While enthusiasts are anxiously awaiting the massive introduction of fifth-generation networks, cybercriminals are rubbing their hands in anticipation of new opportunities for profit. Despite all the efforts of the developers, 5G technology contains vulnerabilities, the detection of which is complicated by the lack of experience in the new environment. We examined a small 5G network and identified three types of vulnerabilities, which we will discuss in this post.
Object of study
Consider the simplest example – a non-public 5G campus network (Non-Public Network, NPN) connected to the outside world through public communication channels. It is such networks in the near future that will be used as typical in all countries included in the 5G race. The potential environment for deploying networks of this configuration is “smart” enterprises, “smart” cities, offices of large companies and other similar locations with a high degree of controllability.
NPN Infrastructure: The enterprise’s closed network is connected to the global 5G network through public channels. Source: Trend Micro
Unlike fourth-generation networks, 5G networks are focused on real-time data processing, so their architecture resembles a multi-layer cake. Separation into levels allows you to simplify the interaction by standardizing the API for interaction between layers.
Comparison of 4G and 5G architectures. Source: Trend Micro
The result is increased automation and scalability, which is critical for processing huge amounts of information from the Internet of Things (IoT).
The isolation of levels laid down in the 5G standard leads to a new problem: the security systems that work inside the NPN network protect the object and its private cloud, the security systems of external networks – their internal infrastructure. Traffic between NPN and external networks is considered safe, since it comes from secure systems, but in fact no one protects it.
In our latest study Securing 5G Through Cyber-Telecom Identity Federation we present several cyber attack scenarios on a 5G network that exploit
• SIM card vulnerabilities,
• network vulnerabilities,
• vulnerabilities of the identification system.
Consider each vulnerability in more detail.
SIM Card Vulnerabilities
A SIM card is a complex device on which there is even a whole set of built-in applications – SIM Toolkit, STK. One of such programs, S @ T Browser, can theoretically be used to view the operator’s internal sites, but in practice it has long been forgotten and has not been updated since 2009, since now other functions perform these functions.
The problem is that S @ T Browser turned out to be vulnerable: a specially prepared service SMS hackes the SIM card and forces it to execute the commands necessary for the hacker, and the user of the phone or device will not notice anything unusual. The attack is called Simjaker and gives a lot of opportunities to attackers.
Simjacking attack on a 5G network. Source: Trend Micro
In particular, it allows the attacker to transfer information about the location of the subscriber, his device identifier (IMEI) and cell tower (Cell ID), as well as forcing the phone to dial a number, send SMS, open a link in a browser and even disconnect a SIM card.
In the context of 5G networks, this vulnerability of SIM cards becomes a serious problem, given the number of connected devices. Though SIMAlliance and Developed New 5G SIM Standards for Enhanced Securityin fifth generation networks is still it is possible to use “old” SIM-cards. And since everything works this way, you don’t have to expect a quick replacement of existing SIM cards.
Malicious use of roaming. Source: Trend Micro
Using Simjacking allows you to force the SIM card into roaming mode and force it to connect to the cell tower that the attacker controls. In this case, the attacker will be able to modify the settings of the SIM card to listen to telephone conversations, introduce malware and conduct various types of attacks using a device containing a hacked SIM card. He will be able to do this by the fact that interaction with devices in roaming occurs bypassing the security procedures adopted for devices in the “home” network.
Attackers can change the settings of a compromised SIM card to solve their problems. The relative ease and stealth of the Simjaking attack allow it to be carried out on an ongoing basis, taking control of more and more new devices, slowly and patiently (low and slow attack) cutting pieces of the net like slices of salami (salami attack) Tracking this impact is extremely difficult, and in a complex 5G distributed network, it’s almost unrealistic.
Gradual introduction to the 5G network using Low and Slow + Salami attacks. Source: Trend Micro
And since 5G networks do not have built-in SIM-card security control mechanisms, attackers will gradually be able to set their own rules inside the 5G communication domain using captured SIM cards to steal funds, authorize at the network level, install malware and other illegal activities.
Of particular concern is the appearance on hacker forums of tools that automate the capture of SIM cards using Simjaking, since the use of such tools for fifth-generation networks gives attackers almost unlimited possibilities for scaling attacks and modifying trusted traffic.
A SIM card is used to identify the device on the network. If the SIM card is active and has a positive balance, the device is automatically considered legitimate and does not raise suspicion at the level of detection systems. Meanwhile, the vulnerability of the SIM card itself makes the entire identification system vulnerable. IT security systems simply will not be able to track an illegally connected device if it registers on the network using the identity stolen through Simjaking.
It turns out that a hacker who connected to the network through a hacked SIM card gains access at the level of the current owner, since IT systems no longer check devices that have been authenticated at the network level.
Guaranteed identification between the software and the network layer adds another problem: criminals can intentionally create “noise” for intrusion detection systems by constantly performing various suspicious actions on behalf of captured legitimate devices. Since the operation of automatic detection systems is based on the analysis of statistics, the threshold values for an alarm will gradually increase, ensuring that there is no reaction to real attacks. Long-term exposure of this kind is quite capable of changing the functioning of the entire network and creating statistical “blind spots” for detection systems. Criminals controlling such zones can attack data inside the network and physical devices, organize denial of service and do other harm.
Solution: Unified Identity Verification
Vulnerabilities of the investigated 5G NPN network are a consequence of fragmented security procedures at the communication level, the level of SIM cards and devices, as well as at the level of roaming interaction between networks. To solve this problem, it is necessary in accordance with the principle of zero confidence (Zero-Trust Architecture, ZTA) provide authentication of devices connected to the network at each stage by introducing a federal model of identification and access control (Federated Identity and Access Management, FIdAM)
The principle of ZTA is to maintain security even when the device is uncontrolled, moving or is outside the network perimeter. The federated authentication model is a 5G security approach that provides a single, consistent architecture for authentication, access rights, data integrity, and other components and technologies in 5G networks.
This approach eliminates the possibility of introducing a “roaming” tower into the network and redirecting captured SIM cards to it. IT systems will be able to fully detect the connection of extraneous devices and block spurious traffic that creates statistical noise.
To protect the SIM card from modification, it is necessary to introduce additional integrity checks into it, possibly implemented as a blockchain-based SIM application. The application can be used to authenticate devices and users, as well as to verify the integrity of the firmware and SIM card settings both when roaming and when working on a home network.
The solution to the identified 5G security problems can be represented as a combination of three approaches:
• implementation of a federal model of identification and access control, which will ensure data integrity in the network;
• ensuring full visibility of threats by implementing a distributed registry to verify the legitimacy and integrity of SIM cards;
• Formation of a distributed security system without borders that solves issues of interaction with devices in roaming.
The practical implementation of these measures requires time and serious expenses, but the deployment of 5G networks is everywhere, which means that you need to start working on fixing vulnerabilities right now.