Outside Looking In: How Packet Reflection Vulnerabilities Allow Attackers to Infiltrate Internal 5G Networks
Written by Salim SI
5G technology is contributing to the digital transformation of the industrial sector in the Internet of Things (IoT) era, with modern factories now able to connect multiple devices simultaneously through their own 5G networks. However, despite the productivity and market opportunities that 5G networks offer, they are not immune to cyber-attacks.
In recent collaborative research with CTOne, the Telecom Technology Center (TTC), the official advisory group of Taiwan's National Communications Commission and the Ministry of Digital, we investigated ZDI-CAN-18522, a packet reflection vulnerability in the User Plane Function (UPF) of the 5G core (5GC). Because the GTP-U protocol between the base station and the 5GC user plane has no authentication mechanism, ZDI-CAN-18522 lets an attacker reach through the 5GC UPF and compromise 5G devices connected to the internal network.
ZDI-CAN-18522 scored 8.3 on the Common Vulnerability Scoring System (CVSS). It allows cybercriminals on external networks to abuse GTP-U and attack connected 5G devices. After testing attack scenarios against the 5GC of two commercial and two open-source vendors, we found that all of them are at risk from this vulnerability.
A private enterprise's 5G network deployment may have a variety of topologies. In certain topologies, the UPF interface remains exposed to the Internet and thus within reach of threat actors on external networks. ZDI-CAN-18522 likely allows cybercriminals to access 5G IoT devices through exposed 5GC interfaces, even if those devices sit behind a firewall or network address translation (NAT) or are deployed in an isolated environment.
Expansion of the attack surface
In a 5G network, every user device has at least one GTP tunnel, and the data traffic exchanged between the 5GC (in the cloud) and the base station travels over these tunnels. The 5GC user plane identifies each GTP tunnel by a 32-bit Tunnel Endpoint Identifier (TEID), which forms part of the GTP header. Each 5G user device has separate TEIDs for uplink and downlink.
Through tunneling, the contents of GTP packets, which are created by prepending a GTP header to the original packet, can be sent across subnets without modification. As long as the TEID is valid, GTP packets can be delivered to 5G user devices from anywhere. A cybercriminal could send multiple pings to the target IP with different TEIDs in the GTP packets, relying on an educated guess to find a TEID that matches the target IP.
Because the GTP-U protocol lacks encryption, the 5GC interface itself is a possible point of entry for threat actors: GTP-U tunneling lets an enterprise's private subnet be reached from an external network (Figure 1). This security flaw is further exacerbated by the fact that many 5GC vendors have no built-in mechanism that allows the UPF to verify that packets come from a trusted source, since such a check is not a required feature under the 3rd Generation Partnership Project (3GPP) standard.
Figure 1. An attacker from an external network can access the private network through the factory network.
Potential attack vectors
During the course of this research, we identified the following attack vectors that attackers could use to compromise 5G networks via this vulnerability:
Downlink
We discovered that in one attack scenario, attack packets (with the user device's IP set as the destination and an Internet IP set as the source) could be encapsulated in a GTP packet and sent to the UPF (see arrow 1 in Figure 2). After looking up the TEID, the UPF decapsulates the packet and sends it to the user device (arrows 2 and 3). The user device then responds to the Internet IP (arrows 4, 5, and 6). If the attacker has set the Internet IP to their own, this allows them to establish a two-way connection with the device (Figure 3).
Figure 2. Cyber attack in which an attacker establishes a downlink connection with a 5G user device.
Figure 3. Attacker establishes a two-way connection with a 5G user device
Uplink
Another type of attack involves an attacker crafting a packet, encapsulated in a GTP packet, with the user device's IP as the source and an Internet IP as the destination. This is sent to the UPF (see arrow 1 in Figure 4), which looks up the TEID, decapsulates the inner packet, and forwards it to the Internet IP (arrow 2). The Internet server responds to the user device, and its reply is delivered over the 5G network (arrows 3, 4, and 5).
Figure 4. Cyberattack where an attacker establishes an uplink connection on behalf of a 5G user device
5G security risk mitigation
As manufacturing sites become more connected, the points of entry for attackers also become more complex. Defending against new threats to networked factories requires a proactive and comprehensive security strategy. Use the following defense strategies to strengthen your defenses against security flaws like ZDI-CAN-18522.
- As suggested by the GSM Association (GSMA), enterprises can use Internet Protocol Security (IPsec) to secure GTP. This, or any similar secure tunneling mechanism between the base station and the 5GC, helps thwart man-on-the-side (MoTS) attacks.
- Businesses can also reduce their attack surface by using external security devices capable of IP cross-checking, since many commercial 5GC vendors do not offer it.
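The following is an added example, not code from the original research or from any 5GC vendor. It ties together the GTP-U header and TEID description above, the downlink and uplink reflection flows in Figures 2 and 4, and the "IP cross-checking" mitigation just listed: it parses a GTPv1-U G-PDU, extracts the inner IPv4 addresses, and applies the checks a UPF (or an external security device in front of it) can make on the N3 interface: the outer source must be a known base station, the TEID must be bound to a session, and the inner source IP must be the user device that owns that TEID. The session table, the gNB address, the UE and Internet addresses, and the sample packets are all constructed for the demo.

```python
"""GTP-U (3GPP TS 29.281) header parser plus N3-side sanity checks.
Added example; session/gNB/UE addresses and packets are constructed."""
import ipaddress
import struct
from dataclasses import dataclass

GTPU_PORT = 2152      # UDP port used by GTP-U
G_PDU = 0xFF          # message type that carries a user packet (T-PDU)


@dataclass
class GtpU:
    teid: int
    payload: bytes    # the encapsulated user packet


def parse_gtpu(data: bytes) -> GtpU:
    """Parse a GTPv1-U header; raise ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    if not flags & 0x10:
        raise ValueError("PT=0 (GTP') is not a user-plane packet")
    if msg_type != G_PDU:
        raise ValueError(f"not a G-PDU (message type {msg_type:#04x})")
    end = 8 + length                  # length counts everything after the 8 mandatory octets
    if end > len(data):
        raise ValueError("GTP-U length exceeds datagram")
    off = 8
    if flags & 0x07:                  # E, S or PN set: 4 optional octets follow
        if end < 12:
            raise ValueError("optional header octets missing")
        next_ext = data[11]
        off = 12
        while flags & 0x04 and next_ext != 0:   # walk the extension header chain
            ext_len = data[off] * 4
            if ext_len == 0 or off + ext_len > end:
                raise ValueError("bad extension header")
            next_ext = data[off + ext_len - 1]
            off += ext_len
    return GtpU(teid, data[off:end])


def inner_ipv4_addrs(tpdu: bytes):
    """Source and destination of the encapsulated IPv4 packet."""
    if len(tpdu) < 20 or tpdu[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return ipaddress.IPv4Address(tpdu[12:16]), ipaddress.IPv4Address(tpdu[16:20])


def check_n3_packet(outer_src, data, sessions, trusted_gnbs):
    """Verdict for a GTP-U datagram received on N3 (gNB -> UPF direction).
    sessions maps uplink TEID -> UE IP; trusted_gnbs holds the gNB N3 addresses."""
    if ipaddress.IPv4Address(outer_src) not in trusted_gnbs:
        return "drop", "outer source is not a known gNB"
    try:
        gtp = parse_gtpu(data)
        src, dst = inner_ipv4_addrs(gtp.payload)
    except ValueError as err:
        return "drop", str(err)
    ue_ip = sessions.get(gtp.teid)
    if ue_ip is None:
        return "drop", f"TEID {gtp.teid:#010x} is not bound to any session"
    if src != ue_ip:   # the IP cross-check: stops packets reflected toward the UE
        return "drop", f"inner source {src} is not the UE {ue_ip} owning this TEID"
    return "forward", f"{src} -> {dst}"


# --- constructed test traffic (not captures from the research) ---
def ipv4_packet(src, dst, proto=1, payload=b"\x08\x00" + b"\x00" * 6):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def gtpu_packet(teid, tpdu):
    return struct.pack("!BBHI", 0x30, G_PDU, len(tpdu), teid) + tpdu


SESSIONS = {0x1A2B3C4D: ipaddress.IPv4Address("10.45.0.7")}   # one UE behind the UPF
TRUSTED_GNBS = {ipaddress.IPv4Address("192.168.10.5")}
UE, GNB, INTERNET = "10.45.0.7", "192.168.10.5", "198.51.100.20"


def demo():
    cases = {
        "legit uplink": (GNB, gtpu_packet(0x1A2B3C4D, ipv4_packet(UE, "203.0.113.9"))),
        "reflection from Internet": (INTERNET, gtpu_packet(0x1A2B3C4D, ipv4_packet(INTERNET, UE))),
        "reflection, spoofed gNB": (GNB, gtpu_packet(0x1A2B3C4D, ipv4_packet(INTERNET, UE))),
        "guessed TEID": (GNB, gtpu_packet(0x00000001, ipv4_packet(UE, "203.0.113.9"))),
    }
    return {name: check_n3_packet(o, d, SESSIONS, TRUSTED_GNBS)[0] for name, (o, d) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The cross-check catches the downlink reflection of Figure 2 even when the outer source is spoofed to look like the base station, because the inner source is an Internet address rather than the UE bound to the TEID. It does not catch the uplink variant of Figure 4, where the attacker sets the inner source to the UE's own IP and spoofs the outer source as well; only an authenticated tunnel such as the GSMA-recommended IPsec between base station and 5GC removes that case.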
Multi-layered security solutions, such as the Trend Vision One™ cybersecurity platform, can help protect your company's infrastructure. Trend Vision One gives enterprises a complete view of the attack surface and streamlined detection and response adapted for ICS and 5G. Assessing exposure to risks and automatically deploying controls to mitigate those risks produces higher-fidelity alerts and frees security teams to tackle strategically important tasks.
As more companies adopt private 5G networks with low latency, high bandwidth, and high density capabilities, they need to protect their factory environments from potential cyberattacks. To this end, Trend Micro ICS/OT Security offers solutions built on the thorough threat intelligence and expertise of Zero Day Initiative, TXOne Networks, and Trend Micro Research. A suite of integrated IT, OT, and CT solutions enables early threat detection and response while reducing monitoring complexity, enabling manufacturers to better defend their industrial IT ecosystems.
About CTOne
CTOne, a global leader in communications technology cybersecurity, provides enterprise cybersecurity solutions for next-generation wireless networks. A subsidiary of Trend Micro, CTOne enables digital transformation and strengthens the resilience of communications technology.