More than 100 security vulnerabilities discovered in 4G and 5G network deployment
A team of researchers has published details of more than 100 serious security vulnerabilities in 4G and 5G network deployments that could be targeted by attackers, allowing them to disrupt services and even penetrate the core network of mobile systems.
According to researchers from the University of Florida and North Carolina State University in the US, a total of 119 security vulnerabilities were discovered, of which 97 were assigned unique CVE (Common Vulnerabilities and Exposures) identifiers.
These vulnerabilities affect seven 4G-LTE network implementations, including Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, and srsRAN, along with three 5G network implementations, Open5GS, Magma, and OpenAirInterface.

These findings are detailed in a study titled “RANsacked: A Domain-based Approach to Fuzzing 4G-LTE and 5G RAN-Core Interfaces.”
The research provides insight into how interfaces between the radio access network (RAN) and the core network can become weak points for attackers to exploit.
"The more than 100 vulnerabilities analyzed below have the potential to be exploited to completely disrupt all mobile communications, from calls, messages to data, on a city-wide scale," the researchers stressed.
"An attacker can easily disrupt the operation of the Mobility Management Entity (MME) or Access and Mobility Management Function (AMF) in 4G/5G networks, simply by sending a small data packet as an unauthenticated user without the need for a SIM card," the researchers added.
The discovery is the result of a fuzzing exercise called RANsacked, which the researchers ran against RAN-Core interfaces, the connection points that receive data directly from mobile phones and base stations.
According to the researchers, some of the vulnerabilities discovered involved buffer overflows and memory corruption bugs. These bugs can be exploited to penetrate the core mobile network, allowing attackers to monitor the location of mobile devices, access connection information of all subscribers in a city, carry out targeted attacks on specific users, and conduct a variety of other malicious actions directly on the network.
The vulnerabilities fall into two main groups: those that can be exploited by any unauthenticated mobile device, and those that require the attacker to have already taken control of a base station or femtocell.
Of the 119 vulnerabilities discovered, 79 affect MME implementations, 36 appear in AMF implementations, and 4 are related to Serving Gateway (SGW) implementations. Notably, 25 vulnerabilities allow for pre-authentication attacks on the Non-Access Stratum (NAS), even against a single mobile device.
“The integration of femtocells into the home, coupled with the proliferation of more accessible gNodeBs in 5G deployments, marks a major shift in the cybersecurity landscape. RAN devices that were previously heavily protected physically are now vulnerable to physical attacks,” the study notes.
“Our work sheds light on these potential threats by focusing on performance fuzzing testing of interfaces that were previously considered secure by default, but are now facing increasing direct attack risks,” the researchers conclude.