5G Network Slicing Vulnerability: Location Tracking Attacks
5G networks have the potential to revolutionize society and dramatically alter our everyday lives. Industries will change and new business models will be created as mobile telecoms are transformed. But 5G technology brings with it significant security challenges that could lead to attacks such as location tracking.
With the huge increase in sensitive and valuable data held in the 5G core network comes increased interest from fraudsters, hackers, and nation states in gaining access to that data, or in mounting other attacks that impact subscribers and networks. Dr. Silke Holtmanns, Head of 5G Security Research at AdaptiveMobile Security, previously outlined how best to protect mobile networks and subscribers during the migration from 4G to 5G.
In anticipation of rapid 5G expansion, AdaptiveMobile Security continued its 5G security research and recently published an in-depth analysis of the security of the network slicing technology at the heart of the 5G transformation. The full report can be accessed here.
Firstly, what is 5G Network Slicing and why is it important for 5G?
Network slicing allows a mobile operator to divide its network into multiple distinct logical blocks that provide different amounts of resources and prioritisation to different types of traffic. It lets operators dedicate portions of their networks to specific customer use cases. As a result, the network is opened up to many partners and sliced into use-case-specific and vertical-specific blocks.
How secure is 5G Network Slicing?
Our research found significant vulnerabilities which, left unaddressed, could be exploited by cyber criminals. The fundamental weakness enables three main attack scenarios: (1) user data extraction, such as location tracking; (2) denial of service against another network function; and (3) access to a network function, and the related information, of another vertical partner.
In this post we look specifically at data extraction attacks that could allow location tracking of user equipment. We will review the other attack types in future blog posts.
Mobile networks have a long history of location tracking attacks.
AdaptiveMobile Security has exposed real-life location tracking attacks by mobile surveillance companies across earlier generations of mobile networks. Our CTO, Cathal McDaid, recently presented on how location tracking is done via SS7, Diameter and Simjacker attacks.
Now we see gaps in the 5G network security standards that could allow further location tracking attacks on the next generation of mobile networks. It is worth noting that the accuracy of location information available in 5G will be much better, so the impact of a successful attack is correspondingly greater.
Are data extraction and location tracking attacks possible in 5G Network Slicing Deployments?
Our research looked at the practicalities of 5G deployments according to the 3GPP standards and examined whether the specifications are as watertight as they need to be to secure user data. When we drilled down into a deployment scenario with shared and part-shared network functions and looked at the possible use cases, we found that location tracking is possible because the security features are not specified in as much detail as they should be. We assumed a deployment where part of the core network is shared between slices while other network functions are dedicated to a single slice. The slicing scenario we examined is shown below.
How could a location tracking attack work?
Dr. Silke Holtmanns explained how the location tracking attack could work: “In the scenario that we saw, assuming the current 3GPP specifications, security and standards are in place. Say there is a network function that wants to consume a service provided by another network function. This service-consuming network function needs an authorization ticket to use a service such as location tracking. For this attack, a misbehaving network function gets an authorization ticket and it sends a request to the location tracking server. In the request itself, the misbehaving network function puts the identifier of a victim user from slice 1 (i.e. another vertical customer of the operator). There is no correlation-matching between user identity and the authorization ticket, so the attacker can get the data such as device location. In other words, it is not checked if the user identity really belongs to the slice that is sending the request and related authorization token.”
5G core networks contain both shared and dedicated network functions. The shared, or ‘hybrid’, network functions serve several slices, but there is no mapping between application-layer and transport-layer identities. This flaw in the industry standards gives an attacker who has access to the 5G Service Based Architecture an opportunity to access data across multiple slices, including a mobile phone’s location or International Mobile Subscriber Identity (IMSI).
An attacker who compromises an edge network function connected to the operator’s service-based architecture could exploit this flaw in the design of the network slicing standards to gain access to both the operator’s core network and the network slices of other enterprises. The impact is that the operator and its customers are exposed and risk the loss of sensitive data, such as user location.
What is the likelihood of 5G mobile device locations being tracked?
The probability of location tracking attacks is currently low, because few mobile operators have multiple live network slices on their networks. As verticals expand their service offerings on 5G networks, however, we will see more scenarios in which location tracking of mobile devices is possible.
Will this vulnerability impact the roll-out of 5G?
AdaptiveMobile Security has submitted these vulnerabilities to the GSM Association (GSMA) through its Coordinated Vulnerability Disclosure (CVD) programme. The 3rd Generation Partnership Project (3GPP) and the GSMA are working on mitigations for the presented vulnerabilities, but it will take some time for these to appear in product updates. Since partners in a sliced 5G network might be compromised, it is prudent to monitor and filter traffic so that anomalies and attacks are detected quickly, rather than relying on the year-long cycle of standards and product releases. Mobile network operators need to be aware of these attack scenarios because, be in no doubt, attackers will try to use them for nefarious purposes.
How could these potential data extraction attacks within 5G Network Slicing be resolved?
There are many identities involved when 5G network functions talk to each other, and they need to be consistent and cross-checked. Questions need to be asked: does this user belong to this slice? Does this authorization token match the source IP address and the NF instance ID? And so on. All of these additional checks need to be made, and a system is needed for how best to perform them.
The complexity of 5G offers enormous flexibility, but also presents a huge challenge in configuration and security validation. We recommend an enhanced filtering and validation approach that combines information from different layers and protocols and integrates external threat information. Such an approach allows the network to be divided into security zones and safeguards the 5G core network. Cross-correlation of attack information between those security network functions maximises protection against sophisticated attackers, allows better mitigation and faster detection, and minimises false alarms.
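The following is an added example, not code from the post or from AdaptiveMobile Security, that models both the attack described above (a misbehaving slice-2 network function presenting a valid authorization token while naming a slice-1 victim) and the cross-checks just listed. The token is a simplified stand-in for the OAuth 2.0 access token that the NRF issues in the 5G Service Based Architecture; its claim names, the NF profiles, subscriber identities, IP addresses and location values are all constructed for the illustration and do not correspond to any real deployment or to the exact 3GPP claim layout.

```python
"""Toy SBA producer NF serving a location lookup, before and after cross-checking.

Everything below is constructed fixture data for illustration only.
"""
from dataclasses import dataclass
import time

# NF profiles as an NRF would hold them (constructed): instance ID -> registered
# transport address and the slices that NF instance is allowed to serve.
NF_PROFILES = {
    "amf-slice2-01": {"ip": "10.2.0.10", "slices": frozenset({"slice-2"})},
    "amf-hybrid-01": {"ip": "10.0.0.5", "slices": frozenset({"slice-1", "slice-2"})},
}

# Subscription data (constructed): which slice each subscriber identity belongs to.
SUBSCRIBER_SLICE = {
    "imsi-001010000000001": "slice-1",  # victim: customer of vertical 1
    "imsi-001010000000002": "slice-2",
}

# Producer's own data (constructed): last known location per subscriber.
LOCATION_DB = {
    "imsi-001010000000001": "TAC 0x0001 / cell 0x0000A1",
    "imsi-001010000000002": "TAC 0x0002 / cell 0x0000B7",
}


@dataclass(frozen=True)
class AccessToken:
    """Simplified stand-in for the OAuth 2.0 access token issued by the NRF."""
    sub: str            # consumer NF instance ID the token was issued to
    scope: frozenset    # services the consumer may invoke
    slices: frozenset   # slices the consumer is authorized for (assumed claim)
    exp: float          # expiry, Unix time


@dataclass(frozen=True)
class ServiceRequest:
    token: AccessToken
    src_ip: str          # transport-layer source address of the request
    nf_instance_id: str  # application-layer claim of who is calling
    service: str
    supi: str            # subscriber identity whose location is requested


def token_is_valid(token, service, now):
    """Checks only what a token-centric producer checks: expiry and scope."""
    return token.exp > now and service in token.scope


def serve_location_token_only(req, now=None):
    """Vulnerable producer: any valid token unlocks any subscriber's location."""
    now = time.time() if now is None else now
    if not token_is_valid(req.token, req.service, now):
        return (False, "invalid token")
    # No correlation between the token holder and the subscriber named in the body.
    return (True, LOCATION_DB.get(req.supi))


def serve_location_cross_checked(req, now=None):
    """Hardened producer: ties token, caller identity, transport address and slice together."""
    now = time.time() if now is None else now
    if not token_is_valid(req.token, req.service, now):
        return (False, "invalid token")
    # 1. Application-layer caller identity must match the token subject.
    if req.nf_instance_id != req.token.sub:
        return (False, "NF instance ID does not match token subject")
    # 2. Transport-layer source address must match the NRF profile of that instance.
    profile = NF_PROFILES.get(req.token.sub)
    if profile is None or profile["ip"] != req.src_ip:
        return (False, "source IP does not match registered NF profile")
    # 3. Slices claimed in the token must be a subset of what the NRF registered.
    if not req.token.slices <= profile["slices"]:
        return (False, "token claims slices the NF is not registered for")
    # 4. The subscriber must belong to a slice the caller is authorized for.
    supi_slice = SUBSCRIBER_SLICE.get(req.supi)
    if supi_slice is None or supi_slice not in req.token.slices:
        return (False, "subscriber not in a slice the caller is authorized for")
    return (True, LOCATION_DB.get(req.supi))


def demo(now=1_700_000_000.0):
    """Misbehaving slice-2 NF with a genuine token asks for a slice-1 victim's location."""
    token = AccessToken("amf-slice2-01", frozenset({"location"}), frozenset({"slice-2"}), now + 600)
    rogue = ServiceRequest(token, "10.2.0.10", "amf-slice2-01", "location", "imsi-001010000000001")
    return serve_location_token_only(rogue, now), serve_location_cross_checked(rogue, now)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("token-only producer:", leaked)
    print("cross-checked producer:", blocked)
```

In the token-only path the rogue request succeeds because the token is genuine; the producer never asks whether the subscriber named in the body is one the token holder is entitled to query. The cross-checked path fails closed on each of the identity mismatches the post lists, and the order of the checks matters: the caller identity and transport address are verified before any subscriber data is consulted, so a spoofed NF instance ID or a token replayed from another address is rejected without touching the subscriber table.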
In telecommunication networks there is often a presumption of trust, which is a mindset Mobile Network operators must move away from as we enter the next generation of 5G networks.