Cellular networks use UDP tunnels known as GTP-U (GPRS Tunneling Protocol – Userplane) to carry user data from base stations to the packet core. Tunneling provides support for core cellular features, such as session handovers while on the move. However, by their very nature, tunnels allow remote attackers to encapsulate attack packets and deliver them to private addresses through the internet. According to 3GPP standards, the Signaling plane in CT networks must have authentication, but the Data plane is exempt. Vendors may not implement cross-checks between the Control-Plane and Data-Plane either.
This research explores the consequences of the lack of cross-checks and demonstrates how a remote attacker can establish a two-way connection with devices in private subnets. These attacks were verified on commercial packet cores.
Navigating Cyber Risks in Private 5G Networks: Unveiling Vulnerabilities and Strengthening Security Measures
Organizations are increasingly exploring private 5G networks to facilitate digital transformation, given their advantages of low latency, high bandwidth, and capacity, making them ideal for applications like smart cities, college campuses, and smart factories. However, despite their nominal security benefits, private 5G networks can introduce new cyber risks that operators might not be familiar with.
Our latest research uncovered a vulnerability that could potentially allow attackers to breach a private network and exploit weaknesses in connected devices and the 5G core. This discovery sheds light on the cybersecurity risks posed by imperfect 5G core network infrastructure platforms, posing a challenge for enterprises. It emphasizes the importance of thoroughly assessing risks associated with private 5G networks and collaborating with third-party experts to identify and proactively mitigate previously unknown threats.
ZDI-CAN-18522 Vulnerability
This study uncovered the ZDI-CAN-18522 vulnerability, a packet-reflection issue. The vulnerability could potentially allow hackers to exploit the exposed 5G core network interface, using internal terminal devices or external network resources as springboards to launch attacks on 5G enterprise private networks, putting business operations at risk.
The research has discovered a vulnerability in the User Plane Function (UPF), a key component of the 5G core network. In situations where two-way authentication is not implemented, hackers can exploit this vulnerability by using a forged Tunnel Endpoint Identifier (TEID) to send malicious GTP-U traffic to the UPF. The UPF, in turn, accepts the forged TEID and forwards the traffic, enabling attacks on internal terminal devices within the private network. Additionally, hackers can redirect traffic through the UPF to the Internet, establishing two-way connections with internal terminal devices and allowing for more sophisticated attacks.
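The root cause described in the opening paragraph and above is a data plane that trusts whatever TEID arrives, with no cross-check against the sessions the control plane actually set up. The Python below is an added illustration, not code from the CTOne research or from any vendor's UPF: it parses a GTP-U G-PDU (3GPP TS 29.281 header layout, including the optional sequence/N-PDU/extension-header fields) and then applies the three cross-checks a UPF can make before forwarding uplink traffic: the outer sender must be a known N3 peer, the TEID must have been allocated by the control plane (SMF via PFCP), and the inner source address must be the UE bound to that TEID. The session table, peer list, addresses and packets are all constructed for the example.

```python
"""Added example (not from the CTOne/Trend Micro research): a minimal GTP-U
parser and the uplink admission checks a UPF can tie to control-plane state.
All sessions, peer addresses and packets below are constructed."""
import ipaddress
import struct
from dataclasses import dataclass

MSG_G_PDU = 0xFF  # G-PDU message type: carries an encapsulated user IP packet


class GtpuError(ValueError):
    pass


@dataclass
class GtpuPdu:
    teid: int
    msg_type: int
    inner: bytes  # the encapsulated user-plane packet (T-PDU)


@dataclass(frozen=True)
class Session:
    """Uplink binding the control plane (SMF via PFCP) installed in the UPF."""
    ul_teid: int
    ue_ip: ipaddress.IPv4Address
    gnb_ip: ipaddress.IPv4Address  # N3 peer the session was established with


def parse_gtpu(data: bytes) -> GtpuPdu:
    """Parse a GTPv1-U header and return TEID, message type and inner T-PDU."""
    if len(data) < 8:
        raise GtpuError("short header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1 or not flags & 0x10:  # version 1, PT=1 (GTP, not GTP')
        raise GtpuError("not GTPv1-U")
    if length != len(data) - 8:  # length covers everything after the 8-byte header
        raise GtpuError("length mismatch")
    off = 8
    if flags & 0x07:  # any of E, S, PN set: seq(2) + N-PDU(1) + next ext type(1) present
        if len(data) < 12:
            raise GtpuError("short optional fields")
        next_ext = data[11] if flags & 0x04 else 0  # next ext type only valid when E=1
        off = 12
        while next_ext != 0:  # walk the extension header chain (len byte in 4-octet units)
            ext_len = data[off] * 4
            if ext_len == 0 or off + ext_len > len(data):
                raise GtpuError("bad extension header")
            next_ext = data[off + ext_len - 1]
            off += ext_len
    return GtpuPdu(teid=teid, msg_type=msg_type, inner=data[off:])


def inner_src_ip(pkt: bytes) -> ipaddress.IPv4Address:
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise GtpuError("inner packet is not IPv4")
    return ipaddress.IPv4Address(pkt[12:16])


def upf_admit_uplink(outer_src: str, data: bytes, sessions: dict, n3_peers: set) -> str:
    """Return 'forward' or a drop reason. A UPF that only checks GTP-U syntax
    would forward anything that parses; these checks bind the data plane to
    the sessions the control plane actually created."""
    src = ipaddress.IPv4Address(outer_src)
    if src not in n3_peers:
        return "drop: GTP-U from non-N3 peer"
    try:
        pdu = parse_gtpu(data)
        if pdu.msg_type != MSG_G_PDU:
            return "drop: not a G-PDU"
        ue_src = inner_src_ip(pdu.inner)
    except GtpuError as e:
        return f"drop: {e}"
    sess = sessions.get(pdu.teid)
    if sess is None:
        return "drop: TEID not allocated by control plane"
    if sess.gnb_ip != src:
        return "drop: TEID used from a different N3 peer"
    if ue_src != sess.ue_ip:
        return "drop: inner source IP does not match UE bound to TEID"
    return "forward"


# --- constructed test traffic (hypothetical addresses from documentation ranges) ---
def sample_gpdu(teid: int, inner: bytes) -> bytes:
    """Minimal G-PDU with no optional fields (flags 0x30 = v1, PT=1)."""
    return struct.pack("!BBHI", 0x30, MSG_G_PDU, len(inner), teid) + inner


def sample_ipv4(src: str, dst: str) -> bytes:
    """Bare IPv4 header (checksum zero), enough for inner_src_ip()."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


SESSIONS = {0x1000: Session(0x1000, ipaddress.IPv4Address("10.45.0.2"),
                            ipaddress.IPv4Address("192.0.2.10"))}
N3_PEERS = {ipaddress.IPv4Address("192.0.2.10")}


def demo() -> dict:
    ue_pkt = sample_ipv4("10.45.0.2", "10.45.0.7")       # genuine UE -> internal host
    spoofed = sample_ipv4("203.0.113.5", "10.45.0.7")    # inner source not the bound UE
    return {
        "legit": upf_admit_uplink("192.0.2.10", sample_gpdu(0x1000, ue_pkt), SESSIONS, N3_PEERS),
        "unknown_teid": upf_admit_uplink("192.0.2.10", sample_gpdu(0x2000, ue_pkt), SESSIONS, N3_PEERS),
        "src_mismatch": upf_admit_uplink("192.0.2.10", sample_gpdu(0x1000, spoofed), SESSIONS, N3_PEERS),
        "from_internet": upf_admit_uplink("198.51.100.9", sample_gpdu(0x1000, ue_pkt), SESSIONS, N3_PEERS),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict}")
```

The peer check is the code-level counterpart of the network isolation the research team recommends: a UPF's N3 interface should never be reachable from arbitrary Internet addresses in the first place, and the TEID and inner-source checks catch forged tunnels even from a host that does reach it.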
CVSS score of 8.3; two other open-source 5G core networks also verified as affected
The high-severity vulnerability, ZDI-CAN-18522, with a CVSS score of 8.3, could allow a threat actor from anywhere on the internet to access a private 5G network and its devices. Additionally, the CTOne research team has verified that two other open-source 5G core network architectures have vulnerabilities, highlighting the importance of prioritizing the security of the 5G private network core infrastructure.
To ensure a secure commercial 5G environment and prevent malicious activities by hackers leveraging this vulnerability, the CTOne research team recommends that enterprises actively implement appropriate network isolation measures to reduce the chances of hackers directly attacking the 5G core network configuration.
To read more about the research, please visit: A Deep Dive into the Packet Reflection Vulnerability Allowing Attackers to Plague Private 5G Networks – Security News (trendmicro.com)
As 5G technology continues to mature, its openness, agility, and the overall network’s cloudification, open-source utilization, and unprotected IoT devices will bring diverse cybersecurity threats in the enterprise 5G application environment. While the 5G private network architecture is considered the most secure wireless communication standard nowadays, it has also led to a lack of integrated cybersecurity operations and security visibility across Information Technology (IT) and Communication Technology (CT) for many enterprises. Consequently, when cybersecurity risks occur, companies may find themselves ill-prepared to respond. Therefore, it is recommended that enterprises prioritize understanding the hidden information security threats within the overall 5G private network architecture to proactively mitigate risks.
– CEO of CTOne, Jason Huang