An expert in mobile network security provided a summary of hacking 5G networks. Some key points include: 1) Standard IT security techniques uncovered issues when applied to upgraded legacy 4G networks, such as unpatched operating systems, weak configurations, and lack of encryption. 2) Future 5G networks introduce new security risks due to increased complexity from virtualization and automation layers, as well as a continuously evolving attack surface extending into cloud infrastructure. 3) Red team exercises show that hacking mobile networks has become a multi-step process, where initial access through one vulnerability can enable lateral movement and privilege escalation to compromise critical systems or customer data.

1. SRLabs Template v12
Tales of 5G Hacking
Karsten Nohl <nohl@srlabs.de>

2. as Logo Horizontal
Pos / Neg
whoami – telco hacker and defender
§ Conducting hacking research
in Berlin. We found
systematic weaknesses in a
range of technologies: GSM,
SIM cards, SS7, DECT phones,
payment protocols, …
§ Developed SRLabs into
leading boutique consultancy
for managing hacking risks
§ Jio – Largest and fastest
growing start-up in history
§ Acquired 100 million telco
customers in India in 6 months
§ Build a security team of 140
§ Axiata – Telco group with 300
million subscribers across Asia
§ Started central security team
Founder of SRLabs (2010-)
Interim CISO at Jio (2014-2017),
Interim CISO at Axiata (2017)
2
Karsten Nohl

3. as Logo Horizontal
Pos / Neg
We have been finding security issues in mobile networks for over a decade,
and regularly help to fix them
GSM
SRLabs shows that phone calls can be
intercepted and decrypted
Our topic today:
Hacking 5G networks
A5/1
RAN SS7
Core RCS
Cloud 5G
RCS
We show how hackers can still
listen in on your phone calls
Interconnect
SRLabs demonstrated how attackers can track
and eavesdrop phone calls remotely
Fix weak radio configurations
SRLabs helped clean up
crypto configurations globally
Telco network assurance
Secured the rollout of large all-IP
network against sophisticated attacks
Cloud infrastructure assurance
Hardening and validating new
virtualized network
The symbiosis of mobile network hacking research and risk management for mobile networks
Luca
Mele2e
Lead Telco
PracZce
Linus
Neumann
Lead
Consultant
Telco security heros
Jakob
Lell
Senior
Hacker
Sina
Yazdanmehr
Lead
Assurance

4. as Logo Horizontal
Pos / Neg
There are 3 different types of 5G network deployment
4
Upgraded legacy 4G
networks
(“NSA”)
NaCve
5G networks
Open RAN
5G networks
Single vendor
Cloudified
Chapter 2 Chapter 3
Chapter 1 – Common issues for all 5G deployment types
5G network
architecture
DisCnguishing
factor
What we
discuss today

5. as Logo Horizontal
Pos / Neg
Agenda
5
§ Issues affecting all 5G deployment scenarios
§ Issues in legacy 5G networks (“NSA”)
§ Issues in modern 5G architectures
§ Solution challenges

6. as Logo Horizontal
Pos / Neg
Why are we still talking about telco security in 2022? Shouldn’t telcos be secure by now?
6
Baseline telco standards
2G
3G
4G
5G
Believed to be secure
Major hacking issues
Security level

7. as Logo Horizontal
Pos / Neg
If implemented correctly, 5G standards can reduce well-known telco security risks
7
Local
Network
Generation
5G
2G
3G
4G
Intercept ImpersonaAon DoS
Remote Local Remote User Network
Less risk
More risk
5G standards theoretically reduce security risks

8. as Logo Horizontal
Pos / Neg
OS
Kubernetes
8
RU
RU
RU DU
DU
Cell sites RAN - Edge datacenters Core - Central datacenter
AMF
UPF
UDM
OS
Kubernetes
Software Defined
Network
NEF
SEPP
SMF NRF
Other
telcos
Private
network
User identity is never sent
over the air in cleartext
Control and user planes are
encrypted on air and wire
A B
External integrations are
provided through new APIs
and dedicated gateways
D
UPF
SMF
Users External networks
Internet
CU
CU
Slices, virtualization, and SDN
provide isolated network
domains for different users
E
Signaling and interconnect traffic
is encrypted and authenLcated
C
With 5G, many parts of the infrastructure have been upgraded to close previous security gaps
i
Core cluster
RAN cluster
5G improvements

