Showing posts with label Security. Show all posts

Monday, 7 October 2019

Exploiting Possible 5G Vulnerabilities


The standards can try their best to ensure that the next generation of protocols is more secure than the previous one but there is always some way in which the protocols can be exploited. This is where researchers play an important role in finding such vulnerabilities before they can be exploited by hackers. Frankly I am quite sure that only a handful of these vulnerabilities are found and hackers always have something that may never be found.

At the recent HITBSecConf (the Hack In The Box Security Conference), Altaf Shaik presented "4G to 5G: New Attacks". He, along with Ravishankar Borgaonkar, has been working to find security issues in cellular networks. In fact, in the GSMA Mobile Security Hall of Fame, they both appear twice, individually.

From the talk narrative:

5G raises the security bar a level above 4G. Although IMSI exposure is prevented in 5G, we found new vulnerabilities to attack devices and subscribers. In this talk we expose a set of vulnerabilities in the 5G/4G protocols that are found in network operators equipment and also consumer devices such as phones, routers, latest IoT sensors, and even car modems. Our vulnerabilities affect several commercial applications and use cases that are active in 4G networks and are expected to take off in 5G networks. We developed automated tools to exploit the exposed cellular information and share some of our research traces and data sets to the community. We demonstrate a new class of hijacking, bidding down and battery draining attacks using low cost hardware and software tools. We did a rigorous testing worldwide to estimate the number of affected base stations and are surprised by the results. Finally our interactions with various vendors and standard bodies and easy fixes to prevent our attacks are discussed.

Slides and video are embedded below.






Slides and Whitepaper can be downloaded from here.


Saturday, 29 June 2019

Presentations from ETSI Security Week 2019 (#ETSISecurityWeek)


ETSI held their annual Security Week Seminar 17-21 June at their HQ in Sophia Antipolis, France. All the presentations are available here. Here are some I think the audience of this blog will like:


It looks like not all presentations were shared, but the ones that were have lots of useful information.



Sunday, 19 May 2019

VoLTE Hacking


The 10th Annual HITB Security Conference took place from the 6th till the 10th of May 2019 in The Netherlands. The theme for the conference this year is 'The Hacks of Future Past'. One of the presentations was on the topic 'VoLTE Phreaking' by Ralph Moonen, Technical Director at Secura.

The talk covered a variety of topics:

  • A little history of telephony hacking (in NL/EU)
  • The landscape now
  • Intercepting communications in 2019
  • Vulnerabilities discovered: some new, some old
  • An app to monitor traffic on a phone

The talk provides details on how VoLTE can potentially be hacked. In a lot of instances it is one misconfiguration or another that makes VoLTE less secure. One of the slides that caught my attention was the differences in VoLTE signaling from different operators (probably due to different vendors) as shown above.

Anyway, I am not going into more details here. The presentation is available here.


The thread in the Tweet above also provided some good references on VoLTE hacking. They are as follows:





Monday, 29 April 2019

Evolution of Security from 4G to 5G


Dr. Anand Prasad, who is well known in the industry, not just as CISO of Rakuten Mobile Networks but also as the Chairman of 3GPP SA3, the mobile communications security and privacy group, recently delivered a talk on '4G to 5G Evolution: In-Depth Security Perspective'.


The video of the talk is embedded below and the slides are available here.



An article on similar topic by Anand Prasad, et al. is also available on 3GPP website here.



Sunday, 21 April 2019

Wi-Fi 6 (a.k.a. 802.11ax) and other Wi-Fi enhancements

Last year I wrote about how Wi-Fi is getting new names. 802.11ax, for example, the latest and greatest of the Wi-Fi standards, is known as Wi-Fi 6. There were many announcements at MWC 2019 about Wi-Fi 6, some of which I have captured here.

I came across a nice, simple video explaining Wi-Fi 6 for non-technical people. It's embedded below.


The video is actually sponsored by Cisco and you can read more about Wi-Fi 6 and comparison of Wi-Fi 6 and 5G on their pages.

At MWC19, Cisco was showing Passpoint autoconnectivity on Samsung Galaxy S9, S9+ or Note 9 devices. According to their blog:

Together, we’re working to provide a better bridge between mobile and Wi-Fi networks. At Mobile World Congress in Barcelona we’ll show the first step in that journey. Anyone using a Samsung Galaxy S9, S9+ or Note 9 device (and those lucky enough to have an early Galaxy S10) over the Cisco-powered guest wireless network will be able to seamlessly and securely connect – without any manual authentication. No portal, no typing in passwords, no picking SSIDs, no credit cards — just secure automatic connectivity.  How?  By using credentials already on your phone, like your operator SIM card.  Even if your operator doesn’t currently support Passpoint autoconnectivity, your Samsung smartphone will!  As a Samsung user, you already have an account for backups and device specific applications. This credential can also be used for a secure and seamless onboarding experience, supporting connectivity to enterprise, public and SP access networks.

It's worth mentioning here that the WPA2 authentication algorithm is being upgraded to WPA3 and we will see broad adoption this year, in conjunction with 802.11ax. See the tweet for details

Broadcom announced their new BCM43752, Dual-Band 802.11ax Wi-Fi/Bluetooth 5 Combo Chip. Motley Fool explains why this is interesting news:

The chip specialist is rounding out its Wi-Fi 6 portfolio to address lower price points.

When Samsung announced its Galaxy S10-series of premium smartphones, wireless chipmaker Broadcom announced, in tandem, that its latest BCM4375 Wi-Fi/Bluetooth connectivity combination chip is powering those new flagship smartphones. That chip was the company's first to support the latest Wi-Fi 6 standard, which promises significant performance improvements over previous-generation Wi-Fi technology.

The BCM4375 is a high-end part aimed at premium smartphones, meaning that it's designed for maximum performance, but its cost structure (as well as final selling price) is designed for pricier devices that can handle relatively pricey chips.

Broadcom explains that the BCM43752 "significantly reduces smartphone bill of materials by integrating [radio frequency] components such as power amplifiers (PAs) and low-noise amplifiers (LNAs) into the device."

The idea here is simple: Since these components are integrated in the chip that smartphone makers are buying from Broadcom, those smartphone makers won't need to buy those components separately.

In the press release, Broadcom quoted Phil Solis, research director at the market research company IDC, as saying that this chip "reduced costs by going down to single core, 2X2 MIMO for Wi-Fi, integrating the PAs and LNAs, and offering flexible packaging options while keeping the same functionality as their flagship combo chip." 

Broadcom explains that this chip is targeted at "the broader smartphone market where high performance and total solution cost are equally important design decisions."

In addition to these, Intel showed a demo of Wi-Fi 6 at 6 GHz. Most people are aware that Wi-Fi uses the 2.4 GHz, 5 GHz & 60 GHz bands. According to Wi-Fi Now:

So why is that important? Simply because 6 GHz Wi-Fi is likely the biggest opportunity in Wi-Fi in a generation – and because Intel’s demo shows that Wi-Fi chipset vendors are ready to pounce on it. The demonstration was a part of Intel’s elaborate Wi-Fi 6 (802.11ax) demonstration set at MWC.

“When this enhancement [meaning 6 GHz spectrum] to Wi-Fi 6 rolls out in the next couple of years, it has the potential to more than double the Wi-Fi spectrum with up to 4x more 160 MHz channel deployment options,” said Doron Tal, Intel’s General Manager Wireless Infrastructure Group, in his blog here. Doron Tal emphasises that the prospect of including 6 GHz bands in Wi-Fi for the time being realistically only applies to the US market.

Intel also says that a growing number of currently available PCs already support 160 MHz channels, making them capable of operating at gigabit Wi-Fi speeds. This means that consumers will get ‘a pleasant surprise’ in terms of speed if they invest in a Wi-Fi 6 home router already now, Intel says.

It may however take a while before US regulator FCC finally rules on allowing Wi-Fi to operate in the 6 GHz bands. Right now the FCC is reviewing dozens of response submissions following the issuing of the NPRM for unlicensed 6 GHz operation – and they will likely have their hands full for months while answering a litany of questions as to prospective new 6 GHz spectrum rules.

Also an important part of the 6 GHz story is the fact that the IEEE only weeks ago decided that – as far as the 802.11 standards are concerned – only Wi-Fi 6 (802.11ax) will be specified to operate in the 6 GHz band. That means 6 GHz will be pristine legacy-free territory for Wi-Fi 6 devices.

That brings us to the Wi-Fi evolution that will be coming after 802.11ax. The IEEE 802.11 Extremely High Throughput (EHT) Study Group, formed late last year, will be working on defining the new 802.11be (Wi-Fi 7?) standards. See tweet below:

The interesting thing to note here is that the Wi-Fi spectrum will become flexible to operate from 1 GHz to 7.125 GHz. Of course the rules will be different in different parts of the world. It will also have to avoid interference with other existing technologies like cellular, etc.

According to Fierce Wireless, Huawei has completed a global deployment of its enterprise-class Wi-Fi 6 products under the new AirEngine brand. Speaking at the company’s Global Analyst Summit, Huawei said its Wi-Fi 6 products have been deployed on a large scale in five major regions worldwide.

Back at MWC, Huawei was showing off their Wi-Fi 6 enabled CPEs. See tweet below:

Huawei has many different enterprise networking products that are already supporting Wi-Fi 6 today. You can see the details along with whitepapers and application notes here. In addition, the Top 10 Wi-Fi 6 misconceptions are worth a read, available here.

Tuesday, 2 October 2018

Benefits and Challenges of Applying Device-Level AI to 5G networks


I was part of the Cambridge Wireless CWTEC 2018 organising committee, where our event 'The inevitable automation of Next Generation Networks' covered a variety of topics including AI, 5G, devices, network planning, etc. The presentations are available freely for a limited period here.

One of the thought provoking presentations was by Yue Wang from Samsung R&D. The presentation is embedded below and can be downloaded from Slideshare.



This presentation also brought out some interesting thoughts and discussions:

  • While the device-level AI and network-level AI would generally work cooperatively, there is a risk that some vendor may play the system to make their devices perform better than the competitors. Something similar to the signaling storm generated by SCRI (see here).
  • If the device-level and network-level AI work constructively, an operator may be able to claim that their network can provide a better battery life for a device. For example, iPhone XYZ has 25% better battery life on our network than on a competitor's network.
  • If the device-level and network-level AI work destructively for any reason, then the network can become unstable and the other users may experience issues.

I guess all these enhancements will start slowly and there will be lots of learning in the first few years before we have a stable, mutually beneficial solution.


Friday, 22 June 2018

5G and IoT Security Update from ETSI Security Week 2018

ETSI Security Week 2018 (link) was held at ETSI's Headquarters in Sophia Antipolis, South of France last week. It covered a wide variety of topics including 5G, IoT, Cybersecurity, Middlebox, Distributed Ledger Technology (DLT), etc. As 5G and IoT are of interest to the readers of this blog, I am providing links to the presentations so anyone interested can check them out at leisure.


Before we look at the presentations, what exactly was the point of looking at 5G Security? Here is an explanation from ETSI:

5G phase 1 specifications are now done, and the world is preparing for the arrival of 5G networks. A major design goal of 5G is a high degree of flexibility to better cater for specific needs of actors from outside the telecom sector (e.g. automotive industry, mission-critical organisations). During this workshop, we will review how well 5G networks can provide security for different trust models, security policies, and deployment scenarios – not least for ongoing threats in the IoT world. 5G provides higher flexibility than legacy networks by network slicing and virtualization of functions. The workshop aims to discuss how network slicing could help in fulfilling needs for different users of 5G networks.

5G will allow the use of different authentication methods. This raises many interesting questions. How are these authentication methods supported in devices via the new secure element defined in ETSI SCP, or vendor-specific concepts? How can mission-critical and low-cost IoT use cases coexist side-by-side on the same network?

The 5G promise of higher flexibility is also delivered via its Service-Based Architecture (SBA). SBA provides open 3rd party interfaces to support new business models which allow direct impact on network functions. Another consequence of SBA is a paradigm shift for inter-operator networks: modern APIs will replace legacy signaling protocols between networks. What are the relevant security measures to protect the SBA and all parties involved? What is the role of international carrier networks like IPX in 5G?

Event Objectives
The workshop intends to:

  • Gather different actors involved in the development of 5G, not only telecom, and discuss together how all their views have shaped phase 1 of 5G, to understand how security requirements were met, and what challenges remain;
  • Discuss slicing as a means to implement separate security policies and compartments for independent tenants on the same infrastructure;
  • Give an update of what is happening in 3GPP 5G security;
  • Explain to IoT players what 5G security can (and cannot) do for them, including risks and opportunities related to alternative access credentials;
  • Understand stakeholders' (PMNs, carriers, GSMA, vendors) needs to make SBA both secure and successful. How can SBA tackle existing issues in interconnect networks like fraud, tracking, privacy breaches;
  • Allow vendors to present interesting proposals for open security questions in 5G: secure credential store, firewalling SBA's RESTful APIs;
  • Debate about hot topics such as: IoT security, Slicing security, Privacy, Secure storage and processing and Security of the interconnection network.


So here are the relevant presentations:

Session 1: Input to 5G: Views from Different Stakeholders
Session Chair: Bengt Sahlin, Ericsson

Hardening a Mission Critical Service Using 5G, Peter Haigh, NCSC

Security in the Automotive Electronics Area, Alexios Lekidis, SecurityMatters

Integrating the SIM (iUICC), Adrian Escott, QUALCOMM

Smart Secure Platform, Klaus Vedder, Giesecke & Devrient, ETSI SCP Chairman

Network Slicing, Anne-Marie Praden, Gemalto

Don't build on Sand: Validating the Security Requirements of NFV Infrastructure to Confidently Run Slices, Nicolas Thomas, Fortinet

5G Enhancements to Non-3GPP Access Security, Andreas Kunz, Lenovo

Security and Privacy of IoT in 5G, Marcus Wong, Huawei Technologies

ITU-T activities and Action Plan on 5G Security, Yang Xiaoya, ITU-T SG17

Wrap up: 5G Overview from 3GPP SA3 Perspective and What is There to Be Done for Phase 2, Sander Kievit, TNO


Session 2: Security in 5G Inter-Network Signalling
Session Chair: Stefan Schroeder, T-Systems

Presentation on SBA: Introduction of the Topic and Current Status in SA3, Stefan Schroeder, T-Systems

5G Inter-PLMN Security: The Trade-off Between Security and the Existing IPX Business Model, Ewout Pronk, KPN on behalf of GSMA Diameter End to End Security Subgroup

Secure Interworking Between Networks in 5G Service Based Architecture, Silke Holtmanns, Nokia Bell Labs

Security Best Practises using RESTful APIs, Sven Walther, CA Technologies

Identifying and Managing the Issues around 5G Interconnect Security, Stephen Buck, Evolved Intelligence

Zero Trust Security Posture in 5G Architecture, Galina Pildush, Palo Alto Networks (Missing)


Session 1 & 2 Workshop Wrap up: 5G Phase 1 Conclusions and Outlook Towards Phase 2 - Stefan Schroeder, T-Systems and Bengt Sahlin, Ericsson


Session 5: Benefits and Challenges of 5G and IoT From a Security Perspective
Session Chair: Arthur van der Wees, Arthur's Legal

Setting the Scene, Franck Boissière, European Commission

ENISA's View on Security Implications of IoT and 5G, Apostolos Malatras, ENISA

Smart City Aspects, Bram Reinders, Institute for Future of Living

The Network Operators Perspective on IoT Security, Ian Smith, GSMA



Tuesday, 3 April 2018

Some interesting April Fools' Day 2018 Technology Jokes

This year April Fools' Day wasn't as fun as the last one, for a couple of reasons: it was on a Sunday and it coincided with Easter Sunday. Here are some of the jokes that I found interesting.

Sprint's Magic Ball:

It was good to see that the US mobile operator joined the party this year. Their magicball (based on their highly successful Magic Box) advert was really good. Here is the video:



Good to see that they managed to squeeze in references to 5G and small cells

Official site: http://newsroom.sprint.com/sprint-magic-ball.htm


T-Mobile Sidekicks Re-booted:


T-Mobile USA has consistently come up with the best tech pranks. Last year they had the OneSie with Human HotSpot and BingeOnUp the year before. This year the re-booted sidekicks was the joke of the day. The video is embedded below. As the description says, T-Mobile’s Sidekick gets a remake! Inspired by the past but stepping boldly into the future, it has revolutionary AI, headphones that double as chargers, personalized GPS guidance by John Legere, and more!



Official site: https://www.t-mobile.com/offers/sidekicks


The Chegg Osmosis Pillow:


"A top-secret team of Chegg engineers from Zurich spent two years developing a new patent-pending revolutionary proprietary method of making memory foam using special blends of matcha and lavender. Thanks to their discoveries, Chegg’s memory foam actually improves your memory. Got a final exam tomorrow? Sleep on it. Got a lab report due? Sleep on it. Need to outline your entire thesis? Sleep on it."

Official Website: https://www.chegg.com/play/memory-foam-pillow/


Pindrop TonguePrinting:


"Tongueprinting technology analyzes thousands of tiny bumps called papillae, as well as factors such as shape, size, and temperature to accurately identify yourself by licking your phone. This technology will be the mouthpiece of Pindrop’s latest authentication and anti-fraud solutions." Video:


Official website: https://www.pindrop.com/resources/video/video/tongueprinting/


Roku Happy Streaming Socks: "Do messy snack hands keep you from using your Roku remote? Meet the new Roku Happy Streaming Socks with built-in motion sensors, plus toe-toasting and anti-loss technology."


Official Website: https://blog.roku.com/roku-happy-streaming-socks


The other jokes were, well, not very funny but here are some worth mentioning...

Virgin Voyages Wa-Fi: "Here at Virgin Voyages we are excited to be bringing underwater WiFi, or as we call it “Wa-Fi” service, to all Virgin Voyages ships." Website: https://www.virginvoyages.com/wa-fi.html

Logitech BS Detection Software: "Today, I’m proud to announce that we are taking video calls to a whole new level with the introduction of Logitech Business Speak (BS) Detection software. Logitech BS Detection revolutionizes our meeting capabilities with built-in artificial intelligence (AI) that flags the…well…BS in business communications. "

Website: https://blog.logitech.com/2018/03/30/logitech-revolutionizes-business-communication-with-the-introduction-of-business-speak-detection-software/

Josh Ultra by Josh.Ai: https://www.cepro.com/article/josh.ai_josh_ultra_premium_voice_control

Jabra Sneakers: https://www.jabra.com/jabra-sneakers


Genetic Select by Lexus: Introducing Genetic Select by Lexus in partnership with 23andMe. The world’s first service that uses human genetics to match you with the car of your genes. http://www.lexus.com/geneticselect/

Google Maps is adding a Where’s Waldo? mini-game for the next week: Link.

Google Japan's Gboard: https://japan.googleblog.com/2018/04/tegaki.html

Google Cloud Hummus API - Find your Hummus!: https://www.youtube.com/watch?v=0_5X6N6DHyk

Tech21 Flexichoc case: https://twitter.com/Tech21Official/status/979392283106824192

Audi Downsizing Assistant: https://twitter.com/AudiOfficial/status/979991696657203201

Lego VacuSort: https://twitter.com/LEGO_Group/status/980369210789507072

Did I miss any good ones?



Sunday, 25 March 2018

5G Security Updates - March 2018


It's been a while since I wrote about 5G security in this fast-changing 5G world. If you are new to 3GPP security, you may want to start with my tutorial here.

3GPP SA3 Chairman, Anand R. Prasad recently mentioned in his LinkedIn post:

5G security specification finalized! Paving path for new business & worry less connected technology use.

3GPP SA3 delegates worked long hours diligently to conclude the specification for 5G security standard during 26 Feb.-2 Mar. Several obstacles were overcome by focussed effort of individuals & companies from around the globe. Thanks and congrats to everyone!

All together 1000s of hours of work with millions of miles of travel were spent in 1 week to get the work done. This took 8 meetings (kicked off Feb. 2017) numerous on-line meetings and conference calls.

Excited to declare that this tremendous effort led to timely completion of 5G security specification (TS 33.501) providing secure services to everyone and everything!

The latest version of specs is on 3GPP website here.

ITU also held a workshop on 5G Security in Geneva, Switzerland on 19 March 2018 (link). There were quite a few interesting presentations. Below are some slides that caught my attention.

The picture in the tweet above from China Mobile summarises the major 5G security issues very well. 5G security is going to be far more challenging than previous generations.

The presentation by Haiguang Wang, Huawei contained a lot of good technical information. The picture at the top is from that presentation and highlights the difference between 4G & 5G Security Architecture.


New entities have been introduced to make 5G more open.


EPS-AKA vs 5G-AKA (AKA = Authentication and Key Agreement) for trusted nodes


EAP-AKA' for untrusted nodes.


Slice security is an important topic that multiple speakers touched upon and I think it will continue to be discussed for the foreseeable future.

Dr. Stan Wing S. Wong from King’s College London has some good slides on 5G security issues arising out of Multi-Tenancy and Multi-Network Slicing.

Peter Schneider from Nokia-Bell Labs had good slides on 5G Security Overview for Programmable Cloud-Based Mobile Networks

Sander Kievit from TNO, a regular participant of working group SA3 of 3GPP on behalf of the Dutch operator KPN presented a view from 3GPP SA3 on the Security work item progress (slides). The slide above highlights the changes in 5G key hierarchy.

The ITU 5G Security Workshop Outcomes is available here.

ETSI Security Week 2018 will be held 11-15 June 2018. 5G security/privacy is one of the topics.

There is also 5GPPP Workshop on 5G Networks Security (5G-NS 2018), being held in Hamburg, Germany on August 27-30, 2018.

In the meantime, please feel free to add your comments & suggestions below.



Thursday, 4 January 2018

Introduction to 3GPP Security in Mobile Cellular Networks


I recently did a small presentation on 3GPP Security, looking at how the security mechanism works in mobile cellular networks, focusing mainly on signaling associated with authentication, integrity protection and ciphering / confidentiality. It's targeted towards people with a basic understanding of mobile networks. Slides with embedded video below.



You can also check-out all such videos / presentations at the 3G4G training section.

Sunday, 20 August 2017

Enhanced 5G Security via IMSI Encryption


IMSI Catchers can be a real threat. They don't generally affect anyone unless someone is out to get them. Nevertheless it's a security flaw that is even present in LTE. This presentation here is a good starting point for learning about IMSI Catchers, and the one here covers privacy and availability attacks.


This article by Ericsson is a good starting point on how 5G will enhance security by IMSI encryption. From the article:
The concept we propose builds on an old idea that the mobile device encrypts its IMSI using home network’s asymmetric key before it is transmitted over the air-interface. By using probabilistic asymmetric encryption scheme – one that uses randomness – the same IMSI encrypted multiple times results in different values of encrypted IMSIs. This makes it infeasible for an active or passive attacker over the air-interface to identify the subscriber. Above is a simplified illustration of how a mobile device encrypts its IMSI. 
Each mobile operator (called the ‘home network’ here) has a public/private pair of asymmetric keys. The home network’s private asymmetric key is kept secret by the home network, while the home network’s public asymmetric key is pre-provisioned in mobile devices along with subscriber-specific IMSIs (Step 0). Note that the home network’s public asymmetric key is not subscriber-specific. 
For every encryption, the mobile device generates a fresh pair of its own public/private asymmetric keys (Step 1). This key pair is used only once, hence called ephemeral, and therefore provide probabilistic property to the encryption scheme. As shown in the figure, the mobile device then generates a new key (Step 2), e.g., using Diffie–Hellman key exchange. This new key is also ephemeral and is used only once to encrypt the mobile device’s IMSI (Step 3) using symmetric algorithm like AES. The use of asymmetric and symmetric crypto primitives as described above is commonly known as integrated/hybrid encryption scheme. The Elliptic Curve Integrated Encryption Scheme (ECIES) is a popular scheme of such kind and is very suitable to the use case of IMSI encryption because of low impact on radio bandwidth and mobile device’s battery. 
The nicest thing about the described concept is that no public key infrastructure is necessary, which significantly reduces deployment complexity, meaning that mobile operators can start deploying IMSI encryption for their subscribers without having to rely on any external party or other mobile operators.
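
The hybrid scheme described in the quoted article, as an added example that is not code from the article, from Ericsson or from 3GPP: a standard-library Python sketch of Steps 0 to 3. It assumes X25519 for the Diffie-Hellman step and uses a SHA-256 counter keystream with a truncated HMAC tag as a stand-in for AES; the function names, key derivation labels and the sample IMSI are constructed for illustration.

```python
"""ECIES-style IMSI concealment sketch (added example, standard library only)."""
import hashlib
import hmac
import os

P = 2**255 - 19                     # Curve25519 field prime
A24 = 121665                        # curve constant from RFC 7748
BASE = (9).to_bytes(32, "little")   # Curve25519 base point, u = 9
TAG_LEN = 8                         # truncated HMAC length (assumption of this sketch)


def x25519(scalar, u_coord):
    """RFC 7748 Montgomery ladder. Pure Python, so NOT constant-time."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u_coord, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:                       # conditional swap of the two points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair():
    """Used for the home network key (Step 0) and the device's ephemeral key (Step 1)."""
    private = os.urandom(32)
    return private, x25519(private, BASE)


def _session_keys(private, peer_public, eph_public):
    """Step 2: Diffie-Hellman, then derive one-time encryption and MAC keys."""
    shared = x25519(private, peer_public)
    if shared == bytes(32):          # a small-order peer key yields an all-zero secret
        raise ValueError("invalid public key")
    enc_key, mac_key = (hashlib.sha256(shared + eph_public + label).digest()
                        for label in (b"enc", b"mac"))
    return enc_key, mac_key


def _xor_stream(key, data):
    """SHA-256 counter keystream, standing in for AES-CTR (no AES in the stdlib)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))


def conceal_imsi(imsi, hn_public):
    """Device side: returns ephemeral public key || ciphertext || tag."""
    eph_private, eph_public = generate_keypair()                # Step 1
    enc_key, mac_key = _session_keys(eph_private, hn_public, eph_public)
    ciphertext = _xor_stream(enc_key, imsi.encode("ascii"))     # Step 3
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return eph_public + ciphertext + tag


def reveal_imsi(blob, hn_private):
    """Home network side: verify the tag first, then decrypt."""
    if len(blob) <= 32 + TAG_LEN:
        raise ValueError("message too short")
    eph_public, ciphertext, tag = blob[:32], blob[32:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _session_keys(hn_private, eph_public, eph_public)
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _xor_stream(enc_key, ciphertext).decode("ascii")


if __name__ == "__main__":
    hn_private, hn_public = generate_keypair()   # Step 0: public half goes on the SIM
    imsi = "001010123456789"                     # constructed test IMSI, not a real subscriber
    first = conceal_imsi(imsi, hn_public)
    second = conceal_imsi(imsi, hn_public)
    print("over the air #1:", first.hex())
    print("over the air #2:", second.hex())
    print("same IMSI, different ciphertexts:", first != second)
    print("home network recovers:", reveal_imsi(first, hn_private))
```

Two concealments of the same IMSI share no bytes an observer on the air interface could use to link them, because the ephemeral key, and so every derived key, changes each time. A deployment would use a vetted constant-time cryptographic library rather than this ladder.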

'3GPP TR 33.899: Study on the security aspects of the next generation system' lists one such approach.


The key steps are as follows:

  1. UE is configured with 5G (e)UICC with ‘K’ key, the Home Network ID, and its associated public key.
  2. SEAF sends Identity Request message to NG-UE. NG-UE considers this as an indication to initiate Initial Authentication.
  3. NG-UE performs the following:
    1. Request the (e)UICC application to generate required security material for initial authentication, RANDUE, , COUNTER, KIARenc, and KIARInt.
    2. NG-UE builds IAR as per MASA. In this step NG-UE includes NG-UE Security Capabilities inside the IAR message. It also may include its IMEI. 
    3. NG-UE encrypts the whole IAR including the MAC with the home network public key.
    4. NG-UE sends IAR to SEAF.
  4. Optionally, gNB-CP node adds its Security Capabilities to the transport message between the gNB-CP and the SEAF (e.g., inside S1AP message as per 4G).
  5. gNB-CP sends the respective S1AP message that carries the NG-UE IAR message to the SEAF.
  6. SEAF acquires the gNB-CP security capabilities as per the listed options in clause 5.2.4.12.4.3 and saves them as part of the temporary context for the NG-UE.
  7. SEAF follows MASA and forward the Authentication and Data Request message to the AUSF/ARPF.
  8. When AUSF/ARPF receives the Authentication and Data Request message, authenticates the NG-UE as per MASA and generates the IAS respective keys. AUSF/ARPF may recover the NG-UE IMSI and validate the NG-UE security capabilities.
  9. AUSF/ARPF sends Authentication and Data Response to the SEAF as per MASA with NG-UE Security Capabilities included.
  10. SEAF recovers the Subscriber IMSI, UE security Capabilities, IAS keys, RANDHN, COUNTER and does the following:
    1. Examine the UE Security Capabilities and decides on the Security parameters.
    2. SEAF may acquire the UP-GW security capabilities at this point after receiving the UP-GW identity from AUSF/ARPF or allocate it dynamically through provisioning and load balancing.
  11. SEAF builds IAS and send to the NG-UE following MASA. In addition, SEAF include the gNB-CP protocol agreed upon security parameters in the S1AP message being sent to the gNB-CP node.
  12. gNB-CP recovers gNB-CP protocol agreed upon security parameters and save it as part of the NG-UE current context.
  13. gNB-CP forwards the IAS message to the NG-UE.
  14. NG-UE validates the authenticity of the IAS and authenticates the network as per MASA. In addition, the UE saves all protocols agreed upon security parameters as part of its context. NG-UE sends the Security and Authentication Complete message to the SEAF.
  15. SEAF communicates the agreed upon UP-GW security parameters to the UP-GW during the NG-UE bearer setup.

ARPF - Authentication Credential Repository and Processing Function 
AUSF - Authentication Server Function 
SCMF - Security Context Management Function
SEAF - Security Anchor Function
NG-UE - NG UE
UP - User Plane 
CP - Control Plane
IAR - Initial Authentication Request 
IAS - Initial Authentication Response
gNB - Next Generation NodeB

You may also want to refer to the 5G Network Architecture presentation by Andy Sutton for details.


Tuesday, 25 July 2017

5G Security Updates - July 2017


It's been nearly 2 years since I last blogged about the ETSI Security workshop. A lot has changed since then, especially as 5G is already in the process of being standardised. This is in addition to NFV / SDN that also applied to 4G networks.

ETSI Security Week (12 - 16 June) covered a lot more than 5G, NFV, SDN, etc. Security specialists can follow the link to get all the details (if they were not already aware of them).

I want to quickly provide 3 links so people can find all the useful information:

NFV Security Tutorial: designed to educate attendees on security concerns facing operators and providers as they move forward with implementing NFV. While the topics are focused on security and are technical in nature we believe any individual responsible for designing, implementing or operating a NFV system in an organization will benefit from this session. Slides here.

NFV Security: Network Functions Virtualization (NFV), leveraging cloud computing, is set to radically change the architecture, security, and implementation of telecommunications networks globally. The NFV Security day will have a sharp focus on the NFV security and will bring together the world-wide community of the NFV security leaders from the industry, academia, and regulators. If you want to meet the movers and shakers in this field, get a clear understanding of the NFV security problems, challenges, opportunities, and the state of the art development of security solutions, this day is for you. Slides here.



5G Security: The objectives of this event are to:
  • Gather different actors involved in the development of 5G, not only telecom, and discuss together how all their views will shape together in order to understand the challenges, threats and the security requirements that the 5G scenarios will be bringing.
  • Give an update of what is happening in:
    • 5G security research: Lot of research is on-going on 5G security and several projects exist on the topic.
    • 5G security standards: Standardization bodies have already started working on 5G security and their work progress will be reviewed. Also any gap or additional standardization requirements will be discussed.
    • Verticals and business (non-technical) 5G security requirements: 5G is a playground where different verticals besides the telecom industry are playing a role and their requirements will be key for the design of 5G security. In addition 5G is where "security" will become the business driver.
  • Debate about hot topics such as: IoT security, Advances in lightweight cryptography, Slicing security. Privacy. Secure storage and processing. Security of the interconnection network (DIAMETER security). Relevance of Quantum Safe Cryptography for 5G, Authorization concepts....
Slides for 5G Security here.

In addition, Jaya Baloo, CISO, KPN Telecom talks about 5G network security at TechXLR8 2017. Embedded is a video of that:


Sunday, 4 December 2016

5G, Hacking & Security


It looks like devices that are not manufactured with security and privacy in mind are going to be the weakest link in future network security problems. I am sure you have probably read about how hacked cameras and routers enabled a Mirai botnet to take out major websites in October. Since then, there has been no shortage of reports on how IoT devices could be hacked. In fact the one I really liked was 'Researchers hack Philips Hue lights via a drone; IoT worm could cause city blackout' 😏.


Enter 5G and the problem could be made much worse. With high speed data transfer and signalling, these devices can create an instantaneous attack on a very large scale, generating a signalling storm that can take a network down in no time.

Giuseppe TARGIA, Nokia presented an excellent summary of some of these issues at the iDate Digiworld Summit 2016. His talk is embedded below:



You can check out many interesting presentations from the iDate Digiworld Summit 2016 on Youtube and Slideshare.



Friday, 30 September 2016

Quantum Technology and Future Telecommunications

Last year I posted an excerpt from an article in the FT which implied that Quantum technology will play a big role in a post-5G world. Earlier this month CW held their annual Technology & Engineering Conference (CW TEC). The topic was "The Quantum Revolution is coming". I have to admit that I knew next to nothing before the conference; however, now I hope I know just enough to dabble in quantum technology related discussions.

The main question that I had before the conference was 'when will quantum technology be here?'. While there were different answers, depending on what you think Quantum is, I think the answer I feel comfortable with is more like 2030 (just in time for 6G?).


There are already some great write-ups of the conference by others, please see links at the bottom of the post. Here are the presentations from the event:





Sunday, 26 June 2016

Three Presentations on 5G Security


Here are three presentations from the 5G Huddle in April, looking at 5G security aspects. As I have repeatedly mentioned, 5G is in the process of being defined, so these presentations just present the view from what we know about 5G today.



Monday, 24 August 2015

Some interesting presentations from ETSI Security workshop


ETSI held their security week from 22-26 June 2015 at their headquarters. There are lots of interesting presentations (see agenda [PDF]); I am embedding some here.


This is a good presentation providing a summary of the reasons for IoT security issues and some of the vulnerabilities that have been seen as a result of that.




The next one is "The Threat landscape of connected vehicles and ITS (Intelligent Transportation Systems) integration in general".



This presentation provides a good summary of the threats to connected cars/vehicles, which are only going to become more common. Some of these issues will have to be solved now before we move on to autonomous vehicles in future. Security issues there will be catastrophic and many lives can be lost.

The final presentation is from 3GPP SA3 that provides a quick summary of security related work in 3GPP.