Notes On 5g Networks And Attacks

Abbreviations Used

• IMSI: International mobile subscriber identity
• RAN: Radio area network
• NGAP: Next-Generation Application Protocol
• GTP-U: GPRS tunneling protocol user plane

I found it convenient to document and order 5G network attacks that I have come across in my ongoing research. I am writing this post as both a reference and a tool to focus on the bigger picture of 5G network security. I approach this work from both a network security and a security perspective, as I have relatively little knowledge of what is required to be a telecom operator. If there are any places where corrections are necessary, feel free to email me or contact me on my socials. Like other posts on this site, this will be a living document until it’s completed.

5G Network Architecture Fundamentals

5th generation mobile network standard differs from previous network generations in the following ways:

• Network Slicing
• Enhanced broadband enabling high speed and large capacities
• Low latency Communication
• Improved Security Capabilities

From the perspective of packet flow in a 5G cellular system, mobile phones or IoT devices connect to a base station via radio waves. From the base station, the traffic then flows through the 5G core. After reaching the 5G core network, traffic is decoupled between the control and user planes. The control plan carries the signal and facilitates the traffic, whereas the user plane functions connect to and process user data from the RAN (radio area network) and provide functionality to ensure devices are handed off to the next connected base station. The flow of packets into the RAN, similar to the control plane traffic, is assumed to come after the device has connected to the base station.

Network slicing allows mobile operators to divide the core and radio networks into virtual blocks to provide different amounts and types of resources based on traffic type. The generality of 5G networks has motivated a wide range of industries to onboard devices ranging from automotive to critical infrastructure devices to 5G networks based on the promise of secure network slices. The decoupling process happens when the base station establishes a connection to the control plane via the NGAP (Next-Generation Application Protocol). The user’s traffic is then set to the user plane using the GTP-U (GPRS tunneling protocol user plane) before being routed to the external network.

The GTP-U protocol is a UDP protocol that carries user data from base stations to the packet core, which is providing the cellular features. This is also commonly referred to as the UPF plane. More information on the protocol can be found in its specification1 2 or in this overview.

This architecture ensures that the user and infrastructure networks are isolated from each other and cannot communicate with each other, which in turn reduces the attack surface exposed by user devices.

Attacks and Vulnerabilities

The unique composition of 5G networks can expose users to security concerns that they themselves may not be aware of. In this section, we attempt to provide attack scenario descriptions and references to highlight each type of attack. We will cover both user-centric attacks and attacks on core infrastructure based on the logical components described earlier.

Attacks on UPF Plane

The impact of this family of attack enable attackers to gain access to subscriber information and subscriber-specific network functions. Three types of recently discovered attacks demonstrate how IMSI capture devices like Stingrays can easily intercept phone conversations of users to detect their location via vulnerabilities in the security layers of the 4G and 5G protocols.

The attacks against the UPF that have a direct impact on users include the following 1:

• Torpedo Attack exploit a flaw in the paging protocol that alerts users of incoming texts and calls.
• Pierce Attack allows an attacker to determine the IMSI of a device a 4G network
• IMSI-Cracking is a brute force attack for cracking the encrypted IMSI number in both 4G and 5G networks

Attacks can leverage the tunneling functionality of the UPF to route traffic to private addresses while bypassing geo-fencing protections and other security enforcement utilities. This is largely due to the lack of authentication in the data plane and because of the lack of cross- checking the control and data plane of cellular networks. The recently discovered ZDI-CAN-18522 vulnerability takes this further by demonstrating how threat actors can access 5G devices regardless of security architecture and tunnel traffic through the network from anywhere on the internet to any address if authentication is not enabled.

Attacks on Infrastructure

Some examples of attacks on 5G infrastructure occur largely due to power security practices and implementations. The current recommendation requires the configuration of IPsec between the base station and UPF (user plane function), which implements the tunneling protocol GTP-U. The GPT -U protocol lacks encryption and requires strong security controls to provide users with promised security guarantees. The lack of encryption makes the protocol an entry point for threat actors if it is exposed. There is also no guarantee that implementations are verifying that packets are being received from trusted sources.

The lack of sufficient firewalls and security can result in the exposure of nodes implementing the GPT-U protocol, also called N3 nodes, to the internet. This led to the discovery of DoS exploits in the Open5GS implementation 1. Poor security implementation is also shown to allow hackers to craft and send malicious packets to N3 nodes, which can in turn leak infrastructure node information and locality.

Reports of Attacks Against 5G Networks

Given the security challenges faced by 5G networks, it should be assumed that these networks would be a hotbed for advanced threat activity. In this section, we provide links and limited overviews of current detected campaigns.

March 16. 2021 – Operation Diànxùn A campaign that targets the US, Europe and Southeastern countries, stealing technology using a phishing scheme. Additional sources: 1

October 19, 2021 – LightBasin

February 9, 2022 - Cyberattack against Vodafone Network. Source 1

December 9. 2023 – 5Ghoul is a reported vulnerability in the firmware of network modems used for the 5G mobile network.

February 27, 2024 – GTPDoor Novel backdoor tailored for covert access over the roaming exchange

Tools

• MITRE FiGHT
• toolkit5G
• 5g trace visualizer

  References

• Blog post: Major vulnerability exposes 5G core network slicing to DoS attacks
• Paper: Malicious Lateral Movement in 5G Core with Network Slicing and It’s Detection
• Blog post: Attacks on 5G Infrastructure From Users’ Devices
• Paper: Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information
• Report: Potential Threat Vectors to 5G Infrastructure
• Paper: Malicious Lateral Movement in 5G Core With Network Slicing And Its Detection
• Paper/Demonstration: Never Let Me Down Again: Bidding-Down Attacks and Mitigation’s in 5G and 4G
• Blog Post: An Emerging Threat: Attacking 5G Via Network Slices)
• Report: Attacks From 4G/5G Core Networks: Risks of The Industrial IoT in Compromised Campus Networks
• Presentation: Attacks From a New Front Door in 4G/5G Mobile Networks
• Documentation: 3GPP
• Book: Private 5G
• Blog Post

Updates

• 4/28/2024 - Added “Reports of Attacks on 5G Networks” section with sources
• 4/29/2024 - Updated References, Attacks, and Tools sections