The Dark Skies of security concerns are forming over 5G - GSMA Mobile 360 Series

The Dark Skies of security concerns are forming over 5G

The Dark Skies of security concerns are forming over 5G

Pieter Veenstra, NetNumber Senior Manager for Product Development (Security and Routing)

NetNumber is an Industry Sponsor of Mobile 360 – Security for 5G, which will be held in the Hague, 28-29 May 2019.

Unquestionably 5G is a critical enabler for the next steps in the digital transformation of our society, private and business processes. The necessary network transformation and modernisation to 5G is revealing a proliferation of concerns regarding security, fraud and privacy—which if left unchecked will lead to significant problems, legal and financial penalties for progressive communication service providers.

As a counter-action the industry is turning to network vendors, governmental and standardisation bodies to come together, regulate and collaborate to keep our communications, data and privacy secure. Independently these interested parties along with service providers have their own contextual concerns and challenges.

In a recent webinar from Light Reading, I had the opportunity to discuss some essential research and a report on Securing 5G Networks with Jim Hodges of Heavy Reading. This blog adds depth, insight and conclusions to the survey responses and findings.

In 2016 I started my editor role in the GSMA Fraud and Security Group (FASG) for the definition of Signaling Firewall requirements for SS7 and Diameter, to enhance the protection of international roaming traffic between mobile networks worldwide. Today I am leading an investigation in the GSMA to identify and track the open issues for 5G Security.

Based on my extensive background in KPN, I am also actively involved in new use case definitions and core network simplification programs with customers, together with establishing new partnerships based on the NetNumber TITAN Centralized Signaling, Routing and Control (CSRC) paradigm.

Confidence in the industry’s ability to secure the 5G Control Plane

As a first discussion point from the report, concerning control plane considerations, there were open questions about the ability and relative confidence levels associated with securing the range of standard 5G security use-case cases that were utilized in the study.

While about half were “confident”, when you break down the numbers it translates into about 40% either only “somewhat confident” or “not confident” which is not a strong endorsement.

The increasing complexity of the control plane makes operators concerned about the impending paradigm shift and evolving trust model, with multiple actors, network slicing, distributed service execution and the use of internet protocols, etc. In conversations with our customers, NetNumber heard similar concerns as these, that come with different challenges. For example:

  • The potential for attacks such as signaling storms, malware etc. on the expected billions of IoT devices and sensors.
  • The multiplication of computer power that Mobile Edge Computing (MEC) brings, also introduces security risks when malware infiltrates with direct access to core elements
  • API exposure security, with a new trust model around distributed control over network resources.

Reasons for the industry’s low confidence in future 5G security

If we look deeper into why there are low relative levels of security confidence and based on the level of ‘agree’ responses, it’s clear that a majority of respondents see more fraud, more signaling storms in the core and RAN, multi-protocol attacks and even greater threats of CLI spoofing and robocalling.

The security of mobile roaming in a pure 5G eco-system is expected to be solved with the “security by design” Security Edge Protection Proxy (SEPP) and with signaling encryption over the N32 interface. However, fundamental issues arise with the co-existence of the existing SS7 and Diameter world that is less secure. The main risk is introduced when access to the IPX signaling network is via SS7 or Diameter and the receiving MNO assumes the same trust as if the traffic was secured via the advanced SEPPs and N32 methods.

Today operators are faced with a steep increase in fraud cases. 5G brings elementary enhancements in native 5G core networks with concealed (encrypted) identity, such as IMSI over the RAN and the 2-way verification of roaming network identity. But to begin with, there will be no native 5G core, so as the magnitude of devices connected to the network increases, so does the potential impact of security breaches.

Implementing 5G security – the expectations

In order to address control plane security challenges service providers are starting with the basics. This translates into supporting the Network Repository Function (NRF) to secure network discovery and Network Exposure Function (NEF) to secure applications at commercial launch. However, it’s notable that even here Machine Learning and automation had relatively high commercial scores. While the SEPP scored in third place, it did seem to drive a significant amount of discussion at the GSMA’s MWC Barcelona this year (2019), suggesting it will be deployed not long after commercial launch even before 5G roaming traffic starts to ramp up.

The SEPP will undoubtedly bring many security improvements for mobile roaming compared to the existing practices with SS7 and Diameter. However, there are still many issues not covered in 3GPP Release 15 that are fundamental for running an operational service like load distribution, error handling or failover mechanism, etc. These functions will first be available with 3GPP Release 16.

Consequently, our expectation is that 3GPP Release 15 is ready for deployment as 5G core within the domain of an operator (as 5G network islands). We need to wait for 3GPP Release 16 before 3GPP core networks will be interconnected and 5G roaming traffic starts to increase. We’ve seen a similar situation with VoIP and IMS networks in the past.

In parallel a secured version of Diameter for mobile roaming is close to finalization in the GSMA DESS group, that may bridge the time until 3GPP Release 16 implementations are ready to be deployed between operator networks. This may take some time because the 3GPP standardisation groups are still very occupied with the completion and error patching of the 3GPP Release 15 standards for 5G phase 1.

Existing firewall support for 5G capabilities

One other important topic the survey addressed was how does this 5G control plane security complexity impact the evolution path of existing 3G/4G control plane signaling firewalls? Based on “extremely important” response levels, HTTP/2 interworking with protocols such as Diameter is critical, while interworking with SIP and even SS7 is still very important.

Fraud via SIP is already starting to become a major concern to operators in 3G and 4G with vulnerability to CLI spoofing, robocalling and other forms of nuisance calls. Also, we see operators starting to ask for protection for the combination of SIP with mobile roaming services via SS7 and Diameter.

When 5G interconnection begins to roll-out, the thirty-year-old SS7 network will still be there – even bigger and carrying more roaming traffic than today. The steep uptake of mobile roaming will likely be due to developments such as ‘EU roaming as at home’ and roaming support for M2M and IoT services. This will include static devices because many operators deploy M2M services with roaming arrangements in foreign networks.

The other issue is how interworking between HTTP/2 and SS7 will be implemented. There is a certain preference to interwork SS7 via Diameter to HTTP/2 and in reverse; but this is a ‘poor-mans-solution’ as it may only partially cover the SS7 attack interface (enabling attackers with an entry point to the HTTP/2 core networks via imperfections of the two-stage interworking from SS7 via Diameter to HTTP/2).

In summary

Given the critical role of 5G in digital transformation and the more stringent legislation for data protection with e.g. GDPR, security in 5G is an absolute critical success factor for this new technology. However, the Light Reading report on Securing 5G Networks shows low confidence levels among the respondents that likely evolve as operators gain experience with the implementation of 5G core networks. 5G security will significantly improve but the interworking with legacy networks will ask for special attention.

NetNumber are hosting the Dark Skies Security Summit for Mobile Operators and Enterprises who are looking to meet and discuss these challenges with their peers. The summit will precede the Mobile360 Security Event on 28th and you can register for it here.

The views and opinions expressed in this piece belong to the author and do not necessarily reflect those of the GSMA.


Related posts