Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Penetration Testing of 5G Core Network Web Technologies

Filippo Giambartolomei, Marc Barceló, Alessandro Brighente, Aitor Urbieta, Mauro Conti

TL;DR

The paper addresses the lack of web-security assessment for 5G core networks by applying STRIDE threat modeling to identify web-centric attack vectors. It evaluates three open-source 5G core implementations (Open5GS, Free5GC, OpenAirInterface) using a broad security-testing toolkit to cover identified threats. The findings reveal vulnerabilities across all cores, with varying attack profiles, underscoring the need for hardened web interfaces and secure development practices in 5G core ecosystems. The work has practical significance for operators and researchers by highlighting concrete weaknesses and proposing actionable countermeasures to improve 5G core security postures.

Abstract

Thanks to technologies such as virtual network function the Fifth Generation (5G) of mobile networks dynamically allocate resources to different types of users in an on-demand fashion. Virtualization extends up to the 5G core, where software-defined networks and network slicing implement a customizable environment. These technologies can be controlled via application programming interfaces and web technologies, inheriting hence their security risks and settings. An attacker exploiting vulnerable implementations of the 5G core may gain privileged control of the network assets and disrupt its availability. However, there is currently no security assessment of the web security of the 5G core network. In this paper, we present the first security assessment of the 5G core from a web security perspective. We use the STRIDE threat modeling approach to define a complete list of possible threat vectors and associated attacks. Thanks to a suite of security testing tools, we cover all of these threats and test the security of the 5G core. In particular, we test the three most relevant open-source 5G core implementations, i.e., Open5GS, Free5Gc, and OpenAirInterface. Our analysis shows that all these cores are vulnerable to at least two of our identified attack vectors, demanding increased security measures in the development of future 5G core networks.

Penetration Testing of 5G Core Network Web Technologies

TL;DR

The paper addresses the lack of web-security assessment for 5G core networks by applying STRIDE threat modeling to identify web-centric attack vectors. It evaluates three open-source 5G core implementations (Open5GS, Free5GC, OpenAirInterface) using a broad security-testing toolkit to cover identified threats. The findings reveal vulnerabilities across all cores, with varying attack profiles, underscoring the need for hardened web interfaces and secure development practices in 5G core ecosystems. The work has practical significance for operators and researchers by highlighting concrete weaknesses and proposing actionable countermeasures to improve 5G core security postures.

Abstract

Thanks to technologies such as virtual network function the Fifth Generation (5G) of mobile networks dynamically allocate resources to different types of users in an on-demand fashion. Virtualization extends up to the 5G core, where software-defined networks and network slicing implement a customizable environment. These technologies can be controlled via application programming interfaces and web technologies, inheriting hence their security risks and settings. An attacker exploiting vulnerable implementations of the 5G core may gain privileged control of the network assets and disrupt its availability. However, there is currently no security assessment of the web security of the 5G core network. In this paper, we present the first security assessment of the 5G core from a web security perspective. We use the STRIDE threat modeling approach to define a complete list of possible threat vectors and associated attacks. Thanks to a suite of security testing tools, we cover all of these threats and test the security of the 5G core. In particular, we test the three most relevant open-source 5G core implementations, i.e., Open5GS, Free5Gc, and OpenAirInterface. Our analysis shows that all these cores are vulnerable to at least two of our identified attack vectors, demanding increased security measures in the development of future 5G core networks.
Paper Structure (10 sections, 1 figure, 2 tables)

This paper contains 10 sections, 1 figure, 2 tables.

Table of Contents

  1. Introduction
  2. System and Threat Model
  3. System Model
  4. Threat Model
  5. Tests implementation and results
  6. Chosen 5G Core
  7. Tools
  8. Results
  9. Countermeasures
  10. Conclusions

Figures (1)

  • Figure 1: Overview of the 5G Core architecture.