In 2020, many telecommunication companies will debut their first commercial 5G networks. The 5G mission has become a hot-button topic for the entire telecom community. But these networks have inherited many threats from their 3G and 4G forebears. Long-known weaknesses in security protocols and algorithms have been baked into new 5G systems. This creates a perfect storm for threat actors to target 5G security weaknesses using their old tricks.
Watch the webinar recording, where PT experts Paolo Emiliani, Head of Pre-Sales Engineering team, and Jun Kim, Managing Director, Korea, help you to navigate the tricky path to 5G deployment and:
- explain new 5G trust and service delivery models
- assess the evolving 5G threat landscape and privacy issues
- explore realms of 5G protection with a focus on real-life cases
- discuss new and emerging 5G threats affecting telecom infrastructure and end devices
- explain why roaming protection in 5G is a game-changer
- underline essential mitigation techniques for 5G security
Follow us on LinkedIn to keep up with our upcoming webinars and events: https://www.linkedin.com/company/positive-tech/
2. Today’s “Houston base”
Paolo Emiliani – Global PreSale Head
paolo.emiliani@positive-tech.com
- Telecommunication Engineer
- Broadband/Distributed Network Designer (DWDM technology)
- Working and having fun in the pre-sale engineering team @ Positive Technologies, since 2012
- 5G & IoT Security Analyst
Jun Kim – Managing Director, Korea
Jun.Kim@positive-tech.com
- Network Security Solution SW Engineer
- Mobile phone SW Engineer
- Ringback Tones Mobile service, Sr. Program Manager (RealNetworks, Inc.)
- Working, having fun in a team of eager security @ Positive Technologies, since 2014
- App Security & 5G Security Analyst
3. Positive Technologies
Diverse security expertise: Web, Banking, ERP, Telecom, IoT, ICS
18 years of experience in security development and research
200+ zero-day vulnerabilities discovered yearly
Recognised global security driving force
+ others
4. Positive Technologies
GSMA Fraud and Security Group (FASG) (virtual) meeting #17 (2-4 June 2020)
Meeting Theme: Facing the New World
Examining mobile cyber security and risk management concerns in vertical applications of mobility: from heavy industry to agriculture
positive-tech.com
5. Agenda & topics to cover
New 5G Trust and service delivery models
5G Threat landscape and Privacy issue
5G Protection with real-life cases
5G Roaming Protection – game changer
Essential mitigating techniques for 5G security
7. New 5G Trust
Securing a network with no borders:
5G networks are complex
5G introduces an entirely new characteristic
5G Security must be flexible
So Zero Trust is Essential:
5G is transformational
There is no such thing as a “secure system”
8. New 5G Trust - Evolution in trust model
New Trust Model and Identity Management:
[Figure: trust relationships between User, Network and Service, 4G Network compared with 5G Network]
9. New 5G Trust
Building trust in 5G:
Key differentiator: Trust and Security
Attract more customers
Inspire loyalty
everything will — and must — start and end with trust
10. Mobile generations history
Mobile generation | Years | Features | Speed
1G | 1980’s | Analog, Voice only | 14,4Kbps
2G | 1990’s | Digital, Data with voice, MMS, Web browser | Up to 115kbps
3G | 2000’s | Videocall, Wi-Fi | Up to 14,4Mbps
4G | 2011-12 | HD streaming, High speed internet Wi-Fi | 100Mbps-1Gbps
5G | 2020’s | IT – Services Convergence | Up to 20Gbps
11. 5G actual definition / roll out
[Figure: 3GPP specification and roll out timeline; regions shown: Far East, USA, Europe]
3GPP is the mobile communication specification group
3GPP SA3 is the working group that develops security specifications
14. 5G Enhanced Subscriber privacy
