Researchers urge telco industry to improve authentication controls before widespread deployment
Security researchers have discovered significant flaws in the architecture of 5G network slicing and virtualization technology.
More specifically, AdaptiveMobile Security uncovered three vulnerabilities in the way 5G uses OAuth to provision network slicing.
Network slicing allows a mobile operator to divide their network into multiple distinct virtual blocks that provide different amounts of resources and prioritization to different types of traffic.
A slice is a logical block in the 5G core network assigned to machine-to-machine communication, private networks, streaming, automotive, or a mobile virtual network operator (MVNO).
RECOMMENDED Isn’t it ironic: Exploiting GDPR laws to gain access to personal data
Using network slicing to provision different types of telecom service will be as important for mobile network security as using virtualization has become in allocating data center service, at least once 5G becomes more mainstream.
However, because of shortcomings in authentication, particular networks slices can get a lot more access than they should be able to, meaning that the compromise of any network node could have a spill-over effect.
The damage done
A compromised network node might be abused to crash network segments and extract user data, such as location information. AdaptiveMobile Security has identified three specific risks that stem from authentication shortcomings:
- User data extraction through location tracking attacks
- Denial of service against another network function
- Access to a network function and related information of another vertical
During the research, AdaptiveMobile Security researchers looked at 5G core networks that contain both shared and dedicated network functions.
They discovered that when a network has these ‘hybrid’ network functions that support several slices there is a lack of mapping between the application and transport layers identities.
An attacker who had gained access to an edge network function could potentially exploit security shortcoming in current 5G industry standards to gain access to both the operator’s core network and the network slices of other enterprises.
According to AdaptiveMobile Security, the “probability of attack is only currently low due to the limited number of mobile operators with multiple live network slices on their networks”.
Dr Silke Holtmanns, head of 5G security research at AdaptiveMobile Security, told The Daily Swig that the flaws are all actually “classical API authentication and authorization (telco OWASP)” issues, just with a 5G spin.
Holtmanns explained: “Identities in different parts of the messages need to be cross-checked for consistency. But of course, this is not as easy as it sounds. 5G is complex.”
Countermeasures
AdaptiveMobile Security said that it has been working in conjunction with the GSMA, operators and standards bodies to address the issue and update architectures to prevent exploitation.
In a research paper (registration required), AdaptiveMobile Security outlines its three-part recipe for improving the security of 5G network slicing.
First, authorization needs to be fine grained enough so that one cannot impersonate another user or network slice, a relatively easy fix.
Read more of the latest infosec research from around the world
Second, the receiving node needs to be able to validate information across layers. And lastly, networks need to take security into use and be configured accordingly.
5G security builds on, and is largely compatible with, key functions and frameworks developed in earlier technologies. Although 5G is more secure than 4G, it’s also a lot more complex and AdapativeMobile Security is far from the first to flag up potential problems.
For example, two years ago security researchers at Purdue University and the University of Iowa detailed security flaws that might potentially be abused to track a victim’s real-time location, spoof emergency alerts, or silently disconnect a 5G-connected phone from the network.
