It's been a while since we created our security tutorial, back in 2018. One of the items we discussed there was fake cell towers, or fake base stations. The issues highlighted there still exist, as shown by AIS CISO Pepijn Kok at The Telecom Threat Intelligence Summit (TTIS) 2024.
The threat actors exploited the one-way authentication of GSM (the network authenticates the phone, but a 2G phone has no way to authenticate the network) to operate fake base stations as part of SMS phishing attacks and steal from real bank accounts. In his talk Pepijn explains how AIS worked with ecosystem partners in Thailand to detect and block these attacks.
The talk described two case studies. The first was a report from December 2022 in which certain bank customers and online retail platform users received SMS messages masquerading as the bank or online platform itself (something not normally possible). The messages contained links to malicious content. The second is a recent case from April 2024 in which AIS customers started receiving fake SMS messages with malicious links. It was obvious in that case that the SMS did not come from the AIS network, which triggered AIS to start investigating, as they were sure a fake base station was in operation. The talk describes how in both scenarios the gangs were caught.
The talk is embedded below:
You can learn more about TTIS here. The video of all the talks from day 1 is here and day 2 is here.
At DEF CON 31 last year, Tracy Mosley, Vulnerability Researcher at Trenchant, presented a talk titled "Nothin’ but a G Thang - The Evolution of Cellular Networks" (background of the title). The abstract of the talk says:
In this talk we will walk through each step of cellular evolution, starting at 2G and ending at 5G. The never-ending attack and defend paradigm will be clearly laid out. In order to understand the attack surface, I’ll cover network topology and protocol. For each cellular generation, I will explain known vulnerabilities and some interesting attacks. In response to those vulnerabilities, mitigations for the subsequent cellular generation are put in place. But as we all know, new mitigations mean new opportunities for attackers to get creative. While I will explain most cellular-specific terminology, a familiarity with security concepts will help to better understand this talk. Basic foundations of communications systems, information theory or RF definitely make this talk more enjoyable, but are absolutely not necessary. It’s a dense topic that is highly applicable to those working on anything that touches the cellular network!
It's been a while since I wrote about the ETSI Security Conference, which was once known as ETSI Security Week. This year, ETSI’s annual flagship event on cyber security took place face-to-face from 16 to 19 October 2023 at ETSI in Sophia Antipolis, France, and gathered more than 200 people.
The event this year focused on Security Research and Global Security Standards in action. It also considered wider aspects such as attracting the next generation of cyber security standardization professionals and supporting SMEs.
Session 4: Regulation, Data Protection and Privacy, Technical Aspects
Day 2:
Session 1: Zero Trust, Supply Chain & Open Source
Session 2: IoT & Certification
Session 3: Zero Trust, Supply Chain & Open Source
Session 4: Quantum Safe Cryptography Session
Day 3:
Session 1: Experiences of Attracting Next Generation of Engineers and Investing in Future
Session 2: IoT and Certification Session
Session 3: IoT & Mobile Certification
Session 4: 5G in the Wild - Part 1
Day 4:
Session 1: 5G in the Wild - Part 2
Session 2: 6G Futures
Session 3: Augmented Reality and AI
You can see the detailed agenda here. The presentations from the conference are available here.
The CyberSecurity Magazine interviewed Helen L. and Jane Wright about diversity and careers in cybersecurity. Helen, from the National Cyber Security Centre, has worked in security for over 20 years and is a mentor on the CyberFirst programme, which aims to inspire and encourage students from all backgrounds to consider a career in cybersecurity. Jane Wright is a Cyber Security Engineer at QinetiQ and has been taking part in CyberFirst. The interview, along with a video, is available here.
I had been meaning to add this session to the blog for a while. Some security researchers may find these useful.
At RSA Conference 2022, Bret Jordan, CTO, Emerging Technologies, Broadcom and Kirsty Paine, Advisor - Technology & Innovation, EMEA, Splunk Inc. presented a talk covering what they described as the most important, interesting and impactful technical standards, hot off the press and so 2022. From the internet and all its things, to the latest cybersecurity defenses, including 5G updates and more acronyms than one can shake a stick at.
3GPP Release 17 introduced a new feature called AKMA (Authentication and Key Management for Applications). Its goal is to enable authentication and the generation of application keys based on 3GPP credentials for all UE types in the 5G System, especially IoT devices, bootstrapping security between the UE and applications from the keys established during 5G primary authentication.
3GPP TR 21.917 has an excellent summary as follows:
Authentication and key management for applications based on 3GPP credential in 5G (AKMA) is a cellular-network-based delegated authentication system specified for the 5G system, helping establish a secure tunnel between the end user and the application server. Using AKMA, a user can log in to an application service only based on the 3GPP credential which is the permanent key stored in the user’s tamper-resistant smart card UICC. The application service provider can also delegate the task of user authentication to the mobile network operator by using AKMA.
The AKMA architecture and procedures are specified by SA3 in TS 33.535, with the related study showing how its general principles are derived documented in TR 33.835. The AKMA feature introduces a new Network Function into the 5G system, which is the AKMA Anchor Function (AAnF). Its detailed services and API definitions are specified by CT3 in TS 29.535. Earlier generations of cellular networks include two similar standards specified by SA3, which are generic bootstrapping architecture (GBA) and battery-efficient security for very low throughput machine type communication devices (BEST). Since the AKMA feature is deemed as a successor of these systems, the work is launched by SA3 without the involvement of stage 1.
In the latest issue of the 3GPP Highlights Magazine, Suresh Nair, 3GPP Working Group SA3 Chair, together with Saurabh Khare and Jing Ping (Nokia), explains the AKMA procedure. The article is also available on the 3GPP website here. It lists the following AKMA advantages:
Since the AKMA framework uses authentication and authorization of the UE leveraging the PLMN credentials stored on the USIM, this becomes as strong as the network primary authentication and subsequent keys derived further to UE and Application Function (AF) interface.
The Application Functions can leverage the authentication service provided by the AKMA Anchor Function (AAnF) without additional CAPEX and OPEX.
The architecture provides a direct interface between the UE and the AF where a customized application-specific interface can be built, including the key management, key lifetime extension, etc.
The Journal of ICT Standardization has a paper on Authentication Mechanisms in the 5G System. It details AKMA and much more, and is a great place to start for anyone new looking to understand the different 5G authentication mechanisms.
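To make the key hierarchy concrete, here is an added example (written for this post, not code from 3GPP or from the Nokia article) that derives the AKMA keys the way TS 33.535 describes them, on top of the generic 3GPP KDF from TS 33.220 Annex B. The FC values (0x80 for K_AKMA, 0x81 for A-TID, 0x82 for K_AF) and the parameter layout are as I read TS 33.535 Annex A; verify them against the current specification before reusing. Encoding SUPI and AF_ID as plain ASCII, the A-KID username layout and the AAnF bookkeeping are simplifications, and all key values and identifiers are constructed. The point to take away is the one the advantages list makes: the AF only ever receives a K_AF bound to its own AF_ID, and never K_AUSF or K_AKMA.

```python
"""AKMA key hierarchy (3GPP TS 33.535) built on the generic 3GPP KDF (TS 33.220 B.2).

Added example for this post, not 3GPP code or the Nokia article's. FC values and
parameter layout follow TS 33.535 Annex A (A.2 K_AKMA, A.3 A-TID, A.4 K_AF) as I
read them; check them against the current spec before reuse. ASCII encoding of SUPI
and AF_ID, the A-KID username layout and the AAnF bookkeeping are simplifications.
Key values and identifiers are constructed.
"""
import base64
import hashlib
import hmac


def kdf_33220(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(Key, S) with S = FC || P0 || L0 || P1 || L1 ...,
    each Li being the 2-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    """TS 33.535 A.2: K_AKMA from K_AUSF, the key left behind by 5G primary authentication."""
    return kdf_33220(k_ausf, 0x80, supi.encode())


def derive_a_tid(k_ausf: bytes, supi: str) -> bytes:
    """TS 33.535 A.3: AKMA Temporary Identifier, so the AF never sees the SUPI."""
    return kdf_33220(k_ausf, 0x81, supi.encode())


def derive_k_af(k_akma: bytes, af_id: str) -> bytes:
    """TS 33.535 A.4: application key bound to AF_ID (AF FQDN plus Ua* protocol identifier)."""
    return kdf_33220(k_akma, 0x82, af_id.encode())


def build_a_kid(a_tid: bytes, rid: str, hn_id: str) -> str:
    """A-KID in NAI form username@realm. Assumed layout: username carries the
    routing indicator followed by base64url(A-TID); realm is the home network identifier."""
    return rid + base64.urlsafe_b64encode(a_tid).rstrip(b"=").decode() + "@" + hn_id


class AAnF:
    """AKMA Anchor Function: holds K_AKMA per A-KID and only ever releases K_AF."""

    def __init__(self):
        self._anchors = {}  # A-KID -> (K_AKMA, SUPI)

    def store(self, a_kid: str, k_akma: bytes, supi: str) -> None:
        # Pushed by the AUSF after a successful primary authentication
        self._anchors[a_kid] = (k_akma, supi)

    def application_key_get(self, a_kid: str, af_id: str):
        """Naanf_AKMA request from an AF: K_AF for this AF_ID, or None when the anchor is
        unknown (the AF then rejects; a fresh primary authentication refreshes the anchor)."""
        entry = self._anchors.get(a_kid)
        if entry is None:
            return None
        k_akma, _supi = entry
        return derive_k_af(k_akma, af_id)


def akma_flow(k_ausf: bytes, supi: str, rid: str, hn_id: str, af_id: str):
    """End-to-end flow modelled in one process. Returns (A-KID, UE's K_AF, AF's K_AF)."""
    # Network side: AUSF derives the anchor material and stores it in the AAnF
    aanf = AAnF()
    a_kid = build_a_kid(derive_a_tid(k_ausf, supi), rid, hn_id)
    aanf.store(a_kid, derive_k_akma(k_ausf, supi), supi)
    # UE side: the same K_AUSF from primary authentication gives the same hierarchy
    ue_k_af = derive_k_af(derive_k_akma(k_ausf, supi), af_id)
    # AF side: learns only the A-KID from the UE over Ua*, then fetches K_AF from the AAnF
    af_k_af = aanf.application_key_get(a_kid, af_id)
    return a_kid, ue_k_af, af_k_af


if __name__ == "__main__":
    k_ausf = bytes(range(32))  # constructed; in reality output of primary authentication
    a_kid, ue, af = akma_flow(k_ausf, "imsi-001010123456789", "0",
                              "5gc.mnc001.mcc001.3gppnetwork.org", "af.example.com")
    print("A-KID:", a_kid)
    print("UE and AF agree on K_AF:", ue == af)
```

Running the flow for two different AF_IDs gives two unrelated K_AF values from the same anchor, which is what lets one primary authentication bootstrap many applications without any of them learning the others' keys.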
Dr. Seppo Virtanen is an Associate Professor in Cyber Security Engineering and Vice Head of the Department of Computing at the University of Turku, Finland. At 5G Hack The Mall 2022, he presented a talk on Cybersecurity and 5G.
In the talk he covered the following topics:
Cybersecurity and Information Security
The CIA (Confidentiality, Integrity and Availability) Model
Achieving the goals of the CIA model
Intrusion and Detection
Intrusion detection, mitigation and aftercare
Smart Environments
Abstraction levels
Cybersecurity in smart environments
Cyber security concerns in smart environments
Security concerns in Smart Personal Spaces
Security concerns in Smart Rooms and Buildings
Security concerns of a participant in a smart environment
Cyber Security Concerns in Smart Environments
Cyber Security in the 5G context
Drivers for 5G security
Securing 5G
The video embedded below is a nice introduction to cybersecurity and how it overlaps with 5G:
Not long ago we looked at 'Impact of 5G on Lawful Interception and Law Enforcement' by SS8. David Anstiss, Senior Solutions Architect at SS8 Networks, gave another interesting talk on the Evolving Location and Encryption Needs of LEAs in a 5G World at the Telecoms Europe Telco to Techco virtual event in March.
In this talk, David provided an insight into how 5G is impacting lawful interception and the challenges Law Enforcement Agencies face as they work with Communication Service Providers to gather intelligence and safeguard society. While there is some overlap with the previous talk, in this video David looked at a real-world example involving WhatsApp. The talk also covered:
Real-world problems with 5GC encryption
5G location capabilities and the impact on law enforcement investigations
Over the last couple of years I keep coming across Zero-Trust Architecture (ZTA). A simple way to explain it: the traditional model is the perimeter security model, in which everything inside the perimeter is trusted. In the zero-trust (ZT) model no assumption of trustworthiness is made from network location alone, so every request is authenticated and authorized; hence it is also sometimes known as the perimeterless security model.
This short video from IBM clearly explains what ZT means:
This blog post from Palo Alto Networks also clearly explains ZT:
By definition, Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. Zero Trust for 5G removes implicit trust regardless of what the situation is, who the user is, where the user is or what application they are trying to access.
The impact of Zero Trust on network security specifically protects the security of sensitive data and critical applications by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention and simplifying granular user-access controls. Where traditional security models operate under the assumption that everything inside an organization’s perimeter can be trusted, the Zero Trust model recognizes that trust is a vulnerability.
In short, Zero Trust for 5G presents an opportunity for service providers, enterprises and organizations to re-think how users, applications and infrastructure are secured in a way that is scalable and sustainable for modern cloud, SDN-based environments and open-sourced 5G networks. Delivering the Zero Trust Enterprise means taking Zero Trust principles, making them actionable and effectively rebuilding security to keep pace with digital transformation.
A research paper looking at Intelligent ZTA (i-ZTA) provides an interesting approach to security in 5G and beyond. The paper can be downloaded from here. The abstract states:
While network virtualization, software-defined networking (SDN), and service-based architectures (SBA) are key enablers of 5G networks, operating in an untrusted environment has also become a key feature of the networks. Further, seamless connectivity to a high volume of devices in multi-radio access technology (RAT) has broadened the attack surface on information infrastructure. Network assurance in a dynamic untrusted environment calls for revolutionary architectures beyond existing static security frameworks. This paper presents the architectural design of an i-ZTA upon which modern artificial intelligence (AI) algorithms can be developed to provide information security in untrusted networks. We introduce key ZT principles as real-time Monitoring of the security state of network assets, Evaluating the risk of individual access requests, and Deciding on access authorization using a dynamic trust algorithm, called MED components. The envisioned architecture adopts an SBA-based design, similar to the 3GPP specification of 5G networks, by leveraging the open radio access network (O-RAN) architecture with appropriate real-time engines and network interfaces for collecting necessary machine learning data. The i-ZTA is also expected to exploit the multi-access edge computing (MEC) technology of 5G as a key enabler of intelligent MED components for resource-constrained devices.
Ericsson Technology Review covered Zero Trust in 5G Networks in one of its issues. Quoting from the article:
The 3GPP 5G standards define relevant network security features supporting a zero trust approach in the three domains: network access security, network domain security and service-based architecture (SBA) domain security.
The network access security features provide users with secure access to services through the device (mobile phone or connected IoT device) and protect against attacks on the air interface between the device and the radio node. Network domain security includes features that enable nodes to securely exchange signaling data and user data, for example, between radio and core network functions (NFs).
The 5G SBA is built on web technology and web protocols to enable flexible and scalable deployments using virtualization and container technologies and cloud-based processing platforms. SBA domain security specifies the mechanism for secure communication between NFs within the serving network domain and with other network domains.
The new requirements and functionality introduced in the 5G specifications are already aligned with many of the zero trust tenets. It is already evident, however, that further technology development, standardization and implementation are needed in areas such as policy frameworks, security monitoring and trust evaluation to support the adoption of zero trust architecture in new telecom environments that are distributed, open, multi-vendor and/or virtualized.
While various technologies can support organizations in adhering to the guiding principles of zero trust as part of their total active defense strategy, it is important to remember that technology alone will never be sufficient to realize the full potential of zero trust. Successful implementation of a network based on zero trust principles requires the concurrent implementation of information security processes, policies and best practices, as well as the presence of knowledgeable security staff. Regardless of where a CSP is in its transition toward a zero trust architecture, the three pillars of people, processes and technology will continue to be the foundation of a robust security architecture.
Pentests, or penetration tests, are a form of ethical hacking: an authorized, simulated cyberattack on a computer system, performed to evaluate the security of that system. They are carried out to identify weaknesses or vulnerabilities, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.
Expected to be released in 2021, we only see the early stage of 5G-NR connectivity in rare places around the world and we cannot talk yet about "real 5G" as current installations are put on the Non-Standalone mode (NSA) using 4G infrastructures. But in the meantime, it is important to get prepared for this upcoming technology and ways we can practically simulate real-world attacks in the future, with Standalone (SA) mode-capable devices and networks. In this presentation, we will see how to conduct practical security assignments on future 5G SA devices and networks, and how to investigate the protocol stack. To begin the presentation, we briefly present the differences with 2G-5G in terms of security applied to security assessment contexts, i.e. the limit we are left with, and how to circumvent them. Then we see what a 5G-NR security testbed looks like, and discuss what type of bugs are interesting to spot. Third, we make more sense about some attacks on devices by showing attacks that could be performed on the core side from the outside. Finally, we briefly introduce how we could move forward by looking at the 5G protocol stack and the state of the current mean.
Slides are available here and the video is embedded below:
A post on their website also looks at penetration testing of a standalone 5G core. The post contains a video, which can also be accessed directly here.
A new white paper from 5G Americas provides a near-annual update on the topic of security in wireless cellular networks. The current edition addresses emerging challenges and opportunities, making recommendations for securing 5G networks in the context of the evolution to cloud-based and distributed networks.
Additionally, the white paper provides insight into securing 5G in private, public, and hybrid cloud deployment models. Topics such as orchestration, automation, cloud-native security, and application programming interface (API) security are addressed. The transition from perimeter-based security to a zero-trust architecture to protect assets and data from external and internal threats is also discussed.
At the Telecoms Europe 5G 2021 event, David Anstiss, Senior Solutions Architect, SS8 Networks, gave a talk on the Impact of 5G on lawful interception and law enforcement. The talk provided an insight into how 5G is impacting lawful interception, and the challenges faced by intelligence agencies as they work with communication service providers to gather information to safeguard society.
The talk, followed by Q&A is embedded below:
You may also find this blog post titled, 'Five Challenges of Gathering Digital Evidence in a 5G World' by David Anstiss, interesting.
The National Governors Association (NGA) in the USA is the voice of the leaders of 55 states, territories and commonwealths. On May 24th, its Resource Center for State Cybersecurity featured a panel of experts from AT&T for a conversation on understanding the 5G ecosystem, security risks, supply chain resilience, and the challenges and opportunities around deployment.
The talk highlighted the top 5G security areas of concern, the top three being:
Increased attack surface due to massive increase in connectivity
Greater number & variety of devices accessing the network
Complexity of extending security policy to new types of non-traditional and IoT devices
Some of the security advantages of 5G were highlighted as follows:
Software Defined Networking/Virtualization
Stronger 3GPP over-the-air encryption
Subscriber Identity Privacy
Roaming or network-to-network protection
Network Slicing
The slides of the talk are available here and the video is as follows:
5G and security are both big topics on this blog as well as on the 3G4G website. We reached out to 3GPP 5G security experts from wenovator, Dr. Anand R. Prasad and Hans Christian Rudolph, to help our audience understand the mysteries of 5G security. Embedded below are the video and slides from a webinar they recorded for us.
You can ask any security questions you may have on the video on YouTube.
Nokia recently delivered some lectures virtually to Bangalore University students. The talks covered a variety of topics from LTE to 5G, security and IMS. The playlist from Nokia is embedded below and covers the following topics:
Part 1: 5G - General Introduction and IoT Specific Features
Part 2: 5G Overview
Part 3: Network Security Practices and Principles
Part 4: LTE Network Architecture - Interface and Protocols
Part 5: IMS - IP Multimedia Subsystem
Mats Näslund is a cryptologist at the National Defence Radio Establishment (FRA) outside Stockholm, an agency under the Swedish Ministry of Defence. As part of his work he represents Sweden in technical LI standardization in 3GPP. Mats also has a part-time appointment as adjunct professor at KTH. He recently delivered a HAIC Talk on Lawful Intercept in 5G Networks. HAIC Talks is a series of public outreach events on contemporary topics in information security, organized by the Helsinki-Aalto Institute for Cybersecurity (HAIC).
The following is the description from HAIC website:
Our societies have been prospering, much due to huge technological advances over the last 100 years. Unfortunately, criminal activity has in many cases also been able to draw benefits from these advances. Communication technology, such as the Internet and mobile phones, are today “tools-of-the-trade” that are used to plan, execute, and even hide crimes such as fraud, espionage, terrorism, child abuse, to mention just a few. Almost all countries have regulated how law enforcement, in order to prevent or investigate serious crime, can sometimes get access to meta data and communication content of service providers, data which normally is protected as personal/private information. The commonly used term for this is Lawful Interception (LI). For mobile networks LI is, from a technical standpoint, carried out according to ETSI and 3GPP standards. In this talk, the focus will lie on the technical LI architecture for 5G networks. We will also give some background, describing the general, high-level legal aspects of LI, as well as some current and future technical challenges.
The 3G4G page contains many useful papers and links on security here, and we have also looked at the evolution of security from 4G to 5G here. Rohde & Schwarz has a short 8-minute video in which wireless technology manager Reiner Stuhlfauth explains the key technology aspects ensuring 5G security. The video is embedded below.
SEPP (Security Edge Protection Proxy) is part of the roaming security architecture, as shown in the figure above. Ericsson's article "An overview of the 3GPP 5G security standard" describes the use of SEPP as follows:
The use of SBA has also pushed for protection at higher protocol layers (i.e. transport and application), in addition to protection of the communication between core network entities at the internet protocol (IP) layer (typically by IPsec). Therefore, the 5G core network functions support state-of-the-art security protocols like TLS 1.2 and 1.3 to protect the communication at the transport layer and the OAuth 2.0 framework at the application layer to ensure that only authorized network functions are granted access to a service offered by another function. The improvement provided by 3GPP SA3 to the interconnect security (i.e. security between different operator networks) consists of three building blocks:
Firstly, a new network function called security edge protection proxy (SEPP) was introduced in the 5G architecture (as shown in figure 2). All signaling traffic across operator networks is expected to transit through these security proxies
Secondly, authentication between SEPPs is required. This enables effective filtering of traffic coming from the interconnect
Thirdly, a new application layer security solution on the N32 interface between the SEPPs was designed to provide protection of sensitive data attributes while still allowing mediation services throughout the interconnect
The main components of SBA security are authentication and transport protection between network functions using TLS, authorization framework using OAuth2, and improved interconnect security using a new security protocol designed by 3GPP.
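The OAuth 2.0 part of that summary is easy to get wrong in practice, so here is an added example (written for this post, not Ericsson or 3GPP code) of the check an NF service producer performs before serving a request, following TS 33.501 clause 13.4.1: the NRF issues the access token as a JWT, and the producer verifies the signature and then the claims the spec requires, namely issuer, audience (its own NF type), scope (the service being invoked) and expiry. HS256 with a key shared between NRF and producer stands in for the NRF's signing key (real deployments normally use an asymmetric NRF key), and the NF identifiers and service names are constructed.

```python
"""SBA authorization check at an NF service producer (TS 33.501 clause 13.4.1).

Added example for this post, not Ericsson or 3GPP code. HS256 with a shared
NRF key stands in for the NRF's signing key; NF instance IDs, NF types and
service names below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def nrf_issue_token(nrf_key, nrf_id, consumer_id, producer_type, scope, ttl=3600, now=None):
    """NRF side: mint the access token for an NF consumer.
    scope is the space-separated list of NF service names the consumer may call."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": nrf_id, "sub": consumer_id, "aud": producer_type,
              "scope": scope, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(nrf_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def producer_authorize(token, nrf_key, trusted_nrf, my_nf_type, requested_service, now=None):
    """Producer side. Returns (True, consumer_id) when the request may be served,
    otherwise (False, reason). Every check here is one the spec asks for."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    # Verify the signature before acting on any claim; the algorithm is pinned,
    # never taken from the (attacker-controlled) header.
    expected = hmac.new(nrf_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "undecodable token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if claims.get("iss") != trusted_nrf:
        return False, "untrusted issuer"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a type or a list of producers
    if my_nf_type not in aud:
        return False, "audience mismatch"
    if requested_service not in claims.get("scope", "").split():
        return False, "scope does not cover service"
    return True, claims.get("sub")


if __name__ == "__main__":
    key = b"nrf-signing-key"  # constructed
    tok = nrf_issue_token(key, "nrf-1", "amf-1", "UDM", "nudm-uecm nudm-sdm")
    print(producer_authorize(tok, key, "nrf-1", "UDM", "nudm-sdm"))   # (True, 'amf-1')
    print(producer_authorize(tok, key, "nrf-1", "UDM", "nudm-ueau"))  # scope not covered
    print(producer_authorize(tok, key, "nrf-1", "AUSF", "nudm-sdm"))  # wrong audience
```

The order of checks matters: a token for the right consumer but the wrong audience (a token minted for a UDM presented to an AUSF) or a scope that does not name the invoked service is rejected even though the signature is valid, which is exactly the "only authorized network functions are granted access to a service" property the Ericsson text describes.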
4.2 Inter PLMN (N32) Interface
The Inter-PLMN specification 3GPP TS 29.573 has been produced by 3GPP to specify the protocol definitions and message flows, and also the APIs for the procedures on the PLMN (Public Land Mobile Network) interconnection interface (i.e. N32). As stated in 3GPP TS 29.573, the N32 interface is used between the SEPPs of a VPLMN and a HPLMN in roaming scenarios. Furthermore, 3GPP has specified N32 to be considered as two separate interfaces: N32-c and N32-f.
N32-c is the Control Plane interface between the SEPPs for performing the initial handshake and negotiating the parameters to be applied for the actual N32 message forwarding. See section 4.2.2 of 3GPP TS 29.573. Once the initial HTTP/2 handshake is completed the N32-c connection is torn down. This connection is end-to-end between SEPPs and does not involve the IPX intercepting the HTTP/2 connection, although the IPX may be involved for IP level routing.
N32-f is the Forwarding interface between the SEPPs, used for forwarding the communication between the Network Function (NF) service consumer and the NF service producer after applying the application level security protection. See section 4.2.3 of 3GPP TS 29.573. N32-f can provide Application Level Security (ALS) as specified in 3GPP TS 33.501 between SEPPs, if negotiated using N32-c. ALS provides the following protection functionalities:
Message protection of the information exchanged between NF service consumer and producer
Forwarding of the application layer protected message from a SEPP in one PLMN to another PLMN by way of using IPX providers on the path. The IPX providers on the path may involve the insertion of content modification instructions which the receiving SEPP applies after verifying the integrity of such modification instructions.
The HTTP/2 connection used on N32-f is long lived, and when a SEPP establishes a connection towards another PLMN via IPX, the HTTP/2 connection from a SEPP terminates at the next hop IPX. N32-f makes use of the HTTP/2 connection management requirements specified in 3GPP TS 29.500. Confidentiality protection shall apply to all IEs for the JOSE protected message forwarding procedure, such that hop-by-hop security between the SEPP and the IPXs should be established using an IPsec or TLS VPN. If an IPX is not in the path between SEPPs, then an IPsec or TLS VPN will be established directly. Note: N32-f shall use "http" connections generated by a SEPP, and not "https".
The SEPP acts as a non-transparent proxy for the NFs when service based interfaces are used across PLMNs; however, inside IPX service providers an HTTP proxy may also be used to modify information elements (IEs) inside the HTTP/2 request and response messages. Acting in a similar manner to the IPX Diameter Proxy used in EPC roaming, the HTTP/2 proxy can be used for inspection of messages and modification of parameters.
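The sentence about the receiving SEPP applying IPX modifications "after verifying the integrity of such modification instructions" is the security-relevant part of this section, so here is an added example (written for this post, not 3GPP or GSMA code) that models the receiving-SEPP logic: the originating SEPP integrity-protects the message, each IPX on the path appends a signed JSON-Patch style modification bound to that message, and the receiving SEPP rejects the whole message unless every modification verifies against an IPX key negotiated on N32-c and touches only the IEs the local modification policy allows that IPX to change. HMAC-SHA-256 over canonical JSON stands in for the JOSE (JWE/JWS) encodings of the PRINS procedure in TS 33.501; the IE names, keys and policy are constructed.

```python
"""Receiving-SEPP handling of IPX modifications on N32-f, simplified.

Added example for this post, not 3GPP or GSMA code. HMAC-SHA-256 over canonical
JSON stands in for the JWE/JWS of TS 33.501 PRINS; IE names, keys and the
modification policy are constructed.
"""
import hashlib
import hmac
import json
from copy import deepcopy


def _canon(obj) -> bytes:
    # Deterministic serialisation so every party hashes identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, obj) -> str:
    return hmac.new(key, _canon(obj), hashlib.sha256).hexdigest()


def sepp_protect(body: dict, sepp_key: bytes) -> dict:
    """Originating SEPP: N32-f envelope with an integrity tag over the body."""
    return {"body": deepcopy(body), "tag": _tag(sepp_key, body), "modifications": []}


def ipx_modify(envelope: dict, ipx_id: str, ipx_key: bytes, patch: list) -> dict:
    """IPX on the path: append a signed modification. The signature binds the patch
    to the message tag and to its position in the chain, so it cannot be replayed
    onto another message or reordered."""
    env = deepcopy(envelope)
    seq = len(env["modifications"])
    sig = _tag(ipx_key, {"msg_tag": env["tag"], "seq": seq, "patch": patch})
    env["modifications"].append({"ipx": ipx_id, "seq": seq, "patch": patch, "sig": sig})
    return env


def _apply_op(doc: dict, op: dict) -> None:
    """Minimal JSON Pointer based add/replace/remove (RFC 6902 subset)."""
    keys = op["path"].strip("/").split("/")
    target = doc
    for k in keys[:-1]:
        target = target[k]
    if op["op"] in ("add", "replace"):
        target[keys[-1]] = op["value"]
    elif op["op"] == "remove":
        del target[keys[-1]]
    else:
        raise ValueError(f"unsupported op {op['op']}")


def sepp_receive(envelope: dict, sepp_key: bytes, ipx_keys: dict, policy: dict):
    """Receiving SEPP. Returns (accepted_body, errors). Any failure rejects the whole
    message: a forwarded message carrying unverified edits must never reach the NF."""
    errors = []
    body = deepcopy(envelope["body"])
    if not hmac.compare_digest(_tag(sepp_key, body), envelope["tag"]):
        return None, ["origin integrity check failed"]
    for expected_seq, mod in enumerate(envelope["modifications"]):
        ipx_id = mod.get("ipx")
        key = ipx_keys.get(ipx_id)
        if key is None:
            errors.append(f"{ipx_id}: IPX not negotiated on N32-c")
            continue
        if mod.get("seq") != expected_seq:
            errors.append(f"{ipx_id}: modification out of order")
            continue
        signed = {"msg_tag": envelope["tag"], "seq": expected_seq, "patch": mod["patch"]}
        if not hmac.compare_digest(_tag(key, signed), str(mod.get("sig", ""))):
            errors.append(f"{ipx_id}: modification signature invalid")
            continue
        allowed = policy.get(ipx_id, set())
        for op in mod["patch"]:
            if op["path"] not in allowed:
                errors.append(f"{ipx_id}: not allowed to modify {op['path']}")
                continue
            try:
                _apply_op(body, op)
            except (KeyError, TypeError, ValueError) as exc:
                errors.append(f"{ipx_id}: cannot apply {op['path']}: {exc}")
    return (None, errors) if errors else (body, [])


# Constructed parameters: in a deployment these come from the N32-c negotiation
SEPP_KEY = b"sepp-a-to-sepp-b-n32f-key"
IPX_KEYS = {"ipx-1": b"ipx-1-key"}
POLICY = {"ipx-1": {"/routing/targetHost"}}  # IPX may re-route, never touch subscriber IEs

if __name__ == "__main__":
    msg = {"supi": "imsi-001010123456789", "routing": {"targetHost": "udm1.hplmn"}}
    env = ipx_modify(sepp_protect(msg, SEPP_KEY), "ipx-1", IPX_KEYS["ipx-1"],
                     [{"op": "replace", "path": "/routing/targetHost", "value": "udm2.hplmn"}])
    print(sepp_receive(env, SEPP_KEY, IPX_KEYS, POLICY))
```

Three failure modes are worth exercising against this: an IPX editing an IE outside its policy (the SUPI), an unknown or wrongly keyed IPX, and a body altered after the originating SEPP signed it. All three are rejected outright rather than partially applied, which is the behaviour to insist on when testing a SEPP implementation.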
The standards can try their best to ensure that each generation of protocols is more secure than the previous one, but there is always some way in which the protocols can be exploited. This is where researchers play an important role in finding such vulnerabilities before attackers do. Frankly I am quite sure that only a handful of these vulnerabilities are found and hackers always have something that may never be found.
At the recent HITBSecConf, the Hack In The Box Security Conference, Altaf Shaik presented "4G to 5G: New Attacks". He and Ravishankar Borgaonkar have been working on finding security issues in cellular networks; in fact, in the GSMA Mobile Security Hall of Fame they both appear twice, individually.
5G raises the security bar a level above 4G. Although IMSI exposure is prevented in 5G, we found new vulnerabilities to attack devices and subscribers. In this talk we expose a set of vulnerabilities in the 5G/4G protocols that are found in network operators equipment and also consumer devices such as phones, routers, latest IoT sensors, and even car modems. Our vulnerabilities affect several commercial applications and use cases that are active in 4G networks and are expected to take off in 5G networks. We developed automated tools to exploit the exposed cellular information and share some of our research traces and data sets to the community. We demonstrate a new class of hijacking, bidding down and battery draining attacks using low cost hardware and software tools. We did rigorous testing worldwide to estimate the number of affected base stations and are surprised by the results. Finally our interactions with various vendors and standard bodies and easy fixes to prevent our attacks are discussed.
ETSI held their annual Security Week Seminar 17-21 June at their HQ in Sophia Antipolis, France. All the presentations are available here. Here are some I think the audience of this blog will like:
The 10th Annual HITB Security Conference took place from 6 to 10 May 2019 in The Netherlands. The theme for the conference this year was 'The Hacks of Future Past'. One of the presentations was on 'VoLTE Phreaking' by Ralph Moonen, Technical Director at Secura.
The talk covered a variety of topics:
A little history of telephony hacking (in NL/EU)
The landscape now
Intercepting communications in 2019
Vulnerabilities discovered: some new, some old
An app to monitor traffic on a phone
The talk details how VoLTE can potentially be hacked. In many instances it is one misconfiguration or another that makes VoLTE less secure. One slide that caught my attention showed the differences in VoLTE signalling between operators (probably due to different vendors), as shown above.
Anyway, I am not going into more details here. The presentation is available here.