[Figure: Serving Network and Home Network, showing AMF, SEAF, SEPP, SEPP, SIDF, UDR, AUSF, UDM, ARPF]
- Home network public key is stored in USIM
15. Cloud, virtualization, anything-as-a-service:
Reduce costs, deploy and optimize services more rapidly vs increase dependency on secure software
Decoupling software and hardware means that software can no longer rely on the security attributes of dedicated hardware
Telecom network Application Programming Interfaces (APIs)
Mixing of provider with third-party applications, shared and dedicated hardware platforms
Strong self-containment & isolation characteristics are necessary
Wrapping up – 5G delivery models
17. 5G Threat landscape
[Diagram: 5G Security Requirements. Elements: LTE Security Requirement + Enhancements; New Service (Use Cases); New Networking Technologies (NFV/SDN, slicing, etc.); 5G Threats Analysis, with Assets Analysis, Actor Analysis and Action Analysis]
18. 5G Threat landscape
Now - 4G, 3G or even 2G
Mostly bare metal networks, with security measures primarily based upon
- 3GPP defined mechanisms
- Perimeter security, Network zoning and Traffic separation
- Secure operation and maintenance
- Reactive Security Measures
- Network Element Security
5G Security landscape
- Complex ecosystem with multiple stakeholders requires trusted and trouble-free interaction between them
- Migration to NFV/SDN introduces new security challenges
- Need for flexible security measures depending on use case
- Growing influence of availability and integrity of network service on human security or even life
20. 5G Threat landscape - Assets
Asset definition is the starting point of threat analysis:
Network Side
Core Network
Multi-access Edge Computing
Radio Access Network (RAN)
Physical Infrastructure
NFV, SDN
Subscriber Side
User equipment (UEs)
User/device identity
User session
Application data
- In storage, on network, in memory
APIs - Applications
Virtualisation
Management and orchestration
APIs - Interoperability
21. 5G Threat landscape - Actors
Who could be the attackers:
Internal side
Fake Administrator
Privileged persons on inside
User - intentional
User - accidental
External side
Government Actors
Cyber criminals
Hacktivists
Competitors
Former authorized user
22. 5G Threat landscape - Actions
What actors could do:
Action Type
Spoofing Identity [Authentication]: Impersonating something or someone else
Tampering [Integrity]: Modifying data or code
Repudiation [Non-repudiation]: Claiming to have not performed an action
Information Disclosure [Confidentiality]: Exposing information to unauthorized user
Denial of service [Availability]: Deny or degrade service to users
Elevation of Privilege [Authorization]: Gain capabilities without proper authorization
Lateral Movement [Least Privilege]: Gain access by crossing control boundary
23. 5G Threat landscape - Threats
So what threats are we facing:
Same as in 4G
Fake access network node
IMSI Catching/SUPI (SUCI) Catching
Session hijacking
Signaling fraud on roaming networks
New or more critical in 5G
Abuse by rogue cloud service provider
Memory scraping in SDN
Network virtualization bypassing
False or rogue MEC gateway
(Edge) API exploitation
Abuse of lawful interception
Abuse of remote access
Lateral movement in the core network
25. 5G Threat landscape – NR
Mobile access points could move from the least scrutinised interface by hackers to the most, as the barrier to entry is lowered and at the precise time when traffic is set to explode.
5G has to deliver a massive increase in connections for IoT (e.g. Massive MIMO). This requires more bandwidth, with higher millimetre wavelengths requiring a move to more small local base stations.
Utilization of other non-cellular access (e.g. WiFi6) to supplement coverage. Again, short-range devices.
Both drive more, smaller, simpler, less physically secure 5G access points.