9. as Logo Horizontal
Pos / Neg
Security downgrade is possible since not all mobiles and SIM cards support 5G/SUCI
9
RU
RU
5G-SA
SS7/IPX
CORE
CORE
2G, 3G,
4G, 5G-NSA
A new SIM is
required for
all subscribers
UE is not supporting 5G-SA, or
roaming in legacy network
Home network
Roaming network
User identity (IMSI) is not
sent in cleartext
In order to implement
concealed user identities
(SUCI instead of IMSI), all SIM
cards would need to be
replaced and mobile should
support 5G SA
While roaming into an
older network generation,
the cleartext IMSI still needs
to be presented
Expected condition
Real world situation
A
1
2
1
2
5G standalone
core is required
1

10. as Logo Horizontal
Pos / Neg
Strong encryption for data in transit and at rest is often not enforced
10
RU
Over the air
traffic is well
protected
Both control and user plane
are encrypted end to end
User plane encryption is
generally applied over the air,
but considered not necessary
on front/mid/backhaul links,
as they are treated as private
segments
Data is rarely encrypted at
rest, in some cases the
protection key is stored on
the same disk
Expected condition
Real world situation
1
2
Other
MNO
No disk encryption or
data protected with a
locally stored key
IPSec is disabled to avoid
performance impact and
management overhead
No encryption on the wire
for performance reasons
Central
DC 2
Roaming traffic
is well protected
with IPSec VPNs
Edge
Regional
DC
Backhaul
Midhaul
Fronthaul
SS7/IPX
IP/MPLS
Central
DC 1
1 1
2
B

11. as Logo Horizontal
Pos / Neg
Sure enough, our hacking exercises still compromise telcos. Today we discuss how.
11
Spy on
customers
Control
over
network
mgmt
Take down
network
Access
customer
private
data

12. as Logo Horizontal
Pos / Neg
Today’s mobile networks are built from secure and insecure protocols
12
Minor hacking issues
Believed to be secure Major hacking issues
Common mobile telco standards
Data Voice/Text Interconnect
2G
SS7
3G
GRX
4G
IMS
(VoLTE,
VoWiFi)
RCS Diameter
5G
IT infrastructure
underpinning telco networks
Mostly Linux,
All-IP
Proprietary
Virtualized &
Automated

13. as Logo Horizontal
Pos / Neg
Agenda
13
§ Issues affecting all 5G deployment scenarios
§ Issues in legacy 5G networks (“NSA”)
§ Issues in modern 5G architectures
§ Solution challenges

14. as Logo Horizontal
Pos / Neg
Standard IT cyber assurance techniques uncover issues in upgraded legacy networks
14
Function Exposure scan Trace analysis OS check Config review Mgmt layer check
Mobility
mgmt
Misconfigured
firewalls allow
mobile users to
reach telco
nodes on
internal
network
• Radius is
protected
• OSPF is
protected
• SNMP is
protected
• 5GC traffic is
protected
• IPSec config
weak
• NTP is not
protected
• Missing OS
patches (2 years)
• No SELinux
• Shared
passwords across
nodes
• Shared private
keys across
nodes
• Many processes
running as root
• Auth forced on
attach
• Default cipher
is ZUC (EEA3) • Command
injection in
Web UI
• Lack of user
input validation
• Ineffective ACLs
to protect mgmt
interface
Session
mgmt
Separate APN for
CPE management
Data-
plane
router
Nodes
segregated into
VLANs for each
APN
User
directory
(not tested)
Missing OS patches
(3 years)
(not tested)
NE forces old Java
in clients
Billing
system
(not tested)
Missing OS patches
(3 years)
No issues found
§ In IT, it is standard practice to
conduct “pentest and
vulnerability analysis” (VAPT)
checks on IT infrastructures
at least once a year
§ The results of the VAPT
exercise are mitigated
through configuration
changes and process
adaptations (e.g. better
patching)
§ Knowledge on how to best
configure systems is further
collected in best practice
guides (e.g. CIS)
§ When applying the same
methodology to telco
infrastructures, a large best
practice gaps is uncovered
IT Security Assurance on
“Not-Stand-Alone” 5G core
(upgraded from 4G core)
Sanitized client example

