The standards body in charge of 5G wireless network security is drafting new requirements for addressing recently reported vulnerabilities in the technology that impact both end user devices and operator infrastructure.
The new requirements - which are expected to become available from the 3rd Generation Partnership Project (3GPP) with the next release of the 5G standard - specify how certain device information should be handled on the network.
Security researchers at the Technical University of Berlin and Kaitiaki Labs discovered the vulnerabilities earlier this year and presented details of their work at Black Hat USA.
The problem, according to the researchers, is that when a mobile device registers on a 5G network, details about the device and its technical capabilities are exchanged in an insecure manner. This gives attackers a way to intercept the device capability data and use it to identify specific devices, degrade performance, and drain batteries.
"The vulnerabilities are present in the 4G and 5G registration procedure that happens every time a device is turned on with SIM card," says Altaf Shaik, principal security researcher at Kaitiaki Labs and PhD student at the Technical University of Berlin.
During this procedure the device conveys its capabilities — such as its throughput categories, app data, radio protocol support, security algorithms, and carrier info — to the network, either in plain text or prior to establishing over-the-air security. This opens the procedure to both passive attacks and man-in-the-middle attacks, Shaik says.
"Attackers can obtain the capabilities and fingerprint specific devices or can modify the capabilities and cause downgrade or DoS [denial-of-service] attacks," he says.
Potential dangers include attackers being ab ..
Support the originator by clicking the read the rest link below.
