5G slicing security vulnerable to conspiracy, and cock-up

Slicing maturity in question as security flaws uncovered.

Security company Adaptive Mobile has identified potential security flaws in mobile Network Slicing architecture that could lead to leaks of sensitive user data and Denial of Service attacks.

The company said it has submitted its findings to the GSMA as a Common Vulnerability Disclosure (CVD) and that these have been accepted, with potential countermeasures proposed.

A white paper from the company stated, “Moving forward, MNOs will need to be cognizant of these attack scenarios, as, be in no doubt, attackers will try and use them for nefarious purposes.”

Dr. Silke Holtmanns, Head of 5G Security Research, AdaptiveMobile Security, told TMN that as most 5G slicing is in early trials and PoC stages, then the current impact on operator 5G core deployments is limited. But if vendors and operators do not address the recommendations then thing could go wrong in the future.

“Now it’s a bit of work to fix it but it can be fixed. If it’s not fixed, let’s say in three years when an operator has 15 slices say, which isn’t that many, then actually it’s a real big risk. With the vulnerability that we found, one vertical would be able to access data for the other vertical, tracking the people or assets from the other vertical, which could be something like police or logistics. So at the moment it’s not a huge issue but it really needs fixing.”

A significant aspect of the vulnerabilities is that they expose how the nascent business and commercial models enabled by slicing will require operators to rethink aspects of their operations. Holtmanns says that with critical communications and public safety users, operators cannot afford to “miss some cross checks inside the network” that could expose those users to security issues. Graeme Coffey, Head of Marketing, Adaptive Mobile, said that operators are used to thinking of the core as a “protected bubble”. But 5G opens that up and because of that operators must take different approach. “It is still a learning curve,” he added.

Adaptive Mobile found that network slicing sets up several vulnerabilities that security mechanisms designed into 5G’s Service Based Architecture are not currently resourced to detect and protect against.

The whitepaper says that current security mechanisms in 5G architecture are well-focussed on detecting and protecting against a malicious UE, but less so in filtering signalling between and within Network Functions and slices themselves.

That’s important because operators will share network functions between slices. Slices may also want to be able to communicate with each other. That creates a requirement for different security zones than operators currently delineate.

Network Functions on 5G’s Service Based Architecture (SBA) act as service providers to other functions, but also consume services from those other functions. The SBA has security features such as the Network Repository Function that acts as an authorisation function for elements on the SBA, and the SEPP (Secure Edge Protection Proxy) that protects against attacks via interconnected networks.

When an operator invokes network functions to build a slice, Adaptive Mobile assumes it will do so using a combination of dedicated and shared functions. Operators can create different security zones as groups of shared and unshared elements. But, says Adaptive Mobile:

“they are not completely separated on the signalling layer. All those network functions … are connected to the SBA and its interfaces. This is because all those network functions need to exchange signalling messages with each other. In some cases, two slices may want to communicate with each other, so they would use the common SBA. An example of such inter-slice communication is an automotive slice that wants to communicate with an entertainment slice for in-car entertainment purposes.”

The issue that Adaptive raises is that the NRF, which authorises functions on the SBA using lower layer TLS or IPSec, does not provide authorisation of service access or authorisation to access individual sensitive information elements.

The paper says, “Once a network function is regarded as trusted to use a service, it is trusted with everything that this service may encompass.”

Functions are authorised according to the slice identity information provided by the network function. But the specification does not correlate the slice ID (known as the Slice Differentiator) with the consumer of the network function. So ” a rogue network function may lie about this and present a slice identity of another slice. This means that a rogue function could in fact access the resources of another slice and, for example, be able to carry out a DoS attack.

Similarly, increasing complexity of protocols in 5G, and the usage of third party APIs, could mean that configuration errors, or human error such as leaving a Slice Differentiator unintentionally blank, could introduce signalling and load errors into the slicing architecture.

The paper also identifies potential issues with interworking between legacy standards (mainly 4G) and 5G slices.

“How will slicing security be dealt with e.g. slice specific service authorization, when the 4G interworking function converts communication from that 5G slice to the 4G network? . The 5G interworking function would potentially interface the whole 4G legacy node as one service to 5G network functions. Would the 5G slice be allowed to contact legacy nodes in the 4G network? These are issues which have not yet been addressed in the standards as they are specific to the migration approach an MNO takes”

As a result, for its primary recommendations Adaptive Mobile says that protection points should be secured so as to protect new secure zones with protection:

  • between the network and the interconnection network
  • between network slices (inter-slice communication)
  • between shared and non-shared network functions
  • between the dedicated network functions and the shared infrastructure, and
  • between the 5G network functions and elements of legacy generations such as 2G, 3G and 4G

Operators can give themselves the extra protection by enhancing the function known as the SCP (Service Communication Proxy). The SCP is a new function in the Service Based Architecture and it can assist the handling of inter-Network Function messages within the network. Adaptive Mobile says the extended SCP would sit at the edges of the security zones and protect the network by:
• Validating the correctness of message formats
• Enforcing service level agreement on information element, slice and node level
• Correlating information between layers and protocols
• Providing load-related functionality to prevent DoS attack.

Click here for full access to paper.