European Court of Auditors Concern: EU’s Divergent Approach to Security of 5G Networks

EU nations are ‘progressing at different paces’ in terms of cyber security protocols introduced by the European Commission in order to ensure the safety of next-generation telecommunications networks, the European Court of Auditors has said.

The news comes at the beginning of a year-long probe into the EU’s security of 5G networks by auditors, while the European Commission has also confirmed to EURACTIV that nations across the bloc have missed deadlines set out in law, which had bound countries to assign 5G spectrum frequencies by the end of 2020.

Auditors say their research has already unearthed evidence of a divergent approach to 5G security across member states [1.], as well as differences in deployment timelines for the technology across the continent.  As part of a series of measures unveiled by the Commission in their 2020 5G Toolbox, member states were tasked with assessing the risk profile of telecom providers, with a view to applying restrictions for those vendors considered to be high-risk.

Note 1.  Of course, there is an inconsistent approach to 5G security as there are no standards for same from ITU and the 3GPP Release 16 specs for 5G Security are incomplete (delayed to Release 17).  That was all described in this IEEE Techblog post.

The toolbox highlighted that “a particular threat stems from cyber offensive initiatives of non-EU countries,” in a veiled reference to Chinese telecommunications providers Huawei and ZTE.

“Several member states have identified that certain non-EU countries (China?) represent a particular cyber threat to their national interests based on previous modus operandi of attacks by certain entities or on the existence of an offensive cyber program of a given third state against them,” the toolbox adds.

A progress report on the plans in July pressed member states to make ‘urgent progress’ on mitigating the risks to 5G telecommunications networks posed by certain high-risk suppliers.

Speaking on Thursday (7 January 2021), the European Court of Auditors’ Paolo Pesce, part of the team conducting the 12-month review, said harmonization across the bloc on such security standards had not happened yet.  “Member states have developed and started implementing necessary security measures to mitigate risks,” Pesce said. “But from the information gathered so far, member states seem to be progressing at a different pace as we implement this measure.”

Annemie Turtelboom, the ECA member leading the audit, added that the report will seek to probe the trade-off EU nations seem to be making with regards to security and speed of deployment.

“The coronavirus crisis has made electronic communications including mobile communications even more vital for the citizens and businesses while making it more difficult to timely prepare authorization procedures so that several member states have recently expressed their intention to delay their national spectrum auction procedures,” a spokesperson told EURACTIV.

“The Commission will follow the matter closely and take any difficulty into consideration considering the impact of the current public health crisis.”

However, it appears that the security concerns of contracting various suppliers have been just as relevant in the delays as has the coronavirus pandemic.

In one recent example, Sweden had to sideline auctions for its 3.4-3.6 GHz and 3.6-3.8 GHz bands, after telecoms regulator PTS prohibited the use of equipment from Chinese firms Huawei and ZTE.  Earlier this week, Huawei announced that it had lodged an appeal to the supreme administrative court for being frozen out of the auctions.

By mid-December, member states, including the UK, had assigned on average only 36.1% of the 5G pioneer bands, the European Commission informed EURACTIV.  Under the 2018 Electronic Communications Code, all spectrum in the 700MHz band should have been awarded by June 30, 2020, with allocations of 3.6GHz and 26GHz airwaves wrapped up by December 31, 2020.

References:

EU nations divided on 5G security, auditors say

Auditors to probe EU’s 5G network plans

Commission presses member states to take action on high-risk 5G vendors

5G Security Vulnerabilities detailed by Positive Technologies; ITU-T and 3GPP 5G Security specs

5G Security Vulnerabilities detailed by Positive Technologies; ITU-T and 3GPP 5G Security specs

Introduction:

Mobile network operators are mostly running 5G non-standalone networks (NSA), which are based on 4G LTE infrastructure.  Positive Technologies  said these 5G NSA networks are at risk of attack because of long-standing vulnerabilities in the Diameter and GTP protocols, which were reported on by Positive Technologies earlier this year.

“… true 5G security must go beyond the features built into standalone architecture,” said Pavel Novikov, head of the Positive Technologies’ telecom security research team. “Cost efficiencies can be gained by building a hybrid network that supports both 4G LTE and 5G which will enable a future-proofed next generation network in the longer term,” he added.

What will be the 5G security issues/vulnerabilities when mobile network operators move to deploy 5G standalone networks with a 5G core (rather than the 4G EPC used in 5G NSA)?

Background:

Cellular network operators are gradually migrating to 5G standalone infrastructure [T-Mobile US has deployed 5G SA], but this also has security considerations of its own. Gartner expects 5G investment to exceed LTE/4G in 2022 and that communications service providers will gradually add 5G standalone capabilities to their non-standalone 5G networks.

PT 5G study

Source: Positive Technologies’ Standalone 5G core security research

………………………………………………………………………………………………………………………

Discussion:

Vulnerabilities and threats for subscribers and mobile network operators stem from the use of new standalone 5G network cores. Vulnerabilities in the HTTP/2 and PFCP protocols, used by standalone 5G networks, could allow theft of subscriber profile data, impersonation attacks and faked subscriber authentication.

The stack of 5G technologies potentially leaves the door open to attacks on subscribers and the operator’s network. Such attacks can be performed from the international roaming network, the operator’s network, or partner networks that provide access to services. 

For example, the Packet Forwarding Control Protocol (PFCP) that is used to make subscriber connections has several potential vulnerabilities such as denial of service, cutting subscriber access to the internet and redirecting traffic to an attacker, allowing them to downlink the data of a subscriber. Correct configuration of the architecture as highlighted in Positive Technologies GTP protocol research can stop these types of attacks. 

The HTTP/2 protocol, which is responsible for vital network functions (NFs) that register and store profiles on 5G networks, also contains several vulnerabilities. Using these vulnerabilities, attackers could obtain the NF profile and impersonate any network service using details such as authentication status, current location, and subscriber settings for network access. Attackers can also delete NF profiles potentially causing financial losses and damaging subscriber trust. 

In these cases, subscribers will be unable to take action against threats that lurk on the network, so operators need to have sufficient visibility to safeguard against these attacks.  

Dmitry Kurbatov, CTO at Positive Technologies commented: “There is a risk that attackers will take advantage of standalone 5G networks while they are being established and operators are getting to grips with potential vulnerabilities. Therefore, security considerations must be addressed by operators from the offset. Subscriber attacks can be both financially and reputationally damaging – especially when vendors are in high competition to launch their 5G networks. With such a diverse surface of attack, robust core network security architecture is by far the safest way to protect users.  

“5G standalone network security issues will be much further reaching when it comes to CNI, IoT and connected cities – putting critical infrastructure such as hospitals, transport and utilities at risk. In order to achieve full visibility over traffic and messaging, operators need to perform regular security audits to detect errors in the configuration of network core components to protect themselves and their subscribers.”

Jimmy Jones, telecoms cybersecurity expert at Positive Technologies, said 5G users will need to increase their lines of communication with mobile operators, analysts and customers as 5G presents new threats and attack surfaces.

“They’re going to need to start speaking to the mobile operators as much as possible, because the mobile operators can secure things and will do everything to secure things. They just need to know what they’re securing,” Jones added.

[This author has spoken at length with Jimmy Jones and can attest to his vast knowledge and experience in cellular network security/vulnerabilities]

Jimmy Jones, Positive Technologies Network Security Expert

Positive Technologies has published a new report titled “5G standalone core security assessment,” which details the vulnerabilities of those networks.

The report focuses on the SA (Standalone) mode of 5G network deployment. “The implementation is based on Rel 15 3GPP with the OpenAPI Specification providing detailed descriptions of each interface,” the researchers explain.

Again, almost all deployed 5G networks are based on NSA, which depends on a 4G LTE anchor for all non-radio functions, including the 4G EPC (Evolved Packet Core) technology.  The 5G core network architecture (but not implementation details) is specified by 3GPP and includes the following Technical Specifications:

TS 23.501 System architecture for the 5G System (5GS)
TS 23.502 Procedures for the 5G System (5GS)
TS 23.503 Policy and charging control framework for the 5G System (5GS); Stage 2

The 5G mobile network consists of nine network functions (NFs) responsible for registering subscribers, managing sessions and subscriber profiles, storing subscriber data, and connecting user equipment to the Internet using a base station.  These technologies create an opening for attackers to carry out man-in-the-middle and DoS attacks against subscribers.

One of the main issues in the system architecture is session management, which is handled by the SMF (Session Management Function). The SMF manages sessions using a protocol known as PFCP (Packet Forwarding Control Protocol):

To manage subscriber connections, three procedures are available in the PFCP protocol (Session Establishment, Modification, and Deletion), which establish, modify, and delete GTP-U tunnels on the N3 interface between the UPF and gNB. […] We will focus on the N4 interface. Testing of this interface revealed potential attack scenarios against an established subscriber session.
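One way an operator could watch the N4 interface for the three session procedures described above, as an added example that is not taken from the Positive Technologies report: it parses the PFCP message header and flags session requests that do not come from a known SMF. The message type numbers and header layout follow the PFCP specification (3GPP TS 29.244); the function names, the SMF allowlist and the sample traffic are assumptions constructed for the illustration.

```python
import struct
from typing import NamedTuple, Optional

# Request types for the three PFCP session procedures (3GPP TS 29.244).
SESSION_REQUESTS = {50: "Session Establishment Request",
                    52: "Session Modification Request",
                    54: "Session Deletion Request"}

class PfcpHeader(NamedTuple):
    version: int
    msg_type: int
    seid: Optional[int]
    seq: int

def parse_pfcp_header(payload: bytes) -> PfcpHeader:
    """Parse the PFCP message header from one UDP payload."""
    if len(payload) < 8:
        raise ValueError("truncated header")
    flags, msg_type, length = struct.unpack_from("!BBH", payload, 0)
    if length + 4 > len(payload):
        raise ValueError("length field exceeds datagram")
    if flags & 0x01:  # S flag: an 8-byte SEID precedes the sequence number
        if len(payload) < 16:
            raise ValueError("truncated SEID header")
        seid = struct.unpack_from("!Q", payload, 4)[0]
        seq = int.from_bytes(payload[12:15], "big")
    else:
        seid, seq = None, int.from_bytes(payload[4:7], "big")
    return PfcpHeader(flags >> 5, msg_type, seid, seq)

def audit_n4(datagrams, allowed_smfs):
    """Flag malformed PFCP and session requests from peers that are not SMFs."""
    findings = []
    for src_ip, payload in datagrams:
        try:
            hdr = parse_pfcp_header(payload)
        except ValueError as exc:
            findings.append((src_ip, f"malformed PFCP: {exc}"))
            continue
        name = SESSION_REQUESTS.get(hdr.msg_type)
        if name and src_ip not in allowed_smfs:
            seid = "absent" if hdr.seid is None else f"{hdr.seid:#x}"
            findings.append((src_ip, f"{name} (SEID {seid}) from unlisted peer"))
    return findings

def build_msg(msg_type, seid, seq):
    """Build a constructed header-only PFCP message with the S flag set."""
    body = struct.pack("!Q", seid) + seq.to_bytes(3, "big") + b"\x00"
    return struct.pack("!BBH", 0x21, msg_type, len(body)) + body

# Constructed sample traffic; all addresses are made up for the example.
SAMPLE = [("10.0.4.10", build_msg(50, 0x1A, 1)), ("10.0.4.10", build_msg(52, 0x1A, 2)),
          ("192.0.2.77", build_msg(54, 0x1A, 3)), ("192.0.2.77", b"\x21\x36")]
```

Because PFCP runs over UDP, a source address is only trustworthy where the N4 network is isolated or otherwise protected, so the allowlist here serves as a monitoring aid rather than an access control.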

Other problems Positive Technologies discovered are based on subscriber authentication vulnerabilities. The researchers demonstrated that “subscriber authentication becomes insecure if the NRF does not perform authentication and authorization of 5G core network functions.”

In conclusion, this report only covers “a few examples” of how vulnerabilities in 5G can be exploited. “Just as with previous-generation networks, attackers still can penetrate operator networks by means of the international roaming network or partner networks. Therefore, it is vital to ensure comprehensive protection of 5G networks,” the report concludes.

For more information on vulnerabilities of standalone 5G networks, please download the Positive Technologies report here, after filling out a form.

…………………………………………………………………………………………………………………..

Editor’s Note:  5G Security Standards (?) and Specifications

Most 5G “professionals” don’t realize that there are no standards for 5G security, either in the radio access network (RAN) or the core network.  As ITU is the official standards body for 5G (e.g. IMT 2020.SPECS for the RAN), you’d think the work would be done there.  There is some high-level 5G security work being done in ITU-T SG 17/Q6, but the corresponding ITU recommendations won’t be completed until the late 2021-2022 timeframe.

The real work on 5G security is being done by 3GPP with technical specification (TS) 33.501 Security architecture and procedures for 5G system being the foundation 5G security document.  That 3GPP spec was first published in Release 16, but the latest version dated 16 December 2020 is targeted at Release 17.  You can see all versions of that spec here.

3GPP’s 5G security architecture is designed to integrate 4G equivalent security. In addition, the reassessment of other security threats such as attacks on radio interfaces, signaling plane, user plane, masquerading, privacy, replay, bidding down, man-in-the-middle and inter-operator security issues has also been taken into account for 5G and will lead to further security enhancements.

Another important 3GPP security spec is TS 33.511 Security Assurance Specification (SCAS) for the next generation Node B (gNodeB) network product class, which is part of Release 16.  The latest version is dated Sept 25, 2020.

Here’s a chart on 3GPP and GSMA specs on 5G Security,  courtesy of Heavy Reading:

Question to 5G network operators: When do you plan to implement the following 5G security specifications? (n=105-108)   Source: Heavy Reading

“While 3GPP TS 33.511 had the greatest level of commitment to implementing before commercial launch (38% + 33%), the support for all nine specifications in the list is strong enough to confirm each one is relevant on some level for ensuring the security of 5G networks,” according to Heavy Reading’s Jim Hodges.

………………………………………………………………………………………………………………………

References:

https://positive-tech.com/about/news/vulnerabilities-in-standalone-5g-networks-could-allow-attackers-to-steal-credentials-and-falsify-subscriber-authentication/

https://sensorstechforum.com/new-5g-vulnerabilities-dos-mitm-attacks/

https://www.vanillaplus.com/2020/10/07/55221-road-5g-migration-starts-securing-4g-says-positive-technologies-report/

https://www.ericsson.com/en/blog/2020/6/security-standards-role-in-5g

https://www.itu.int/ITU-T/workprog/wp_search.aspx?&isn_sg=3935&isn_wp=6682&isn_qu=4216&details=0

https://www.3gpp.org/news-events/1975-sec_5g

https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169

https://www.3gpp.org/ftp//Specs/archive/33_series/33.501/

https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3444

https://www.3gpp.org/ftp//Specs/archive/33_series/33.511/

https://www.lightreading.com/5g/standalone-5g-core-security-standards-multiplicity-and-key-management-singularity-/a/d-id/766227?image_number=1

https://www.lightreading.com/5g/standalone-5g-core-security-standards-multiplicity-and-key-management-singularity-/a/d-id/766227?