New Vulnerabilities in 5G Networks

Captions
Good afternoon, welcome to New Vulnerabilities in 5G Networks here in South Pacific with your speaker Altaf Shaik. Before we begin, a few brief notes: please stop by the Business Hall, located in the Mandalay Bay Oceanside and Shoreline ballrooms on level 2, during the day and for the welcome reception tonight at 5:30. The Black Hat Arsenal is in the Business Hall on level 2. Please join us for the Pwnie Awards in Lagoon JKL at 6:30 p.m., and don't forget the merchandise store on level 2 and the session recordings from Source of Knowledge; they have a desk on every level of the conference. Please put all of your phones on vibrate, which makes it easier for us to ignore the ringing while you wait for your voicemail to pick it up. Now please give a warm welcome to Altaf Shaik.

Welcome back everybody, I hope everybody has had a great lunch, maybe a heavy lunch. Okay, so I'm Altaf Shaik and I'm actually a PhD student at the Technical University of Berlin, and my co-speaker Ravishankar, a research scientist at SINTEF in Norway, unfortunately was not able to attend Black Hat due to some family emergency, so I'll be doing the talk. So as the title says, we found some new vulnerabilities in 5G networks, so we'll be talking about that. We all know the kind of hype 5G has today; I think it's even bigger than this room. So everybody is talking about 5G, what is it, and even my friends who don't know anything about technology, who are working in the banking sector, keep asking me what is 5G, and what's happening in the news. I think you all know what's happening in the news regarding 5G and its deployment. So it's kind of crazy, and we found some new issues, and I'll be talking about that. So in the beginning I'll just give a short overview of how 5G security looks and the kind of threat landscape we have. Following that, I'll talk about the kind of IMSI catchers that are really possible in 5G and what we can expect in the future, and I finish with the kind of new vulnerabilities we found in 5G and how we got them fixed and all this.

So basically 5G, yes, it's for machine communication. I mean not only machine communication, but we had 2G, 3G and 4G, everything which was used for human communication, but 5G I think takes it to another level where it's actually being designed for machines to communicate, for example autonomous vehicles or even low-latency communication devices, for example IoT. So all this stuff, it's made for machines. So if we go a bit... okay, there is a lot of stuff about how 5G has so much bandwidth, it's high speed, all these things, but putting them aside and talking about security, 5G had some strong security requirements; obviously it should be better than 4G. So there are three elements in which I would like to present 5G security. The first one is we have new use cases, so many use cases that are actually depending on 5G, like autonomous vehicles, IoT, many different industries, many use cases, ultra-reliable low-latency communication, mission-critical communication. So there's a lot which depends on 5G. To actually facilitate, or to have all these use cases be successful, we need different kinds of technologies on the core network; for example we have different technologies like software-defined networking, then NFV in the network, the virtualization technologies, then network slicing features. So these are some new features which are coming into the core networks, which never existed in the mobile network area, and they are somehow coming into reality with 5G. Plus we have the LTE security requirements: compared to 2G or 3G, LTE was much more secure; although we saw so many attacks on LTE, encryption- and integrity-protection-wise, authentication-wise, it was much, much stronger than what we saw in 2G and 3G. So all these requirements build up the whole 5G requirement set, and we have to see in the upcoming years whether 5G would be successful in actually making these requirements a reality, or can the attacks of the past repeat, for example IMSI catcher attacks or location-tracking attacks? I think we have to wait and see for this.

Okay, so there are different elements in 5G security, so I just brought three different ones. The first one is the cell level, where we have so many different devices, not only phones; we have cars, then we have smart homes, then we have different IoT devices, then we have different types of base stations. Previously it used to be a bit centralized; now we have a mix of centralized base stations and distributed base stations. So there is a whole lot of different devices that will be scattered around us, millions of devices, and this will be managed by a kind of edge cloud which actually facilitates the speed of having different applications; you'll see in the future how it's possible with different applications. Then we have the central cloud which we call the core network, but this will be completely changed into something cloud-based where you have all these virtualization technologies and network slicing. For example, let's take a simple case where an IoT provider, a service provider, would receive access or actually install his own applications directly on the network operator's hardware. So basically this is something we call network slicing: each kind of application is receiving a slice, and the security of the slice, the operations, the kind of speed, all this could be configured in real time, and this is something the operators and the service provider have to discuss. So this is something we call, it's like network as a service. So today I will be talking more on the radio part, the over-the-air network level part. So if you look at 5G there are a lot of changes: there is improvement in integrity protection, there is improvement in privacy, like
for example hiding the permanent subscriber identity, which is the IMSI. Then we have improvement in resilience: for example, what happens when certain messages which are not protected are kind of misused, how do you deal with such kinds of scenarios? These are somehow addressed in 5G. So there were a lot of improvements, and we will look into that; mainly I would be talking in this region.

So if we go back and just see how security has evolved from 2G to 5G. First 2G, the straight statement is there is no mutual authentication, so false base station attacks are simply straightforward, and even today there are so many commercial IMSI catchers, StingRay type devices, that still use 2G to intercept voice traffic. Then we have 3G, which improved: there was mutual authentication where the phone and the base station authenticate each other. This somehow can eliminate... okay, this doesn't really eliminate the problem of fake base stations; still you can operate fake base stations. Then we have 4G: we have mutual authentication, the same which was taken from 3G, then we have integrity protection for the control plane messages exchanged between phone and base station. Also a similar thing applied in 5G, but a little bit improved in terms of mutual authentication, like trying to prevent fraud attacks, location fraud attacks. The same kind of algorithms which were used in 4G are reused in 5G; they're also still working on 256-bit encryption algorithms, but this is something I think we have to wait for in the future. So security has changed a lot when we are moving from 2G to 5G, so obviously we expect that 5G should be really stronger than 2G.

So when you talk about attacks in cellular networks, the common device or the common thing you call it is an IMSI catcher. In the beginning it used to be a device which is used for harvesting identities, SIM card identities, or even IMEIs, not only IMSIs but also IMEIs. So this revealed information about the subscriber, and later they also used the term IMSI catcher for voice interception attacks or even location tracking or different kinds of attacks, but this one was mostly the air interface attacks. We have something else on the core network side like SS7 attacks or even Diameter-based attacks, but that's a different story. So if we look at 2G, the IMSI and IMEI were available in clear text for any kind of attacker; for example even a passive attacker can actually obtain the IMSI and IMEI. Then we moved to 3G, the same: IMSI and IMEI were not given any protection, maybe it was not a priority. Then moving to 4G, there was a kind of protection which was available for the IMEI, so a rogue attacker cannot actually access the IMEI of any phone or any kind of device; this was protected in 4G. Moving to 5G, both of them are hidden now, so they kind of encrypt the IMSI and call it SUPI; it's like a concealed identifier. So the problem of IMSI catching, just the word IMSI catching, is solved in 5G, but encrypting the IMSI is something that's optional, and it's up to the network operators to implement, because this takes a lot of effort, because you need to have a kind of public key in the SIM card to actually encrypt the IMSI. So this will take time to actually see in practice; I'm actually still waiting to see somebody implement that, and then we can somehow give it a test.

So talking about 5G security, yes, it is definitely better than 4G, and there were a lot of vulnerabilities which were fixed, for example the downgrade attacks or some other denial-of-service attacks which were fixed in 5G; then location tracking problems were fixed in 5G. But 5G was using the same algorithms, I would say maybe a little bit enhanced; there could be new algorithms, but at the moment there are the same algorithms from 4G, they are reused, and there could be stronger ones which might come up, but it's something that's not fixed in 4G, so obviously it's taken to 5G. So why I say this is because there are similar kinds of protocols which started from 2G, then were taken to 3G and 4G, so the way the protocol stack behaves in mobile networks never actually changed, but they have a lot of improvements in terms of authentication, encryption and integrity protection. But if you don't fix the main problem, you still see the attacks happening again and again. So one kind of IMSI catcher attack in 5G we presented, I think we actually presented this at last year's Black Hat: this was tracking the location, or tracking the presence, of a particular SIM card in a particular location. So this was still possible in 5G, and there is still some discussion going on in the standards trying to address this problem.

So I'm going to talk about something new which we figured out; this is called capabilities. So when I'm talking about the capabilities of a modem, I'm not talking about the processor we have in the phone or the speed of the RAM or anything like this; I'm exactly talking about the capabilities of a modem, what a modem is actually able to do. So we have two different capabilities of the modem; these capabilities are actually defined in the standards, and I also mention the standards at the bottom. Okay, there are two different capabilities: the first one is the core network capabilities, then the second one is the radio access capabilities. So the first one is core network: these capabilities include the security algorithms that are supported by the modem, then does the modem support voice calling features, does the modem support SMS features, and does the modem support V2X, which is coming maybe in a couple of years, the automotive
automated automotive vehicle features. So we are going to see this in 5G, or maybe one or two years from now. Then talking about the radio access capabilities, the word itself describes it: for example, what kind of frequency bands it supports, then the RX and TX features, then does it support multiple-input multiple-output features. So these are some of the features that are really responsible for the high speeds we see in 4G, and also something called category. If you take the word category, there are like 20 different categories in LTE, and the number of the category increases; for example if you take the iPhone X, which is a cat 16 device, or if you take the Samsung Galaxy S4, it's a cat 4 device. So as the model increases in its capacity or price, the category also increases. So these are the two different capabilities that exist in the modem. As a normal user, as a smartphone user, we don't get to see them because they are inside the modem, inside the baseband processor.

So a little bit more detail, maybe if you wanted you could actually access it when you're reading the slides. So there are different core network capabilities, for example the device calling capabilities, the SMS support, or what kind of voice codecs it supports, like AMR half-rate or AMR full-rate. Or for example when you take a USB stick, a USB dongle, it doesn't support voice calling features, it only supports the data features, maybe SMS. So some of the new capabilities which are coming in 5G, for example we call it CIoT, cellular IoT; this is not really 5G, but this is like the final versions of LTE, release 13 and release 14. Then we have V2X features which will show up in a couple of years, so these are really 5G specific. So these capabilities exist in the modem, and then we have the radio access capabilities. Like I said there is a category; for example this modem's capabilities are category 4, and there are different capabilities like physical layer parameters, RF parameters. So there are thousands of parameters, or optional features, defined for the modem. Basically these are designed by the baseband manufacturers, for example Qualcomm or whoever, Intel, so they actually read the standards and then define it inside their modem, they program it.

Okay, so basically these capabilities are actually sent to the network whenever your device is registering to the network. So let's start with the basic registration procedure: you turn it on, and the first one is the core network capabilities are sent to the network, then the core network is doing authentication and security, very good, then the core network is actually asking the device, send me the radio capabilities, okay, it sends the radio capabilities, then it performs the over-the-air security, encrypting and integrity protecting the communication which is happening between the phone and the base station. So the encryption actually starts after sending the capabilities, and then finally if everything goes well, registration succeeds and then you have data access and everything. So what we see here is that these capabilities are actually sent before setting up the security, which means that an active attacker can actually obtain these capabilities, or a passive attacker listening between the phone and the base station can also receive access to these capabilities. So both passive and active attacks are possible in this case, so we tried to do some passive and active attacks. So the issue was: these capabilities are accessible by fake base stations, you can easily set one up on 4G or 5G, and the second thing is they are sent in plaintext to the network, and then we found some standard and implementation problems that allowed us to exploit these capabilities and then do some other attacks.

So we did three types of attacks. The first one was mobile network mapping, we call it MNmap; this MNmap is something similar to the Nmap that you see in traditional IP, I'm going to explain it in the coming slides. Then the second type of attack we are doing is the bidding-down attacks, bringing the user down from 4G to 2G or even from 5G to 2G. Then we have battery drain attacks, which is very much dedicated to narrowband IoT networks; I'm sure you must have heard of this narrowband IoT term quite often these days. So to do some attacks we tried to set up the whole... we created a test bed. So like I said we did a man-in-the-middle attack because we are trying to modify the capabilities, so I will explain that. So we used two different USRPs for this, then we used some open source software that was available from the srsLTE guys, thanks for the great work. So we set up a whole man-in-the-middle relay: basically we have the phone side, then we have the base station side, which is relaying all the traffic from a legitimate phone to the legitimate network. Then we tested this on some of the commercial networks, actually across Europe and the US and some other countries. For testing we used so many devices, I think roughly around 80 to 90 devices, different types of phones, different types of modems, a lot of laptops because they also have modems inside.

So the first attack, we are trying to do Nmap. What does Nmap do? It gives you information about the live hosts which are connected to your network; the kind of information is what kind of ports, what kind of operating system it's running, or what's actually happening with that device in that network. So we tried to do the same thing: we tried to run a fake base station or a passive attacker that's actually trying to receive the capabilities of all the devices in the surroundings, and try to estimate, or our conclusion is, we guess the kind of maker of
the baseband, the model of the baseband, the operating system it's running and the kind of applications it's running, and if possible we'll also find out the version of the operating system that's there. So basically this is the kind of tree we built. It could be used differently; for example I built the tree like this because it was convenient for me, maybe somebody else might find out something else differently. So basically we are trying to find out the chip maker, then the device model, operating system, application of the device, then the baseband software version, also the application operating system version. So first we find out the baseband model, then we find out if it's a cellular device or if it's a cellular IoT device. If it's a cellular device, is it a phone or is it some other device? If it's a phone, is it Android or iOS? If it's Android, what kind of Android is it: Samsung, HTC, LG, Nokia? Then if it's iOS, is it an iPhone or an iPad, or what is the operating system version there? We also try to get that. Then if it's another kind of device, is it a car modem or a railway modem, then is it a router, a USB dongle, or is it a laptop, or is it a vending machine, a typical IoT device? If it's not a cellular device it could be a cellular IoT device, because these are the only two categories that exist; it could be either a narrowband IoT device or an LTE-M device, but these are quite new in the market, I don't expect them to be in huge numbers compared to the phones we have. So this is kind of the Nmap we are trying to do.

Basically you can ask me the question, how is it possible? So there are two things. The first one, like I said, the baseband manufacturers implement these capabilities, so there are a handful of manufacturers, for example maybe five; we actually considered five in our experiments, Qualcomm, Huawei, Intel, Samsung and MediaTek. We find they have the big market share. So they implement the capabilities differently, because the capabilities are optional to implement; not all of them are mandatory, some you can skip, some you can implement, it's up to the baseband manufacturer; some can be enabled or some can be disabled. Then the second one is each target application requires a different set of capabilities as mandatory. For example, you take a phone, it definitely needs the voice codec facilities; you take a USB stick, it definitely needs the data capabilities, the data transmission and reception capabilities; you take a car, the latest car, it needs the V2X capabilities. So there are different capabilities that suit an application. So these are some of the fundamental things that actually allowed us to do some fingerprinting.

So like I said we selected so many devices; we also had some military devices which showed really different capabilities from the traditional or the commercial ones which we were using; we also had modems from cars. Like you see on the left, it's full of phones, different phones; actually the list is very huge but I just put only some of them; then we have different routers, different USB sticks, different laptops, so many devices, I think maybe somewhere around up to 80. So we actually collected the capabilities of all these devices, created a huge reference model, and when I'm actually saving these capabilities I try to save them based on what was the baseband manufacturer, because in this case I know I'm building the reference model, so I know everything about this device. So once I have all these capabilities from so many devices, I started analyzing, looking into that and trying to find fingerprints that allow me to actually differentiate between these devices.

So the first fingerprint was to actually identify different baseband vendors, to find who is the baseband maker. So if you take this table, we have different capabilities listed on the left. If you take the second capability, which is called EIA0, it's a null encryption algorithm; it's actually optional to have this. So in this case Qualcomm was the only baseband manufacturer to actually disable this in most of the devices; in maybe roughly 99.9% of devices we see it was disabled, and with the rest of the basebands it was always enabled. So this would be a good fingerprint to actually identify if this is a Qualcomm device. Take another, for example there's something called extended measurement capability; this was used in 2G networks. This was only enabled in MediaTek, I don't know the reason why, but it's up to the baseband maker. So if I have to find out the reason why you implement and why you don't implement, it takes I think so many ages, because there are hundreds and thousands of capabilities which are optional and then mandatory, or it's up to the baseband vendor to implement them. So this is something of a fingerprint to actually identify different basebands, and once you know the baseband maker, based on the capabilities you can actually tell what kind of model that is, for example Snapdragon 800 or Snapdragon 820. Once you know that, there's a nice wiki where you can actually see which devices are actually using this particular baseband model, so then you have a list of devices, maybe 10 or 20, it depends.

So once you get that, now it's time to identify the application of the device, a little bit more high level, what is the application, is it a phone or is it a router or something. So there are some easy differences to identify between a cellular device and an IoT device: there are certain timers which are always active or mandatory, which should be present in IoT devices, for example the PSM timer; this is something mandatory for IoT which is not mandatory for phones, because this is something to save power, which we don't need for phones and cars or
something. Then we have different... because we want to identify phones specifically, because there are so many of them. So phones obviously have this voice codec feature active; then when it's connecting to the network it obviously enables the fact that it has a voice domain preference; with others, sometimes it is present or it's not present. So then sometimes you might be wondering, okay, normally there are phones which use basebands only from a specific manufacturer; for example Huawei only uses baseband from Huawei, Samsung only from... I mean Samsung can also use Qualcomm baseband but it also uses a Samsung baseband; then Apple has only two options, either Intel or Qualcomm. Then, okay, this went a bit tough: I'm trying to find out the difference between Android and iOS, this is something really needed. So there are two features which somehow look like... the MS-assisted GPS, this was a feature in 2G, and this was actually disabled in iOS, maybe for privacy reasons or I don't know, but this was always enabled in most of the Android devices.

So okay, this is the positive side of doing this fingerprinting. There were also issues we faced, for example in cases where there's a SIM card: the SIM card can actually control the enablement or disablement of these capabilities. For example, the SIM card can actually control what kind of bands can be active or what kind of codecs can be active; there are bits which you can actually enable in the SIM card which actually control the baseband. So the SIM card could be a little bit of a tricky part when you are doing this fingerprinting. So sometimes there could be situations where the capabilities between different devices are equally matching, so there's nothing to worry about, we have thousands of capabilities to actually differentiate between them. I just showed a subset here, but if you refer to the white paper, there are so many different capabilities that actually allow you to differentiate easily between so many devices.

So what now? So if you are able to find out the operating system version or the kind of operating system it's running, the kind of device it is, you could plan a targeted attack, or if you are looking for a specific device; like I said, some devices, for example if you take devices which are used in field testing, they have a completely different set of capabilities from the traditional devices which we see in the market. So if you are looking for some specific devices it is easy to find them with certain fingerprints, or if you are looking for a military device it is also easy to find; I'm not showing them, but if you're interested we can talk about it. And the good thing is we are actually trying to release this tool, just open it, but not the man-in-the-middle part, but once you have the capabilities, how we create an automated tool that actually analyzes and then gives you an Nmap-like result: you just feed it the capabilities and then it will give you what kind of device it is and what it does and all this stuff.

So this was the first fingerprinting attack, then the second one was the bidding-down attack. Like I said, the capabilities, actually the radio access capabilities, actually define the speed that your device is receiving. For example, you take an iPhone, an iPhone X, it's supposed to receive speeds up to 1 Gbps theoretically, but some networks don't support those speeds yet, so practically you might see, maybe in busy hours, maximum 60 Mbps or 70; it depends on the network operator, and maybe if you are operating it at midnight you see maybe 200 Mbps, very rare, but if you're lucky. So the radio is something that's actually controlling the speed, what your device is getting. So if you try to kill that radio thing you are really affecting the service to this device. So in this case the network is actually asking the base station to get the capabilities, so the phone would actually send the capabilities. So if you are operating a man-in-the-middle relay, there's a relay in between which is trying to modify these capabilities, because in this case the security is actually kicking in after the capabilities are sent to the network. So this is not a standard-defined procedure; this was kind of implementation specific, but the standard also mentions that you can access these capabilities without even having security, so it's up to the operator to implement this. Some operators can actually implement it after having security, some can do it before security; I will show some results after this.

So basically the relay is trying to modify these capabilities, and neither the phone nor the base station nor the core network can actually detect that this kind of modification actually happened. So what happens: the base station gets the capabilities, it will send them to the core network, and the core network actually saves these capabilities; how long, it depends on the configuration, but what we have seen is until you restart your phone it's saved at the core network, and then whenever the base station is actually asking for the capabilities it would send them back, because the base station needs these capabilities to do some optimization over the air. So once the capabilities are modified, for example what kind of modification we do: the first thing we change is the category. Like I said, a higher processing device has a higher category, not exactly all the time, but there are devices like cat 19 and cat 20 which were recently defined by the standard; they are generally referred to IoT devices. So if you are taking a higher processing device like the Samsung
Galaxy S9 or something, it is actually a cat 12 or cat 16 device, so we are trying to replace the category, we are trying to put it to cat 1; cat 1 is nothing but a device which operates like an IoT device, so this category was defined for IoT. And then you are trying to remove the capabilities, for example carrier aggregation or MIMO, multiple-input multiple-output systems; these are some of the new technologies which were used in 5G to actually boost speed, so you receive signals from multiple places and this actually helps boost speed in 4G, so we try to disable this. Then we remove frequency bands; if you are on LTE you should support certain bands, at least two, so you can have handovers and stuff like this. And then we have something called voice over LTE, which is specifically for making voice calls, SIP-based voice calls, on LTE, or else you have to go back to 2G or 3G and then do voice calling. So being a man-in-the-middle attacker we try to remove all these capabilities and completely go undetected, because there was no integrity protection, so a modification cannot be detected.

So this is a screenshot; I have this special phone which actually shows you the traces that are actually happening. So this is from one operator, and what we see here is the capability enquiry is sent before the security mode command, which gives an attacker an advantage to actually modify them. So we tried to test this on different networks. It doesn't really matter if you have an elite SIM card, because sometimes if you have a very good SIM card or connection you get really good speed even if you are at a big festival or a big venue like this, because you are entitled to receive it; but even having an elite SIM card doesn't give you more speed if your device doesn't support it. So we tried some experiments with an iPhone 8 and also a Netgear router; both are actually Qualcomm based, so this doesn't really apply to Qualcomm, it applies to everybody; it's a problem with the network operators and it's not a problem with the baseband. So what we saw was, once the capabilities are modified, the speed was reduced: normally it was supposed to receive 48 Mbps, but it actually receives 2 Mbps; this was somewhere around midnight, but if you test in normal high peak traffic time I think you cannot even open Gmail, which makes it difficult; it goes to kbps. Then voice calls are denied: whenever we make a voice call in this situation, the phone is kicked back to 2G because it doesn't support voice over LTE. Then handovers: it's not being handed over to a 4G base station, but it's being handed over to a 2G base station, because the phone doesn't support LTE bands. So this is something like you're killing the service and then you are actually downgrading the device. To keep it simple, you're actually connecting a high-end device like an IoT device and then you are killing the speed and then you're downgrading it. So like I said we tried on different networks, different countries and different continents, so [inaudible] networks were actually requesting the capabilities before security, which are actually affected. And then the main problem here was the persistence of the attack, because the network is actually storing these capabilities, maybe seven days in the kind of experiments we did, so one week; unless I restart my device, it's not going to regain the service back. Like I said, the radio is a bottleneck for high-speed data services, so this applies for any kind of high-speed device. You can also test it with IoT devices, but anyway IoT devices are made for operating on low speeds, so it doesn't really affect them, it doesn't really bother IoT devices. I think this is more targeted towards high-speed devices. So you might ask me the question, okay, why is the standard allowing you to actually send the capabilities before security? So there are reasons, for example to do optimization prior to security, to optimize the radio network so that the later data connection goes smoothly; this was I think one of the reasons we found in the standards.

Yep, so the third attack is something we are doing with the battery drain. So there are new devices in the market called narrowband IoT devices, and they have a special feature called power saving mode. Basically these are the devices you find in smart metering or in applications where the device is sending just a few bytes of data and then has nothing to do after that for maybe one week or something, also even smart grids. So basically the device enables this power saving mode with the help of the network, and then it sends some data and then goes off for some defined amount of time, maybe a week or something. So basically being a man-in-the-middle, what we are trying to do is we are modifying the capabilities, since, like I said, the security is actually kicking in after the exchange of capabilities, so we try to remove the power saving mode. So the problem here was, even though the phone supports the power saving mode, it doesn't activate unless and until the network is telling it to do so, and the network doesn't activate the power saving mode unless and until it knows that the device supports it. So what happens here is the relay, the man in the middle, is trying to disable it, so the network thinks that it doesn't support any power saving mode, so the device is actually on for the rest of the period. When it's on, what a modem is doing is just trying to read neighbor cells, do some measurements, always trying to scan for new base stations and
then trying to camp on them so this is kind of like wasting power actually which is not really the main purpose of designing these type of devices because they are destined to operate for 10 years on a single battery or on a triple a size like two batteries but what we saw in our experiments was like we are killing the battery life time by like five times and then again the problem is with the persistence like it doesn't go away if the attacker is gone because the capabilities are actually stored at the network so you have to manually restart the iwata device like which is I can imagine like hard to do it and then this drains the battery like very quickly and the problem was like this was not able this was this cannot be like detected either by the phone or the network so this was a problem that was existing in the first release of narrow binary devices like it was called release 13 then release 14 there was a fix for that so all these vulnerabilities like we actually reported to the GSMA and also the 3gpp sh3 which is doing security part and also all the effect that when and even operators and actually I should thank GSMA like the process of reporting the vulnerability was very smooth and then we could get the fix I think in one month so there was also like a fix in the standard by the sh3 so now the network has to replace the capabilities only after establishing a security so this this should be something done updated or by the by the operators too but even though with this fixed still the fingerprinting attacks are possible on hygiene I think I just forgot mentioned because the narrowband IOT testbed we used was something we don't have any like open-source implementation of the narrowband IOT network so we approached a vendor like an operator so we could borrow equipment and then do some man-in-the-middle attack with that but LT like for 4G like we have some kind of devices like some kind of open-source software which where we could actually do the attacks and 
see how it's working so like I said then the end map is still possible on 5g there was some kind of discussion which started in in 5g regarding fixing this capabilities because being a passive attacker you can actually listen to thousands of capabilities and just fingerprint like what device is this and everything but I hope maybe in a in one year or something there should be a fix for this but it's a basic problem it's a fundamental problem which was already it was there and which which might increase because it's 5g like you have more applications coming in and then you have more capabilities that are actually exactly defining what kind of device it is so you don't have to do this much of fingerprinting if you are going in for example like take 20 21 if you don't define this then the fingerprinting becomes more easy because the capabilities can really say just by looking at that you can really say what kind of devices so for fixes like like I said I think the current versions of narrowband IOT don't really have the fix for this the fixes like the device is sending the cable coordinate for capabilities to the network and the network would replay them back to the device after establishing the security so so that you can actually verify if the the capabilities they're actually modified in the beginning so like a hash of them so this is actually in there in the standards now but I haven't seen any any vendor actually implementing them so it's it's a release 14 so kind of quite quite new so maybe next year or something we should see and I'm not really aware of I'm actually aware of some operators like which are actually out of those 22 I'm actually aware of some of them but I don't really know who is the vendor or something because I couldn't get enough information from from the standards or the GSMA like it was kind of kept secret or so obviously you have to implement I we are not really sure if it's an implementation problem or if it's a configuration problem so 
both really have implications on this and changing them I think would really solve the the second and third attacks yeah so that's it about the new attacks we found on 5g networks and then I let's see what what comes in the in the future on five thank you
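The capability exchange described in the talk, its persistence at the core network, and the hash-replay check after security activation, as an added Python model that is not part of the talk or of the speakers' work. The message ordering is simplified, and the integrity key, the IMSI, the capability fields and the "Cat 16 / Cat 1" values are constructed assumptions for the example, not values taken from a real network or from the 3GPP specifications.

```python
"""Toy model of the UE capability downgrade via a man-in-the-middle relay, its
persistence at the core network, and the hash-replay check after security.
Added example, not from the talk; keys, IMSI and capability values are constructed."""
import hashlib
import hmac
import json
from copy import deepcopy

# Assumption: integrity key shared by UE and network after AKA; the relay never has it.
INTEGRITY_KEY = b"constructed-key-not-known-to-relay"

# Constructed capability set for a high-end UE (Cat 16, CA, MIMO, several bands, VoLTE).
HIGH_END_UE = {
    "ue_category": 16,
    "carrier_aggregation": True,
    "mimo": True,
    "bands": [1, 3, 7, 20],
    "volte": True,
    "power_saving_mode": True,
}


def cap_hash(caps):
    """Hash over a canonical encoding so UE and network digest the same bytes."""
    return hashlib.sha256(json.dumps(caps, sort_keys=True).encode()).digest()


def mac(payload):
    """Integrity protection that exists only after the Security Mode Command."""
    return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).digest()


def relay_downgrade(caps):
    """What the relay writes into the unprotected capability message."""
    d = deepcopy(caps)
    d["ue_category"] = 1            # present a Cat 1, IoT-class device
    d["carrier_aggregation"] = False
    d["mimo"] = False
    d["bands"] = d["bands"][:1]     # one LTE band left: handovers go to 2G
    d["volte"] = False              # voice calls fall back to 2G/3G
    d["power_saving_mode"] = False  # the NB-IoT battery-drain variant
    return d


class CoreNetwork:
    """Keeps capabilities per subscriber until the UE reboots."""

    def __init__(self):
        self.stored = {}

    def attach_before_security(self, imsi, ue_caps, relay=None):
        """Vulnerable order: capabilities requested before the Security Mode
        Command, and only asked for once, so a single modification persists."""
        if imsi not in self.stored:
            self.stored[imsi] = relay(ue_caps) if relay else ue_caps
        return self.stored[imsi]

    def attach_with_hash_replay(self, imsi, ue_caps, relay=None, echo_tamper=None):
        """Fix: once security is up the network replays a hash of what it
        holds, integrity-protected; the UE compares it with its own hash."""
        self.stored[imsi] = relay(ue_caps) if relay else ue_caps
        echoed = cap_hash(self.stored[imsi])
        tag = mac(echoed)
        if echo_tamper:                 # relay can rewrite the echo but not the MAC
            echoed = echo_tamper(echoed)
        ue_accepts = hmac.compare_digest(tag, mac(echoed)) and echoed == cap_hash(ue_caps)
        if not ue_accepts:              # UE re-sends its capabilities under protection
            self.stored[imsi] = ue_caps
        return self.stored[imsi], not ue_accepts

    def ue_reboot(self, imsi):
        self.stored.pop(imsi, None)


def service_profile(caps):
    """Effect of the stored capabilities on the subscriber, as the talk describes."""
    return {
        "high_speed": caps["ue_category"] >= 12 and caps["carrier_aggregation"] and caps["mimo"],
        "voice_path": "VoLTE" if caps["volte"] else "CS fallback to 2G/3G",
        "psm_enabled": caps["power_saving_mode"],
        "intra_lte_handover": len(caps["bands"]) >= 2,
    }


def run_scenarios():
    core = CoreNetwork()
    imsi = "001010123456789"  # constructed test-network IMSI
    core.attach_before_security(imsi, HIGH_END_UE, relay=relay_downgrade)  # attacker present once
    persisted = service_profile(core.attach_before_security(imsi, HIGH_END_UE))  # attacker gone
    core.ue_reboot(imsi)
    fresh = service_profile(core.attach_before_security(imsi, HIGH_END_UE))
    core.ue_reboot(imsi)
    stored, detected = core.attach_with_hash_replay(  # relay also forges the echo to the UE's own hash
        imsi, HIGH_END_UE, relay=relay_downgrade, echo_tamper=lambda _: cap_hash(HIGH_END_UE))
    return {"persisted": persisted, "fresh": fresh,
            "fixed_detected": detected, "fixed_profile": service_profile(stored)}


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

The second scenario is the point the talk makes about persistence: the relay is gone, yet the subscriber keeps the downgraded profile until the reboot clears the stored copy. In the hash-replay scenario the relay even rewrites the echoed hash to the value the UE expects, but it cannot produce the MAC without the integrity key, so the UE rejects the echo and re-sends its real capabilities.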
Info
Channel: Black Hat
Views: 5,467
Rating: 4.8762889 out of 5
Id: YpH3Zx-X5bM
Length: 43min 35sec (2615 seconds)
Published: Wed Jan 15 2020