15. as Logo Horizontal
Pos / Neg
Agenda
15
§ Issues affecting all 5G deployment scenarios
§ Issues in legacy 5G networks (“NSA”)
§ Issues in modern 5G architectures
§ Solution challenges

16. as Logo Horizontal
Pos / Neg
We are discussing how virtualization and automation change telco security
16
Our focus today
Virtualization /
Containers
Commodity hardware
(e.g., Open RAN)
Mobile networks
of the future
AutomaJon /
OrchestraJon
= + +

17. as Logo Horizontal
Pos / Neg
Future networks evolve continuously and thereby extend attack surface into
cloud infrastructure and software development
17
Production Operations Deployment
§ Telco networks become
more complex due to
new virtualization and
orchestration layers
§ Automation reduces
human errors in
operations, but creates
new possible error
sources in
development and
deployment
§ Telco networks evolve
constantly through
continuous
deployments
Today’s
mobile
networks
Operator
terminal
Periodic update
drops (1-2x per year)
Proprietary telco
equipment
Operator Vendor
Future
mobile
networks
Virtualization (Kubernetes)
Cloud server Operating bot Developer
Continuous
changes
Automated
real-time operations
Proprietary services on
commodity hardware
CI/CD
Main changes

18. as Logo Horizontal
Pos / Neg
Security question: Can a hacker break out of a hacked service and compromise other services?
18
§ Future telco networks, including
Open RAN, deploy dozens of
services from different vendors
§ Not all services can be secured to
the same level, and yet they often
run in shared environments
§ Note that this is the same
situation as in other cloud
deployments where tenants need
to be protected from one another
Can a hacker break out of one container to
compromise other containers or the
underlying infrastructure?
Kubernetes
Compromised
container
Other containers
Assumption The question we want to answer

19. as Logo Horizontal
Pos / Neg
A range of configuration choices can compromise Kubernetes cloud deployments
19
Further details and escalation examples: https://bishopfox.com/blog/kubernetes-pod-privilege-escalation
Security impact
Kubernetes capability Hacking vector Run code View/encrypt data Take down system
Privileged container
Full control of Kubernetes host
sys_admin
docker.sock mountable
hostPID Kill host process
hostPID sys_ptrace Inject into host process
read-only
Search for passwords and tokens in
config and history files ( ) ( ) (( )
hostPath mount
(file system access)
read/write Add SSH key
hostNetwork or net_admin
K8s API access (Even localhost! Auth?) ? ? ?
tcpdump host traffic ?
Observed for majority of live deployments
Observed for some live deployment

20. as Logo Horizontal
Pos / Neg
Automation side effect: Network control and data is possible from more places
20
A2ack path
§ Incautious developers leak
sensitive data on the internet
§ API information, user credentials
and other internal details can be
leveraged to access exposed
applications
§ Due to software bugs and
improper limitation of privileges,
hackers can move laterally and
elevate their privilege up to take
controls of telco nodes and other
critical systems
§ Red Team exercises regularly
show that telcos are hackable
because of these issues
§ Employee credentials
§ Session tokens
§ API information
§ Application source code
§ Internal IP addresses
§ Information about
internal endpoints
§ API Keys
§ Subscriber data
Public domain
§ Employee credentials
Phishing
GitHub
Pastebin / forums
§ Direct login to portals
§ Admin access via
guessable/shared
credentials
§ Direct code execution
§ Unauthenticated and
deprecated endpoints
§ Testing endpoints
interacting with core
§ Re-use of API keys
§ Further information
disclosure, sometimes
including credentials
Internet facing application
Management portal
Exposed API
§ Unprivileged access
to management API
§ RCE on vulnerable
application behind
management API
§ Core nodes access via
management portal
and exposed APIs
§ Node takeover via
image replacement
Telco infrastructure
§ Info leak and control
of support systems
§ SensiZve data
exfiltraZon
RAN & Core nodes
OSS & BSS nodes

21. as Logo Horizontal
Pos / Neg
Recap: A red team exercise simulates real-world hacking
21
Red Teaming
=
Free-style hacking:
An invitation to hack a company, any
way you chose, …
and help that company improve their
defenses based on what you find

