5G Puppeteer: Chaining Hidden Command and Control Channels in 5G Core Networks

Julian Sturm, Daniel Fraunholz, Oliver Zeidler, Katharina Schaar, Wolfgang Kellerer

Abstract

Mobile networks are essential for modern societies. The most recent generation of mobile networks will be even more ubiquitous than previous ones. Therefore, the security of these networks as part of the critical infrastructure with essential communication services is of the utmost importance. However, these systems are still vulnerable to being compromised, as showcased in the recent discussion on supply chain security and other challenges. This work addresses problems arising from compromised 5G core network components. The investigations reveal how attacks based on command and control communication can be designed so that they cannot be detected or prevented. This way, various attacks against the security and privacy of subscribers can be performed for which no effective countermeasures are available.

Paper Structure

This paper contains 27 sections, 3 equations, 4 figures, 4 tables.

Figures (4)

  • Figure 1: Overview of the 5G core network architecture TangSystematicAnalysis5G2022.
  • Figure 2: Signaling diagram for the implemented registration procedure. Blue solid: Registration procedure, black solid: identity sub-procedure, red dashed: AKA sub-procedure, green dash-dotted: SMC sub-procedure, yellow dashed: N4 u-plane configuration. Based on ZeidlerPerformanceEvaluationTransport2024.
  • Figure 3: Simulation result of the attack success and path selection of 5G Puppeteer visualized in our simulation tool with the networkx library. Left: Overall 5G network that is available, with messages sent. Center: Part of the 5G network that is available to 5G Puppeteer. Right: Actual attack path selected.
  • Figure 4: Performance of exemplary attacks at different payload sizes.