A group of academics has disclosed details of over 100 security vulnerabilities impacting LTE and 5G implementations that could be exploited by an attacker to disrupt access to service and even gain a foothold into the cellular core network.
The 119 vulnerabilities, assigned 97 unique CVE identifiers, span seven LTE implementations – Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, srsRAN – and three 5G implementations – Open5GS, Magma, OpenAirInterface, according to researchers from the University of Florida and North Carolina State University.
The findings have been detailed in a study titled “RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces.”
“Every one of the >100 vulnerabilities discussed below can be used to persistently disrupt all cellular communications (phone calls, messaging and data) at a city-wide level,” the researchers said.
“An attacker can continuously crash the Mobility Management Entity (MME) or Access and Mobility Management Function (AMF) in an LTE/5G network, respectively, simply by sending a single small data packet over the network as an unauthenticated user (no SIM card required).”
The discovery is the result of a fuzzing exercise, dubbed RANsacked, undertaken by the researchers against Radio Access Network (RAN)-Core interfaces that are capable of receiving input directly from mobile handsets and base stations.
The researchers said several of the identified vulnerabilities relate to buffer overflows and memory corruption errors that could be weaponized to breach the cellular core network, and leverage that access to monitor cellphone location and connection information for all subscribers at a city-wide level, carry out targeted attacks on specific subscribers, and perform further malicious actions on the network itself.
What’s more, the identified flaws fall under two broad categories: Those that can be exploited by any unauthenticated mobile device and those that can be weaponized by an adversary who has compromised a base station or a femtocell.
Of the 119 vulnerabilities discovered, 79 were found in MME implementations, 36 in AMF implementations, and four in SGW implementations. Twenty-five shortcomings lead to Non-Access Stratum (NAS) pre-authentication attacks that can be carried out by an arbitrary cellphone.
“The introduction of home-use femtocells, followed by more easily-accessible gNodeB base stations in 5G deployments, represent a further shift in security dynamics: where once physically locked-down, RAN equipment is now openly exposed to physical adversarial threats,” the study noted.
“Our work explores the implications of this final area by enabling performant fuzzing interfaces that have historically been assumed implicitly secure but now face imminent threats.”
