5G networks that incorporate legacy technology could be vulnerable to compromise via a lack of mapping between transport and application layers, according to a report by AdaptiveMobile Security.
Network slicing is central to realising many of 5G’s more ambitious capabilities because it enables individual access points or base stations to subdivide networks into multiple logical sections—slices—effectively providing entirely separate networks for multiple uses.
The slices can be used for different purposes—say, mobile broadband for end-users and massive IoT connectivity—at the same time, without interfering with each other. Researchers discovered a vulnerability that, if exploited, can enable an attacker on one slice to gain access to data being exchanged on another or, in some circumstances, gain access to the 5G provider’s core network.
One simulated attack described by AdaptiveMobile as a rogue network function belonging to one slice establish a TLS connection to a provider’s network repository function (NRF), a central store of all the 5G network functions in a provider’s network.
The rogue function request access to another slice on the same network, and the NRF checks to see whether the rogue slice is allowed. Because both slices share the same network function, as far as the NRF is concerned, it’s a valid request and a token for the target slice could be generated. This could grant the malicious slice access to a great deal of information on the other slice, including personal data.
According to AdaptiveMobile, this works because the current specification for the network-slicing function doesn’t require “layer matching” between different slices on the same network. Hence, the NRF, when confronted with this malicious request, merely sees an authenticated partner asking for a valid service request, and doesn’t check to see whether the correct slice is the one making that request.
Another potential vulnerability could allow a rogue slice to perform a phantom DoS attack against another slice by manipulating HTTP-based service requests to the NRF and tricking it into thinking that the target slice is overloaded and should not be contacted.
Moreover, a further lack of identity-checking among different users and slices on the same network could allow malicious users to gain access to other data, including critical information on other customers.
The solution isn’t simple because general TLS and IP-layer firewalls don’t have the capability to differentiate which layer is talking to which, according to AdaptiveMobile. The only alternative is enforcing additional validation on communications between different layers and between layers and the NRF to ensure that these potential attacks can’t function.