Security and Protocol Exploit Analysis of the 5G Specifications
share
The Third Generation Partnership Project (3GPP) released its first 5G security specifications in March 2018. This paper reviews the 5G security architecture, requirements and main processes and evaluates them in the context of known and new protocol exploits. Although the security has been enhanced when compared to previous generations, our analysis identifies some unrealistic system assumptions that are critical for security as well as a number protocol edge cases that render 5G systems vulnerable to adversarial attacks. For example, null encryption and null authentication are supported and can be used in valid system configurations and certain key security functions are still left outside of the scope of the specifications. Moreover, the entire 5G security architecture relies on the assumption of impractical carrier and roaming agreements and the management of public keys from all global operators. As a result, existing threats such as International Mobile Subscriber Identity (IMSI) catchers are prevented only if the serving network enforces optional security features and if the UE knows the public key of every single network operator. The comparison with 4G LTE protocol exploits reveals that the 5G security specifications, as of Release 15, do not fully address the user privacy and network availability concerns, where one edge case can compromise the privacy, security and availability of 5G users and services.
READ FULL TEXT