Over the last two years, P1 Security has developed a set of tools and libraries to help with testing and pentesting 5G Core Networks. A dedicated commercial signaling scanner, the PTA 5GC product, has also been available since June 2021 for that purpose and can be used directly by operators.
Many operators are currently sourcing vendors for their 5G core network, and many of them wonder about the security of the different products.
P1 Security has had the opportunity to work with customers to assess the security of the solutions they were offered. In parallel, P1 Security Labs has also worked with 5G test-beds built on different open-source solutions. In this post, we explain what kind of test-beds we have set up, the solutions we have developed for proper security assessment, and the kind of issues one can find during such a security evaluation.
Testing with open-source solutions
When dealing with an open-source 5G network, there are not many choices available:
There are two main core network projects, Open5GS and free5gc, plus a gNodeB and terminal emulator, UERANSIM. Other projects can be found online, but they are far from stable (and sometimes do not work at all). The gNodeB and terminal emulator connects to the core network and enables stable and reproducible connection scenarios.
In turn, this produces standard signalling exchanges between the different core network functions (which are numerous in 5G). One could argue that this kind of test-bed does not enable end-to-end testing through a radio interface, but there are currently not many stable open-source 5G base-station implementations (OAI and srsRAN are the two main projects in this area). Moreover, working with radio imposes several challenges in terms of physical installation (running the transmitters in a Faraday cage, or wiring everything through variable attenuators…) and generally leads to less stable and reproducible scenarios.
Developing dedicated auditing software
While working with this kind of setup helps to investigate standard signalling and connection scenarios, it does not enable advanced security testing. In the 5G core network, the different types of telecom interfaces we want to test are:
- The N1/N2 interface between the RAN and the AMF, carrying NGAP and NAS signalling; note that in the 5G core, NAS signalling can propagate to other NFs, such as the SMF, the SMSF, the LMF…
- The N3 interface between the RAN and the UPF, carrying GTP-U; it is, after all, a generic GTP-U interface, similar to what exists in 4G for the SGW and PGW.
- All the SBA interfaces, where the numerous 5G Core NFs expose HTTP/2 services and APIs, hopefully formally documented with OpenAPI. These can be accessed directly for ease of testing, or through a SEPP for more realistic 5G roaming-partner scenarios.
- The PFCP interface, through which the SMF controls the UPF. This interface is generally not as exposed as the first three in a 5G deployment, but is still important to consider.
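As an added illustration of the N3 interface listed above (this is example code written for this post, not P1 Security's tooling), the following parser and builder handle the GTPv1-U header as a UPF has to: it validates the version and PT bits, checks the length field against the actual datagram, and walks the extension header chain, including the 5G-specific PDU Session Container that carries the QFI. The sample G-PDU it builds is constructed; 0xFF (G-PDU) and 0x85 (PDU Session Container) are the standard values from TS 29.281.

```python
import struct

GTPU_GPDU = 0xFF                      # G-PDU: carries a user IP packet
EXT_PDU_SESSION_CONTAINER = 0x85      # 5G-only extension header (TS 38.415)


def parse_gtpu(pkt: bytes) -> dict:
    """Parse a GTPv1-U PDU and validate what a UPF must check before trusting it:
    version/PT bits, length field vs. actual size, and the extension header chain."""
    if len(pkt) < 8:
        raise ValueError("truncated mandatory header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    if not flags & 0x10:
        raise ValueError("PT=0 (GTP'), not GTP-U")
    if length != len(pkt) - 8:
        raise ValueError(f"length field {length} != actual {len(pkt) - 8}")
    ext_flag, seq_flag, npdu_flag = flags & 0x04, flags & 0x02, flags & 0x01
    off, seq, npdu, ext_headers = 8, None, None, []
    if ext_flag or seq_flag or npdu_flag:          # any flag adds the 4 optional bytes
        if len(pkt) < 12:
            raise ValueError("optional fields flagged but missing")
        s, n, next_type = struct.unpack("!HBB", pkt[8:12])
        seq, npdu, off = (s if seq_flag else None), (n if npdu_flag else None), 12
        next_type = next_type if ext_flag else 0   # E=0: next-ext byte is to be ignored
        while next_type != 0:
            if off >= len(pkt):
                raise ValueError("truncated extension header")
            ext_len = pkt[off] * 4                 # length is in units of 4 octets
            if ext_len == 0 or off + ext_len > len(pkt):
                raise ValueError("bad extension header length")
            ext_headers.append((next_type, pkt[off + 1:off + ext_len - 1]))
            next_type = pkt[off + ext_len - 1]
            off += ext_len
    return {"msg_type": msg_type, "teid": teid, "seq": seq, "npdu": npdu,
            "ext_headers": ext_headers, "payload": pkt[off:]}


def build_gpdu(teid: int, payload: bytes, qfi=None) -> bytes:
    """Build a G-PDU; with a QFI, add the DL PDU Session Container extension header."""
    flags, opt = 0x30, b""                          # version 1, PT=1, no optional fields
    if qfi is not None:
        flags |= 0x04                               # set E, so seq/N-PDU/next-ext bytes appear
        opt = struct.pack("!HBB", 0, 0, EXT_PDU_SESSION_CONTAINER)
        opt += bytes([1, 0x00, qfi & 0x3F, 0])      # len=1 (4 octets), DL type, QFI, end
    body = opt + payload
    return struct.pack("!BBHI", flags, GTPU_GPDU, len(body), teid) + body
```

Feeding the parser the output of a test-bed's UPF capture shows which PDUs would be rejected by the length and extension checks before any payload is looked at.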
Therefore, we have developed a custom gNodeB and terminal … Read More