Over 100 Security Vulnerabilities in LTE and 5G Network Implementations Were Discovered by RANsacked

A group of scholars has revealed more than 100 security flaws that affect LTE and 5G deployments.

An attacker could exploit these flaws to disrupt service and potentially gain a foothold in the cellular core network. According to researchers from North Carolina State University and the University of Florida, the 119 vulnerabilities, assigned 97 distinct CVE identifiers, cover three 5G implementations (Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, srsRAN) and seven LTE implementations (Open5GS, Magma, OpenAirInterface, Athonet, and NextEPC).

The results have been described in a report called "RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces." "Every one of the >100 vulnerabilities discussed below can be used to persistently disrupt all cellular communications (phone calls, messaging, and data) at a city-wide level," said the researchers. "An attacker can continuously crash the Mobility Management Entity (MME) or Access and Mobility Management Function (AMF) in an LTE/5G network, respectively, simply by sending a single small data packet over the network as an unauthenticated user (no SIM card required)."

The finding comes out of a fuzzing exercise, dubbed RANsacked, that the researchers ran against Radio Access Network (RAN)-Core interfaces which can accept input directly from base stations and mobile handsets. Many of the discovered vulnerabilities, the researchers say, stem from buffer overflows and memory-corruption bugs that could be weaponized to compromise the cellular core network. With that level of access, they note, an adversary could track the location and connection details of every subscriber's phone across an entire city, mount targeted attacks against specific subscribers, and carry out further malicious actions against the network itself.
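The overflow class the researchers describe usually comes down to a parser on an unauthenticated interface trusting a length field it has not checked against the bytes actually received. The following C snippet is an added illustration, not code from the paper or from any of the named projects: it parses a simplified, assumed IEI/length/value layout (loosely modelled on NAS information elements) with every read and copy bounded, and then sweeps every possible length byte the way a fuzzer would, to confirm that only the one internally consistent packet is accepted. The layout, sample bytes and function names are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified information-element layout for this example
 * (loosely modelled on the IEI / length / value encoding of NAS IEs;
 * illustrative only, not any project's real parser):
 *   [1 byte IEI][1 byte length][`length` bytes of value]
 */
#define MAX_IE_VALUE 64
#define MAX_IES      8

typedef struct {
    uint8_t iei;
    uint8_t len;
    uint8_t value[MAX_IE_VALUE];
} ie_t;

/* Parse a run of IEs. Returns the number parsed, or -1 on any malformed
 * input. Every read is bounded by the bytes actually present, and every
 * copy is bounded by the destination size, so an attacker-chosen length
 * byte can never drive a read or write past either buffer. */
int parse_ies(const uint8_t *buf, size_t buf_len, ie_t *out, size_t max_out)
{
    size_t pos = 0, n = 0;

    while (pos < buf_len) {
        if (buf_len - pos < 2)
            return -1;                       /* IEI+length header truncated */

        uint8_t iei = buf[pos];
        uint8_t len = buf[pos + 1];
        pos += 2;

        if (len > buf_len - pos)
            return -1;                       /* declared length exceeds payload */
        if (len > MAX_IE_VALUE)
            return -1;                       /* would overflow the fixed value field */
        if (n >= max_out)
            return -1;                       /* more IEs than the caller can hold */

        out[n].iei = iei;
        out[n].len = len;
        memcpy(out[n].value, buf + pos, len);
        pos += len;
        n++;
    }
    return (int)n;
}

/* Constructed sample: two well-formed IEs (IEI 0x05 with 2 bytes, IEI 0x2A with 1 byte). */
static const uint8_t well_formed[] = { 0x05, 0x02, 0xAA, 0xBB, 0x2A, 0x01, 0xCC };

/* Constructed sample: one IE whose length byte (0xC8 = 200) claims far more
 * than the three bytes that follow, the kind of input a fuzzer produces. */
static const uint8_t overlong[] = { 0x05, 0xC8, 0xAA, 0xBB, 0xCC };

int demo_well_formed(void)
{
    ie_t ies[MAX_IES];
    return parse_ies(well_formed, sizeof well_formed, ies, MAX_IES);   /* 2 */
}

int demo_overlong(void)
{
    ie_t ies[MAX_IES];
    return parse_ies(overlong, sizeof overlong, ies, MAX_IES);         /* -1 */
}

/* Minimal fuzz-style sweep: hold the 3-byte value fixed and try every
 * possible length byte. Returns how many of the 256 variants the parser
 * accepts; only the single consistent value (3) should be accepted. */
int sweep_length_byte(void)
{
    uint8_t pkt[] = { 0x05, 0x00, 0xAA, 0xBB, 0xCC };
    ie_t ies[MAX_IES];
    int accepted = 0;
    for (int len = 0; len < 256; len++) {
        pkt[1] = (uint8_t)len;
        if (parse_ies(pkt, sizeof pkt, ies, MAX_IES) >= 0)
            accepted++;
    }
    return accepted;                                                    /* 1 */
}

int main(void)
{
    printf("well-formed: %d IEs\n", demo_well_formed());
    printf("overlong:    %d (rejected)\n", demo_overlong());
    printf("length sweep accepted %d of 256 variants\n", sweep_length_byte());
    return 0;
}
```

The two checks that matter are the comparison of the declared length against the bytes remaining in the input and against the size of the destination field; an implementation that omits either is exactly what a single crafted pre-authentication message can trigger. The length sweep is the smallest possible version of what a fuzzer does at scale: mutate the fields an unauthenticated peer controls and confirm the parser fails closed on every inconsistent variant.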

The vulnerabilities fall into two broad groups: those exploitable by any unauthenticated mobile device, and those that require an adversary to have first compromised a base station or a femtocell. Of the 119 vulnerabilities, 79 were found in MME implementations, 36 in AMF implementations, and four in Serving Gateway (SGW) implementations. Twenty-five of the flaws allow any cellphone to carry out Non-Access Stratum (NAS) pre-authentication attacks.

"The introduction of home-use femtocells, followed by more easily-accessible gNodeB base stations in 5G deployments, represents a further shift in security dynamics: where once physically locked down, RAN equipment is now openly exposed to physical adversarial threats," the researchers wrote. "Our work explores the implications of this final area by enabling performant fuzzing interfaces that have historically been assumed implicitly secure but now face imminent threats."