22. as Logo Horizontal
Pos / Neg
Red Team insight: Telco hacking has become a multi-step journey
Through Out / Down
In
RCE in web
portal
provides initial
foothold
Container
breakout
allows network
access outside
DMZ
Admin
credential leak
through internal
API
Customer SMS
visible in shared
elastic database
Spy on customers

23. as Logo Horizontal
Pos / Neg
Red Team insight: Telco hacking has become a multi-step journey
Through Out / Down
In
RCE in web
portal
provides initial
foothold
Container
breakout
allows network
access outside
DMZ
Admin
credential leak
through internal
API
Customer SMS
visible in shared
elastic database
Secrets found in
internal GitLab,
cracked
Customer data
readable in KYC
database
Access customer private data

24. as Logo Horizontal
Pos / Neg
Control over network mgmt
Red Team insight: Telco hacking has become a multi-step journey
Through Out / Down
In
RCE in web
portal
provides initial
foothold
Container
breakout
allows network
access outside
DMZ
Admin
credential leak
through internal
API
Customer SMS
visible in shared
elastic database
Automation API
details leaked in
publicly
accessible
GitHub
Access to RAN
intelligent
controller
Control over
RAN elements
after container
breakout into
RAN Kubernetes
Secrets found in
internal GitLab,
cracked
Customer data
readable in KYC
database

25. as Logo Horizontal
Pos / Neg
Red Team insight: Telco hacking has become a mulX-step journey
Through Out / Down
In
RCE in web
portal
provides initial
foothold
Container
breakout
allows network
access outside
DMZ
Admin
credential leak
through internal
API
Customer SMS
visible in shared
elastic database
AutomaEon API
details leaked in
publicly
accessible
GitHub
Access to RAN
intelligent
controller
Control over
RAN elements
after container
breakout into
RAN Kubernetes
Secrets found in
internal GitLab,
cracked
Customer data
readable in KYC
database
Take down network

26. as Logo Horizontal
Pos / Neg
Agenda
26
§ Issues affecOng all 5G deployment scenarios
§ Issues in legacy 5G networks (“NSA”)
§ Issues in modern 5G architectures
§ SoluJon challenges

27. as Logo Horizontal
Pos / Neg
Harden your containers by restricting and using controls at several levels
27
Container
config
Privileged
Containers
Shared Host
Resources
Capabilities
Service Account
Do not use pods that allow privileged containers. Do not use
pods which are running as root inside the container.
Restrict host resources as much as possible. (hostNetwork,
hostPID, hostPath, hostIPC)
Take capabilities away from pods: Drop all capabilities (--cap-
drop=all), then add only the required ones (cap-add=xyz)
Do not mount default service account
Syscall policies Make use of AppArmor / SELinux, Seccomp
OS image
Disable bash history, remove files from build/sandbox stage
Minimal OS
Network policies Deny all by default
Limit history
Use a minimal set of OS packages (if possible do not include a
shell)
Area Best practice
§ The security of
Kubernetes
environments
depends on
strong
configuration /
hardening of
pods,
containers, and
OS images
§ The hardening
setting should
be checked
automatically as
part of the build
/ CI/CD pipeline
Take away

28. as Logo Horizontal
Pos / Neg
Best practice Recommended initiative
Secure by design
§ Implement a centralized access management solution across the whole deployment
§ Follow Zero Trust principles when designing the applications and network infrastructure
§ Avoid legacy protocols and parameters when integrating new nodes
§ Design and implement service redundancy and define a backup process
Defense in depth
§ Define and keep network zones separate (on a macro scale) using firewalls, proxies, VRFs
§ Assign individual interface to user, control & mgmt. plane, and set appropriate host ACLs
§ Deploy container policies to reduce application and OS abuse inside clusters
§ Encrypt data at rest and in transit using well-known standards to avoid unintentional leaks
Least privilege rule
§ Define user roles with appropriate privileges for each application
§ Simplify and document the user management grant/revoke processes
§ Implement periodic automatic checks on user roles
Continuous testing
§ Automate checks for service exposure, hardening and missing patches
§ Periodically let 3rd parties run end-to-end attack simulations and penetration tests
§ Perform code and image analysis at every software release (via CI/CD triggers)
Minimize time to
response
§ Make sure all systems create meaningful logs (network, access, operational, failures)
§ Centrally collect and correlate all events according to common attack scenarios
§ Extend and validate SIEM rules to cover both IT and telco-specific attacks
§ Create documentation and integrate appliances for incident response
In theory, 5G deployments can be secured through five best practices
28

