4G, 5G networks could be vulnerable to exploit due to ‘mishmash’ of old technologies


Jan 9, 2020
The decades-old SS7 signaling system is one of numerous protocols exposing 5G networks to abuse.

BLACK HAT ASIA: Researchers have demonstrated how attackers can take advantage of a decades-old protocol to exploit 5G networks.

The next-generation wireless technology is expected to account for 21% of all wireless infrastructure investments over 2020. Pilots and official rollouts are underway worldwide -- despite the disruption caused by COVID-19 -- and many vendors now offer 5G-supporting devices in preparation for transitions from 4G to 5G.

While investment is pouring into 5G from all areas, security appears to be an afterthought, as fragmented and bolted-on telecoms technologies, protocols, and standards leave gaping holes for cyberattackers to exploit.

During a presentation at Black Hat Asia on Friday called "Back to the Future. Cross-Protocol Attacks in the Era of 5G," Positive Technologies security expert Sergey Puzankov highlighted how outstanding issues in the SS7 protocol still plague the telecommunications industry.

The Signaling System 7 (SS7) industry standard and set of protocols was developed in 1975 and hasn't moved on much since that decade -- and this includes its security posture. In 2014, the cybersecurity firm revealed exploitable security flaws in the protocol which could be used to conduct attacks ranging from intercepting phone calls to bypassing two-factor authentication (2FA).

Diameter and GTP are also commonly used in the telecoms industry for 3GPP, GSM, UMTS, and LTE networks. Mobile networks will often connect these protocols to provide a seamless experience for consumers when they shift between 3G, 4G, and 5G.

"This mishmash of technologies, protocols, and standards in telecom has implications for security," Puzankov says. "Intruders are attacking mobile networks from all possible angles, in part by leveraging multiple protocols in combined attacks."

Vendors are aware of these problems and have implemented various security measures to try and protect their networks, including signaling firewalls, frequent security assessments and audits, as well as implementing signaling IDS and SMS home routing. However, this doesn't always go far enough.

In a set of scenarios explained by the researcher during the presentation, Puzankov outlined how cross-protocol attack vectors could be used to manipulate data streams on 4G and 5G networks; intercept SMS and voice calls on 2G, 3G, and 4G; and potentially commit widespread financial fraud by signing up subscribers to value-added services (VAS) without their consent -- all from a signaling connection.

Each case has one thing in common: attacks begin with malicious actions in one protocol that are continued in another, requiring specific combinations of actions and mixed-generation networks to succeed. Architecture flaws, misconfiguration, and software bugs exist that provide entryways for potential attacks.

In the first scenario, when firewalls are not in place, voice call interception was found to be possible via Man-in-the-Middle (MitM) attacks. For example, threat actors could spoof billing websites, make contact with a subscriber, and then lure them to input their account details into the fraudulent domain. By jumping from SS7 to Diameter, it may also be possible to circumvent existing security barriers.

The second case outlined by Puzankov involves voice call interception on 4G and 5G networks by tampering with network packets. When a user is on a 4G or 5G network, signals are constantly sent in what the researcher calls an "always connected" mode, and if a threat actor jumps from Diameter to other protocols, they may be able to intercept subscriber profiles and data. If a victim is roaming, location requests can also be sent by attackers.

Finally, subscription fraud can be achieved by sending "random" requests to subscribers via the SS7 / GTP protocols. By exploiting security issues, attackers may be able to assign victims unwanted subscriptions generated via stolen subscriber profile data.

All of these attack vectors have been tested in real-world scenarios and reported to relevant industry bodies.

"It is still possible for attacks to take place on well-protected networks," the researcher commented. "In most cases, operators can protect their networks better without [additional] cost. They just need to check if their security tools are effective when new vulnerabilities are reported."



Staff member
Malware Hunter
Jul 27, 2015
Thanks for the share @security123, a very interesting topic IMO.
I think Bruce Schneier sums it up pretty well:
keeping untrusted companies like Huawei out of Western infrastructure isn't enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards -- the protocols and software for 5G -- ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security.

To be sure, there are significant security improvements in 5G over 4G -- in encryption, authentication, integrity protection, privacy, and network availability. But the enhancements aren't enough.
The 5G security problems are threefold. First, the standards are simply too complex to implement securely. This is true for all software, but the 5G protocols offer particular difficulties. Because of how it is designed, the system blurs the wireless portion of the network connecting phones with base stations and the core portion that routes data around the world. Additionally, much of the network is virtualized, meaning that it will rely on software running on dynamically configurable hardware. This design dramatically increases the points vulnerable to attack, as does the expected massive increase in both things connected to the network and the data flying about it.

Second, there’s so much backward compatibility built into the 5G network that older vulnerabilities remain. 5G is an evolution of the decade-old 4G network, and most networks will mix generations. Without the ability to do a clean break from 4G to 5G, it will simply be impossible to improve security in some areas. Attackers may be able to force 5G systems to use more vulnerable 4G protocols, for example, and 5G networks will inherit many existing problems.

Third, the 5G standards committees missed many opportunities to improve security. Many of the new security features in 5G are optional, and network operators can choose not to implement them. The same happened with 4G; operators even ignored security features defined as mandatory in the standard because implementing them was expensive. But even worse, for 5G, development, performance, cost, and time to market were all prioritized over security, which was treated as an afterthought.