5G network exposed serious vulnerability: can steal other user data

The network slicing and virtualized network functions of the 5G architecture have security vulnerabilities, and malicious attackers may use this to launch data access and denial of service attacks across different network slices on the mobile operator’s 5G network.

Mobile security company AdaptiveMobile reported the latest research findings to the GSM Association (GSMA) on February 4, and numbered the security vulnerability discovered this time as CVD-2021-0047.

5G network slicing has vulnerabilities

5G is an evolution of 4G LTE technology that uses a service-based architecture (SBA) to provide a modular framework for deploying a set of interconnected network functions. Through it, users can discover services and obtain authorized access to a range of services far beyond what was possible in the past.

AdaptiveMobile said, “5G provides a number of security features based on a service-based architecture that incorporates valuable lessons learned from previous generations of network technologies. On the other hand, the 5G-based service-based architecture itself is still a new network concept, requiring the network to open up to new partners and services, and this inevitably brings new security challenges.”


According to the mobile security company, the new security risks brought by the 5G architecture are not only related to the rigid requirements to support traditional functions, but also to the “increased protocol complexity” brought about by the transition from 4G to 5G. Specifically, the design of the new architecture may leave opportunities for the following attacks:

• Malicious access to specific slices by forcing the use of slice differentiators. The slice differentiator is an optional value set by network operators to distinguish slices of the same type. Once abused, it lets unauthorized attackers reach, through other slices, information in specific slices of the same type, such as the access and mobility management function (AMF), location information of user equipment, etc.

• Use of a compromised slice to perform a Denial of Service (DoS) attack against another network function.

These attacks are expected to work because the 5G service-based architecture lacks a check mechanism to ensure that the slice identity in a signaling-layer request matches the slice identity actually used at the transport layer. This allows attackers to access the 5G operator’s service-based architecture via network functions, thereby taking control of the core network and network slices.

It should be noted that the signaling layer belongs to the application layer specific to the telecommunication network and is used to exchange signaling messages between various network functions within different slices.


What is 5G network slicing?

An important method for coordinating service-based architectures in the core of 5G networks is the network slicing model mentioned earlier.

As the name implies, the basic idea of network slicing is to “slice” the original network architecture into multiple independent logical virtual networks, and to configure each network so that it can meet specific business goals. This design places strict requirements on the quality of service (QoS) of each slice.


In addition, each slice in the core network consists of a logical grouping of network functions (NFs). These network functions can be assigned exclusively to specific slices, or shared among different slices.

In other words, this network slicing model enables network operators to build highly optimized custom solutions for specific industries by creating certain independent slices that prioritize certain characteristics, such as higher bandwidth.

For example, mobile broadband slicing can be used to facilitate entertainment and Internet-related services; IoT slicing is well suited to the operational needs of retail and manufacturing industries; and low-latency standalone slicing can adequately serve security industries such as healthcare and infrastructure.

How to respond

To address this threat, in addition to deploying signaling layer protection solutions, AdaptiveMobile recommends placing signaling security filters between different slices, between shared and non-shared network functions, and between the core network and external partners. In this way, the network is divided into multiple security zones, which prevents the data leakage that results from the lack of correlation between different layers.

Although existing 5G architectures do not yet support such guard nodes, AdaptiveMobile's research report recommends enhancing the Service Communication Proxy (SCP) to verify the correctness of the message format, perform information matching between layers and protocols, and coordinate with load-related functions to prevent DoS attacks.

The researchers concluded, “This filtering and verification method protects the 5G core network by dividing the network into multiple security zones. These security network functions can correlate attack information with each other to maximize protection against high-level attacks. In addition to significantly improving the speed of attack mitigation and detection, it minimizes the number of security false positives.”
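The cross-layer check described above, as an added example that is not taken from AdaptiveMobile's report or from any SCP implementation: a filter first validates the format of the slice identifier in a signaling request, then matches it against the slices the sending network function is bound to at the transport layer. The peer names, the TRANSPORT_SLICES table and the "snssai" request field are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

SD_RE = re.compile(r"^[0-9A-Fa-f]{6}$")  # slice differentiator: 24 bits as 6 hex digits

@dataclass(frozen=True)
class Snssai:
    sst: int                   # slice/service type, 0-255
    sd: Optional[str] = None   # optional slice differentiator

def parse_snssai(obj):
    """Format check: reject malformed slice identifiers before any matching."""
    if not isinstance(obj, dict):
        raise ValueError("slice identifier must be an object")
    sst, sd = obj.get("sst"), obj.get("sd")
    if isinstance(sst, bool) or not isinstance(sst, int) or not 0 <= sst <= 255:
        raise ValueError("sst must be an integer in 0-255")
    if sd is not None and not (isinstance(sd, str) and SD_RE.match(sd)):
        raise ValueError("sd must be 6 hex digits")
    return Snssai(sst, sd.upper() if sd else None)

# Constructed sample data: the slices each network function is bound to at the
# transport layer (for instance via its TLS identity). Hypothetical names.
TRANSPORT_SLICES = {
    "nf-slice1.example": {Snssai(1, "000001")},
    "nf-shared.example": {Snssai(1, "000001"), Snssai(1, "000002")},
}

def filter_request(peer_id, body):
    """Return (allowed, reason) for one signaling request seen at the proxy."""
    bound = TRANSPORT_SLICES.get(peer_id)
    if bound is None:
        return False, "unknown transport peer"
    try:
        asked = parse_snssai(body.get("snssai") if isinstance(body, dict) else None)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if asked not in bound:
        # The slice named in the signaling layer is not one this peer is
        # bound to at the transport layer: the missing check the page describes.
        return False, "slice mismatch between signaling and transport layers"
    return True, "ok"

if __name__ == "__main__":
    for peer, sd in [("nf-slice1.example", "000001"), ("nf-slice1.example", "000002"),
                     ("nf-shared.example", "000002"), ("nf-slice1.example", "zz")]:
        print(peer, sd, filter_request(peer, {"snssai": {"sst": 1, "sd": sd}}))
```

A shared network function is allowed for both slices it serves, while a function dedicated to one slice is rejected as soon as its request names another slice of the same type.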