The Internal Battle Lines
26. 5G Threat landscape – Core NW
Exploitation of misconfigured systems and networks
Manipulation of network traffic and information gathering
API and control functions exploitation
Abuse of remote access
Abuse of third party hosted network functions
Lateral movement
Malicious flooding of core network components
Registration of malicious network functions
27. 5G Threat landscape – Virtualize
Abuse on DCI (Data Centers Interconnect protocols)
Abuse of virtualized host
Network virtualization bypassing
Abuse of cloud resources
29. 5G Threat landscape – Cloud
[Diagram layers: Application Plane; VNF, VNF, VNF; NETWORK Node/SDN/MANO; VNFI / Hypervisor; Blade / Server]
• Malware Injection Attack
• Rogue VM
• API Exploitation (e.g., Fuzzing)
• SDN Surface
• Network Manipulation
• Traffic diversion/redirect
• Injection attacks
• Untrusted evacuation
• VM escape
• Rogue SW update
• Hardware focus attacks (e.g. DDoS)
• Exploiting known vulnerabilities
• App manipulation
• Password guessing
• Buffer overflow
• Privilege escalation
• VNF impersonation
• Route BGP/VRF injection
• Traffic sniffing
• Data model injections
• VMI DKSM attacks
• Memory / Side channel attacks
• Storage attacks
• External threats – Attacker can use a vulnerability in the user’s VM to take control of it.
• Threats from a cloud provider – Attacker can use a cloud misconfiguration for escalation of privileges or information disclosure.
• Threats from another tenant – Attacker can run an escalation of privileges to escape their VM and take control over the host and/or other tenants.
30. 5G Threat landscape – MEC
Main security Issues
Remote Location + Limited size.
Diverse technologies, services and suppliers (hybrid cloud)
Attack Vectors
DoS
MitM
API threats
Inconsistent Security Policies
VM Manipulation
Privacy Leakage
Unknowns!
32. IoT & Supply Chain
A hack of an IoT subsystem directly affects not only the service but potentially the MNO
Wider issue as more 3rd parties interact more closely with the telecom infrastructure.
Issue for all industries and so all IoT verticals 5G will support
Applicable to 3rd, 4th party suppliers and partners
Source of considerable research for Positive Technologies over the last 18 months
33. Legacy 5G NSA roaming issues
Statistics are collected from many countries on all continents
GTP
34. 5G SA Roaming – The IPX Conundrum.
Direct TLS
+’s Simple, Secure
-’s IPX not directly involved, so no Value Added Services
PRINS (PRotocol for N32 INterconnect Security)
+’s IPX Value Added Services, Secure
-’s More complex, with policies and certificates to keep under control
Outsource SEPP Functionality to IPX
+’s Outsourced, so less effort for operator
-’s Security not in operator’s control, roaming partner cannot ensure source
How will SEPP be deployed?
35. ENISA- 5G Threats & issues wrap up
https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks
Malicious code or software
Exploitation of flaws in the architecture, design and configuration of the network
Denial of service
Abuse of Information Leakage
Abuse of remote access to the network
Exploitation of software, and/or hardware vulnerabilities
Abuse of authentication
Lawful interception function abuse
Data breach, leak, theft and manipulation of information
Unauthorized activities / network intrusions
Identity fraud / account or service
Spectrum sensing
Compromised supply chain, vendor and service providers
Abuse of virtualization mechanisms
Signaling threats
Manipulation of network configuration / data forging
[Diagram: threat categories]
Nefarious activity / abuse of assets
Eavesdropping / Interception / Hijacking
Disasters
Unintentional damages (accidental)
Outages
Failures / malfunctions
Legal
Physical attacks
38. Top challenges to address for
MNO’s in 5G Security
1. Migration from static bare metal architecture to NFV / Virtual / Cloud
MNO’s transformation from 4G and 5G-NSA to 5G-SA: Virtualization Security, Cloud security
2. Handling backward compatibility with interconnected older network generations
During 5G-NSA old 3-4G interconnections (SS7, Diameter/GTP).
3. Edge computing means Applications & exposed API security
MNO's core network interfaces security with partner networks/VAS providers to be controlled/secured
39. 5G Threats modelling methodology
• Per context threats analysis
• Per segment Impact analysis
• Cross context specific analysis
• How to achieve this..
