5G Protocol Vulnerabilities and Exploits

Explore the vulnerabilities and exploits in 5G protocols through this comprehensive conference talk from Shmoocon 2020. Delve into the evolution of mobile network security, from LTE to 5G, and examine real-world 5G traffic captures. Learn about pre-authentication message-based exploits, IMSI catching prevention, and the limitations of the 5G security architecture. Analyze potential adversary tactics and discover how certain LTE exploits remain applicable in 5G networks. Gain insights from Roger Piqueras Jover, a Senior Security Architect and wireless security researcher, as he presents findings on both non-standalone (NSA) and standalone (SA) 5G modes. Understand the challenges in capturing and analyzing 5G traffic, and explore topics such as SUPI protection, base station configuration sniffing, and RNTI-based tracking. Conclude with a discussion on the current state of 5G security and potential future improvements, including the use of digital certificates in cellular networks.

Intro
ABOUT ME
WHAT AM I GOING TO TALK ABOUT?
MOBILE NETWORK SECURITY RETROSPECTIVE
SECURITY RESEARCH RAPIDLY MATURING
SOME BASIC JARGON
LTE ARCHITECTURE
LTE ATTACH PROCEDURE
LTE (IN)SECURITY REDUX
SNIFFING BASE STATION CONFIGURATION
IMSI CATCHING
DEVICE DOS AND SILENT DOWNGRADE TO GSM
DEVICE TRACKING
DNS SPOOFING AND TRAFFIC HIJACK OVER LTE
UL FUZZING AND EXPLOITS WITHOUT ROGUE BS!
(SIMPLIFIED) 5G ARCHITECTURE
5G ATTACH PROCEDURE
5G NSA ATTACH PROCEDURE
5G SA ATTACH PROCEDURE
CHALLENGES IN CAPTURING AND ANALYZING 5G TRAFFIC
RELEASE 15 TRAFFIC CAPTURES FOR ANALYSIS
5G IMSI PROTECTION - SUPUSUCI
5G SUPI PROTECTION?
OUT OF SCOPE
5G (IN)SECURITY RATIONALE
SNIFFING 5G BASE STATION CONFIGURATION
5G RNTI-BASED TRACKING
UE CAPABILITY INQUIRY
THE CURRENT STATE OF AFFAIRS IN 5G SECURITY
ROOT CAUSE FOR MOST VULNERABILITIES
5G SECURITY ROADMAP?
DIGITAL CERTIFICATES IN CELLULAR NETWORKS?