
Security Analysis

Protecting networks in production



Security Standard Assurance
One for All

The 3GPP Security Assurance Specification (SCAS) defines a set of test cases for mobile network equipment, with one selection per component type (e.g., TS 33.511 for the gNB, TS 33.512 for the AMF). As soon as a component satisfies all tests in its selection, it can be considered secure according to the specification. Automatic testing reduces the overhead and the domain knowledge needed for accurate tests. At the same time, it delivers reproducible and comparable results that apply the same independent standard to every tested component.

5G Campus
Section   | Name                                                        | Test Case                        | Result
----------+-------------------------------------------------------------+----------------------------------+-------
4.2.2.1.1 | Integrity Protection of RRC-Signalling                      | TC-CP-DATA-INT-RRC-SIGN-gNB      |
4.2.2.1.2 | Integrity Protection of User Data between the UE and the gNB | TC-UP-DATA-INT-gNB               |
4.2.2.1.4 | RRC Integrity Check Failure                                 | TC-CP-INT-CHECK-FAILURE-gNB      |
4.2.2.1.5 | UP Integrity Check Failure                                  | TC-UP-INT-CHECK-FAILURE-gNB      |

Threat Analysis
Flaws and Attacks

The test cases specified in SCAS are only the tip of the iceberg. They provide a first guideline for a common security baseline, but they cannot cover every potential threat, nor every aspect of a technical flaw. With nearly a decade of experience in mobile security research, we know what can go wrong. For demanding use cases, we provide an extended threat analysis that goes beyond the limitations of SCAS. Our security analysis identifies threats and potential attacks together with the technical flaws in mobile network components that enable them.

5G Phone and SIM


AMF SCAS Evaluation

The Security Assurance Specification (SCAS) defines a set of test cases that verify the security of a mobile network component; for the AMF these are specified in 3GPP TS 33.512. Applying these test cases automatically enables systematic and reproducible testing. In the following, we show exemplary SCAS results for a 5G AMF and explain the analysis procedure.

Probing Setup

The AMF is a core network component. To analyze its security, we use a probe that combines a UE and a base station (gNB) component. The probe connects directly to the AMF over the AMF's standard gNB-facing interface (N2) and applies the SCAS test cases dynamically: it sends NAS and NGAP messages exactly as a real UE and gNB would, with the message contents (e.g., the UE security capabilities or the RES* value) varied per test case, and evaluates the AMF's responses against the expected behaviour.

4.2.2.1.2  RES* Verification Failure Handling
  Test case:   TC-RES*-VERIFICATION-FAILURE
  Threat:      RES* Verification Failure
  Category:    Denial of Service
  Asset:       Sufficient Processing Capacity
  Description: If a malicious UE initiates a registration request using a SUCI and this request is followed by primary authentication in which an incorrect RES* is sent to the network, the RES* verification fails. If this failure is not handled correctly, e.g., the AMF/SEAF does not reject the registration request directly or initiates a new authentication procedure with the UE, system resources are wasted.

4.2.2.6.1  Invalid or Unacceptable UE Security Capabilities Handling
  Test case:   TC-UE-SEC-CAP-HANDLING-AMF
  Threat:      Invalid or Unacceptable UE Security Capabilities
  Category:    Tampering of Data, Information Disclosure
  Asset:       User Account Data and Credentials, Mobility Management Data
  Description: A flawed AMF implementation that accepts insecure or invalid UE security capabilities may put User Plane and Control Plane traffic at risk without the operator being aware of it. If the AMF accepts the NULL ciphering algorithm and/or the NULL integrity protection algorithm from the UE security capabilities, all subsequent NAS, RRC, and UP messages are not confidentiality and/or integrity protected. An attacker can then easily intercept or tamper with control plane and user plane data, resulting in information disclosure as well as tampering of data.

4.2.2.3.3  NAS Integrity Algorithm Selection and Use
  Test case:   TC-NAS-INT-SELECTION-USE-AMF
  Threat:      NAS Integrity Selection and Use
  Category:    Tampering of Data, Information Disclosure, Denial of Service
  Asset:       Sufficient Processing Capacity, Control Plane Signalling
  Description: If NAS does not use the highest-priority algorithm, the NAS layer risks being exposed and/or modified, or being exposed to denial of service.

4.2.2.3.3+ NAS Integrity Algorithm Selection and Use (+)
  Test case:   TC-NAS-INT-SELECTION-USE-AMF+
  Threat:      NAS Integrity Selection and Use
  Category:    Tampering of Data, Information Disclosure, Denial of Service
  Asset:       Sufficient Processing Capacity, Control Plane Signalling
  Description: Extended variant of 4.2.2.3.3 covering all capability combinations. If NAS does not use the highest-priority algorithm, the NAS layer risks being exposed and/or modified, or being exposed to denial of service.

4.2.2.1.1  Synchronization Failure Handling
  Test case:   TC-SYNC-FAIL-SEAF-AMF
  Threat:      Resynchronization
  Category:    Denial of Service
  Asset:       Sufficient Processing Capacity
  Description: If RAND and AUTS are not included when synchronization fails, the resynchronization procedure does not work correctly. This can waste system resources and deny a legitimate user access to the system.

4.2.2.3.1  Replay Protection of NAS Signalling Messages
  Test case:   TC-NAS-REPLAY-AMF
  Threat:      Bidding Down
  Category:    Tampering of Data, Information Disclosure
  Asset:       User Account Data and Credentials
  Description: If the NAS Security Mode Command (SMC) does not include the complete initial NAS message when either the AMF requested it or the UE sent the initial NAS message unprotected, the UE can force the system to reduce its security level by using weaker security algorithms or turning security off, making the system easily attacked and/or compromised.

4.2.2.3.2  NAS NULL Integrity Protection
  Test case:   TC-NAS-NULL-INT-AMF
  Threat:      NAS NULL Integrity Protection
  Category:    Elevation of Privilege
  Asset:       Sufficient Processing Capacity
  Description: If NAS NULL integrity protection is used outside of emergency call scenarios, an attacker can initiate unauthenticated non-emergency calls.

4.2.2.4.1  Bidding Down Prevention in Xn-Handover
  Test case:   TC-BIDDING-DOWN-XN-AMF
  Threat:      Bidding Down on Xn-Handover
  Category:    Tampering of Data, Information Disclosure
  Asset:       User Account Data and Credentials
  Description: If the AMF cannot verify that the 5G security capabilities received from the source gNB via the target gNB are the same as the UE security capabilities the AMF has stored, the source gNB may force the system to accept a weaker security algorithm than it is allowed to use, lowering the security level and making the system easily attacked and/or compromised.

4.2.2.4.2  NAS Protection Algorithm Selection in AMF Change
  Test case:   TC-NAS-ALG-AMF-CHANGE
  Threat:      NAS Integrity Protection Algorithm Selection in AMF Change
  Category:    Tampering of Data, Information Disclosure
  Asset:       User Account Data and Credentials
  Description: If the new AMF does not select the highest-priority NAS integrity protection algorithm during an AMF change, it could end up using a weaker algorithm, lowering the security level and making the system easily attacked and/or compromised.

4.2.2.5.1  5G-GUTI Allocation
  Test case:   TC-5G-GUTI-ALLOCATION
  Threat:      Failure to Allocate New 5G-GUTI
  Category:    Information Disclosure
  Asset:       Mobility Management Data
  Description: If the AMF does not allocate a new 5G-GUTI in certain registration scenarios (i.e., on receiving a Registration Request of type "initial registration", a Registration Request of type "mobility registration update", or a Service Request sent by the UE in response to a Paging message), an attacker could keep tracking the user via the old 5G-GUTI after these procedures.

Failure Analysis


4.2.2.6.1 Invalid or Unacceptable UE Security Capabilities Handling

There is a list of encryption and integrity algorithms that are mandatory to implement: NEA0, NEA1, NEA2, NIA0, NIA1, NIA2. If the UE Security Capabilities do not include all of these algorithms, the capability set is invalid and the connection should not be accepted. The table below shows examples of combinations that the AMF accepted but should have rejected. Each such combination causes the test case to fail.

Over all 256 permutations of the eight capability bits (NEA0 to NEA3 and NIA0 to NIA3), the AMF produced the expected verdict in only 68 cases.

Encryption (NEA) | Integrity (NIA) | Expected | Result
0 1 2 3          | 0 1 2 3         |          |
-----------------+-----------------+----------+-------
(capability bits of the three example rows not shown)
                 |                 | Reject   | Accept
                 |                 | Reject   | Accept
                 |                 | Reject   | Accept

4.2.2.3.3+ NAS Integrity Algorithm Selection and Use (+)

The UE offers a set of encryption and integrity algorithms that can be used for the connection. The AMF is responsible for selecting one algorithm of each type according to a configured priority list. This configuration depends on the network setup and differs between deployments; what matters is that the AMF selects strictly according to its priority list. In our example test, we define the encryption algorithm priorities as NEA0, NEA1, NEA2 and the integrity algorithm priorities as NIA2, NIA1, NIA0 (each from high to low priority).

When only the positive combinations of algorithms are exercised, the test succeeds (see 4.2.2.3.3). Testing all possible combinations, in contrast, reveals the non-compliant behaviour of the AMF and leads to a failing test (see 4.2.2.3.3+). In this extended version, the AMF selected the expected algorithm in only 80 out of 192 permutations. The example below shows one failing combination: the UE offers every integrity algorithm, so the AMF should pick the highest-priority one, NIA2, but it selects NIA1.

Type       | UE Capabilities        | AMF Priorities   | Expected | Selected
-----------+------------------------+------------------+----------+---------
Encryption | NEA0, NEA1, NEA2, NEA3 | NEA0, NEA1, NEA2 | NEA0     | NEA0
Integrity  | NIA0, NIA1, NIA2, NIA3 | NIA2, NIA1, NIA0 | NIA2     | NIA1
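To make the two checks behind the failure analyses above (4.2.2.6.1 and 4.2.2.3.3+) concrete, here is an added Python model. It is example code written for this page, not the probe described here and not any AMF implementation. It encodes UE security capabilities the way the NAS UE security capability IE lays them out (TS 24.501: octet 3 carries 5G-EA0..7 from the most significant bit downwards, octet 4 the integrity algorithms in the same order; only NEA0..3 and NIA0..3 are modelled), derives the expected verdict of 4.2.2.6.1 from the mandatory-algorithm set and the expected choice of 4.2.2.3.3 from the priority list, and drives both over every permutation, as the page's tests do. The two "flawed" AMF models are constructed for illustration only; nothing here sends NAS over N2.

```python
"""Models of the AMF checks behind 4.2.2.6.1 and 4.2.2.3.3+ (added example)."""
from itertools import combinations, product

# UE security capability IE (TS 24.501, clause 9.11.3.54): octet 3 carries
# 5G-EA0..5G-EA7 from bit 8 (MSB) down to bit 1, octet 4 the integrity
# algorithms in the same order.  Only NEA0..3 / NIA0..3 are modelled here.
NEA = {f"NEA{i}": 0x80 >> i for i in range(4)}
NIA = {f"NIA{i}": 0x80 >> i for i in range(4)}

# Mandatory-to-implement algorithms (TS 33.501): a capability set missing any
# of them is invalid and the registration is expected to be rejected.
MANDATORY_NEA = {"NEA0", "NEA1", "NEA2"}
MANDATORY_NIA = {"NIA0", "NIA1", "NIA2"}


def encode_capabilities(nea, nia):
    """Capability octets a probe UE would place in its Registration Request."""
    return bytes([sum(NEA[a] for a in nea), sum(NIA[a] for a in nia)])


def decode_capabilities(octets):
    """Inverse of encode_capabilities: two octets -> (NEA set, NIA set)."""
    nea = {name for name, bit in NEA.items() if octets[0] & bit}
    nia = {name for name, bit in NIA.items() if octets[1] & bit}
    return nea, nia


def capabilities_valid(nea, nia):
    """Expected AMF verdict for 4.2.2.6.1: True = accept, False = reject."""
    return MANDATORY_NEA <= set(nea) and MANDATORY_NIA <= set(nia)


def select_algorithm(priorities, offered):
    """Expected choice for 4.2.2.3.3: the first entry of the operator's
    priority list (high to low) that the UE offers, or None if disjoint."""
    return next((alg for alg in priorities if alg in offered), None)


def run_capability_test(amf_accepts):
    """Drive 4.2.2.6.1 over all 256 permutations of the eight capability bits.

    amf_accepts(octets) -> bool models the AMF under test.  Returns how many
    permutations produced the expected verdict and the list of mismatches as
    (offered NEA, offered NIA, expected, observed)."""
    passed, failures = 0, []
    for ea, ia in product(range(16), repeat=2):
        octets = bytes([ea << 4, ia << 4])      # bits 8..5 hold NEA0..3 / NIA0..3
        nea, nia = decode_capabilities(octets)
        expected = capabilities_valid(nea, nia)
        observed = amf_accepts(octets)
        if observed == expected:
            passed += 1
        else:
            failures.append((sorted(nea), sorted(nia), expected, observed))
    return passed, failures


def run_selection_test(priorities, amf_select, algorithms):
    """Drive 4.2.2.3.3+ over every non-empty subset of `algorithms` the UE
    could offer.  amf_select(priorities, offered) -> str|None models the AMF."""
    passed, failures = 0, []
    for r in range(1, len(algorithms) + 1):
        for offered in combinations(algorithms, r):
            expected = select_algorithm(priorities, offered)
            observed = amf_select(priorities, offered)
            if observed == expected:
                passed += 1
            else:
                failures.append((offered, expected, observed))
    return passed, failures


# --- Constructed AMF models for illustration; not any vendor's behaviour ---
def correct_amf_accepts(octets):
    return capabilities_valid(*decode_capabilities(octets))


def lax_amf_accepts(octets):
    """Flaw: accepts as soon as any ciphering and any integrity bit is set."""
    return octets[0] != 0 and octets[1] != 0


def lowest_nonnull_amf_select(priorities, offered):
    """Flaw: ignores the priority order and takes the lowest-numbered non-NULL
    algorithm both sides support, falling back to the NULL algorithm."""
    common = [alg for alg in priorities if alg in offered]
    non_null = sorted(alg for alg in common if not alg.endswith("0"))
    return non_null[0] if non_null else (common[0] if common else None)


if __name__ == "__main__":
    ok, _ = run_capability_test(correct_amf_accepts)
    bad, fails = run_capability_test(lax_amf_accepts)
    print(f"4.2.2.6.1  correct AMF {ok}/256, lax AMF {bad}/256, e.g. {fails[0]}")
    nia_prio = ["NIA2", "NIA1", "NIA0"]
    good, _ = run_selection_test(nia_prio, select_algorithm, sorted(NIA))
    weak, fails = run_selection_test(nia_prio, lowest_nonnull_amf_select, sorted(NIA))
    print(f"4.2.2.3.3+ correct AMF {good}/15, flawed AMF {weak}/15, e.g. {fails[-1]}")
```

The enumeration shows why a positive-only check can pass while the exhaustive variant fails: the constructed selection flaw agrees with the expected NIA2/NIA1/NIA0 choice for every offered subset except the four that contain both NIA1 and NIA2, so a test that only tries the full capability set once, or only checks that some listed algorithm was chosen, never sees the deviation. The same holds for the lax capability check, which returns the expected verdict only where no ciphering or no integrity bit is set at all.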

Test Report



The test report documents the results of our exemplary automatic SCAS evaluation of an AMF. It gives a general overview of the test setup, the overall test statistics, and details on each individual test case. These details include the applied sub-tests, e.g., the combinations of UE Security Capabilities sent to the network, and for each of them the observed result next to the expected one, so that the overall pass or fail verdict of the test case is traceable.


Please refer to the official SCAS specification for a detailed overview of the test cases and their characteristics.