40. Positive Technologies helps to address network threats
Ensure application of baseline security requirements
Reinforce available capabilities and implementation of security measures in existing 5G solutions
Review or development of guidelines and best practices on network security
Ensure secure 5G network operation, management and monitoring
Increase the security of virtualized networks
Ensure strict access controls
Professional services / Products
42. Complete Telecom Operator Security
Assess
Introduce security testing
Network Architecture and Implementation Audit / Testing
Auditing provides the essential visibility to fully understand your ever-changing network risks.
Monitor
Start monitoring
Impossible to prevent all network threats: detection is the key
Continual real-time monitoring is essential to measure network security efficiency and provide rapid detection and mitigation.
Protect
Implement Protection
Deploy appropriate protection mechanism and get the most out of available solutions
Completely secure your network by addressing both generic vulnerabilities and the threats that actually affect you as an ongoing process.
43. Products Core network protection
Signaling firewalling
Control plane threat detection
Discovery of malicious activities in internal
traffic
Information security policy compliance
API integrity control & protection
Investigation of attacks
44. Professional services Active security testing
Roaming interconnections
OSS/BSS components
Virtualization infrastructure
Access network
Device and firmware
Fuzz testing
API testing
45. Products
Function | Example of asset or infrastructure component protected | Products used
Signaling firewalling | Core network, subscribers, billing | TAD Next-Generation Signaling Firewall
Control plane threat detection | Core network, subscribers, billing | TAD Intrusion Detection System (Threat intelligence telecom)
Discovery of malicious activities in internal traffic | TMN components, OSS/BSS, remote access/vpn, NFVI, Hypervisors, containers management subsystems etc | Telecom Network Attack Discovery (Threat intelligence IT)
Information security policy compliance | TMN components, OSS/BSS, remote access/vpn, NFVI, MANO Hypervisors, containers management subsystems etc | Telecom Network Attack Discovery (Threat intelligence IT)
API attacks mitigation | MEC, VAS partners | Telecom Network Attack Discovery; API Secure protection
Investigation of attacks | All mentioned above | TAD Intrusion Detection System; Telecom Network Attack Discovery
46. Service catalog
Testing | Asset or infrastructure component to assess | Type of assessment applicable
Roaming interconnections | All Core network nodes exposed via SS7, Diameter, GTP, PFCP, HTTP/2 interfaces | SS7 security assessment; Diameter security assessment; GTP security assessment; GSMA FS.11, FS.19, and IR.82 compliance testing; Anti-Fraud Security Assessment
OSS/BSS components | TMN components, OSS/BSS, remote access/vpn | OSS/BSS security assessment; External penetration testing
Virtualization infrastructure | NFVI, Hypervisors, containers management subsystems, VMs, containerized applications/services | Virtualization infrastructure security assessment
Access network | gNodeB, fronthaul network, EU access, SecGW | 5G RAN security assessment; External penetration testing; Device and firmware security assessment (aka Supply chain)
Device and firmware reverse | Any type of device or firmware/software in the network | Device and firmware security assessment (aka Supply chain)
Fuzz testing | Any type of network function with exposed interfaces | Fuzz testing of network protocols and interfaces
Pentest, Impact Test | API / Applications | API / Web / application pentest and impact evaluation
47. Recap
We’ve seen many risks inherent to the extension of the attack surface, to be treated within context: specifications, NFV, API, IoT, applications
o Simple configuration and security housekeeping again shown to be a threat
o 5G’s technology consolidation needs a fully inclusive cyber security approach
o E2E visibility & threat modelling per context are the keys for optimal visibility
Legacy protocols continue to be a risk in 5G NSA and potentially SA
Hackers’ methods are developing, security cannot be “deploy and forget”
As threat borders multiply, many third-party companies’ software, devices and communications need to be constantly monitored and controlled
All reports and white papers are available from the Positive Technologies website: https://positive-tech.com
End to End Telecom Network Security
48. Take a comprehensive security approach:
positive-tech.com/products/
positive-tech.com/services/
Learn more about telecom security:
positive-tech.com/articles/
positive-tech.com
contact@positive-tech.com
@positive-tech Positive Technologies