5G protocol vulnerabilities and exploits
Roger Piqueras Jover (@rgoestotheshows)
ABOUT ME
●   Things I do…
    ─ Fatherhood
    ─ Senior Security Architect in the Office of the CTO at Bloomberg LP
    ─ Wireless Security Research
    ─ Soccer, live rock/punk-rock/metal music, geek
●   Mobile/wireless security research
    ─ Started 10 years ago with LTE
    ─ History of breaking/breaking-into things communicating over 802.11, BLE, ZigBee…
    ─ 5G security
●   Random trivia/achievements
    ─ Saw every single game live on TV during World Cup 2006 and 2010
    ─ Seen the band Bad Religion live 22 times
●   Very happy to be back at the ShmooCon stage 4 years later!
●   More
    ─ http://rogerpiquerasjover.net/
    ─ @rgoestotheshows
© Portions Copyright 2020 Bloomberg L.P.
This work is unrelated to my day job. All opinions and views expressed here are my own.
WHAT AM I GOING TO TALK ABOUT?
MOBILE NETWORK SECURITY RETROSPECTIVE
●   GSM: “Old” encryption, no BS authentication
    ─ Ask Karsten Nohl and Sylvain Munaut…
●   3G: Strong encryption, mutual authentication
    ─ Interestingly, research mostly skipped 3G…
●   LTE: Stronger encryption, mutual authentication
    ─ Broken in a number of ways. Ask Rabi Borgaonkar, David Rupprecht, Syed Rafiul Hussain, Yongdae Kim, myself…
●   5G: (Optional) encryption of IMSI. More secure?
    ─ So much buzz! Has security improved?
MOBILE NETWORK SECURITY RETROSPECTIVE
●   GSM
    ─ Deployment 1991, first crypto attacks 2004, first system attack 2009
    ─ OsmocomBB, OpenBTS, OpenBSC, etc.
●   LTE
    ─ Standards 2008, deployment 2012, first system attacks early 2016
    ─ OpenLTE (12/31/2012), srsLTE (06/15/2015)
    ─ Lots of excellent research papers over the last 3 years
●   5G
    ─ Release 15 published 12/2017, 5G security specifications 03/2018, many vulnerabilities found since 2018
SECURITY RESEARCH RAPIDLY MATURING
●   Cellular security research ramping up rapidly!
    ─ GSM: 18 years from deployment to first attacks
    ─ LTE: 8 years from standards to first attacks, 3 years from deployment to first attacks
    ─ 5G: a number of vulnerabilities identified even before deployment!
WHAT HAS CHANGED BETWEEN THEN AND NOW?
●   Research ecosystem maturing
    ─ Maturity of open-source tools
    ─ Excellent work from academia over the last few years
    ─ Cellular security research hitting mainstream media
MOBILE NETWORK SECURITY RETROSPECTIVE
●   A topic that I am very interested in…
    ─   https://www.linkedin.com/pulse/reflection-history-cellular-security-research-outlook-piqueras-jover
    ─   https://www.eff.org/deeplinks/2019/06/history-cellular-network-security-doesnt-bode-well-5g
    ─   https://softhandover.wordpress.com/2018/12/06/the-current-state-of-affairs-in-5g-security/
    ─   https://www.linkedin.com/pulse/impact-open-source-mobile-security-research-roger-piqueras-jover/
    ─   https://arxiv.org/abs/1904.08394
LTE protocol security redux…
SOME BASIC JARGON
●   IMEI – “Serial number” of the device
●   IMSI – secret id of the SIM that should never be disclosed
●   SUPI – Subscriber Unique Private Identifier (“5G IMSI”)
●   SUCI – Subscriber Unique Concealed Identifier (SUPI encrypted with operator’s public key)
●   TMSI – temporary id used by the network once it knows who you are
●   MSISDN – Your phone number (e.g. XYZ-867-5309)
LTE ARCHITECTURE
LTE ATTACH PROCEDURE
(Figure: LTE attach message flow, annotated with the steps below.)
●   RACH handshake between UE and eNB
●   RRC handshake between UE and eNB
●   Connection setup (authentication, set-up of encryption, tunnel set-up, etc)
●   Encrypted traffic
LTE (IN)SECURITY REDUX
●   The pre-authentication messages in the attach flow are unencrypted and unprotected. These messages can be intercepted and spoofed with open-source tools and low-cost radios.
●   Other things sent in the clear:
    ─ Base station config (broadcast messages)
    ─ Measurement reports
    ─ Measurement report requests
    ─ (Sometimes) GPS coordinates
    ─ HO related messages
    ─ Paging messages
    ─ Etc
LTE (IN)SECURITY REDUX
Regardless of mutual authentication and strong encryption, a mobile device engages in a substantial exchange of unprotected messages with *any* LTE base station (malicious or not) that advertises itself with the right broadcast information.
The vast majority of vulnerabilities identified in LTE are based on exploiting these pre-authentication messages.
SNIFFING BASE STATION CONFIGURATION
●   Capturing MIB and SIB broadcast messages
    ─ Identify base stations of a given operator
    ─ Identify ad-hoc base stations for first responders, etc
    ─ Optimal TX power for rogue base station
    ─ High priority frequencies
    ─ Etc
IMSI CATCHING
●   Until late 2015, it was wrongly assumed to not be possible in LTE
    ─ Just a few lines of extra code in srsLTE
    ─ Not too long ago operators would still page devices using the IMSI in some cases
Roger Piqueras Jover. LTE protocol exploits. ShmooCon 2016.
DEVICE DoS AND SILENT DOWNGRADE TO GSM
●   Rogue base station replying with Attach Reject and/or TAU Reject messages
    ─ Brick a mobile device until reboot or toggle of airplane mode
    ─ Silent downgrade to GSM
Hussain, Syed, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. "LTEInspector: A systematic approach for adversarial testing of 4G LTE." In Network and Distributed Systems Security (NDSS) Symposium 2018. 2018.
Shaik, Altaf, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. "Practical attacks against privacy and availability in 4G/LTE mobile communication systems." In Network and Distributed System Security Symposium. Internet Society, 2016.
DEVICE TRACKING
●   Silent paging leveraging social networks (e.g. WhatsApp and FB Messenger)
●   TMSI+RNTI-based tracking
●   Device/identity fingerprinting capturing LTE traffic
Shaik, Altaf, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. "Practical attacks against privacy and availability in 4G/LTE mobile communication systems." In Network and Distributed System Security Symposium. Internet Society, 2016.
Jover, Roger Piqueras. "LTE protocol exploits." ShmooCon 2016 (2016).
            DNS SPOOFING AND TRAFFIC HIJACK OVER LTE
            ●      aLTEr Attack
                    ─ Leverages my RNTI-based tracking/fingerprinting
                    ─ For the record, 3GPP TR 33.899 V1.3.0 (2017-08) ignored me and claimed RNTI tracking was not a security issue…
            ●      Poor implementation of AES cipher leads to cipher text modification attack
                    ─ Flip bits in encrypted DNS responses, modify plain-text IP in DNS response and hijack user’s traffic
                    ─ How to tell DNS requests/responses apart from other encrypted traffic?
                       • RNTI-based tracking, of course, which was clearly never a security issue…
Rupprecht, David, Katharina Kohls, Thorsten Holz, and Christina Pöpper. "Breaking LTE on layer two." In IEEE Symposium on Security & Privacy (SP). 2019.
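Added example, not code from the talk or from the aLTEr authors: the ciphertext-modification problem on this slide comes from protecting user-plane traffic with a counter-mode cipher and no integrity check, so the fix is integrity protection, not a different cipher. The Go program below uses a constructed DNS-answer-like string, a constructed key and a zero IV (assumptions of the example, not values from any network). It shows a counter-mode ciphertext being rewritten in flight so the receiver decrypts a different address, then the same rewrite being rejected once the packet is protected with an AEAD (AES-GCM). The example is generic and makes no claim about any particular deployment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-in for a DNS answer inside an encrypted user-plane packet.
// Only the resolved address matters for the demonstration.
const sampleAnswer = "A bank.example -> 203.0.113.10"

// ctrEncrypt models confidentiality-only protection (AES-128-CTR, no integrity
// check), the way the LTE user plane is protected. Decryption is the same call.
func ctrEncrypt(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// rewriteField changes a known-plaintext field inside a counter-mode ciphertext
// without knowing the key: XOR each ciphertext byte with from^to. It works
// because the keystream does not depend on the plaintext and nothing
// authenticates the bytes; this is the manipulation the slide describes.
func rewriteField(ciphertext []byte, offset int, from, to string) ([]byte, error) {
	if len(from) != len(to) {
		return nil, errors.New("replacement must keep the field length")
	}
	if offset < 0 || offset+len(from) > len(ciphertext) {
		return nil, errors.New("field outside ciphertext")
	}
	out := append([]byte(nil), ciphertext...)
	for i := 0; i < len(from); i++ {
		out[offset+i] ^= from[i] ^ to[i]
	}
	return out, nil
}

// malleableDemo returns what the victim decrypts after the in-flight rewrite.
func malleableDemo(key, iv []byte) (string, error) {
	ct := ctrEncrypt(key, iv, []byte(sampleAnswer))
	offset := strings.Index(sampleAnswer, "203.0.113.10")
	tampered, err := rewriteField(ct, offset, "203.0.113.10", "198.51.100.7")
	if err != nil {
		return "", err
	}
	return string(ctrEncrypt(key, iv, tampered)), nil
}

// aeadDemo applies the mitigation: integrity protection. With an AEAD (AES-GCM)
// the tag covers the ciphertext, so the same rewrite fails authentication and
// the receiver gets an error instead of a redirected answer.
func aeadDemo(key []byte) (accepted bool, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	ct := gcm.Seal(nil, nonce, []byte(sampleAnswer), nil)
	offset := strings.Index(sampleAnswer, "203.0.113.10")
	tampered, err := rewriteField(ct, offset, "203.0.113.10", "198.51.100.7")
	if err != nil {
		return false, err
	}
	_, err = gcm.Open(nil, nonce, tampered, nil)
	return err == nil, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	iv := make([]byte, aes.BlockSize)
	got, _ := malleableDemo(key, iv)
	ok, _ := aeadDemo(key)
	fmt.Printf("CTR receiver decrypts: %q\nAEAD receiver accepts tampered packet: %v\n", got, ok)
}
```

Only the Go standard library is needed. The design point for 5G is that the specification makes user-plane integrity protection an option the network enables per session; where it stays off, the same malleability carries over from LTE, because a cipher on its own never detects a modified packet.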
UL FUZZING AND EXPLOITS WITHOUT ROGUE BS!
●   IMSI extraction based on paging traffic and paging occasion analysis
●   Signal overshadowing
    ─ No need to set up a rogue base station to inject malicious LTE pre-authentication messages
●   LTE uplink fuzzing!
    ─ Open-source tools and low-cost hardware to inject arbitrary traffic into cellular networks
    ─ NAS-layer traffic hits the MME
    ─ MME/core network fuzzing?
Yang, Hojoon, Sangwook Bae, Mincheol Son, Hongil Kim, Song Min Kim, and Yongdae Kim. "Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE." In 28th USENIX Security Symposium (USENIX Security 19), pp. 55-72. 2019.
How do things look like in 5G?
(SIMPLIFIED) 5G ARCHITECTURE
(Figure: 5G RAN base stations connect over N2 and N3 to the 5G core; the core shows AMF, AUSF, UDM, UPF and “other nodes” linked by interfaces N4, N8, N10, N11, N12 and N13, with the UPF reaching the PDN over N6. Caption: “Behold the IoT and the connected world”.)
5G ATTACH PROCEDURE
●   Two types of deployment and operation of 5G
    ─ Non-standalone mode (NSA)
       • 5G-NR RAN deployment
       • LTE core infrastructure
       • Everything like LTE but using the 5G high throughput RAN
       • Architecture like LTE plus 5G gNodeB (base station)
    ─ Standalone mode (SA)
       • Actual standalone 5G deployment
       • Architecture like the one in the previous figure
5G NSA ATTACH PROCEDURE
●   Start with basic LTE NAS attach…
    ─ UE signals to LTE core that it supports 5G NR via DCNR bit in AttachRequest message (unprotected message)
    ─ As shown earlier, the initial NAS Attach on LTE is unprotected.
●   Then switch to 5G-NR RAN…
    ─ Unprotected messages (annotated twice on the message flow figure)
5G SA ATTACH PROCEDURE
(Figure: 5G SA registration message flow, annotated “Unprotected messages.”)
For a more detailed message flow: https://www.eventhelix.com/5G/standalone-access-registration/5g-standalone-access-registration.pdf
Gearing up to explore 5G’s security…
CHALLENGES IN CAPTURING AND ANALYZING 5G TRAFFIC
●   You cannot exploit any of these protocol vulnerabilities with any (known) open-source tool or standard SW radios
    ─ Any statement otherwise is incorrect
    ─ Technology is just not there yet, but soon will be
    ─ E.g. 5G 100MHz BW
       • Recall Nyquist and Shannon
       • Your lab PC already sometimes struggles to tx/rx at 32Msps to/from your USRP for LTE 10MHz
       • Imagine 5G at 2xBW!
CHALLENGES IN CAPTURING AND ANALYZING 5G TRAFFIC
●   Open-source 5G protocol stack
    ─ Exciting ongoing work
    ─ Commercial tools that cover the network core and/or parts of the NR-RAN
       • Note: this list is not intended to be complete or in any particular order, but just a sample of existing options.
    ─ srsLTE already implements some 5G features since release 19.12, very useful for early fuzz tests of the 5G core protocol
       • 5G RRC (https://github.com/srsLTE/srsLTE/blob/master/lib/include/srslte/asn1/rrc_nr_asn1.h)
       • 5G NGAP (https://github.com/srsLTE/srsLTE/blob/master/lib/include/srslte/asn1/ngap_nr_asn1.h)
CHALLENGES IN CAPTURING AND ANALYZING 5G TRAFFIC
●   Software radio
    ─ A high end USRP X series has a BW of up to 120MHz
    ─ You know when you mess up with gnuradio and start saving raw IQ samples on disk?
    ─ Imagine at, say, 200Msps
        •   HUGE capture files
        •   Expensive to process
        •   On a standard PC, forget about processing them in real time
        •   Yes, no SDR-based 5G sniffing yet
RELEASE 15 TRAFFIC CAPTURES FOR ANALYSIS
●   All 5G captures shown here are from real Release 15 5G lab mobile devices and base stations
●   Captured with Sanjole 5G Wavejudge
    ─ Traffic analysis processing raw 5G IQ samples on Wavejudge’s SW
●   5G test and experimentation HW still in early stages of product life
    ─ High price
    ─ In constant development
●   Capture limitations
    ─ Max capture duration of a couple of seconds at best (HUGE file anyways)
    ─ No real-time processing (no Wireshark-like traffic capture)
    ─ Hard to get an entire attach plus user traffic flow in such a short capture
If you are a prospective PhD student or PostDoc and would like to have access to such 5G security analysis equipment, come talk to me after the talk or send me an email.
5G protocol security analysis
5G IMSI PROTECTION – SUPI/SUCI
●   New unique secret identifier
    ─ SUPI (Subscriber Unique Private Identifier)
●   (OPTIONAL) Feature to encrypt the SUPI in flight
    ─ SUCI (Subscriber Unique Concealed Identifier)
    ─ SUCI = Encrypt[SUPI], using the public key of the home operator stored in the SIM
(Figure: the UE sends the SUCI through a base station from the home operator to the home operator’s 5G core, AUSF and UDM.)
5G IMSI PROTECTION – SUPI/SUCI
●   SUPI encryption also works in roaming scenarios
    ─ Devices authenticate only with their home operator
    ─ Only the home operator has the key material shared between the SIM and the operator
●   If this is implemented, IMSI/SUPI catching not possible in 5G…
(Figure: the UE, holding the public key of the home operator in its SIM, attaches through a base station from a foreign operator; the foreign operator’s 5G core forwards to the home operator’s 5G core under roaming agreements.)
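Added example, not code from the talk or from any 3GPP implementation, of the SUCI = Encrypt[SUPI] construction on the two slides above. It is an ECIES-style scheme in Go: the UE runs an ephemeral X25519 agreement with the home operator’s public key from the SIM, derives an encryption key and a MAC key, encrypts the SUPI with AES-128-CTR and appends a tag; only the home core, which holds the private key, can reverse it, which is why the scheme also works when the serving base station and core belong to a foreign operator. 3GPP’s profile A uses Curve25519, AES-128-CTR and an 8-byte HMAC-SHA-256 tag with an ANSI X9.63 KDF; the KDF and byte layout below are simplified assumptions of this example, so it shows the shape of the scheme, not a spec-conformant SUCI encoder. The SUPI value is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Simplified KDF for this example (3GPP specifies an ANSI X9.63 KDF instead):
// 16 bytes of AES key and 16 bytes of MAC key from the ECDH shared secret.
func deriveKeys(shared, ephPub []byte) (encKey, macKey []byte) {
	h := hmac.New(sha256.New, ephPub)
	h.Write(shared)
	out := h.Sum(nil)
	return out[:16], out[16:]
}

// AES-128-CTR with a zero IV, safe only because each derived key is single-use.
func ctr(key, in []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes here
	out := make([]byte, len(in))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, in)
	return out
}

func tag8(macKey, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(ct)
	return h.Sum(nil)[:8]
}

// conceal is the UE side, SUCI = Encrypt[SUPI]: ephemeral X25519 agreement with
// the home operator's public key (from the SIM), then encrypt and tag.
// Layout: ephPub(32) || ciphertext || tag(8).
func conceal(homePub *ecdh.PublicKey, supi string) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(homePub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	encKey, macKey := deriveKeys(shared, ephPub)
	ct := ctr(encKey, []byte(supi))
	return append(append(ephPub, ct...), tag8(macKey, ct)...), nil
}

// deconceal is the home-core side: only the holder of the private key recovers
// the SUPI; a rogue base station or a roaming operator's core sees only SUCI bytes.
func deconceal(homePriv *ecdh.PrivateKey, suci []byte) (string, error) {
	if len(suci) < 32+8 {
		return "", errors.New("SUCI too short")
	}
	ephPub, ct, tag := suci[:32], suci[32:len(suci)-8], suci[len(suci)-8:]
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return "", err
	}
	shared, err := homePriv.ECDH(pub)
	if err != nil {
		return "", err
	}
	encKey, macKey := deriveKeys(shared, ephPub)
	if !hmac.Equal(tag, tag8(macKey, ct)) {
		return "", errors.New("SUCI integrity check failed")
	}
	return string(ctr(encKey, ct)), nil
}

// demo conceals one SUPI twice, recovers it in the home core, checks that the
// two SUCIs differ (fresh ephemeral key, so a SUCI is not a trackable identifier)
// and that a bit flipped in transit is rejected rather than decrypted.
func demo(supi string) (recovered string, suciDiffer, tamperRejected bool, err error) {
	home, err := ecdh.X25519().GenerateKey(rand.Reader) // home operator key pair
	if err != nil {
		return "", false, false, err
	}
	suci1, err1 := conceal(home.PublicKey(), supi)
	suci2, err2 := conceal(home.PublicKey(), supi)
	if err1 != nil || err2 != nil {
		return "", false, false, errors.New("conceal failed")
	}
	recovered, err = deconceal(home, suci1)
	flipped := append([]byte{}, suci2...)
	flipped[32] ^= 0x01 // first ciphertext byte
	_, tamperErr := deconceal(home, flipped)
	return recovered, string(suci1) != string(suci2), tamperErr != nil, err
}

func main() {
	fmt.Println(demo("imsi-001010123456789")) // constructed test SUPI
}
```

Every run produces a different SUCI for the same SUPI, which is the property that stops a passive listener from using the SUCI as a tracking identifier; the tag check is there because an unauthenticated ciphertext would let a rogue base station alter the identifier in flight. This covers only the identifier: the next slides show why protecting the SUPI does not protect the rest of the pre-authentication exchange.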
5G IMSI PROTECTION – SUPI/SUCI
●   If this is implemented, IMSI/SUPI catching not possible in 5G…
    ─ Yeah, not so fast… Broken too.
●   Flaws on LTE and 5G paging protocol
    ─ Trigger paging messages and intercept
    ─ Derive Paging Occasion
    ─ Bruteforce the IMSI or SUPI
Hussain, Syed Rafiul, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. "Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information." In NDSS. 2019.
5G SUPI PROTECTION?
●   Optional feature
    ─ Optional features in previous cellular generations were generally left unimplemented
●   So many key architectural elements left “outside of the scope” of the 3GPP specs
    ─ Key management, key distribution, key rotation, key storage…
    ─ Likely a deterrent from actual implementation
(Figure: the public key of the home operator is stored in the SIM; the secret key of the operator sits with the AUSF/UDM, in a “super secure vault in some super secure location?”)
“OUT OF SCOPE”
This works for most wireless security specifications: Ctrl+F for {“scope”, ”out of scope”, ”out of the scope”, etc} in mobile communication standard documents
3GPP TS 33.501 - Security architecture and procedures for 5G system
●   5.2.5 – Subscriber privacy
    ─ “The provisioning and updating of the home network public key is out of the scope of the present document. It can be
        implemented using, e.g. the Over the Air (OTA) mechanism.”
●   12.2 – Mutual authentication
    ─ “The structure of the PKI used for the certificate is out of scope of the present document.”
●   C.3.3 – Processing on home network side
    ─ “How often the home network generates new public/private key pair and how the public key is provisioned to the UE
        are out of the scope of this clause.”
●   Many more…
5G NSA ATTACH PROCEDURE
(Figure: 5G NSA attach message flow.) Unencrypted and unprotected. These messages can be intercepted and spoofed.
●   Other things sent in the clear:
    ─ Base station config (broadcast messages)
    ─ Some measurement reports
    ─ Some measurement report requests
    ─ Paging messages
    ─ Etc
●   Sound familiar?
5G (IN)SECURITY RATIONALE
Regardless of mutual authentication and strong encryption, a 5G mobile device engages in a substantial exchange of unprotected messages with *any* 5G base station (malicious or not) that advertises itself with the right broadcast information.
Abusing these messages causes most LTE protocol exploits to still apply in 5G, renders SUPI encryption potentially useless and allows tracking of 5G devices.
Are we there yet? The long path to securing 5G mobile communication networks
https://www.linkedin.com/pulse/we-yet-long-path-securing-5g-mobile-communication-piqueras-jover
5G (IN)SECURITY RATIONALE
●   5G still does not provide any means to verify the validity of a base station before communicating with it
    ─ Operator’s public key in the SIM works for SUPI encryption
    ─ It does NOT work to prevent pre-authentication message-based exploits
(Figure 1: the UE holds the public key of the home operator in the SIM and the home operator holds the secret key of the operator. Pre-authentication messages COULD be signed with the operator’s secret key. Note this is NOT what happens in 5G: pre-authentication messages are still unprotected.)
(Figure 2: roaming. The roaming operator does NOT have the home operator’s secret key. In this scenario, what would happen with pre-authentication messages? Trusted by default.)
(Figure 3: a rogue 5G base station spoofs MIB and SIB messages and exploits unprotected pre-authentication messages.)
SNIFFING 5G BASE STATION CONFIGURATION
●   Capturing MIB and SIB broadcast messages
    ─ Identify base stations of a given operator
    ─ Identify ad-hoc base stations for first responders, etc
    ─ Optimal TX power for rogue base station
    ─ High priority frequencies
    ─ Etc
●   Configure a rogue base station
●   In all fairness, this is a very hard problem to solve
(Figure: captured 5G SIB1 message.)
5G RNTI-BASED TRACKING
●   RNTI-based device tracking and fingerprinting
    ─ Again, for the record, 3GPP TR 33.899 V1.3.0 (2017-08) claimed RNTI tracking was not a security issue in LTE…
    ─ Combination of RNTI with other layer 2 identities
“Demo” time
Let’s look at some captures of real 5G traffic…
UE CAPABILITY INQUIRY
●   Known vulnerability in LTE
    ─ Fingerprint the type of device based solely on the capabilities disclosed in these unprotected messages
    ─ Bidding down attacks, battery drain…
    ─ Implemented in LTE with SW radio and open-source LTE stack
●   Also possible in 5G
Shaik, Altaf, and Ravishankar Borgaonkar. "New Vulnerabilities in 5G Networks." BlackHat 2019.
5G security roadmap?
THE CURRENT STATE OF AFFAIRS IN 5G SECURITY
●   An increasing number of vulnerabilities identified before 5G even goes live
    ─ This can be a good thing, things can still be fixed…
    ─ Topic that fascinates me
       • https://softhandover.wordpress.com/2018/12/06/the-current-state-of-affairs-in-5g-security/
       • Jover, Roger Piqueras. "The current state of affairs in 5G security and the main remaining security challenges." arXiv preprint arXiv:1904.08394 (2019).
THE CURRENT STATE OF AFFAIRS IN 5G SECURITY
●   Formal verification analysis of the 5G specifications
    ─ A number of new theoretical protocol vulnerabilities identified
    ─ Really exciting work going on in this area!
    ─ All vulnerabilities identified exist due to pre-authentication messages and other unprotected control traffic
Hussain, Syed Rafiul, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. "5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol." In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 669-684. 2019.
ROOT CAUSE FOR MOST VULNERABILITIES
●   How do we fix the challenge with pre-authentication messages?
    ─ It has been a big security challenge in cellular throughout all Gs
(Figure: a base station announcing “I swear I am your operator!”)
You would not trust a self-signed certificate on an eCommerce site and type in your login or credit card number. Why would you trust a plain-text MIB/SIB message that claims a given tower is your operator?
5G SECURITY ROADMAP?
●   How do we fix the challenge with pre-authentication messages?
    ─ It has been a big security challenge in cellular throughout all Gs
    ─ Using public keys without defining how to manage them, rotate them, etc is NOT the right way
●   PKI and Digital Certificates?
    ─ Mature technology
    ─ Makes the Internet “trustworthy” to use
        •   And by that I mean that I am personally ok to type my cc number in a
            reliable site with a valid cert…
5G SECURITY ROADMAP?
●   PKI and Digital Certificates in cellular?
    ─ Why not?
    ─ Probably not a single root CA
       • Each country runs and admins its own root CA?
       • Each operator runs a sub CA?
       • Flexibility for operators worldwide to decide whom they trust and whom they don’t
       • List of root CAs loaded in your browser → list of root CAs loaded on your SIM
●   It is not easy
    ─ Global effort standards+industry
    ─ Cert revocation? (your phone is not always “online”)
●   But it is definitely possible!
DIGITAL CERTIFICATES IN CELLULAR NETWORKS?
●   X.509 certs in cellular
    ─ Just a few messages need to be signed
    ─ Perhaps SIB messages and RRC handshake plus responses to AttachRequest and TAURequest etc?
●   Hussain, Syed Rafiul, Mitziu Echeverria, Ankush Singla, Omar Chowdhury, and Elisa Bertino. "Insecure
    connection bootstrapping in cellular networks: the root of all evil." In Proceedings of the 12th
    Conference on Security and Privacy in Wireless and Mobile Networks, pp. 1-11. ACM, 2019.
    ─ IMO, the greatest thing to happen in mobile network security research in years!
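Added example, not code from the talk or from the cited papers, of what the last three slides propose: a per-country root CA, a certificate per operator, and a signing key for broadcast messages such as SIB1. It is written in Go with Ed25519; the certificate and SIB1 encodings, the PLMN ids and the “US” trust-store entry are constructed stand-ins, not 3GPP or X.509 formats. The UE-side check it demonstrates is the one the slides argue for: a cell is trusted only if its SIB1 signature verifies under a key certified by a root the SIM holds, and the certificate must name the same PLMN the SIB1 claims, otherwise a validly certified operator could vouch for a cell pretending to be a different operator.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// operatorCert stands in for an X.509 certificate that a country root CA issues
// to one operator: it binds the operator's broadcast-signing key to its PLMN id.
// The layout is this example's own, not a 3GPP or X.509 encoding.
type operatorCert struct {
	plmn      string
	pubKey    ed25519.PublicKey
	signature []byte // root CA signature over certBytes
}

func certBytes(plmn string, pub ed25519.PublicKey) []byte {
	return append([]byte("operator-cert|"+plmn+"|"), pub...)
}

// issueOperatorCert is the root CA step ("each country runs its own root CA,
// each operator runs a sub CA" on the slides, collapsed to one level here).
func issueOperatorCert(rootPriv ed25519.PrivateKey, plmn string, pub ed25519.PublicKey) operatorCert {
	return operatorCert{plmn, pub, ed25519.Sign(rootPriv, certBytes(plmn, pub))}
}

// sib1 is a simplified broadcast: the fields a UE uses to decide whether a
// cell belongs to its operator, plus the frame number the message was sent in.
type sib1 struct {
	plmn   string
	cellID uint32
	sfn    uint32
	body   string // remaining SIB1 content, opaque here
}

func (s sib1) bytes() []byte {
	var n [8]byte
	binary.BigEndian.PutUint32(n[:4], s.cellID)
	binary.BigEndian.PutUint32(n[4:], s.sfn)
	return append(append([]byte("sib1|"+s.plmn+"|"), n[:]...), s.body...)
}

// signedSIB1 is what the base station would broadcast: the SIB1, the
// operator certificate and the operator's signature over the SIB1 fields.
type signedSIB1 struct {
	sib  sib1
	cert operatorCert
	sig  []byte
}

func broadcast(opPriv ed25519.PrivateKey, cert operatorCert, s sib1) signedSIB1 {
	return signedSIB1{s, cert, ed25519.Sign(opPriv, s.bytes())}
}

// ueTrustStore plays the "list of root CAs loaded on your SIM": country -> root key.
type ueTrustStore map[string]ed25519.PublicKey

// verifyBroadcast is the UE-side check before acting on a SIB1:
//  1. the operator certificate chains to a root the SIM trusts,
//  2. the certified PLMN equals the PLMN the SIB1 claims (a valid certificate
//     for operator X must not vouch for a cell claiming to be operator Y),
//  3. the SIB1 signature verifies under the certified operator key.
func (ts ueTrustStore) verifyBroadcast(country string, m signedSIB1) error {
	root, ok := ts[country]
	if !ok {
		return errors.New("no trusted root CA for this country")
	}
	if !ed25519.Verify(root, certBytes(m.cert.plmn, m.cert.pubKey), m.cert.signature) {
		return errors.New("operator certificate not issued by a trusted root")
	}
	if m.cert.plmn != m.sib.plmn {
		return errors.New("SIB1 PLMN does not match the certified operator")
	}
	if !ed25519.Verify(m.cert.pubKey, m.sib.bytes(), m.sig) {
		return errors.New("SIB1 signature invalid")
	}
	return nil
}

// scenario builds one country root, two certified operators and one impostor
// (all keys constructed at run time) and reports how the UE treats each cell.
func scenario() (genuine, impostor, wrongPLMN error, err error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	xPub, xPriv, _ := ed25519.GenerateKey(rand.Reader)
	certA := issueOperatorCert(rootPriv, "310-150", aPub)
	certB := issueOperatorCert(rootPriv, "310-410", bPub)
	selfX := issueOperatorCert(xPriv, "310-150", xPub) // impostor's self-issued cert
	sim := ueTrustStore{"US": rootPub}
	claim := sib1{"310-150", 4711, 128, "cell parameters"}
	genuine = sim.verifyBroadcast("US", broadcast(aPriv, certA, claim))
	impostor = sim.verifyBroadcast("US", broadcast(xPriv, selfX, claim))
	wrongPLMN = sim.verifyBroadcast("US", broadcast(bPriv, certB, claim))
	return genuine, impostor, wrongPLMN, nil
}

func main() {
	fmt.Println(scenario())
}
```

What the example leaves out is exactly what the slides flag as hard: certificate lifetime and revocation for a device that is not always online. The frame number in the signed data only illustrates that freshness has to be part of the signed message; a real design would need a replay window tied to it.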
Thanks!
If you are a PhD student, PostDoc, professor, etc. interested in 5G security and in using similar 5G security research equipment, contact me!
Roger Piqueras Jover
@rgoestotheshows
http://rogerpiquerasjover.net/