29. as Logo Horizontal
Pos / Neg
In practice, successful telco cyber defence is often hard as standard prevention and detection
controls are missing
Cyber risk areas Detection
Prevention
Defense best practices [examples]
System hacking
Abuse of insider
privileges
System hardening & patching
Privileged access management
1
2
Endpoint protection
3
Detailed on next slides
x
29

30. as Logo Horizontal
Pos / Neg
Needs hardening insights and regular
patches for proprietary systems
Adequate system maintenance is hard in both telco architectures, but for different reasons
Prevent system hacking
Objective
Harden & regularly patch critical systems
Best pracZce
+ Critical systems in Edge and Core are based on
standard Linux system for which knowledge and
tools for hardening and patching are readily
available
- However, vendors do not typically provide good
default settings or sufficient access for the telco to
execute hardening and patching activities, and do
not patch often enough themselves
Legacy/current telco networks
+ Systems are readily accessible as VMs or docker
containers, often already hardened
- The number of systems to harden and patch is
significantly higher due to micro virtualization and
container infrastructures
- Vendors often use proprietary (e.g. embedded
linux) systems for which hardening knowledge and
patching tools are rare
Future network (cloud-native, highly automated)
Complications
Ease of
implementations
Hard
Needs agreement with vendor on patch
responsibiliZes, system redundancy
Hard
1
30

31. as Logo Horizontal
Pos / Neg
Access to standard Linux telco nodes works
similarly to standard server access in IT
Standard PAM systems can protect core network nodes from rogue/hacked insiders
2
Prevent abuse of insider privileges
ObjecZve
Privileged access management
Best practice
+ Privileged Access Management (PAM) systems authenticate and monitor administrative access to servers, and can
be used for protecting network nodes
+ Most telco vendors prefer to use their proprietary EMS systems, but telcos should instead use well-established PAM
systems that are independent from the telco vendor
+ Since modern 5G nodes are Linux based and/or provide SSH authentication, PAM systems can readily be used
Constraints
Access to containers / VMs through SSH or
virtualization layer
Easy Easy
Future network (cloud-naZve, highly automated)
Legacy/current telco networks
Direct access Direct access
Ease of
implementation
PAM
Mgmt system PAM
Mgmt system
31

32. as Logo Horizontal
Pos / Neg
Standard Linux EDR software can be leveraged
Modern endpoint protection can be deployed easily on standard Linux, but not on
many VNFs in open network architectures
3
Detect system hacking
Objective
Modern endpoint protection (EDR*)
Best pracZce
+ Critical functions run on Linux and can be protected
from system hacking activity with standard EDR and/or
open source monitoring tools
- Possibly, a new vendor agreement is required to permit
the EDR installation and define incident response
procedures
Constraints
Ease of
implementation
Embedded systems / stripped down containers
require custom security tools
Easy Hard
*EDR: Endpoint Detection & Response
Future network (cloud-naZve, highly automated)
Legacy/current telco networks
- The proprietary distributions inside VNFs often do not
allow other software to be installed
+ At additional effort and with the help of the telco
vendor, open source security tools can be deployed
+ Once deployed, the virtualization infrastructure allows
for a high degree of automation
32

33. as Logo Horizontal
Pos / Neg
1
2
3
Take aways
Prevention
§ Security best practices are
missing from vanilla telco
architectures and need to be
added by each telco
§ The effort of implementing these
measures is largely independent
of the choice between open and
closed architectures
§ Protection knowledge can be
borrowed from the IT domain
Privileged
access
management
Detection
Legacy (closed) Future (cloud)
Hard Hard
Easy Easy
Easy
Architecture model
System
hardening &
patching
33
In summary: It is the telco's responsibility to realize important security practices, and few of
them are able to implement standard IT security controls
Hard
Endpoint
protection

34. as Logo Horizontal
Pos / Neg
Take aways
34
Questions?
Karsten Nohl <nohl@srlabs.de>
1
Mobile networks are becoming cloud
infrastructures – highly virtualized and
automated
2
The hacking surface moves and expands into
software development and virtualization
infrastructure
3
Hacking a mobile network realisEcally takes
several weeks, an effort many adversaries are
willing to invest