Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
126 tokens/sec
GPT-4o
47 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Penetration Testing of 5G Core Network Web Technologies (2403.01871v1)

Published 4 Mar 2024 in cs.CR

Abstract: Thanks to technologies such as virtual network function the Fifth Generation (5G) of mobile networks dynamically allocate resources to different types of users in an on-demand fashion. Virtualization extends up to the 5G core, where software-defined networks and network slicing implement a customizable environment. These technologies can be controlled via application programming interfaces and web technologies, inheriting hence their security risks and settings. An attacker exploiting vulnerable implementations of the 5G core may gain privileged control of the network assets and disrupt its availability. However, there is currently no security assessment of the web security of the 5G core network. In this paper, we present the first security assessment of the 5G core from a web security perspective. We use the STRIDE threat modeling approach to define a complete list of possible threat vectors and associated attacks. Thanks to a suite of security testing tools, we cover all of these threats and test the security of the 5G core. In particular, we test the three most relevant open-source 5G core implementations, i.e., Open5GS, Free5Gc, and OpenAirInterface. Our analysis shows that all these cores are vulnerable to at least two of our identified attack vectors, demanding increased security measures in the development of future 5G core networks.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (22)
  1. “5G; System architecture for the 5G System (5GS) ,” ETSI, TS 123 501 v17.7.0, Jan. 2023.
  2. A. Padmanabhan, “5G ue data rate,” https://devopedia.org/5g-ue-data-rate, October 2023.
  3. H. Williams, “A timeline of 5G development: From 1979 to now,” https://www.techadvisor.com/article/724833/a-timeline-of-5g-development-from-1979-to-now.html, April 2020.
  4. Q. Tang, O. Ermis, C. D. Nguyen, A. De Oliveira, and A. Hirtzig, “A systematic analysis of 5g networks with a focus on 5g core security,” IEEE Access, vol. 10, pp. 18 298–18 319, 2022.
  5. S. Sullivan, A. Brighente, S. A. P. Kumar, and M. Conti, “5G security challenges and solutions: A review by osi layers,” IEEE Access, 2021.
  6. A. Lotto, V. Singh, B. Ramasubramanian, A. Brighente, M. Conti, and R. Poovendran, “Baron: Base-station authentication through core network for mobility management in 5G networks,” in Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2023, pp. 133–144.
  7. M. Chlosta, D. Rupprecht, C. Pöpper, and T. Holz, “5G suci-catchers: Still catching them all?” in Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2021, pp. 359–364.
  8. G. Holtrup, W. Lacube, D. P. David, A. Mermoud, G. Bovet, and V. Lenders, “5G system security analysis,” Cyber Defence Campus, August 2021.
  9. R. Pell, S. Moschoyiannis, E. Panaousis, and R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on mitre att&ck,” October 2021.
  10. B. I. M. Altariqi, “5G core and (nfvi) network functions virtualization infrastructure penetration testing,” 2020.
  11. A. Shostack, “Experiences threat modeling at microsoft.” MODSEC@ MoDELS, vol. 2008, p. 35, 2008.
  12. G. Brown, “Service-based architecture for 5g core networks,” Huawei White Paper, vol. 1, 2017.
  13. G. Mayer, “Restful apis for the 5g service based architecture,” Journal of ICT Standardization, pp. 101–116, 2018.
  14. OWASP, “Top 10 web application security risks,” https://owasp.org/www-project-top-ten/, 2021.
  15. F. J. de Souza Neto, E. Amatucci, N. A. Nassif, and P. A. M. Farias, “Analysis for comparison of framework for 5G core implementation,” 2021.
  16. Y. Liu, Q. Li, Q. Cao, Z. Huang, Y. Li, and Y. Fan, “Evaluation of free5gc forwarding performance on private and public clouds,” in 2022 IEEE Cloud Summit.   IEEE, 2022, pp. 9–16.
  17. T. Kim, J. Kim, H. Ko, S. Seo, Y. Jcon, H. Jeong, S. Lee, and S. Pack, “An implementation study of network data analytic function in 5g,” in 2022 IEEE International Conference on Consumer Electronics (ICCE).   IEEE, 2022, pp. 1–3.
  18. L. Mamushiane, A. Lysko, H. Kobo, and J. Mwangama, “Deploying a stable 5g sa testbed using srsran and open5gs: Ue integration and troubleshooting towards network slicing,” in 2023 International Conference on Artificial Intelligence, Big Data, Computing and Data Communication Systems (icABCD).   IEEE, 2023, pp. 1–10.
  19. O.-M. Dumitru-Guzu and C. Vlădeanu, “Analysis of potential threats in nextgen 5g core,” in 2022 International Symposium on Electronics and Telecommunications (ISETC).   IEEE, 2022, pp. 1–4.
  20. N. Nikaein, M. K. Marina, S. Manickam, A. Dawson, R. Knopp, and C. Bonnet, “Openairinterface: A flexible platform for 5g research,” ACM SIGCOMM Computer Communication Review, vol. 44, no. 5, pp. 33–38, 2014.
  21. CloudFlare, “What is the principle of least privilege?” https://www.cloudflare.com/learning/access-management/principle-of-least-privilege/, 2017.
  22. PortSwigger, “What is directory traversal and hot to prevent it,” https://portswigger.net/web-security/file-path-traversal, 2018.
Citations (1)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets