations, which relied on the niche SS7 and Diameter protocols, the 5G network core is built on well-known Internet protocols (HTTP, TLS, and others). This change induces some anxiety, because the relative obscurity of telecom protocols served as a sort of natural barrier against attackers. Internet technologies, on the other hand, are open and well-studied: there are many techniques for finding vulnerabilities, and many readily available tools that make those vulnerabilities easier to exploit.

Web resources are a regular target for hackers. In 2018, such attacks accounted for a quarter of all security incidents. Software development is rife with mistakes that impact security. Our latest study shows that 67 percent of web applications contain high-risk vulnerabilities. Due to failure to correctly handle or sanitize inputs, a specially crafted JSON object may cause denial of service or allow the attacker to execute arbitrary code and get control of equipment (see, for instance, vulnerabilities CVE-2017-8046 and CVE-2017-17485).
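The failure mode described above (an unvalidated JSON body reaching the parser and the application logic) is the kind of defect a network function on an HTTP/REST service interface must be hardened against. The following is an added example, not code from the report or from any 5G core product: it contrasts a naive handler that passes the body straight to the parser with one that enforces a body-size limit, a nesting-depth limit and a strict schema before any value is used. The request shape (a hypothetical "session setup" message with dnn, sliceId and qos fields), the limits and the sample payloads are all constructed assumptions.

```python
"""Defensive handling of a JSON request body on a REST/HTTP interface.

The message shape, the limits and the sample payloads below are constructed
for illustration; they are not a 3GPP-defined API or figures from the report.
"""
import json

MAX_BODY_BYTES = 16 * 1024   # assumed per-endpoint body limit
MAX_NESTING_DEPTH = 16       # assumed maximum object/array nesting


class RejectedInput(ValueError):
    """Raised when a request body fails a pre-parse or schema check."""


def nesting_depth(raw: bytes) -> int:
    """Measure the deepest bracket nesting with a linear scan, without building
    an object tree, so the check costs O(n) memory regardless of the payload."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in raw.decode("utf-8", errors="replace"):
        if in_string:                      # brackets inside strings do not count
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def parse_naive(raw: bytes):
    """The 'before' pattern: trust the body and hand it straight to the parser."""
    return json.loads(raw)


def _is_int(v) -> bool:
    # bool is a subclass of int in Python; true/false must not pass as numbers
    return isinstance(v, int) and not isinstance(v, bool)


# Hypothetical schema: field -> (expected type, value predicate). Unknown fields
# are rejected outright so that parser-specific "magic" keys never reach the app.
SCHEMA = {
    "dnn":     (str,  lambda v: 1 <= len(v) <= 64
                                and v.replace(".", "").replace("-", "").isalnum()),
    "sliceId": (int,  lambda v: _is_int(v) and 0 <= v <= 255),
    "qos":     (dict, lambda v: set(v) == {"maxBitrateKbps"}
                                and _is_int(v["maxBitrateKbps"])
                                and 0 < v["maxBitrateKbps"] <= 20_000_000),
}


def parse_hardened(raw: bytes) -> dict:
    """Reject oversized, over-nested, malformed or off-schema bodies before use."""
    if len(raw) > MAX_BODY_BYTES:
        raise RejectedInput("body too large")
    if nesting_depth(raw) > MAX_NESTING_DEPTH:
        raise RejectedInput("nesting too deep")
    try:
        obj = json.loads(raw)
    except ValueError as exc:
        raise RejectedInput(f"malformed JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise RejectedInput("top-level value must be an object")
    unknown = set(obj) - set(SCHEMA)
    if unknown:
        raise RejectedInput(f"unknown fields: {sorted(unknown)}")
    missing = set(SCHEMA) - set(obj)
    if missing:
        raise RejectedInput(f"missing fields: {sorted(missing)}")
    for name, (typ, ok) in SCHEMA.items():
        value = obj[name]
        if not isinstance(value, typ) or not ok(value):
            raise RejectedInput(f"invalid value for {name!r}")
    return obj


def verdict(raw: bytes) -> str:
    """Convenience wrapper returning 'accepted' or the rejection reason."""
    try:
        parse_hardened(raw)
        return "accepted"
    except RejectedInput as exc:
        return f"rejected: {exc}"


# Constructed sample payloads.
GOOD = b'{"dnn": "internet", "sliceId": 1, "qos": {"maxBitrateKbps": 100000}}'
DEEP = b"[" * 200 + b"]" * 200           # well-formed JSON, 200 levels deep
TYPE_CONFUSED = b'{"dnn": "internet", "sliceId": "1", "qos": {"maxBitrateKbps": 100000}}'
UNKNOWN_FIELD = b'{"dnn": "internet", "sliceId": 1, "qos": {"maxBitrateKbps": 1}, "debug": true}'

if __name__ == "__main__":
    for label, body in [("good", GOOD), ("deep", DEEP),
                        ("type-confused", TYPE_CONFUSED), ("unknown-field", UNKNOWN_FIELD)]:
        print(f"{label:14s} naive depth={nesting_depth(body):3d}  hardened: {verdict(body)}")
```

The depth scan runs before json.loads so that a pathological body is refused without the parser ever recursing into it; the schema step then rejects type confusion (a string where an integer is expected) and any key the endpoint does not define, which is the check the sanitization failures mentioned above lack.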

Lowering the penetration threshold will inevitably pave the way for an upswing in attacks on 5G networks. Hackers who did not want to study complex specialized protocols will turn their attention to networks built with already familiar technologies.

Security of network slicing

As described before, network slicing allows splitting a network into isolated slices and allocating separate resources (bandwidth, service quality, and so on) as well as unique security policies to each slice. Every network slice is to be isolated from the others, and therefore unable to impact the other slices and the network as a whole. But this architecture means increasing the number of configurable parameters proportionally to the number of slices, which in turn makes it more difficult to properly configure the network. This has significant security implications. This may be especially true when 5G network infrastructure is built jointly by several operators or when the 5G network operator’s network is used by several virtual mobile operators.

As indicated by our study of the security of 3G and 4G networks, as well as corporate information systems, configuration errors are very common. For instance, in 2018 one out of every three successful attacks during 4G network testing was related to incorrect settings of network equipment and of equipment responsible for security of signaling networks. Configuration flaws were found in all corporate systems tested by our company, and 75 percent of systems harbored critical or high-severity vulnerabilities based on CVSS v3.0 scoring. Moreover, in one out of every four external penetration testing projects, configuration flaws allowed pursuing the attack vector until access to the internal network was successfully obtained.

The more complex the system and the more components it contains, the greater the probability of an error when administering it. Increasing the number of slices on a 5G network may lead to more configuration errors and even deterioration of operator awareness, adversely impacting the overall security of the 5G network.

One out of every three successful attacks on 4G networks was related to incorrect configuration of equipment.

Figure 6. Increase in number of vulnerabilities (image not reproduced here)

Security of SDN and NFV

Networks built on SDN and NFV differ from traditional networks. For instance, on a traditional network, the task of copying signaling traffic for monitoring is handled by special hardware subsystems (ASICs) with no appreciable impact on network performance. On SDN/NFV networks, this task inevitably increases the CPU and memory burden on the virtual network because it is performed on the same infrastructure. Also, some hardware components may communicate with each other directly, which precludes mirroring of traffic. All this may cause operators to try to reduce the number of monitoring points and, as a result, blind spots may appear and make it impossible to detect malicious activity.

Switching to SDN/NFV entails a change in network infrastructure and appearance of new elements, such as an orchestrator and various control components. This lengthens the chain of trust and brings new risks.

  • Reduced isolation. In NFV most components can communicate with each other directly, at least on a physical level, whereas on traditional networks they are physically isolated.
  • Risk of sharing resources. A number of unrelated components can draw on the same hardware resources, impacting each other’s performance. An attack on any virtual function can impact other virtual machines running on the same physical server.
  • Access control issues. How can credentials and access keys be distributed between functions to prevent access by an intruder?

All of these issues make it more difficult to detect, localize, and resolve security issues on SDN/NFV networks.

Internet of Things security

Gartner analysts expect that by 2020, there will be about 20 billion IoT devices worldwide. So by the time 5G goes commercial, its main subscribers will not be people (as with previous-generation networks), but IoT devices, such as industrial monitoring systems, or Smart City and Smart Home elements. 5G usage scenarios for IoT devices (URLLC and mMTC) will be quite different from the behavior of human subscribers.

The patterns of human subscribers are more or less consistent; network activity and movement usually vary based on the time of day. But the behavior of IoT devices is absolutely different from device to device. For instance, sensors communicate and exchange data periodically regardless of the time of day, but they may remain entirely stationary. By contrast, other devices — for car sharing or any kind of logistics — are constantly moving. So the existing threat model, developed for identification of suspicious activity in the context of a human subscriber, will not work for the IoT.
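The point above is that a single subscriber-centric anomaly model cannot cover sensors that never move but report around the clock, trackers that move constantly, and handsets that behave like people. The following is an added example, not a model from the report: it keeps a small behaviour profile per device class (whether the class is expected to move, and how much traffic per hour is normal for it) and runs constructed usage events through it, so that a "stationary" sensor that changes cell or a sensor whose hourly volume jumps far above its baseline is flagged while a moving asset tracker is not. The device classes, thresholds, event format and sample events are all constructed assumptions.

```python
"""Per-device-class behaviour baselines for IoT subscribers.

Device classes, thresholds, the event format and the sample events are
constructed for illustration; they are not figures or a model from the report.
"""
from collections import defaultdict
from datetime import datetime

# Assumed behaviour profile per device class (constructed).
PROFILES = {
    "stationary_sensor": {"mobile": False, "max_bytes_per_hour": 5_000},
    "asset_tracker":     {"mobile": True,  "max_bytes_per_hour": 50_000},
    "handset":           {"mobile": True,  "max_bytes_per_hour": 2_000_000_000},
}


def parse_event(line: str) -> dict:
    """Event format (constructed): '<iso-timestamp> <device> <class> <cell> <bytes>'."""
    ts, dev, cls, cell, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "dev": dev, "cls": cls,
            "cell": cell, "bytes": int(nbytes)}


def detect(lines):
    """Return a sorted list of (device, alert) pairs, one entry per alert type."""
    hourly_bytes = defaultdict(int)   # (device, hour) -> bytes seen in that hour
    cells = defaultdict(set)          # device -> set of cells it has reported from
    alerts = set()
    for line in lines:
        e = parse_event(line)
        prof = PROFILES.get(e["cls"])
        if prof is None:
            # A class with no profile cannot be baselined; surface it rather than skip it.
            alerts.add((e["dev"], "unknown device class"))
            continue
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        hourly_bytes[(e["dev"], hour)] += e["bytes"]
        cells[e["dev"]].add(e["cell"])
        # Movement is normal for trackers and handsets, anomalous for fixed sensors.
        if not prof["mobile"] and len(cells[e["dev"]]) > 1:
            alerts.add((e["dev"], "stationary device changed cell"))
        # A sensor suddenly pushing far more traffic than its class ever does is
        # the signature an operator would want to see for botnet-style abuse.
        if hourly_bytes[(e["dev"], hour)] > prof["max_bytes_per_hour"]:
            alerts.add((e["dev"], "hourly traffic above class baseline"))
    return sorted(alerts)


# Constructed sample events.
SAMPLE_EVENTS = [
    "2019-09-05T08:00:00 sensor-01 stationary_sensor cell-100 200",
    "2019-09-05T08:15:00 sensor-01 stationary_sensor cell-100 200",
    "2019-09-05T08:30:00 sensor-01 stationary_sensor cell-100 200",
    "2019-09-05T08:00:00 sensor-02 stationary_sensor cell-100 200",
    "2019-09-05T08:15:00 sensor-02 stationary_sensor cell-205 200",    # fixed sensor moved
    "2019-09-05T08:00:00 sensor-03 stationary_sensor cell-100 200",
    "2019-09-05T08:01:00 sensor-03 stationary_sensor cell-100 400000", # traffic spike
    "2019-09-05T08:00:00 tracker-07 asset_tracker cell-100 1500",
    "2019-09-05T08:20:00 tracker-07 asset_tracker cell-310 1500",      # mobile, expected
    "2019-09-05T08:00:00 phone-42 handset cell-100 80000000",
]

if __name__ == "__main__":
    for dev, alert in detect(SAMPLE_EVENTS):
        print(f"{dev}: {alert}")
```

Because the thresholds live in the per-class profile rather than in the detection code, adding a new device type is a data change, which is what a threat model "attuned to diverse device types" needs in practice.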

At the same time, the number of malware campaigns targeting IoT devices has boomed by 50 percent in the last year. Perhaps the best-known example of the destructive capacity of such attacks is the Mirai botnet, which included over half a million devices. This botnet was responsible for a series of powerful DDoS attacks in 2016. These include an attack on the equipment of Deutsche Telekom that affected about 900,000 devices and caused mass disruption of communications in Europe, as well as an attack on DNS provider Dyn, which cut off access for U.S. and European users to major web services such as Amazon, GitHub, and PayPal. New variations of Mirai are still being discovered today, such as the IoTroop/Reaper botnet which struck financial institutions in 2018, or Yowai, discovered in early 2019.

The security of IoT devices is still poor, and malware distribution is easily scalable, because users rarely update device firmware and seldom change factory passwords. In 2018, Positive Technologies experts found vulnerabilities in ZTE CPE terminals allowing remote execution of arbitrary code. At that time, on the Shodan search engine one could find over a million devices potentially vulnerable to incorporation in a new botnet even larger than Mirai.

There are many types of IoT devices and new ones appear every year. 5G network operators will have to develop new threat models more attuned to diverse device types.

5G security guidelines

Unfortunately, very often during testing and even during implementation operators build their networks with little or no thought to security. Security policies are applied only once the network is in use by paying subscribers. This expedites network deployment and may save some money initially, but in the long run ends up causing large financial headaches. Operators are forced to spring for equipment not in their original budget and then adapt the new solutions to their existing network architecture. In such cases, fully meeting security requirements can become nearly impossible.

Based on our experience studying the security of previous-generation networks, as well as the potential security problems with 5G networks described already, we can provide some high-level recommendations for future 5G network operators.

Network protection: comprehensive approach

At first, 5G networks will be based on the 4G network core, thus inheriting the vulnerabilities of 4G networks. Another possibility is a cross-protocol attack, when hackers exploit vulnerabilities in multiple protocols at the same time. An attack can begin with exploitation of 4G or even 3G vulnerabilities, with the resulting information then used against 5G networks. For instance, the attacker can find a subscriber’s IMSI by exploiting vulnerabilities in 3G networks. In 2018, such vulnerabilities were found on 74 percent of tested networks. In addition, every tested 4G network allowed obtaining data about the operator’s network configuration.

This means that to build adequate protection for 5G networks, operators need to start with securing previous-generation networks. Operators should immediately start analysis of all signaling information crossing the border of their home network in order to ensure security and block illegitimate traffic. This analysis provides the data needed to keep security policies up to date. This comprehensive and systematic approach can enable securing 5G networks from day one.
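The recommendation above is to analyze every signaling message that crosses the home network border and block what is not legitimate. The following is an added example, not code from the report or from any signaling firewall product: it applies a few border rules to constructed Diameter S6a message records (origin realm must be a known roaming partner; only commands a partner may legitimately send inbound are accepted; the IMSI must belong to a home subscriber; and a subscriber cannot plausibly re-attach from a different partner network minutes after the last update). The realms, IMSIs, allowed-inbound command set, the 30-minute relocation threshold and the log format are constructed assumptions; the S6a command codes for Update-Location (316), Cancel-Location (317) and Authentication-Information (318) are as defined in 3GPP TS 29.272.

```python
"""Border policy checks on inbound Diameter S6a signaling records.

Realms, IMSIs, the allowed-inbound command set, the relocation threshold and the
record format are constructed for illustration, not a production rule set.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME_IMSI_PREFIX = "001001"                      # constructed test-range MCC+MNC
ROAMING_PARTNERS = {                             # constructed partner realms
    "epc.mnc002.mcc001.3gppnetwork.org",
    "epc.mnc010.mcc999.3gppnetwork.org",
}
# S6a command codes (3GPP TS 29.272). Which of them a partner may send to the
# home network is policy; the set below is an assumption for this example.
ULR, CLR, AIR = 316, 317, 318
INBOUND_ALLOWED = {ULR, AIR}
MIN_RELOCATION_INTERVAL = timedelta(minutes=30)  # assumed velocity-check threshold


@dataclass
class Verdict:
    line: int
    action: str   # "allow" or "block"
    reason: str


def parse_record(line: str) -> dict:
    """Record format (constructed): '<iso-timestamp> origin_realm=.. cmd=.. imsi=..'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["cmd"] = int(fields["cmd"])
    return fields


def evaluate(lines):
    """Apply the border rules in order; the first failing rule decides the verdict."""
    last_seen = {}   # imsi -> (realm of last accepted location update, timestamp)
    verdicts = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        realm, cmd, imsi = rec["origin_realm"], rec["cmd"], rec["imsi"]
        if realm not in ROAMING_PARTNERS:
            verdicts.append(Verdict(n, "block", f"unknown origin realm {realm}"))
            continue
        if cmd not in INBOUND_ALLOWED:
            verdicts.append(Verdict(n, "block", f"command {cmd} not expected inbound from a partner"))
            continue
        if not imsi.startswith(HOME_IMSI_PREFIX):
            verdicts.append(Verdict(n, "block", "IMSI is not a home subscriber"))
            continue
        if cmd == ULR:
            prev = last_seen.get(imsi)
            if prev and prev[0] != realm and rec["ts"] - prev[1] < MIN_RELOCATION_INTERVAL:
                verdicts.append(Verdict(n, "block", f"implausible relocation from {prev[0]}"))
                continue
            last_seen[imsi] = (realm, rec["ts"])
        verdicts.append(Verdict(n, "allow", "policy checks passed"))
    return verdicts


# Constructed sample records.
SAMPLE_LOG = [
    "2019-09-05T10:00:00 origin_realm=epc.mnc002.mcc001.3gppnetwork.org cmd=316 imsi=001001123456789",
    "2019-09-05T10:05:00 origin_realm=epc.mnc999.mcc999.3gppnetwork.org cmd=316 imsi=001001123456789",
    "2019-09-05T10:10:00 origin_realm=epc.mnc010.mcc999.3gppnetwork.org cmd=316 imsi=001001123456789",
    "2019-09-05T10:12:00 origin_realm=epc.mnc002.mcc001.3gppnetwork.org cmd=317 imsi=001001123456789",
    "2019-09-05T10:15:00 origin_realm=epc.mnc002.mcc001.3gppnetwork.org cmd=318 imsi=001001123456789",
    "2019-09-05T10:20:00 origin_realm=epc.mnc002.mcc001.3gppnetwork.org cmd=316 imsi=002002000000001",
    "2019-09-05T11:00:00 origin_realm=epc.mnc010.mcc999.3gppnetwork.org cmd=316 imsi=001001123456789",
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_LOG):
        print(f"line {v.line}: {v.action:5s} {v.reason}")
```

The verdicts double as the data the text says is needed to keep policies current: each block carries the rule that fired, so the distribution of reasons over time shows which partner realms, commands or relocation patterns the policy is actually seeing.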

Security audit

The service-oriented 5G network architecture with SDN/NFV and network slicing affords operators the flexibility needed to quickly adapt their networks to market requirements. But the downside is impaired manageability of the architecture. This heightens the importance of performing a security audit to detect potential vulnerabilities and check whether security policies have been correctly configured and applied with respect to network elements. Security auditing is necessary both during initial 5G network deployment and regularly afterwards. This makes it possible to track changes in network security and take timely action to address discovered vulnerabilities.

Security as a process

Security is a process, not a one-and-done goal: though much has been and is being done for security at the level of the 5G standard, issues still remain.

Operators must regularly study and implement 3GPP and GSMA recommendations for protecting their 5G networks. But recommendations must be implemented in a thoughtful way. They are usually generic, but every network is unique. Changes in security policies — whether based on recommendations, audits, or monitoring — need to be a part of an overall process. Verification of such changes must be performed before and after implementation.

In other words, 5G security is not just about the right architecture or the right choice of security equipment. It requires building workflows, procedures, and collaboration across teams.

Conclusion

Each new generation of mobile networks has tended to reduce information security risks. Known issues with SS7 and Diameter security were taken into account during development of the 5G network architecture. However, new technologies such as virtualization and novel usage scenarios bring new risks for network operators. For all the security mechanisms in 5G networks, the final result depends on the vendors of solutions, hardware, and software responsible for standards implementation, and on the operators responsible for proper configuration and compliance with recommendations.

The full original research report is available here.
