# Study Note 2 : 5G Security

###### tags: `Wireless Communications`

![](https://i.imgur.com/EY6jjvs.png)

## :notebook_with_decorative_cover: Studying Plan

- [x] [Security Considerations of Open RAN (23/03)](https://www.ericsson.com/4a4b77/assets/local/security/security-considerations-open-ran.pdf)
- [x] [O-RAN Security Task Group (23/03)](https://www.o-ran.org/blog/2020/10/24/the-o-ran-alliance-security-task-group-tackles-security-challenges-on-all-o-ran-interfaces-and-components)
- [x] [A guide to 5G network security (23/03)](https://www.ericsson.com/48fcab/assets/local/news/2018/10201291-04_gir_report_broschure_dec2018_webb_181212.pdf?_ga=2.63593709.33572225.1614428136-783979408.1614428136)
- [x] [5G Security: Forward Thinking (24/03)](https://www.huawei.com/minisite/5g/img/5G_Security_Whitepaper_en.pdf)
- [x] [Securing the 5G Era (24/03)](https://www.gsma.com/security/securing-the-5g-era/)
- [x] [Security Considerations for the 5G Era (24/03)](https://www.5gamericas.org/wp-content/uploads/2020/07/Security-Considerations-for-the-5G-Era-2020-WP-Lossless.pdf)

<br>

## :notebook_with_decorative_cover: Introduction

:::info
5G is one of the latest generations of mobile network technology and enables a newer, faster, and more reliable telecommunication system. There are 3 main use cases that 5G aims to deliver:
- Enhanced Mobile Broadband (eMBB)
- Ultra-Reliable Low Latency Communication (URLLC)
- Massive Machine Type Communication (mMTC)

In addition, another technology currently in progress, called Open RAN or O-RAN, will help virtualize the radio access network. With these two big developments, a lot of data will be sent and received. **It is important that a risk-based approach is taken**, so this note covers the security risks in 5G and O-RAN.
:::

<br>

## :notebook_with_decorative_cover: Security Consideration

---

### <center> **Security Consideration of Open RAN**</center>

---

![](https://i.imgur.com/Lu0k4hE.png)

:::info
The O-RAN architecture introduces new functions, interfaces and nodes. These, together with the decoupling of hardware and software, expand the threat and attack surface of the network. **Increasing the number of interfaces increases the threat surface [1,2]**.

According to Ericsson and the O-RAN Alliance Security Group, there are 4 main components that could be a major security risk [1,2]:
- Lower Layer Split (LLS) 7-2x.
- Near-RT RIC including xApps.
- Disaggregation of software and hardware using cloud.
- Additional interfaces (O1, O2, and Open Fronthaul M-Plane).

There are also areas of concern that are not exclusive to open networks [1,2]:
- Increased exposure to public exploits due to use of Open Source code.
- Lack of defense from physical attacks.
- The use of AI in the RAN may lead to unanticipated consequences.
- Dramatic growth in the number of IoT devices.

The following sections go through the security concerns of each component one by one.
:::

<br>

<i class="fa fa-book fa-fw"></i> **Lower Layer Split (LLS) 7-2x**

![](https://i.imgur.com/XMifbV2.png)

:::info
The idea of LLS is to increase flexibility and competition in the telecom market by **splitting the Radio Unit (RU) and Distributed Unit (DU)**. **The threat becomes visible when there are two different vendors**: the O-RU and O-DU need to be managed as different entities but cannot fully control each other [1,2]. Instead, the O-DU has to bridge the management traffic between the management system and the O-RU. **The possibility of reaching the northbound system beyond the O-DU, together with an unprotected Open Fronthaul, opens the risk of Man-In-The-Middle (MITM) attacks over this interface [1]**.
:::

<br>

<i class="fa fa-book fa-fw"></i> **Near-RT RIC**

![](https://i.imgur.com/YjMmhZ6.png)

:::info
Near-RT RIC has potential security vulnerabilities, such as [1,2]:
- Near-RT RIC signalling conflicts with gNodeB.
- Near-RT RIC xApps signalling can conflict.
- xApp Root of Trust.
- UE identification in the RIC.
:::

<br>

<i class="fa fa-book fa-fw"></i> **Disaggregation Using Cloud**

![](https://i.imgur.com/pDYTb4r.png)

:::info
Virtualization and the use of a cloud platform make it possible to share hardware resources better between different applications, **but they also introduce security risk, as isolation between applications is only "logical" in software**, without physical isolation across hardware resources [1]. Decoupling increases the threat to the trust chain.
:::

<br>

<i class="fa fa-book fa-fw"></i> **O1, O2, A1, and E2 Interfaces**

![](https://i.imgur.com/8PdiT12.png)

:::info
O1, O2, A1 and E2 are the new open interfaces that allow software programmability of the RAN. However, the way these interfaces are accessed does not follow the best security practice [1,2].
**For example, O1 does not meet industry best practice, since it can be accessed via SSH [1]**
:::

<br>

---

### <center> **Security Consideration of 5G**</center>

---

:::info
Based on several papers, the following could be security problems in 5G [3,4,5,6]:
- Crimeware (Attack Toolkits) Deployed By Internal Actors
- Eavesdropping
- Security breach from one part of the network to another
- DDoS
- Data Interception And Rerouting
- Man In The Middle Attack
- A False Base Station
- Roaming Fraud
- Microprocessor level vulnerabilities
- AI-driven attacks
- IMSI Tracking
- 2G/3G Downgrade
:::

<br>

---

### <center> **Security Consideration Conclusion**</center>

---

:::info
| First Reference | Second Reference | Third Reference | Fourth Reference | Fifth Reference | Sixth Reference |
| -------- | -------- | -------- | -------- | -------- | -------- |
| Lower Layer Split (LLS) 7-2x | Lower Layer Split (LLS) 7-2x | Crimeware (Attack Toolkits) Deployed By Internal Actors | DDoS | Man In The Middle Attack | IMSI Tracking |
| Near-RT RIC including xApps. | Near-RT RIC including xApps. | Eavesdropping | Data Interception and Data Re-routing | A False Base Station | 2G/3G Downgrade Attack |
| Disaggregation of software and hardware using cloud. | Disaggregation of software and hardware using cloud. | Security breach from one part of the network to another | | Roaming Fraud | Man In The Middle |
| Additional interfaces (O1, O2, and Open Fronthaul M-Plane). | Additional interfaces (O1, O2, and Open Fronthaul M-Plane). | A False Base Station | | Eavesdropping and replay attacks | Expanded Threat Surface (O-RAN) |
| Increased exposure to public exploits due to use of Open Source code. | The use of AI in the RAN may lead to unanticipated consequences. | | | Microprocessor level vulnerabilities | Management interfaces that may not be secured (ORAN) |
| Lack of defense from physical attacks. | Dramatic growth in the number of IoT devices. | | | AI-driven attacks | Increased exposure to public exploits due to use of open-source code (ORAN) |

Note :
- 1st-2nd Reference Related To O-RAN
- 3rd-6th Reference Related To 5G
:::

<br>

## :notebook_with_decorative_cover: Possible Solution

---

### <center> **Possible Solution for Open RAN**</center>

---

:::info
According to Ericsson and the O-RAN Alliance Security Group, there are several possible solutions that could help solve the O-RAN security problems [1,2]:
- Protect expanded threat surface due to more interfaces and functions.
- Close security vulnerabilities with Near-RT RIC.
- Address threat to trust chain introduced by decoupling of functions.
- Ensure management interfaces are secured according to industry best practices using TLS and digital signing.
- Practice a higher level of due diligence for exposure to public exploits from the use of Open Source code.
- Implement defenses from physical attacks.
- Applying authentication, integrity, and confidentiality to O1, A1 and Open Fronthaul M-Plane interfaces.
- Applying 3GPP requirements to related 3GPP interfaces.
- Applying PDCP for Open Fronthaul U-Plane.
- Applying isolation for x/rApps.
:::

<br>

---

### <center> **Possible Solution for 5G**</center>

---

:::info
There are several possible solutions that could help solve the 5G security problems [3,4,5,6]:
- Mutual authentication
- Confidentiality of user plane data
- Privacy
- Encryption and integrity protection
- Identifying a false base station
- Compartmentalization
- Hybrid Authentication Management
- Diversified Identity Management
- Build E2E Security
- Open Up Security Capabilities, And Provide Security as a Service
- Isolate Virtual network Slices
- Security Assessment
- Low-Delay Mobility Security
- User Privacy Protection
- Removing any assumption of safety from overlaid products
- Home Protocol
- Security Edge Protection Proxy (SEPP)
- New IT Protocol Stack
- Software for Open-Source in 5G
- Zero-Trust Security
- Cyber Threat Intelligence for 5G
- Enhancing Confidentiality, Integrity, Authentication, and Privacy
- Anti-Bidding-down Between Architectures
- Slicing
- Edge-Data Security

The next part covers some of these solutions in more detail.
:::

<br>

<i class="fa fa-book fa-fw"></i> **Mutual Authentication**

![](https://i.imgur.com/Vrnj6Dg.png)

:::info
**Every end user who wants to access 5G has to be authenticated** to support charging for network access, accountability, and lawful intercept [3].
:::

<br>

<i class="fa fa-book fa-fw"></i> **Confidentiality Of User Plane Data**

![](https://i.imgur.com/0aCeB9W.png)

:::info
**End-user data is encrypted as it passes through the mobile network** to prevent eavesdropping over the air [3].
:::

<br>

<i class="fa fa-book fa-fw"></i> **Privacy**

![](https://i.imgur.com/wuHCGD0.jpg)

:::info
Threats to end users are mitigated by mechanisms that protect user identifiers.
**Even though 5G protects the privacy of the end user (protecting messages sent by a social media user while they traverse the 5G system), the social media service must itself ensure that the message is protected [3]**.
:::

<br>

<i class="fa fa-book fa-fw"></i> **Identifying A False Base Station**

![](https://i.imgur.com/ZS5ij5j.png)

:::info
Later generation mobile networks, starting with 3G, prevent the eavesdropping attacks because the network is authenticated to the user. However, IMSI catching attacks are still possible in 3G and 4G. **In 5G this is prevented by using a technique where the user's long-term identifier is never transmitted over the radio interface in clear text [3].**
:::

<br>

<i class="fa fa-book fa-fw"></i> **Compartmentalization**

![](https://i.imgur.com/OFQy5J6.png)

:::info
**Compartmentalization means that there are functions that aim to isolate possible security breaches and keep them from escalating from one part of the network to another [3]**. For example, there is a clear split between the Radio Access Network and the core network functions.
:::

<br>

<i class="fa fa-book fa-fw"></i> **Hybrid Authentication Management**

![](https://i.imgur.com/oOeuBlG.png)

:::info
5G networks and service providers face challenges in making access and service authentication simpler and less costly. Three authentication models could possibly co-exist in 5G [4]:
- Authentication by networks only
- Authentication by service providers only
- Authentication by both networks and service providers
:::

<br>

<i class="fa fa-book fa-fw"></i> **Diversified Identity Management**

![](https://i.imgur.com/F5nsEFh.png)

:::info
In 5G, equipment such as sensors, wearable devices, and smart home devices is possibly either too small or too cheap to accommodate a (U)SIM [4].
The proposed way to manage those devices is by using:
- Combination of device identity and service identity
- From device-based management to user-based management
:::

<br>

<i class="fa fa-book fa-fw"></i> **Build E2E Security**

![](https://i.imgur.com/anlS3tE.png)

:::info
In end-to-end security there are 3 points that could be possible solutions [4]:
- Differentiated security for different services.
- Flexible security architecture to support security attributes for different network slices.
- A uniform security management framework for multi-vendor environments.
:::

<br>

<i class="fa fa-book fa-fw"></i> **Open Up Security Capabilities, and Provide Security As A Service**

![](https://i.imgur.com/Su9TkCG.png)

:::info
Security management, for instance managing identities, performing authentication, defending against denial of service (DoS) attacks, and protecting the confidentiality and integrity of service traffic, is commonly requested by vertical industries. **However, not all industry players have the capabilities to build security management on their own due to several challenges [4]**. With this approach, security capabilities can be seamlessly built into the business flows of vertical industries.
:::

<br>

<i class="fa fa-book fa-fw"></i> **Isolate Virtual Network Slices**

![](https://i.imgur.com/nI6jHl1.png)

:::info
For virtual network slices, every slice handles a different type of application service. **There is a need to isolate slices from each other to prevent their resources from being accessed by network nodes in other slices [4].**
:::

<br>

<i class="fa fa-book fa-fw"></i> **Security Assessment**

![](https://i.imgur.com/R1LvbHQ.png)

:::info
Security assessment is feasible only if specific and measurable security metrics are worked out for each network function unit. For instance, the metrics could be the password length and its complexity. **An important point to note is the way these security metrics are defined and measured [4]**.
:::

<br>

<i class="fa fa-book fa-fw"></i> **Low-Delay Mobility Security**

![](https://i.imgur.com/RIOMmo4.png)

:::info
In these scenarios, the 5G network may need to support high reliability while providing a QoS guarantee with a delay of not more than 1 millisecond, so as to prevent accidents such as vehicle collisions and surgical operation errors. **To address these new challenges, mobility security may be redesigned and optimized for the 5G network to build an efficient, lightweight, and compatible mobility management mechanism [4]**.
:::

<br>

<i class="fa fa-book fa-fw"></i> **User Privacy Protection**

![](https://i.imgur.com/y46K9Nh.png)

:::info
User privacy information must be securely protected in the 5G network so that users and vertical industries can use the network **without worrying about information leakage [4]**.
:::

<br>

<i class="fa fa-book fa-fw"></i> **Home Protocol**

![](https://i.imgur.com/bfl1eZ0.png)

:::info
**It means the final device authentication to a visited network is completed after the home network has checked the authentication status of the device in the visited network [5]**. This enhancement will prevent various roaming fraud types.
:::

<br>

<i class="fa fa-book fa-fw"></i> **Security Edge Protection Proxy (SEPP)**

![](https://i.imgur.com/6svICQU.png)

:::info
SEPP protects the home network edge, acting as the security gateway on interconnections between the home network and visited network.
**It also provides application layer security, with end-to-end authentication, integrity, and confidentiality protection [5].**
:::

---

### <center> **Possible Solution Conclusion**</center>

---

:::info
| First Reference | Second Reference | Third Reference | Fourth Reference | Fifth Reference | Sixth Reference |
| -------- | -------- | -------- | -------- | -------- | -------- |
| Protect expanded threat surface due to more interfaces and functions | Applying authentication, integrity, and confidentiality to O1, A1 and Open Fronthaul M-Plane interfaces | Mutual authentication | Hybrid Authentication Management | Mutual Authentication | Software for Open-Source in 5G |
| Close security vulnerabilities with Near-RT RIC | Applying 3GPP requirements to related 3GPP interfaces | Confidentiality of user plane data | Diversified Identity Management | Removing any assumption of safety from overlaid products | Zero-Trust Security |
| Address threat to trust chain introduced by decoupling of functions | Applying PDCP for Open Fronthaul U-Plane | Privacy | Build E2E Security | Encryption and integrity protection | Cyber Threat Intelligence for 5G |
| Ensure management interfaces are secured according to industry best practices using TLS and digital signing | Applying isolation for x/rApps | Encryption and integrity protection | Open Up Security Capabilities, And Provide Security as a Service | Home Protocol | Enhancing Confidentiality, Integrity, Authentication, and Privacy |
| Practice a higher level of due diligence for exposure to public exploits from the use of Open Source code | | Identifying a false base station | Isolate Virtual network Slices | Confidentiality Of User Plane Data | Anti-Bidding-down Between Architectures |
| Implement defenses from physical attacks | | Compartmentalization | Security Assessment | Security Edge Protection Proxy (SEPP) | Slicing |
| | | | Low-Delay Mobility Security | | Edge-Data Security |
| | | | User Privacy Protection | | |

Note :
- 1st-2nd Reference Related To O-RAN
- 3rd-6th Reference Related To 5G
:::

Reference

:::info
1. [Security Considerations of Open RAN](https://www.ericsson.com/4a4b77/assets/local/security/security-considerations-open-ran.pdf)
2. [O-RAN Security Task Group](https://www.o-ran.org/blog/2020/10/24/the-o-ran-alliance-security-task-group-tackles-security-challenges-on-all-o-ran-interfaces-and-components)
3. [A guide to 5G network](https://www.ericsson.com/48fcab/assets/local/news/2018/10201291-04_gir_report_broschure_dec2018_webb_181212.pdf?_ga=2.63593709.33572225.1614428136-783979408.1614428136)
4. [5G Security: Forward](https://www.huawei.com/minisite/5g/img/5G_Security_Whitepaper_en.pdf)
5. [Securing the 5G Era](https://www.gsma.com/security/securing-the-5g-era/)
6. [Security Considerations](https://www.5gamericas.org/wp-content/uploads/2020/07/Security-Considerations-for-the-5G-Era-2020-WP-Lossless.pdf)
:::
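
The home-network check described under **Home Protocol** above, sketched as an added example (not from the original note or the cited papers): the visited network can only pre-check a hash of the device's response, and the home network makes the final decision. The key `K`, the class and function names, and the HMAC-based response derivation are assumptions that stand in for the real 3GPP AKA functions; the hashed response is modelled as a truncated SHA-256 over the challenge and the response.

```python
import hashlib
import hmac
import os

# Constructed value: K stands in for the long-term key shared by the USIM and
# the home network. The real RES* derivation is replaced by HMAC-SHA256 so the
# example needs only the standard library.
K = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_res_star(k: bytes, rand: bytes) -> bytes:
    """Stand-in for the response derivation done by the UE and the home network."""
    return hmac.new(k, b"RES*" + rand, hashlib.sha256).digest()[:16]


def hash_res(rand: bytes, res_star: bytes) -> bytes:
    """Hashed response the visited network can check without holding XRES*."""
    return hashlib.sha256(rand + res_star).digest()[-16:]


class HomeNetwork:
    def __init__(self, k: bytes):
        self._k = k
        self._pending = {}  # RAND -> XRES*, kept until the device's answer arrives

    def start_auth(self):
        """Issue a challenge; only RAND and the hashed response leave the home network."""
        rand = os.urandom(16)
        xres = derive_res_star(self._k, rand)
        self._pending[rand] = xres
        return rand, hash_res(rand, xres)

    def confirm(self, rand: bytes, res_star: bytes) -> bool:
        """Final decision: the response must match the stored XRES* (single use)."""
        xres = self._pending.pop(rand, None)
        return xres is not None and hmac.compare_digest(xres, res_star)


def visited_authenticate(home: HomeNetwork, ue_key) -> bool:
    """Visited network: local pre-check on the hash, then defer to the home network."""
    rand, hxres = home.start_auth()
    # ue_key=None models a visited network with no genuine device attached.
    res_star = os.urandom(16) if ue_key is None else derive_res_star(ue_key, rand)
    if not hmac.compare_digest(hash_res(rand, res_star), hxres):
        return False  # rejected locally; the home network never confirms
    return home.confirm(rand, res_star)
```

Because `confirm` removes the pending challenge, a response that was accepted once cannot be presented to the home network a second time.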