Security research firm examines configuration of core components to spot weaknesses in PFCP and HTTP/2 protocols.
Global cybersecurity company Positive Technologies identified several potential vulnerabilities in 5G standalone networks that could result in denial of service for customers and trouble for network operators.
In the new report, “5G Standalone core security research,” researchers analyzed the security of the network architecture, interaction of network elements, and subscriber authentication and registration procedures. The report considered these possible security problems with 5G networks:
- Subscriber denial of service due to exploitation of vulnerabilities in the PFCP protocol
- Registration of new attacker-controlled network functions
- Subscriber denial of service due to mass deregistration of network elements
- Disclosure of subscriber unique identifier or subscriber profile information
The analysis considered standalone 5G installations that use only new components such as 5G New Radio and 5G Core Network. The report considers attacks that can be performed from the international roaming network, the operator’s network, or partner networks as well as core threats identified in the 5G deployment testbed.
SEE: Future of 5G: Projections, rollouts, use cases, and more (free PDF) (TechRepublic)
Dmitry Kurbatov, CTO at Positive Technologies, said in a press release that there is a risk attackers will take advantage of standalone 5G networks while they are being established and operators are identifying potential vulnerabilities.
“With such a diverse surface of attack, robust core network security architecture is by far the safest way to protect users,” he said. “5G standalone network security issues will be much further reaching when it comes to CNI, IoT and connected cities—putting critical infrastructure such as hospitals, transport and utilities at risk.”
The two major sections of the report consider security risks in the PFCP protocol and the HTTP/2 protocol.
The Packet Forwarding Control Protocol (PFCP) is used on the N4 interface between the control and the user planes. The security analysis found several potential attack scenarios against an established subscriber session. This includes:
- Denial of service via a Session Deletion Request
- Denial of service via a Session Modification Request
- Redirection of data via a Session Modification Request
The report said the key to avoiding these security risks is proper configuration of the N4 interface to keep this internal network from being accessible from the global network.
In this section of the report, the authors considered the Network Repository Function and subscriber authentication vulnerabilities. The Network Repository Function registers new network functions and stores profiles. It also receives requests for discovery of NFs that are available and meet certain criteria.
Positive Technologies looked at three procedures on the 5G testbed: Registering a new NF, obtaining the NF profile, and deleting the NF profile. The researchers found that “none of the components verify the TLS certificate when connecting to each other.”
When considering subscriber authentication vulnerabilities, the report writers review how subscriber authentication becomes insecure if the NRF does not perform authentication and authorization of 5G core network functions.
Improving 5G standalone security
The authors note that there are new mechanisms for securing 5G traffic, such as the Security Edge Protection Proxy and transport-level encryption. These protections are not foolproof, because “real life deployment always involves difficulties,” even full use of these security measures will not guarantee that a network can’t be breached from the outside.
Positive Technologies recommends that a security strategy include assessment, monitoring, and protection with a special emphasis on:
- Testing the core network because it is fully exposed to the IPx and the MEC
- Emphasizing rapid detection and mitigation
- Ensuring full visibility of the entire infrastructure
In addition to proper configuration of equipment and security monitoring, the report authors also recommend the use of firewalls on the network edge.