Vulnerabilities of 5G networks

While enthusiasts eagerly await the mass rollout of fifth-generation networks, cybercriminals are rubbing their hands in anticipation of new opportunities for profit. Despite all the efforts of developers, 5G technology contains vulnerabilities, and identifying them is complicated by the lack of experience with these new conditions. We investigated a small 5G network and identified three types of vulnerabilities, which we discuss in this post.

Object of study

Consider the simplest example: a model non-public 5G campus network (Non-Public Network, NPN) connected to the outside world through public communication channels. Networks of this kind will soon be standard in every country involved in the race for 5G. Likely environments for deploying networks of this configuration are smart enterprises, smart cities, offices of large companies, and other similar locations with a high degree of control.

NPN Infrastructure: A closed enterprise network is connected to the global 5G network through public channels. Source: Trend Micro

Unlike fourth-generation networks, 5G networks are focused on real-time data processing, so their architecture resembles a multi-layered pie. Layering simplifies interaction by standardizing the APIs between layers.

Comparison of 4G and 5G architectures. Source: Trend Micro

The result is increased automation and scalability, which is critical for processing the vast amounts of information from the Internet of Things (IoT).
The layer isolation built into the 5G standard leads to a new problem: the security systems operating inside the NPN protect the site and its private cloud, while the security systems of the external networks protect their own internal infrastructure. Traffic between the NPN and external networks is considered safe because it comes from secured systems, but no one actually protects it.

In our recent study, Securing 5G Through Cyber-Telecom Identity Federation, we present several cyberattack scenarios on 5G networks that exploit:

  • SIM card vulnerabilities,
  • network vulnerabilities,
  • identification system vulnerabilities.

Let's look at each vulnerability in more detail.

SIM card vulnerabilities

A SIM card is a complex device that even carries a whole set of built-in applications, the SIM Toolkit (STK). One of these programs, S@T Browser, could in theory be used to view the operator's internal sites, but in practice it has long been forgotten and has not been updated since 2009, since these functions are now performed by other programs.

The problem is that S@T Browser turned out to be vulnerable: a specially crafted service SMS compromises the SIM card and forces it to execute the commands the attacker needs, while the user of the phone or device notices nothing unusual. The attack was named Simjacker and gives attackers a wide range of opportunities.

Simjacking attack on 5G network. Source: Trend Micro

In particular, it allows an attacker to obtain the subscriber's location, device identifier (IMEI) and cell tower (Cell ID), as well as to force the phone to dial a number, send an SMS, open a link in a browser, and even disable the SIM card.

In the context of 5G networks, this SIM card vulnerability becomes a serious problem, given the number of connected devices. Although the SIMAlliance has developed new 5G SIM card standards with enhanced security, fifth-generation networks still allow the use of "old" SIM cards. And since everything works anyway, a quick replacement of existing SIM cards cannot be expected.

Malicious use of roaming. Source: Trend Micro

Simjacking makes it possible to force the SIM card into roaming mode and make it connect to a cell tower controlled by the attacker. The attacker can then modify the settings of the SIM card in order to listen in on telephone conversations, inject malware and carry out various other attacks using the device that contains the compromised SIM card. This is possible because interaction with devices in roaming bypasses the security procedures applied to devices in the "home" network.

Network Vulnerabilities

Attackers can change the settings of a compromised SIM card to achieve their goals. The relative ease and stealth of the Simjacker attack allows it to be carried out on an ongoing basis, seizing control over more and more devices, slowly and patiently (low and slow attack) cutting off pieces of the network like slices of salami (salami attack). Tracking such an impact is extremely difficult, and in a complex distributed 5G network it is almost impossible.

Gradual introduction to the 5G network using Low and Slow + Salami attacks. Source: Trend Micro

And since 5G networks have no built-in security controls for SIM cards, attackers will gradually be able to establish their own rules inside the 5G communication domain, using captured SIM cards to steal funds, obtain network-level authorization, install malware and carry out other illegal activities.

Of particular concern is the appearance on hacker forums of tools that automate the capture of SIM cards via Simjacker, since the use of such tools against fifth-generation networks gives attackers almost unlimited opportunities to scale attacks and modify trusted traffic.

Identification vulnerabilities

The SIM card is used to identify the device on the network. If the SIM card is active and has a positive balance, the device is automatically considered legitimate and arouses no suspicion at the level of the detection systems. Meanwhile, the vulnerability of the SIM card itself makes the entire identification system vulnerable. IT security systems will simply be unable to track down an illegally connected device if it registers on the network using credentials stolen through Simjacker.

It turns out that an attacker who connects to the network through a compromised SIM card gains access at the level of the real owner, since IT systems no longer check devices that have already been identified at the network level.

Identification that is trusted across the software and network layers adds another problem: criminals can deliberately create "noise" for intrusion detection systems by constantly performing various suspicious actions on behalf of captured legitimate devices. Since automatic detection systems work by analyzing statistics, the alarm thresholds will gradually increase, ensuring that there is no reaction to real attacks. Long-term exposure of this kind is quite capable of changing the functioning of the entire network and creating statistical "blind spots" for detection systems. Criminals who control these areas can attack data within the network and physical devices, organize denial of service, and cause other harm.
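The threshold-poisoning effect described above can be reproduced in a few lines. The following simulation is an added example written for this post, not code from Trend Micro or from the study it cites; the hourly counts, the "mean plus three standard deviations" rule and the two detector designs are all constructed for illustration. A naive detector that keeps re-learning its baseline from whatever it last saw is fed a slowly rising noise floor from captured devices; by the time a real burst arrives, its threshold has drifted above it. A detector whose baseline is frozen from a vetted training window flags both the creep and the burst.

```python
import statistics


def constructed_series():
    """Constructed hourly counts of 'suspicious actions' seen by an IDS.
    Hours 0-23: normal behaviour of legitimate devices.
    Hours 24-71: captured devices slowly raise the noise floor (low and slow).
    Hour 72: a real attack burst that a clean baseline would flag at once."""
    normal = [3, 4, 3, 5, 4, 3, 4, 5, 3, 4, 4, 3, 5, 4, 3, 4, 3, 4, 5, 4, 3, 4, 4, 3]
    ramp = [4 + i // 4 for i in range(48)]   # creeps from 4 up to 15, one step per 4 hours
    burst = [16]
    return normal + ramp + burst


def threshold(sample, k):
    """Alarm level: mean + k * population standard deviation (sd 0 treated as 1)."""
    return statistics.mean(sample) + k * (statistics.pstdev(sample) or 1.0)


class AdaptiveDetector:
    """Naive detector: the threshold is recomputed from the last `window`
    observations, whatever they were, so patient noise drags it upward."""

    def __init__(self, k=3.0, window=24):
        self.k, self.window, self.history = k, window, []

    def observe(self, x):
        alert = False
        if len(self.history) >= self.window:
            alert = x > threshold(self.history[-self.window:], self.k)
        self.history.append(x)   # the observation is absorbed even if it was noise
        return alert


class FrozenBaselineDetector:
    """Hardened detector: the baseline is learned only from a vetted training
    window and never updated from unlabelled traffic, so noise cannot move it."""

    def __init__(self, k=3.0, window=24):
        self.k, self.window, self.training, self.limit = k, window, [], None

    def observe(self, x):
        if self.limit is None:
            self.training.append(x)
            if len(self.training) == self.window:
                self.limit = threshold(self.training, self.k)
            return False
        return x > self.limit


def run_simulation():
    """Run both detectors over the constructed series and summarise the outcome."""
    series = constructed_series()
    naive, frozen = AdaptiveDetector(), FrozenBaselineDetector()
    naive_alerts = [h for h, x in enumerate(series) if naive.observe(x)]
    frozen_alerts = [h for h, x in enumerate(series) if frozen.observe(x)]
    last = len(series) - 1
    return {
        "burst_hour": last,
        "naive_flags_burst": last in naive_alerts,
        "frozen_flags_burst": last in frozen_alerts,
        "naive_ramp_alerts": len([h for h in naive_alerts if h < last]),
        "frozen_ramp_alerts": len([h for h in frozen_alerts if h < last]),
        "frozen_first_alert_hour": frozen_alerts[0] if frozen_alerts else None,
    }


if __name__ == "__main__":
    print(run_simulation())
```

The frozen baseline is deliberately simple: the point is that a baseline must be built from data the operator has vetted, and that any later re-learning has to be gated by the identity checks discussed in the rest of the post, otherwise the attacker controls the statistics that define "normal".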

Solution: Unified Identity Verification

The vulnerabilities of the studied 5G NPN are a consequence of the fragmentation of security procedures at the communication level, at the level of SIM cards and devices, and at the level of roaming interaction between networks. To solve this problem it is necessary, in accordance with the zero trust principle (Zero-Trust Architecture, ZTA), to ensure that devices connecting to the network are authenticated at every stage by implementing a federated identity and access control model (Federated Identity and Access Management, FIdAM).

The principle of ZTA is to maintain security even when the device is out of control, moving or outside the network perimeter. A federated identity model is an approach to 5G security that provides a single, consistent architecture for authentication, access rights, data integrity, and other components and technologies across 5G networks.

This approach eliminates the possibility of introducing a rogue "roaming" tower into the network and redirecting captured SIM cards to it. IT systems will be able to fully detect the connection of foreign devices and block the spurious traffic that creates statistical noise.

To protect the SIM card from modification, it is necessary to introduce additional integrity checks into it, possibly implemented as a blockchain-based SIM application. The application can be used to authenticate devices and users, as well as to check the integrity of the firmware and settings of the SIM card, both in roaming and when working in a home network.

Summary

The solution to the identified 5G security problems can be represented as a combination of three approaches:

  • implementation of a federated model of identification and access control, which will ensure the integrity of data in the network;
  • providing full visibility of threats by implementing a distributed registry to verify the legitimacy and integrity of SIM cards;
  • formation of a distributed security system without borders, which solves the issues of interaction with devices in roaming.
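The SIM integrity check proposed above (a SIM application whose firmware and settings are verified against a distributed registry, both at home and in roaming) can be sketched as a tamper-evident attestation log. The code below is an added example written for this post, not the design from Trend Micro's study: it stands in for a distributed ledger with a single-node hash chain whose entries are authenticated with an HMAC under a constructed registrar key, and the SIM identifiers, firmware image and settings keys (`home_plmn`, `roaming_allowed`, `preferred_plmn`) are all constructed placeholders. It shows the two checks the post asks for: a SIM whose settings were modified no longer matches its attestation, and an attacker who edits a ledger entry breaks the chain.

```python
import copy
import hashlib
import hmac
import json

# Placeholder registrar key for this demo; a deployed registry would use
# per-node signing keys managed by the operators that share the ledger.
REGISTRAR_KEY = b"constructed-demo-registrar-key"


def digest(data) -> str:
    """SHA-256 of raw bytes, or of a dict serialised canonically (sorted keys)."""
    if isinstance(data, dict):
        data = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class SimRegistry:
    """Append-only, hash-chained log of SIM attestations. Each entry carries the
    previous entry's MAC, so editing or dropping any entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self, key=REGISTRAR_KEY):
        self.key = key
        self.entries = []

    def _mac(self, body: dict) -> str:
        msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def attest(self, sim_id: str, firmware: bytes, settings: dict) -> dict:
        """Record the hashes of a SIM's firmware and settings as known-good."""
        body = {
            "sim_id": sim_id,
            "firmware_hash": digest(firmware),
            "settings_hash": digest(settings),
            "prev": self.entries[-1]["mac"] if self.entries else self.GENESIS,
        }
        entry = {**body, "mac": self._mac(body)}
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """Return (True, None) if every link holds, else (False, index_of_bad_entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(self._mac(body), e["mac"]):
                return False, i
            prev = e["mac"]
        return True, None

    def check_sim(self, sim_id: str, firmware: bytes, settings: dict) -> list:
        """Compare what a SIM reports at registration (home or roaming) with its
        latest attestation. An empty list means the SIM may be admitted."""
        ok, bad = self.verify_chain()
        if not ok:
            return [f"registry chain broken at entry {bad}"]
        latest = next((e for e in reversed(self.entries) if e["sim_id"] == sim_id), None)
        if latest is None:
            return ["unregistered SIM"]
        problems = []
        if latest["firmware_hash"] != digest(firmware):
            problems.append("firmware mismatch")
        if latest["settings_hash"] != digest(settings):
            problems.append("settings mismatch")
        return problems


def demo():
    registry = SimRegistry()
    sim = "ICCID-CONSTRUCTED-0001"                     # constructed identifier
    good_fw = b"sim-applet-v1"                         # constructed firmware image
    good_cfg = {"home_plmn": "001-01", "roaming_allowed": True}
    registry.attest(sim, good_fw, good_cfg)
    registry.attest("ICCID-CONSTRUCTED-0002", good_fw, {"home_plmn": "001-01"})

    # A modified configuration (here a constructed network-preference entry)
    # no longer matches the attested settings hash.
    altered_cfg = {**good_cfg, "preferred_plmn": "999-99"}

    # An attacker who rewrites an attestation cannot recompute the MAC chain.
    tampered = SimRegistry()
    tampered.entries = copy.deepcopy(registry.entries)
    tampered.entries[0]["settings_hash"] = digest(altered_cfg)

    return {
        "chain_ok": registry.verify_chain(),
        "genuine": registry.check_sim(sim, good_fw, good_cfg),
        "altered_settings": registry.check_sim(sim, good_fw, altered_cfg),
        "unknown": registry.check_sim("ICCID-CONSTRUCTED-9999", good_fw, good_cfg),
        "tampered_ledger": tampered.verify_chain(),
        "tampered_check": tampered.check_sim(sim, good_fw, good_cfg),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the attestation would be produced by the SIM application itself over its firmware and configuration, the registry would be replicated across the operators involved in roaming so that a visited network can consult the same record as the home network, and a failed check would deny registration rather than merely report a mismatch.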

The practical implementation of these measures takes time and serious investment; however, 5G networks are being deployed everywhere, which means that work on eliminating these vulnerabilities needs to start right now.

Source: habr.com
