How to Build a Secure 5G Network, and Protect Alice and Bob from each other

Cathal Mc Daid is the editor of the GSMA Fraud and Security Group’s (FASG’s) new FS.36 “5G Interconnect Security” reference document for GSMA members, as well as the editor of FASG’s FS.11 “SS7 Interconnect Security Monitoring and Firewall Guidelines”.

5G networks and their security are topics of huge interest at present. This is a massive difference from the launch of 3G and 4G networks in the past, where security was very much a secondary topic. For both political and economic reasons, the eyes of the world are on 5G networks: politically, because so much of each nation’s critical communication infrastructure will be carried over 5G networks, and economically, because a large percentage of a country’s wealth will be generated from these technologies and services.

To give an example of economic value generated from mobile networks, according to GSMA Intelligence it is expected that by 2024, mobile technologies and services will generate $5 trillion of added economic value (4.9% of GDP) globally – up from $4.1 trillion in 2019 – and that 5G technologies are expected to contribute $2.2 trillion to the global economy between 2024 and 2034 [1].

To support this value creation, it is estimated that the world’s mobile operators will invest around $1.1 trillion worldwide between 2020 and 2025, and that roughly 80 percent of that investment will be in 5G networks [2]. This investment will pay for the creation and global deployment of the two constituent parts of telecom networks: the radio access network (RAN) part and the core network part. Many 5G radio access networks are now being rolled out, covering limited geographies within urban areas initially, but they will expand over time. They work by connecting to the pre-existing 4G core network in order to route calls and allow data browsing. However, to get the greatest value from 5G networks, a 5G core network needs to be deployed to work with the 5G radio access network. This is the next stage of 5G rollout, and it is in this area that security is of the greatest concern, but also has the potential to be enhanced.

Inherent Trust is Flawed Trust

Previous versions of core mobile networks (e.g. 2G, 3G, 4G) suffered from a misplaced trust model, namely that only those who were entitled to access the core network were actually provided with access. As has been documented since 2014, bad actors can get access, and have misused this access to execute attacks such as location tracking, communications interception, denial of service, fraud and other malicious activity. While security solutions have been developed since then that can be added to these 2G, 3G and 4G core networks, they rely on individual operators electing to install and properly configure them, and it is always more difficult to put in security after a network is deployed than before or during deployment. It has been the objective of the industry since then that 5G should not suffer the same fate.

The 3GPP standards for 5G contain many improvements in security, most focused on the radio side, but also include recommendations on inter-operator network security and advanced home control. However, multiple security risks remain, which if not understood and dealt with can give a false sense of security. Bad actors will always seek to get access to network traffic, so the motive to target networks will remain.

To give an example, 3GPP have specified that all links between 5G core networks must be authenticated. This has led some to conclude, erroneously, that these links between mobile operators are safe and trusted, and that 5G networks are, by default, secure. However, this trust model implicitly assumes that an authenticated user is a good user, and not a malicious user; that somehow the traffic inside an encrypted tunnel is automatically safe despite the fact that the traffic itself may be rotten. This is not the case in the world today, and will not be the case for 5G networks.

Familiarity does not Ensure Security

Consider the following thought experiment. Alice and Bob are two people representing mobile operators in two different countries. They have talked for many years. However, just because Alice knows Bob, and Bob knows Alice, this does not mean that Alice will always act in Bob’s best interests or vice versa. For example, Bob may decide to track Alice’s customers’ locations out of curiosity, and Alice may decide to sell network access to Mallory, a third party who executes fraudulent attacks against Bob. The trust model here – familiarity – does not ensure security. And if you think that the likelihood of mobile operators with access to 5G networks doing something unauthorised (or even malicious) to each other is low, consider that today, all 2G, 3G and 4G signalling network attacks are injected into signalling networks from a party that is trusted to have access to these networks at some point in the world. These attacks come either from a mobile operator or mobile virtual network operator (MVNO) that is compromised or that sells access to other companies who misuse the network, or through some other way in which malicious users gain access to these networks. With even more entities gaining access to core networks in the 5G era (due to network slicing and other features), we can expect that the attackers active on 2G, 3G and 4G will seek to execute the same types of attacks over 5G.

Building Defence in Depth

In order to deal with attacks over 5G interconnect networks, we need to know what the risks are, and what should be done to mitigate them. This is the purpose of the new GSMA “5G Interconnect Security” (FS.36) document, prepared jointly by industry specialists within the GSMA’s Fraud and Security Group (FASG), and available as a valuable reference for all GSMA members.

Under development for over a year, GSMA FS.36 aims to provide an understanding of potential risks, threats and countermeasures related to 5G interconnection security to GSMA members. Essentially, the FS.36 document is the 5G equivalent of the GSMA documents already prepared on interconnect security for SS7 and Diameter, the 2G/3G and 4G signalling protocols (FS.11, FS.19). Specifically, on the interface side, it outlines recommendations on what mobile operators should do to protect themselves on inter-operator links between 5G networks. As well as this, FS.36 covers areas such as 5G core message categorisation and information element type classification, migration risks, error responses and more. This document is very much a living document – FS.36 describes attacks and countermeasures known to the authors at the time of publication, but future research may highlight possible new attacks at any time. Also, future versions will address new 3GPP release versions, new security use cases and so on.

This document closely references concepts defined by 3GPP, especially general security recommendations like 3GPP TS 33.501 which cover the 5G core and the use of nodes like the SEPP (Security Edge Protection Proxy). These 3GPP standards define some of what needs to be put in place to provide security – but documents like FS.36 are then needed to define how exactly security should be put in place practically for the traffic that goes across the interconnect, and what other areas need to be secured which may not be covered by the 3GPP specifications. The end result is a security solution that is not only standards-led, but takes into account the practical experience and learnings of the industry.

5G networks in themselves are not inherently secure. Like all complex networks, they require good security design and constant vigilance. We are now moving into the most critical phase of 5G network rollout. With the help of the recommendations in FS.36 and other ongoing work within the GSMA, mobile operators can build in security for themselves and their customers from the start.

[1], [2] https://www.gsma.com/mobileeconomy/wp-content/uploads/2020/03/GSMA_MobileEconomy2020_Global.pdf