5G Protocol Vulnerabilities and Exploits

The first protocol exploits against LTE were introduced in early 2016. Since then, security researchers have published a large number of excellent papers and talks identifying more and more critical vulnerabilities in the LTE protocol. 3GPP released the 5G specifications in 2018 and, by late 2019, a number of theoretical studies and formal verifications of the protocol have already identified several security issues. Despite a potential, yet optional, solution to prevent IMSI catching, 5G communication systems are still vulnerable to preauthentication message-based exploits. The 5G security architecture provides no means for mobile devices and base stations to verify cryptographically that they are not communicating with a malicious node until a substantial number of messages have been exchanged entirely in the clear. This talk will present the first security investigation of the 5G security specifications based on the analysis of real 5G traffic captures. Pre-authentication messages from real Release15-compliant 5G base stations, mobile devices and test tools, in both non-standalone (NSA) and standalone (SA) mode, will be analyzed. We will discuss ways in which an adversary could exploit these messages maliciously. The analysis will also demonstrate how certain exploits against LTE are still possible in 5G.

Presented by