5G, 5G RAN

5G RAN Security

Introduction

5G is not just about faster, bigger, or better. It’s about enabling a diverse new set of services and use cases affecting nearly every aspect of our lives. But to live up to their potential, 5G-enabled applications must be delivered securely.
For example, 5G will enable Massive Internet of Things (MIoT) applications such as the traffic sensors and Vehicle-to-Infrastructure (V2I) services that are the foundation for smart cities. It’s critical that hackers can’t access that data, hijack IoT devices, or disrupt the services with Distributed Denial of Service (DDoS) attacks.

With 5G, mobile takes that Security focus to another level with a wide variety of new, advanced safeguards as It is the first mobile architecture designed to support multiple, specific use cases, each with their own unique cybersecurity requirements. In the enterprise IT world, network segmentation is a common, proven way to mitigate security risks.

In addition to the new opportunities and capabilities, 5G creates new cybersecurity considerations. Its use of the cloud and edge computing, and convergence of mobile and traditional IT networks, create new attack vectors. So the question now is how 5G provides a new set of visibility and control elements to help operators protect their networks, business partners, and customers?

5G Security Architecture

3GPP defines the overall 5G security architecture as below

5G Security Architecture

This includes many network architectural elements and concepts such as:

  • Network access security (I), which is the set of security features that enables a UE to authenticate and access services via the network securely, including the 3GPP access and non-3GPP access, and in particular to protect against attacks on the radio interfaces. In addition, it includes the security context delivery from SN to UE for the access security.
  • Network domain security (II), which is the set of security features that enables network nodes to securely exchange signalling data, user plane data.
  • User domain security (III), which is the set of security features that secures the user access to mobile equipment.
  • Application domain security (IV), which is the set of security features that enables applications in the user domain and in the provider domain to exchange messages securely.
  • SBA domain security (V), which is the set of security features about the SBA security. These include the network element registration, discovery and authorization security aspects, and also the protection for the service-based interfaces.
  • Visibility and configurability of security (VI), which is the set of features that enables the user to be informed whether a security feature is in operation.

Security in 5G RAN deployments

The separation of RAN and core is critical to the evolution of 5G networks because gNBs terminate the encryption of user data, except when it is encrypted externally and is beyond the control of an operator’s 5G network.

Currently, we do not have any standard rules or guidelines for the separation of RAN and core functions, and the 3GPP standards are largely flexible; however, the actual separation of RAN and core functions depends on the 5G use cases in question as well as the commercial strategy of the operator dictating the specific network deployment situation. In addition, technical developments and initiatives, such as distributed RAN, split RAN, O-RAN and CPRI/eCPRI consortiums, also fragment and distribute the deployment of RAN functions, entailing a number of security implications.

5G RAN Security

Security in 5G networks is standardized where user data  is decrypted and encrypted in different functions within the  network. User data is (in most cases) encrypted in transit (over the network) but processed in cleartext in many functions.
The air interface is encrypted (and integrity protected) between the device and the gNB (5G base station). From the gNB over the backhaul network to the core network (normally via an edge router), the 3GPP defined IP security framework is used to protect the integrity and confidentiality of the user plane and control plane between the device, the gNB and the core network.

5G RAN Security (Ericsson)

In a 5G (and 4G) network, NAS (Non-Access Stratum) signaling is encrypted between the device and the core network. Moreover, both the control plane (Radio Resource Control, signaling between the device and RAN regarding radio configuration) and the user plane are encrypted and integrity protected between the device and the gNB (or a base station called eNB in the 4G case),  meaning that all user  data  is available unencrypted in the gNB(or eNB) . In many cases, user data can be encrypted at the application level, but this is not guaranteed by 3GPP 5G standards and is out of operator control.

Security in future RAN deployments

In 5G,  The ongoing development to separate the gNB in different functions is essentially aimed at deploying gNB functions in different ways. The 3GPP TS 38.401 specifies the possibility of a distributed gNB with a CU and DUs as below

3GPP distributed gNB (3GPP)

The DU  and CU are functions in the 3GPP-standardized 5G RAN. So, contrary to previous deployment conventions in 4G and earlier generations, in 5G, these RAN functions can be placed in different physical sites in an actual deployment of RAN, depending on the use case. This  enables RAN function distribution over different physical sites and, subsequently,   allows a breakout of RAN functions to support low-latency use cases as well as flexible implementations.

With the lower layer split, the termination point for encryption the CU function, which terminates PDCP on the network side. With this split, the RU and the DU are not able to access (that is, decrypt) the user plane and control plane, meaning that the RU and the DU are not as critical as the CU when it comes to the integrity and confidentiality of user data or the signaling.

Still, both the RU and the DU can affect the availability of mobile network access.

The Growing Need for RAN Security

RAN evolution and the overall current and future target market segments and use cases, enabled by 4G/5G technologies and infrastructures, have a strong impact on the need for growing RAN security:

  • To enable the growing scalability delivered by 5G, the deployment of a growing network of small cells is required. Many of these femtocells, picocells and microcells eNobeBs (eNB) and gNodeBs (gNB) will be located in the public domain and in other non-secure locations. These will also be, in most cases, connected to the MNO network via untrusted backhaul. These combined factors represent a
    growing risk factor contributing to the increase in overall attack surface and risk for traffic tempering, misuse and manipulation.
  • Mobile infrastructure critical use cases. As 5G brings to bear the ability to provide critical use cases and innovation in different industries, such as healthcare, energy and transportation. Unlike the previous mobile generation, mobile infrastructure “standardization” and the growing reliance on its services for some critical use cases will increase the cybercrime community’s “interest” in the mobile infrastructure as an attack vector and target and will further drive the growing need for RAN security.

5G RAN Threats

The fact that 5G will support many different access networks including 2G, 3G, 4G, and Wi-Fi means 5G perhaps inherits all the security challenges of those access networks.
In recent years, a large body of literature has revealed numerous security and privacy issues in 4G mobile networks. Most of the published attacks at the 4G RAN layer involve RBSs or IMSI catchers to target IMSIs during the UE’s initial attach procedure to the network, or paging attacks using the IMSI paging feature. In such attacks, the obtained information about particular IMSIs may be used later for other types of attacks.

5G will use Multiple -Input Multiple-Output (MIMO) antenna arrays and beamforming. In addition to other spectrum, many 5G systems will operate in millimeter wave (mmWave) spectrum. It is not expected that mmWave by itself is less secure than any other part of the spectrum. The data and signaling transmitted and received at the radio layer is expected to be appropriately encrypted and integrity protected at higher layers, whenever possible.

Despite 5G security enhancements, 5G networks could still be a target to RBS-based threats using, for example, the following threat vectors:
• An attacker can exploit 5G/LTE interworking requirement to launch a downgrade attack.
• A compromised 5G small cell can create an RBS threat to 5G networks and customers.
• An attacker can exploit a lack of gNB authentication in an idle mode to force the user to camp on an RBS which could lead to a denial of services.(such as public safety warnings, incoming emergency calls, real-time application server push services, and etcetera)

Resources:

  • 3GPP
  • Ericsson
  • Fortinet
  • 5GAmericas

Related Posts

Leave a Reply