# 5G Security

###### tags: `Wireless Communications course`

## Note on Security Considerations of Open RAN (Radio Access Network) (Open Virtualized Radio Access Network)

Reference: https://www.ericsson.com/4a4b77/assets/local/security/security-considerations-open-ran.pdf

:::success
reference: https://ictjournal.itri.org.tw/content/Messagess/contents.aspx?&MmmID=654304432061644411&CatID=654313611231473607&MSID=1071255233364531754

## Basic knowledge

O-RAN builds on the NG-RAN architecture and further divides the 5G base station into three units:

* 1. Central Unit (CU)
    * One CU can manage several Distributed Units through several interfaces.
    * Runs RRC for the control plane and IP, SDAP and PDCP for the user plane.
* 2. Distributed Unit (DU)
    * Includes the baseband processing of RLC, MAC and High-PHY.
* 3. Radio Unit (RU)
    * Includes the processing of the RF signal and Low-PHY.
* The DU and RU transmit data via the evolved Common Public Radio Interface (eCPRI). O-RAN defines the interface between DU and RU as the open fronthaul interface, which includes four planes:
    * 1. Control Plane (C-plane), transport layer
    * 2. User Plane (U-plane), transport layer
    * 3. Synchronization Plane (S-plane)
    * 4. Management Plane (M-plane)
:::

* 5G offers the technologies eMBB (enhanced Mobile Broadband), URLLC (Ultra-Reliable Low Latency Communications) and mMTC (massive Machine Type Communications).
* Virtualization means that security needs to be handled in a new way.
* Comparison of Open RAN, vRAN and O-RAN (p.4)
    * Open RAN is the industry's generic term for an open radio access network architecture.
        * It has open interoperable interfaces, RAN virtualization, and support for big data and AI-enabled RAN.
        * Providers deploying an Open RAN can choose between a 3GPP or O-RAN architecture.
    * vRAN leverages the 5G split-RAN architecture, interfaces, and security protection mechanisms.
        * It refers to the virtualization of RAN functions, particularly the higher-layer and lower-layer functions of the baseband unit.
        * With vRAN, 5G becomes software-defined and programmable, generating additional RAN architecture flexibility, platform harmonization and operational simplification.
    * O-RAN is standardized by the O-RAN Alliance with new functions and open, interoperable interfaces.
        * The O-RAN standard has 4 main objectives: open interfaces, virtualization, intelligence, and interoperability.
* (p.5) The introduction of additional interfaces and nodes expands the threat and attack surface of the network. These new security risks are explained in the following sections:
    * O-RAN LLS (Lower Layer Split) 7-2x
        * Its goal is to increase flexibility and competition in the telecom market.
        * LLS refers to the split between the Radio Unit (RU) and the Distributed Unit (DU).
        * Compared with CPRI, the eCPRI interface makes more efficient use of packet-based transport technology and allows the RAN payload to be carried over Ethernet.
        * Reaching northbound systems beyond the O-DU through the open fronthaul interface becomes a possible attack.
        * It opens the door to MITM (Man-in-the-Middle) attacks.
    * Near-RT RIC
    * Disaggregation of software and hardware using cloud
    * Additional interfaces (O1, O2, and Open Fronthaul M-Plane)

--------------------------------------------------------

reference: https://www.ericsson.com/48fcab/assets/local/news/2018/10201291-04_gir_report_broschure_dec2018_webb_181212.pdf?_ga=2.63593709.33572225.1614428136-783979408.1614428136

:::success
# Basic knowledge

##### Telecommunication networks are mainly divided into 4 logical parts:
* radio access network
* core network
* transport network
* interconnect network
    * connects different core networks with each other.

###### Each network part comprises three so-called planes. All three planes can face unique network threats.
* Control plane carries the signaling traffic.
    * Messages that are used to control user sessions are transported by the signaling plane.
    * The purpose of attacking this signaling traffic is to obtain information such as the geographical position of a subscriber.
    * So modification of it may be attempted to re-route calls or intercept SMS messages of a target for eavesdropping purposes or for denying service.
    * Telecom signaling is regularly attacked.
* User plane carries the payload traffic.
    * The contents of a call or web page are transported by the user plane.
    * Payload traffic contains the actual data.
    * Without security, user privacy will be at risk.
    * A hacker can manipulate and disturb network traffic and data by attacking this plane.
* Management plane carries administrative traffic.
    * Monitoring, troubleshooting, configuration and optimization of networks are handled in the management plane.

#### Types of access networks
* 3GPP access networks:
    * GSM/GPRS
    * UMTS
    * EUTRAN
    * NG-RAN (5G)
    * satellite
* non-3GPP access networks:
    * WiFi
    * fixed (wired) access network
:::

## What kind of threats do telecom networks meet?
* Trivial malware
    * Telecom networks can be attacked by trivial malware.
* Crime-ware

## Security considerations of deployment scenarios of 5G System
* System-wide security (horizontal security)
    - Network level
    - Slicing
    - Application level security
    - Confidentiality and integrity protection
    - Interconnect (SBA)
    * Achieved by combining and coordinating a multitude of security controls across different domains in the telecommunication network.
* 5G function element deployments (vertical security)
    - NFV
    - Distributed clouds
    * Concerns embedded systems or virtual environments.

------------------------------------------------

reference: https://www.o-ran.org/blog/the-o-ran-alliance-security-task-group-tackles-security-challenges-on-all-o-ran-interfaces-and-components

* Open RAN disaggregates the traditional RAN (radio access network) to leverage SDN (software-defined networking) and NFV (network function virtualization), deploying them on independent cloud infrastructure and connecting them with standardized interfaces.
* The openness of O-RAN has many positive effects on security: network functions such as the RIC, O-CU-CP, O-CU-UP and O-DU can take advantage of cloud-native security advances, e.g. hardware resource isolation, automatic reconfiguration and automated security testing.
* The rapid growth in the number of IoT devices requires all RAN deployments to protect themselves against the possibility of attacks from a growing number of compromised devices.
* The STG recognizes that unprotected management interfaces provide easily exploited vulnerabilities in the RAN. Therefore, the O-RAN management interfaces, the O1 interface and the Open Fronthaul M-Plane must be protected using industry security best practices.
* The separation of the O-DU and O-RU introduces a potential new attack surface in the RAN: the Open Fronthaul interface that runs the Lower Layer Split (LLS) interface.
* ![](https://i.imgur.com/ki9I32A.png)

:::success
## Basic knowledge I did not understand (this figure has no direction):
* The O-RAN Alliance came about because operators did not want the original equipment vendors to hold the operating rights to the whole machine, so the machine was turned into open interfaces. This lets new small companies handle some components of the whole architecture, although the performance will not be better than that of the original equipment vendors.
* CU, DU, RU
    * RU: turns data into radio
    * DU: processing of data from the user equipment
    * CU: processing of non-data from the user equipment
* internet - core network - base station - UE
    * fronthaul: from the base station outwards (base station -> UE)
    * backhaul: from the base station to the internet
* Non-Real Time RIC and Near-Real Time RAN Intelligent Controller (RIC)
    * manage CU, DU and RU
    * depends on which data needs to be sent out in time
* 5G base station: gNB
* 4G base station: eNB
* O1 (similar to an API): name of an interface
:::

* ![](https://i.imgur.com/qWgJ7lr.png)

-------------------------------------------------------------

reference: https://www.gsma.com/security/securing-the-5g-era/

* The GSM Association (Groupe Speciale Mobile Association, GSMA) is an industry organization founded in 1995 to promote common standards and deployment of the GSM mobile phone system, sponsored by mobile operators and related companies (reference: https://zh.m.wikipedia.org/zh-tw/GSM%E5%8D%94%E6%9C%83).
* 5G provides preventive measures to limit the impact of known threats, but the new network technology brings potential new threats to the industry.

### Secure by Design
* <font color="#f00">Use of mutual authentication</font> because 5G development has adopted 'Secure by Design' principles
* <font color="#f00">A presumed "open" network</font> because trust is established by the sender and receiver and the relationship is secured end-to-end.
* <font color="#f00">An acknowledgment that all links could be tapped</font>, removing any assumption of safety from overlaid product(s) or process(es)

### 5G Development Models
* NSA (non-standalone mode), more precisely referred to as EN-DC, is the only option currently being deployed.
* The next phase of 5G deployment will likely be Stand Alone (SA) mode, more precisely SA-NR, consisting of a 5G new radio network (NR) connected to a 5G core network (5GC).

![](https://i.imgur.com/T8FORCX.png)
![](https://i.imgur.com/PEZC15F.png)

### Network Protection
* 5G introduces a new network architecture element: the SEPP (Security Edge Protection Proxy). This protects the home network edge, acting as the security gateway on interconnections between the home network and visited networks.

![](https://i.imgur.com/qVS6fTx.png)

* The SEPP is designed to:
    * <font color="#f00">Provide application layer security and protect against eavesdropping and replay attacks.</font>
    * <font color="#f00">Provide end-to-end authentication, integrity and confidentiality protection via signatures and encryption of all HTTP/2 roaming messages.</font>
    * <font color="#f00">Offer key management mechanisms for setting the required cryptographic keys and performing the security capability negotiation procedures.</font>
* New IT Protocol Stack
    * 5GC moves to an IP-based protocol stack, allowing interoperability with a wider number of services and technologies in the future.

![](https://i.imgur.com/5B8MKBt.png)

    * These protocols are used in the wider IT industry, leading to a higher impact of vulnerabilities located within these protocols.
    * These changes (4G -> 5G protocols) may expand the potential pool of attackers.
    * Once a vulnerability is located, vulnerability reporting schemes such as the GSMA CVD (Coordinated Vulnerability Disclosure) programme mean that less time is needed to patch the relevant vulnerabilities.

### 5G technologies
#### Virtualisation
* With this opportunity come new threat vectors to contend with.
* Suitable isolation controls reduce the risk of data leakage and the impact of virtualisation-aware malware outbreaks.
    * Do not house lower-level security tenants with high-level security tenants.
* Reducing the impact of availability attacks against the platform: <font color="#f00">the host OS constrains the container's access to physical resources, such as CPU, storage and memory, so a single container cannot consume all of a host's physical resources.</font>
* Mobile IoT
    * Most IoT services share a common architecture and as such the attacks each service will be subjected to are likely to fit within three common attack scenarios:
        * Attacks on service platforms
        * Attacks on the devices (endpoints) via the applications running on the device, remote attacks from the internet and via physical attack.
        * Attacks on the communications links
* eSIM
    * An eSIM eliminates the need for a removable SIM card on the mobile device, with the data on that card instead being prepared on a remote SIM provisioning platform (SM-DP+) then downloaded in the form of an eSIM Profile via HTTPS into a secure element (eUICC) permanently embedded into the mobile device.
    * The system uses Public Key Infrastructure (PKI) certificates allowing the SM-DP+ and eUICC to mutually authenticate each other.

### GSMA 5G Security support
* The following programmes and services are supported by GSMA:
    * 1. The Fraud and Security Group (FASG), which acts as the GSMA home of 5G Security, building and sharing industry best practice on 5G fraud risks and security controls.
    * 2. The Future Network Programme, which supports the industry with 5G implementation guidance.
    * 3. The GSMA CVD programme, which successfully manages disclosures into the 5G standards; cooperating with 3GPP, this research has been used to create more secure 5G standards prior to deployment.
    * 4. The GSMA IoT Security Project, which develops resources specifically targeted at addressing IoT security risks.
    * 5. The Networks Group (NG), which defines network architecture guidance and functionality, including SEPP configuration and network slicing templates, for 5G.
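As an added illustration of the SEPP design goals listed above (integrity protection and replay detection for roaming messages between a visited and a home network), not code from the GSMA document or the 3GPP N32 specification: a simplified Python model in which the sending SEPP authenticates each JSON message with an HMAC over a canonical encoding plus a sequence number, and the receiving SEPP rejects tampered or replayed copies. The `Sepp` class, the pre-shared key and the sample messages are constructed assumptions; real SEPPs negotiate keys and add signatures and encryption as the text describes.

```python
# Simplified model of SEPP-style protection for roaming messages (constructed,
# not the 3GPP N32 protocol): a pre-shared key stands in for negotiated keys,
# HMAC-SHA256 for signatures, and a (sender, seq) cache for anti-replay state.
# Encryption (confidentiality) is left out to keep the model small.
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class Sepp:
    name: str
    key: bytes                      # constructed pre-shared key
    seen: set = field(default_factory=set)

    def protect(self, body: dict, seq: int) -> dict:
        # Canonical JSON so sender and receiver MAC exactly the same bytes.
        payload = json.dumps({"seq": seq, "src": self.name, "body": body},
                             sort_keys=True, separators=(",", ":"))
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "mac": mac}

    def verify(self, msg: dict) -> tuple:
        # Integrity first: a modified payload never reaches the replay cache.
        expected = hmac.new(self.key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "integrity check failed"
        env = json.loads(msg["payload"])
        tag = (env["src"], env["seq"])
        if tag in self.seen:
            return False, "replay detected"
        self.seen.add(tag)
        return True, "accepted"


def run_demo() -> list:
    """Constructed exchange: one genuine message, one replay, one tampered copy."""
    key = b"constructed-shared-key"
    visited, home = Sepp("visited-sepp", key), Sepp("home-sepp", key)
    msg = visited.protect({"subscriber": "imsi-EXAMPLE", "request": "auth"}, seq=1)
    verdicts = [home.verify(msg)[1]]            # genuine -> accepted
    verdicts.append(home.verify(msg)[1])        # same message again -> replay detected
    tampered = dict(msg)
    tampered["payload"] = msg["payload"].replace("imsi-EXAMPLE", "imsi-OTHER")
    verdicts.append(home.verify(tampered)[1])   # modified in transit -> integrity failure
    return verdicts
```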
---------------------------------------------------

reference: https://dl.icdst.org/pdfs/files3/3cf6a75bd60cb3f6bbaf1259c6048034.pdf

* Traditional security architectures focus on protection of voice and data and have the following security features in common:
    * User identity management based on (U)SIM
    * Mutual authentication between networks and users
    * Securing the path between communicating parties hop-by-hop
* Based on network virtualization technology, a network could build different virtual network slices. Each virtual network slice could accommodate a particular service requirement and thereby may require differentiated security capabilities. 5G security design may need to consider how to isolate, deploy, and manage virtual network slices securely.

#### Heterogeneous Access
* The heterogeneous nature comes from the use of different access technologies and a multi-network environment (different networks have different access network architectures, and therefore different security architectures).
* IoT devices have different ways of accessing the network:
    * directly connect to networks
    * via a gateway
    * D2D or relay fashion

#### Privacy Protection
* To provide differentiated QoS, networks may need to sense what kind of service a user is using, but such service sensing involves user privacy.

#### E2E Security for Vertical Industries
* Differentiated security protection
    * The design of security protection needs to consider how to satisfy different security requirements.
* Flexibility
    * Requires flexible and highly efficient E2E security deployment and adaptation.
* Privacy protection
* Security as a service
    * 5G can offer security capabilities as a service to further extend user trust.

#### Secure Infrastructure
* Diversified system-level protection of IT-aware infrastructure
    * IT (NFV or SDN) is used to protect against DDoS or active attacks, which may increase.
* Identity management
    * In order to mitigate unauthorized access to network resources
* Data protection
    * Provide integrity and confidentiality protection to prevent data from being intercepted or re-routed to unauthorized destinations.

#### Hybrid Authentication Management
* Three authentication models would possibly co-exist in 5G to address the needs of different businesses.
    * Authentication by networks only
    * Authentication by service providers only
    * Authentication by both networks and service providers

#### Diversified Identity Management
* Traditional cellular networks rely on the (U)SIM card to manage user identities and keys.
* Combination of device identity and service identity
    * Each device identity is globally unique and is assigned to a device at the manufacturing stage.
    * Service identities are assigned by service providers or networks.
    * A device identity may correspond to one or more service identities.
* From device-based management to user-based management
    * Users decide which of their devices are allowed to access the network and which services they are allowed to use.
    * E.g. the devices of the same user can share a bandwidth quota whether online or offline.

#### Service-oriented Security
* Build E2E Security
* Differentiated security for different services
    * 5G systems are going to be service-oriented.
    * Offer differentiated security to different services.
* Flexible security architecture to support security attributes for different network slices
    * If differentiated security is offered, then a flexible security architecture is needed to support E2E protection for different services, based on the network slicing architecture.
* A unified security management framework for multi-vendor environments
    * For the services and users, building an E2E data security chain could be a way to reduce the reliance on individual link security and simplify security management.

#### Open Up Security Capabilities, and Provide Security as a Service
* Not all industry participants are able to build security management themselves.

-----------------------------------------------------------------------------

reference: https://www.5gamericas.org/wp-content/uploads/2020/07/Security-Considerations-for-the-5G-Era-2020-WP-Lossless.pdf

## 5G NSA p.10
* For initial eMBB service, any LTE threats and vulnerabilities will also exist in the 5G NSA network.
    * These early 5G NSA networks are required to use the LTE control plane protocols and the LTE Evolved Packet Core (EPC) network.

![](https://i.imgur.com/ceZGqNc.png)

* A 5G SA network will leverage neither the same LTE control plane protocols nor the LTE EPC network.

![](https://i.imgur.com/qDv8Sxf.png)

#### Due to the design of 3GPP specifications for LTE and 5G NSA, these networks are vulnerable to the attacks described in the following:
* 2G/3G Downgrade Attack
    * Downgrade attacks allow adversaries to force an LTE-connected UE to 2G or 3G, which has significantly fewer security controls.
    * Ultimately, adversaries could perform man-in-the-middle (MiTM) active attacks and/or passive (e.g. eavesdropping) attacks to collect sensitive information.
* IMSI Tracking (Privacy)
    * The IMSI (International Mobile Subscriber Identity) is a unique number that can be captured in the clear over-the-air.
    * These same low-cost SDRs would more likely be used by an adversary to track and exploit higher-value targets for various reasons.
* Man-in-the-Middle Attacks
    * This potentially translates to a scenario where a customer's message and/or communication flow could be intercepted in the middle between the UE and the server.
    * If the customer's communication is protected by end-to-end security encryption protocols (e.g. SSL, TLS, IPSec, VPN, etc.), then this attack is impossible.
* LTE Roaming
    * LTE roaming is heavily dependent upon the SS7 and Diameter protocols.
    * As a transition from SS7, many operators have deployed voice over LTE (VoLTE), which uses Session Initiation Protocol / Real-time Transport Protocol (SIP-RTP) instead of SS7.
    * Diameter is still used in LTE for authentication, authorization and Policy Charging and Control (PCC) functions.
    * Some LTE roaming mobile network operators and mobile virtual network operators do not support VoLTE, so even if an operator has deployed VoLTE and its customer roams into an MNO/MVNO network that does not support VoLTE, the home network must use SS7 for voice services for that roaming customer.

## 5G SA
* 5G SA networks, along with the implementation of 3GPP Release 16 specifications, will allow for the commercialization of the Massive Machine-Type Communications (mMTC) and Ultra-Reliable Low Latency Communications (URLLC) use cases.
* 5G hopes to use the concepts of SDN and NFV, and both come with unique threats and vulnerabilities.
    * SDN
    * NFV