Open Theses

Investigating the Detectability of Hidden Communication in 5G Core Networks

Description

Mobile networks are now ubiquitous and part of our everyday lives. Due to their important role in public security and safety, they are classified as critical infrastructure and need to be protected accordingly. At the same time, 5G shifted from a closed system to a set of microservices designed to be deployed in dynamic environments such as (public) clouds. This large number of involved systems and components increases the risk of infiltration by bad actors through security flaws and supply chain issues. To understand how a compromised core network can be exploited, we described a steganography-based system able to execute various attacks and implemented a proof of concept. This framework should now be extended and evaluated against state-of-the-art detection mechanisms.

Objectives:

• Implement the framework in an open source 5G core network (such as Open5GS, Free5GC or OpenAirInterface).

• Perform tests on the feasibility of various attacks in this framework.

• Evaluate 5G intrusion detection and prevention approaches described in the literature.

Prerequisites

• Basic understanding of cellular radio communication (such as LTE and 5G NR), specifically its architecture and protocols.

• Basic knowledge of network security.

• Solid knowledge of C/C++ and/or Golang.

 

Please include:

• a short CV

• a current overview of your grades

in your application.

For any questions or further details regarding this thesis and the application process, please don’t hesitate to contact:

• Julian Sturm (TUM), Email: julian.sturm@tum.de

Contact

Julian Sturm (TUM), Email: julian.sturm@tum.de

Supervisor:

Oliver Zeidler

Finding and Identifying Publicly Accessible 5G Core Networks

Keywords:
5G, 5G Core, Security, IP

Description

Mobile networks are now ubiquitous and part of our everyday lives. Due to their important role in public security and safety, they are classified as critical infrastructure and need to be protected accordingly. At the same time, 5G shifted from a closed system to a set of microservices designed to be deployed in dynamic environments such as (public) clouds. Previous research shows that critical systems are often identifiable from the internet with little to no protection (Bodenheim et al. 2014). For 5G, however, such data is lacking.

Objectives:

• Develop methods to identify components of open source 5G core networks (such as Open5GS, Free5GC and OpenAirInterface), as well as of commercial networks, based on their network fingerprint.

• Perform internet scanning to search for publicly accessible networks.

• Evaluate the prevalence of deployed security mechanisms (if the scans find accessible networks).

Prerequisites

• Basic understanding of cellular radio communication (such as LTE and 5G NR), specifically its architecture and protocols.

• Solid understanding of IP networks, specifically their architecture and protocols.

• Solid knowledge of Python or another suitable programming language.

 

Please include:

• a short CV

• a current overview of your grades

in your application.

For any questions or further details regarding this thesis and the application process, please don’t hesitate to contact:

• Julian Sturm (TUM), Email: julian.sturm@tum.de

Contact

Julian Sturm (TUM), Email: julian.sturm@tum.de

Supervisor:

Oliver Zeidler

Ongoing Theses

Extending Mininet to Support Basic IPX Functionality for a 5G Standalone (SA) Setup using Open5GS

Description

The introduction of 5G technology is transforming the telecommunications industry, offering enhanced connectivity and supporting advanced use cases such as IoT, ultra-reliable low-latency communications, and enhanced mobile broadband.

A key challenge in this ecosystem is enabling seamless 5G roaming between different mobile network operators (MNOs) across borders, which requires reliable interconnection via IP eXchange (IPX) networks.

This research internship aims to explore the feasibility of using Mininet, a network emulation tool, in conjunction with Open5GS, an open source 5G core network implementation, to emulate basic IPX functionality for 5G Standalone (SA) roaming use cases.

The focus will be on setting up the system, adding support for the needed protocols and integrating the Mininet IPX setup into the current LKN 5G Roaming Testbed.

Objectives

The primary objective of this internship is to extend Mininet’s capabilities to support basic IPX functionalities for a 5G SA setup. The research will focus on simulating the roaming scenario between a Visited Public Land Mobile Network (VPLMN) and a Home Public Land Mobile Network (HPLMN) using Open5GS.

Implementation objectives include (all are desirable, but if time runs short, a subset of them suffices):
• setting up Mininet and configuring it for this use case
• adding support for MPLS
• adding support for HTTP CONNECT
• adding support for PRINS
• adding support for GTP-U
• adding support for IPUPS
• integrating the Mininet IPX into the 5G Roaming Testbed

Supervisor:

Oliver Zeidler

Analysing the 5G Roaming Control Plane Connections and Evaluating their Security Capabilities

Keywords:
5G, Roaming, Core, Network Functions, IPX, SEPP, PRINS

Description

5G is the newest generation of mobile networks, allowing for higher data rates, lower latency and many new features like network slicing. Its central element is the 5G Core, which is a network of specialised Network Functions (NFs). One of these NFs is responsible for roaming connections. Roaming allows subscribers to connect to the internet via other network operators’ networks if they have a roaming agreement. Between two Public Land Mobile Networks (PLMNs) there are two standardised roaming modes: Local Break Out and Home Routed Roaming.

A major part of both roaming modes is the Security Edge Protection Proxy (SEPP), a 5G NF designed to establish and maintain a secure control plane connection between two PLMNs. Implementing it, or extending the existing implementation in Open5GS, will be an important part of this work. The SEPP is connected to other NFs in the same PLMN via Service Based Interfaces (SBIs) and to other PLMNs' SEPPs via the N32 interface.

The connection between two SEPPs is divided into the N32-c and N32-f interfaces. Via N32-c, the connection is established and the security mechanism for N32-f is negotiated. All control-plane messages between NFs of the visited and the home PLMN are then transmitted via N32-f. While N32-c is always secured with an end-to-end Transport Layer Security (TLS) connection, N32-f either uses end-to-end TLS as well or, alternatively, the 5G-specific PRotocol for N32 INterconnect Security (PRINS). PRINS applies application-layer protection end to end between the two SEPPs and additionally TLS on each hop. A single direct TLS connection is the stronger option, but it requires a direct link between both parties. In a roaming scenario with two countries thousands of kilometres apart, direct links are not always feasible; instead, the two PLMNs are connected via IP Exchange (IPX) networks. To route the messages reliably to their destinations, and to apply the modifications they are contracted for, the IPX providers need access to parts of the message content, which end-to-end TLS would hide from them. PRINS provides security for this option using the JSON Object Signing and Encryption (JOSE) framework: sensitive information elements are encrypted, the rest of the message is integrity protected, so that an intermediary can read and modify only what the two operators allow, and any other modification is detectable by the receiving SEPP.
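The following is an added illustration, not code from Open5GS, 3GPP or this thesis, of the point made above: with TLS terminated at an IPX hop, the intermediary can rewrite the message body unnoticed, whereas a JOSE signature applied by the sending SEPP lets the receiving SEPP detect it. It uses a compact JWS with HS256 (RFC 7515) over a constructed control-plane message; the shared N32-f key, the message body and the IPX behaviour are assumptions for the example. Real PRINS additionally encrypts selected information elements with JWE, derives its keys during the N32-c handshake and has a defined format for authorised IPX modifications, none of which is modelled here.

```python
"""Why PRINS adds application-layer protection on N32-f (illustrative model).

Constructed example. A compact JWS (RFC 7515, HS256) over a JSON message body
shows that an edit made by an IPX intermediary, which hop-by-hop TLS cannot
prevent, is detected by the receiving SEPP. Key, message and intermediary are
all assumed; this is not Open5GS or 3GPP code.
"""
import base64
import hashlib
import hmac
import json

# Assumed N32-f integrity key shared by the two SEPPs (illustration only).
N32F_KEY = b"example-n32f-integrity-key-do-not-use"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_message(payload: dict, key: bytes) -> str:
    """Sending SEPP: protect the message body with a compact HS256 JWS."""
    header = {"alg": "HS256"}
    signing_input = _b64url(_json_bytes(header)) + "." + _b64url(_json_bytes(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_message(token: str, key: bytes):
    """Receiving SEPP: return the payload if the signature verifies, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token choose it ("none", alg confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


def ipx_rewrites_payload(token: str, field: str, value) -> str:
    """Model of an IPX hop that terminates TLS and edits one field in the clear,
    keeping the original signature (it has no key to produce a new one)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload[field] = value
    return header_b64 + "." + _b64url(_json_bytes(payload)) + "." + sig_b64


def roaming_exchange(tamper: bool) -> dict:
    """hSEPP -> IPX -> vSEPP once; report whether the receiver accepted the body."""
    # Constructed message loosely modelled on an SBI request body (assumed content).
    message = {"supi": "imsi-001010000000001", "allowedNssai": ["1"], "amfId": "AMF-001"}
    token = sign_message(message, N32F_KEY)
    if tamper:
        token = ipx_rewrites_payload(token, "allowedNssai", ["1", "2"])
    received = verify_message(token, N32F_KEY)
    return {"accepted": received is not None, "payload": received}


if __name__ == "__main__":
    print("untampered:", roaming_exchange(tamper=False))
    print("IPX-modified:", roaming_exchange(tamper=True))
```

With plain hop-by-hop TLS the modified message in the second run would be indistinguishable from a genuine one at the visited SEPP; the signature is what turns the IPX edit into a verification failure.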

 

This work aims to implement N32-c and both options for the N32-f interface and investigate their differences regarding security, operability, and performance.

Prerequisites

• Basic understanding of 5G networks advantageous; especially of the 5G core network

    – interest and motivation to learn the system are sufficient

• Programming knowledge in C useful (for Open5GS)

• Interest in roaming functionalities and their security

Contact

Oliver Zeidler (oliver.zeidler@tum.de)

Supervisor:

Oliver Zeidler

Working Student for Implementing and Maintaining a 5G Roaming Testbed

Keywords:
5G, Roaming, Core Network, Network Functions

Description

5G is the newest generation of mobile networks, allowing for higher data rates, lower latency and many new features like network slicing. Its central element is the 5G Core, which is a network of specialised Network Functions (NFs). Roaming allows subscribers to connect to the internet via other network operators' networks if they have a roaming agreement. We are looking for a student to help implement and maintain a 5G Roaming testbed. At first, this is planned as an open source testbed leveraging Open5GS. Later, the plan is to connect this open source testbed to the LKN campus network.

This working student position may run in parallel to Master's theses with more focused implementation and evaluation work. The working student is welcome to follow up on this work with their own research internship or Master's thesis.

Objectives

The primary objective of this work is to help implement and maintain a 5G Roaming testbed. This testbed shall then be used for the investigation of security mechanisms and for performance measurements. Those are not the main job of the student, but the student is expected to help with them.

1. Work into 5G Roaming

2. Implement missing Roaming functionalities into Open5GS

3. Maintain Roaming Testbed

4. Connect open source 5G Roaming testbed with Campus Network (once possible)

5. Aid in security investigations

6. Aid in performance measurements

7. Potentially add other NFs later

Prerequisites

• Motivation and team spirit

• Basic understanding of 5G networks advantageous; especially of the 5G core network

    – interest and motivation to learn the system are sufficient

• Programming knowledge in C useful (for Open5GS)

• Interest in Roaming functionalities

• Interest in security

Contact

Oliver Zeidler (oliver.zeidler@tum.de)

Julian Sturm (julian.sturm@tum.de)

Supervisor:

Oliver Zeidler

Implementing and Evaluating 5G Roaming Scenarios in an Open Source Testbed

Keywords:
5G, Roaming, Core Network, Network Functions

Description

5G is the newest generation of mobile networks, allowing for higher data rates, lower latency and many new features like network slicing. Its central element is the 5G Core, which is a network of specialised Network Functions (NFs). One of these NFs is responsible for roaming connections. Roaming allows subscribers to connect to the internet via other network operators' networks if they have a roaming agreement. Between two Public Land Mobile Networks (PLMNs), there are two standardised roaming modes: Local Break Out and Home Routed Roaming. For Local Break Out Roaming, only the home network's control plane is accessed from the visited network, while the user data is transmitted directly to the Data Network (DN). For Home Routed Roaming, the user data is routed through the home network to the DN. This thesis aims to implement both roaming modes in an open source core network and compare them regarding chosen KPIs, e.g., latency or throughput. Open5GS would be the primary choice for the open source core network, as it already supports Local Break Out Roaming; Home Routed Roaming is not yet supported.

A major part of 5G roaming is the Security Edge Protection Proxy (SEPP), a 5G NF designed to establish and maintain a secure control plane connection between two PLMNs. Implementing it, or extending the existing implementation in Open5GS, will be an important part of this work. The SEPP is connected to other NFs in the same PLMN via Service Based Interfaces (SBIs) and to other PLMNs' SEPPs via the N32 interface.

The biggest difference between the two roaming scenarios lies in the data plane routing, so implementing the connection between two User Plane Functions (UPFs), the N9 interface, is necessary to connect two PLMNs. The newly introduced Inter PLMN User Plane Security (IPUPS) used for additional security on this connection is initially considered out-of-scope for this work but may be added later.

 

A security analysis of the control and user plane for both roaming modes concludes this work's contributions. A potential focal point is the control capabilities the home PLMN operator retains in Local Break Out Roaming.

Prerequisites

• Basic understanding of 5G networks advantageous; especially of the 5G core network

    – interest and motivation to learn the system are sufficient

• Programming knowledge in C useful (for Open5GS)

• Interest in roaming functionalities

• Interest in security would be nice, but is not required (it is not the main focus of the work)

Contact

Oliver Zeidler (oliver.zeidler@tum.de)

Julian Sturm (julian.sturm@tum.de)

Supervisor:

Oliver Zeidler

Possibilities of Localization Mechanisms in a 5G Lab Environment

Description

Mobile networks have long provided mechanisms for localization. This capability was improved with LTE, and new features in 5G allow even better positioning.

While some positioning methods are hard to recreate in a lab environment (such as Angle of Arrival, AoA), others are feasible (e.g. Enhanced Cell ID, E-CID). One goal is to identify which of them can be recreated on-site.

Additionally, not much is known about how widely commercial UEs support these localization mechanisms.

According to its documentation, the Amarisoft Callbox supports the NL1 interface between an external LMF and the built-in AMF. This can be used for an early prototype.

Minimum goals:

• Implement an LMF that is able to interact with the Amarisoft Callbox over NL1

• Evaluate which localization methods are suitable for lab-based testing

• Evaluate the prevalence of advertised localization mechanisms in commercial UEs

• Evaluate the implementation status of localization mechanisms in commercial UEs

• Evaluate whether the results can be explained by OS, baseband or other factors

• Find and evaluate possible attacks on the UE's location privacy

Extended goals:

• Implement LPP into Open5GS with AmariRAN or Open5GS with OAI

• Implement a demo in the 5GCube framework

Supervisor:

Oliver Zeidler, Julian Sturm

LFM Deep Dive: Understanding the Impact on 5G

Keywords:
5G, AKA, LFM, Security

Description

Linkability of Failure Messages (LFM) is a security flaw in the Authentication and Key Agreement (AKA) procedure: a UE answers a replayed authentication request differently depending on whether the request was originally issued for its own USIM, which lets an attacker recognise a specific subscriber.

The LFM flaw was first reported for 3G [2] and has also been shown to work in 5G [1]. Compared to IMSI catchers, using the flaw to identify nearby subscribers has two limitations. First, the attacker has to know the identity of the person of interest they are looking for; only subscribers with known identities can be detected, and it is not possible to learn the identity of an unknown subscriber without guessing it.

Second, LFM requires the attacker to probe every new device that connects to their fake base station once for every identity they are looking for. In addition, the attacker needs to contact an authentic mobile network to obtain authentication requests for each person of interest.

Due to these limitations, the LFM flaw is less powerful than the IMSI catchers used previously. The objective of this project is to examine the scalability and practicability of exploiting the flaw on a larger scale.
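To make the distinguishing signal concrete, the following is an added model of the LFM probe described above; it is not code from the cited papers or from any 3GPP implementation. The USIM's f1 MAC function is replaced by HMAC-SHA256 (real USIMs use MILENAGE or TUAK), the anonymity key is omitted and the sequence-number check is reduced to a strict-increase test; none of these simplifications changes the failure-message logic the attack relies on. The subscriber keys, identities and the single-cell attacker are constructed for the example.

```python
"""Simplified model of the Linkability of Failure Messages (LFM) flaw in AKA.

Constructed example, not from the cited papers or any 3GPP code. f1 is
replaced by HMAC-SHA256, the anonymity key is omitted and SQN acceptance is a
strict-increase check. A replayed authentication request is rejected with a MAC
failure by every subscriber except the one it was issued for, who has already
consumed its sequence number and therefore answers with a synchronisation
failure; that difference is what links the failure message to the identity.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def f1(k: bytes, rand: bytes, sqn: int, amf: bytes) -> bytes:
    """Stand-in for the MILENAGE f1 network authentication function (assumption)."""
    return hmac.new(k, rand + sqn.to_bytes(6, "big") + amf, hashlib.sha256).digest()[:8]


@dataclass
class AuthRequest:
    """RAND plus the AUTN fields the USIM needs (SQN sent in clear here, no AK)."""
    rand: bytes
    sqn: int
    amf: bytes
    mac: bytes


class HomeNetwork:
    """Issues authentication vectors for a subscriber identity."""

    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # identity -> (K, SQN_HE), constructed values

    def auth_request(self, supi: str) -> AuthRequest:
        k, sqn = self.subscribers[supi]
        sqn += 1
        self.subscribers[supi] = (k, sqn)
        rand = os.urandom(16)
        amf = b"\x80\x00"
        return AuthRequest(rand, sqn, amf, f1(k, rand, sqn, amf))


class USIM:
    """Subscriber side of AKA: verify MAC first, then freshness of SQN."""

    def __init__(self, supi: str, k: bytes):
        self.supi, self.k, self.sqn_ms = supi, k, 0

    def respond(self, req: AuthRequest) -> str:
        if not hmac.compare_digest(f1(self.k, req.rand, req.sqn, req.amf), req.mac):
            return "MAC failure"          # request was not issued for this USIM
        if req.sqn <= self.sqn_ms:
            return "Sync failure"         # genuine for this USIM, but replayed
        self.sqn_ms = req.sqn
        return "Success"


def lfm_probe(ues, target_supi: str, hn: HomeNetwork) -> dict:
    """Attacker with a fake base station: obtain one authentication request for the
    target, record it while the target completes a genuine authentication with
    it, then replay it to every attaching UE and compare the failure messages."""
    req = hn.auth_request(target_supi)
    for ue in ues:
        if ue.supi == target_supi:
            ue.respond(req)               # genuine run: target's SQN advances
    return {ue.supi: ue.respond(req) for ue in ues}


def lfm_demo() -> dict:
    """Three constructed subscribers; the attacker hunts for the second one."""
    keys = {f"imsi-00101000000000{i}": (bytes([i]) * 16, 0) for i in (1, 2, 3)}
    hn = HomeNetwork(dict(keys))
    ues = [USIM(supi, k) for supi, (k, _) in keys.items()]
    return lfm_probe(ues, "imsi-001010000000002", hn)


if __name__ == "__main__":
    for supi, answer in lfm_demo().items():
        print(supi, "->", answer)
```

The output shows the two limitations named above directly: the attacker needs a fresh authentication request per identity of interest, and every attaching device has to be probed with each of them, so the cost grows with the product of devices and targets.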

Supervisor:

Oliver Zeidler, Julian Sturm

Analysis of UE-initiated Signaling Storms and Their Impact on 5G Network Security

Keywords:
5G, Signaling Storm, UE initiated attacks, DDoS

Description

A signaling storm is a specific type of DDoS attack that emerges from frequent small-scale signaling activities of a group of compromised UEs. Normally, signaling messages are exchanged between UE and network to establish communication sessions and manage network resources. Signaling attacks abuse these regular procedures to generate a high number of signaling messages within a short period; the excessive signaling load increases network congestion and consumes control plane resources. In 5G, a UE must send a Registration Request to register with the 5G core before it can communicate. These initial registration messages carry UE-related information about identity, location and capabilities.

A recent research internship on signaling storms revealed that a flood of initial Registration Requests can generate significant signaling load and stress the network core. In the scope of that internship, a simulation environment was created using UERANSIM and Open5GS to investigate the impact of repeated initial Registration Requests from a botnet of hundreds of UEs on control plane resources. This Master's thesis builds a comprehensive research study on this initial observation: identifying further UE-initiated signaling attack scenarios that abuse regular UE signaling for registration, inter-slice handovers and mobility handovers, assessing the impact of these scenarios, and exploring possible detection methodologies.
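As an added example of the kind of detection logic the study is after, and not code from the internship, UERANSIM or Open5GS, the following detector reads constructed AMF-style log lines (the line format is an assumption), counts Registration Requests in a sliding window to spot the burst, and separately lists UEs that re-register abnormally often, which is the signature of a botnet repeating the initial registration rather than of many legitimate devices registering once. The thresholds are illustrative and would be tuned per deployment.

```python
"""Rate-based detector for an initial-registration flood at the AMF.

Added example, not code from the internship or from Open5GS/UERANSIM. Parses
constructed log lines of the assumed form
    "<seconds> <procedure> gnb=<id> ue=<id>"
and flags a signaling storm when Registration Requests in a sliding window
exceed a threshold; it also reports UEs that re-register unusually often.
"""
import re
from collections import Counter, deque

LOG_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<proc>\S+) gnb=(?P<gnb>\S+) ue=(?P<ue>\S+)$")


def parse_events(lines):
    """Yield (timestamp, procedure, gnb, ue) tuples; silently skip malformed lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield float(m["ts"]), m["proc"], m["gnb"], m["ue"]


def detect_registration_storm(lines, window_s=1.0, rate_threshold=50, per_ue_threshold=5):
    """Return peak Registration Requests per window, a storm verdict and repeat offenders."""
    events = sorted(parse_events(lines))
    regs = [(ts, gnb, ue) for ts, proc, gnb, ue in events if proc == "RegistrationRequest"]
    window = deque()
    peak, peak_at = 0, None
    for ts, _gnb, _ue in regs:
        window.append(ts)
        while window and ts - window[0] > window_s:   # drop events older than the window
            window.popleft()
        if len(window) > peak:
            peak, peak_at = len(window), ts
    per_ue = Counter(ue for _, _, ue in regs)
    repeaters = {ue: n for ue, n in per_ue.items() if n >= per_ue_threshold}
    return {
        "total_registrations": len(regs),
        "peak_rate": peak,            # registrations within the busiest window
        "peak_at": peak_at,
        "storm": peak > rate_threshold,
        "repeating_ues": repeaters,
    }


def build_sample_log(storm: bool = True) -> list:
    """Constructed log: 20 benign UEs registering once over 10 s, one non-registration
    message, one malformed line and, if requested, 30 bots that each send the
    Registration Request six times within 0.36 s."""
    lines = [f"{i * 0.5:.3f} RegistrationRequest gnb=gnb-1 ue=suci-benign-{i:02d}" for i in range(20)]
    lines.append("10.000 ServiceRequest gnb=gnb-1 ue=suci-benign-03")
    lines.append("this line is malformed and must be skipped")
    if storm:
        for bot in range(30):
            for rep in range(6):
                ts = 20.0 + (bot * 6 + rep) * 0.002
                lines.append(f"{ts:.3f} RegistrationRequest gnb=gnb-2 ue=suci-bot-{bot:02d}")
    return lines


if __name__ == "__main__":
    print("benign :", detect_registration_storm(build_sample_log(storm=False)))
    print("storm  :", detect_registration_storm(build_sample_log(storm=True)))
```

The two indicators are deliberately separate: a pure rate threshold also fires on a legitimate mass re-attach after an outage, whereas the per-UE repeat count singles out devices that restart registration without ever completing it, which is closer to the botnet behaviour observed in the internship.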

Motivation: 5G networks are designed to serve three types of connected services: Enhanced Mobile Broadband (eMBB), Ultra-Reliable Low-Latency Communications (URLLC) and Massive Machine-Type Communications (mMTC). The higher throughput, reliable connections and low latency of 5G networks are meant to meet users' requirements for uninterrupted and robust data exchange, and both industry and individual users rely heavily on seamless connectivity. However, numerous studies have shown that 5G networks are vulnerable to signaling threats and DDoS attacks, which are becoming more severe due to the growing number of mobile and IoT devices. Such attacks can increase latency and impair service availability. Most of the literature on this topic examines potential 5G threats, including signaling storms, and their effect on users, and some detection and prevention techniques have been proposed. Although these studies provide valuable information about signaling storms, it has not been investigated in particular how control plane resources can be exhausted by flooding UE-initiated, 5G-protocol-specific requests. This gap, the lack of concrete, reproducible descriptions of signaling attacks, is the main motivation of this study.

Objectives and Research Question: This work focuses on UE-initiated DDoS attacks targeting the control plane resources of 5G networks and asks whether these attacks can have a severe impact on a practical 5G test setup. To this end, signaling procedures, particularly those involving the NAS and NGAP protocols, will be explored to identify scenarios for UE-initiated signaling attacks. The characteristics of the identified scenarios will be derived by theoretical analysis. The remaining objectives are to reproduce these scenarios in experiments with appropriate simulation tools, to evaluate the impact of the attacks on the network and on user experience, and to investigate detection solutions for signaling storms.

Challenges: The identified scenarios must be demonstrated and analysed to study the research question, which poses two main challenges. Designing a simulation environment for realistic attack reproduction is elaborate and requires choosing the most suitable solutions for simulating UE, gNB and 5GC among the existing ones. The simulation environment cannot completely replace a real 5G network, so there will be restrictions. The second challenge is therefore to design the experiments so that general statements about 5G security threats can be derived from the observations made during them.

Contribution: This thesis addresses signaling attacks on the control plane of 5G networks by identifying concrete signaling scenarios that generate excessive message floods, analysing them, and demonstrating them to assess their impact on the network. The simulation environment allows the reproduction of various attacks in order to derive their characteristics, which are required for detection that distinguishes benign from malicious communication patterns. Overall, this work contributes to the improvement of 5G network security.

Supervisor:

Oliver Zeidler, Maximilian Stephan, Tim Niehoff (IPOQUE)