Demystifying Privacy in 5G Stand Alone Networks (2409.17700v1)

Abstract: Ensuring user privacy remains critical in mobile networks, particularly with the rise of connected devices and denser 5G infrastructure. Privacy concerns have persisted across 2G, 3G, and 4G/LTE networks. Recognizing these concerns, the 3rd Generation Partnership Project (3GPP) has made privacy enhancements in 5G Release 15. However, the extent of operator adoption remains unclear, especially as most networks operate in 5G Non Stand Alone (NSA) mode, relying on 4G Core Networks. This study provides the first qualitative and experimental comparison between 5G NSA and Stand Alone (SA) in real operator networks, focusing on privacy enhancements addressing top eight pre-5G attacks based on recent academic literature. Additionally, it evaluates the privacy levels of OpenAirInterface (OAI), a leading open-source software for 5G, against real network deployments for the same attacks. The analysis reveals two new 5G privacy vulnerabilities, underscoring the need for further research and stricter standards.

• The paper highlights how 5G SA networks use SUCI to mitigate IMSI catching attacks, offering enhanced user privacy over NSA networks.
• It demonstrates that both 5G SA and NSA networks employ 5G-S-TMSI in paging to effectively counter IMSI paging attacks.
• It uncovers new privacy risks like unprotected GUTI reallocation and bidding-down attacks, urging strict encryption and standardization reforms.

Demystifying Privacy in 5G Stand Alone Networks

In Demystifying Privacy in 5G Stand Alone Networks, Eleftherakis et al. focus on critical privacy concerns associated with the transition from 5G Non-Stand Alone (NSA) to 5G Stand Alone (SA) networks. This paper presents a pioneering qualitative and experimental comparison between 5G NSA and SA networks and provides a detailed assessment of privacy enhancements against the most salient pre-5G attacks. It also evaluates the privacy features of OpenAirInterface (OAI), a notable open-source 5G software, against real-world deployments to identify new vulnerabilities.

Core Study and Key Findings

1. IMSI Catching: The research highlights that 5G SA networks support the Subscription Unique Concealed Identifier (SUCI), effectively mitigating IMSI catching attacks, which remain a concern in 5G NSA implementations. Multiple SUCI-based Identity Request transmissions were tested and validated only in 5G SA and OAI (Figures \ref{fig:5G_SA_SUCI} and \ref{fig:5G_OAI_SUCI}).
2. IMSI Paging: By employing a 5G S-Temporary Mobile Subscription Identifier (5G-S-TMSI) for paging instead of IMSI/SUPI, 5G networks (both NSA and SA) robustly defend against IMSI paging attacks, ensuring greater end-user privacy.
3. IMEI Catching: The shift to a secure channel for PEI transmission in 5G SA and NSA networks limits the risk of IMEI catching effectively. This new protocol maintains PEI confidentiality and integrity during transmission, countering previous exploits where IMEI was transmitted in plaintext.
4. TMSI Deanonymity: The paper identifies variation in GUTI reallocation policy adherence among 5G networks. Two out of three 5G SA networks implemented 3GPP-specified GUTI updates correctly, counter to the NSA network and OAI, which exhibited inadequate renewal schemes, thus being susceptible to TMSI deanonymity attacks.
5. RRC and NAS Ciphering: All experimental networks employed Null encryption for RRC and NAS messages, exposing vulnerabilities related to C-RNTI tracking and UE measurement reports. Mandatory encryption for these channels is underlined as a critical need to ensure comprehensive privacy protection.
6. Security Capabilities Integrity: While all networks replayed the UE's initial security capabilities, the operator networks showed a significant vulnerability due to the lack of Message Authentication Code (MAC) in the NAS Security Mode Command. This opens up vulnerabilities to advanced bidding-down attacks, a shortcoming not evidenced in OAI implementations, which included MAC capabilities, ensuring robust integrity checks.

New 5G Vulnerabilities

The paper surfaces two new privacy vulnerabilities specific to the 5G SA CN implementations:

1. 5G-GUTI Reallocation Command Attack: Notably, two 5G SA networks transmit the Configuration Update Command without integrity or encryption, posing threats of DoS attacks and potential user tracking. Realistically intercepting these unprotected commands facilitates the execution of such attacks.
2. Security Capabilities Bidding-Down Attack: As confirmed in the operator deployments, the omission of MAC in NAS SMC messages leads to susceptibility to a novel variation of the bidding-down attack. Such attacks downgrade network security, fortifying prior threats by exploiting weakened security protocols.

Implications and Future Directions

The paper’s implications are significant:

• Operational Enhancements: There is a clarion call for stricter operational policies mandating encryption of RRC and NAS messages. Operators must consider integrating integrity and ciphering by default to prevent recurring vulnerabilities inheritable from pre-5G networks.
• Standardization Rigor: The 3GPP should evaluate and possibly revise current standards to mandate these enhancements, ensuring that all entities fully adhere to the protocols, thus mitigating the outlined novel vulnerabilities.
• Open Source Utility: The OAI compliance with 3GPP standards in privacy features, barring the GUTI update mechanism, attests to its viability as a research and development tool for privacy and security evaluations, furthering academic and industrial applications.

Conclusion

Demystifying Privacy in 5G Stand Alone Networks delivers a meticulous comparative framework for analyzing 5G SA versus NSA privacy features. It stresses the importance of adhering to 5G-specific privacy enhancements while identifying and confronting new vulnerabilities. By ensuring rigorous compliance and operational modifications, the evolving landscape of 5G networks can achieve robust user privacy and security, crucial for the wide-scale deployment of future network technologies.