The Security Assurance Specification (SCAS) defines a set of test cases for mobile network equipment. As soon as a component satisfies all tests in their selection, e.g., for the base station, it can be considered secure according to the specification. Automatic testing reduces the overhead and domain-knowledge needed for accurate tests. At the same time, it delivers reproducible and comparable results that assure the same independent standard for each tested component.
|184.108.40.206.1||Integrity Protection of RRC-Signalling||TC-CP-DATA-INT-RRC-SIGN-gNB|
|220.127.116.11.2||Integrity Protection of User Data between the UE and the gNB||TC-UP-DATA-INT-gNB|
|18.104.22.168.4||RRC Integrity Check Failure||TC-CP-INT-CHECK-FAILURE-gNB|
|22.214.171.124.5||UP Integrity Check Failure||TC-UP-INT-CHECK-FAILURE-gNB|
The specified test cases of SCAS are only the tip of the ice berg. They provide a first guideline for a common security standard, but the test cases cannot cover all potential threats or even aspects of a technical flaw. With nearly a decade of experience in mobile security research, we know what can go wrong. For demanding use cases, we provide an extended threat analysis that goes beyond the limitations of SCAS. Our security analysis indicates threats and potential attacks along with technical flaws in mobile network components.
The Security Assurance Specification (SCAS) defines a set of test cases that verify the security of a mobile network component. The automatic application of these test cases holds many opportunities for systematic and reproducible testing. In the following, we provide exemplary SCAS results for a 5G AMF and explain the analysis procedure.
The AMF is a core network component. To analyze its security, we use a probe that combines a UE and a base station component. The probe directly connects to the AMF and applies the SCAS test cases dynamically. To achieve this, the probe sends and receives information through the standard interfaces of the core network and the AMF.
|126.96.36.199.2||RES* Verification Failure Handling||TC-RES*-VERIFICATION-FAILURE||RES* Verification Failure||Denial of Service||If a malicious UE initiates a registration request using a SUCI and this request is followed by primary authentication in which an incorrect RES* is sent to the network, then the RES* verification will fail. In this case, if the RES* verification failure is not handled correctly, e.g., AMF/SEAF does not reject the registration request directly, or initiates a new authentication procedure with the UE, this would result in waste of system resources.||Sufficient Processing Capacity|
|188.8.131.52.1||Invalid or Unacceptable UE Security Capabilities Handling||TC-UE-SEC-CAP-HANDLING-AMF||Invalid or Unacceptable UE Security Capabilities||Tampering of Data, Information Disclosure||A flawed AMF implementation accepting insecure or invalid UE security capabilities may put User Plane and Control Plane traffic at risk, without the operator being aware of it. If NULL ciphering algorithm and/or NULL integrity protection algorithm of the UE security capabilities is accepted by the AMF, all the subsequent NAS, RRC, and UP messages will not be confidentiality and/or integrity protected. The attacker can easily intercept or tamper control plane data and the user plane data. This can result in information disclosure as well as tampering of data.||User Account Data and Credentials, Mobility Management Data|
|184.108.40.206.3||NAS Integrity Algorithm Selection and Use||TC-NAS-INT-SELECTION-USE-AMF||NAS Integrity Selection and Use||Tampering of Data, Information Disclosure, Denial of Service||If NAS does not use the highest priority algorithm, NAS layer risks being exposed and/or modified or being exposed to denial of service.||Sufficient Processing Capacity, Control Plane Signalling|
|220.127.116.11.3+||NAS Integrity Algorithm Selection and Use (+)||TC-NAS-INT-SELECTION-USE-AMF+||NAS Integrity Selection and Use||Tampering of Data, Information Disclosure, Denial of Service||If NAS does not use the highest priority algorithm, NAS layer risks being exposed and/or modified or being exposed to denial of service.||Sufficient Processing Capacity, Control Plane Signalling|
|18.104.22.168.1||Synchronization Failure Handling||TC-SYNC-FAIL-SEAF-AMF||Resynchronization||Denial of Service||If RAND and AUTS are not included when synchronization fails, the resynchronization procedure does not work correctly. This can result in waste of system resources and deny a legitimate user access to the system.||Sufficient Processing Capacity|
|22.214.171.124.1||Replay Protection of NAS Signalling Messages||TC-NAS-REPLAY-AMF||Bidding Down||Tampering of Data, Information Disclosure||If SMC does not include the complete initial NAS message if either requested by the AMF or the UE sent the initial NAS message unprotected, the UE can force the system to reduce the security level by using weaker security algorithms or turning security off, making the system easily attacked and/or compromised.||User Account Data and Credentials|
|126.96.36.199.2||NAS NULL Integrity Protection||TC-NAS-NULL-INT-AMF||NAS NULL Integrity Protection||Elevation of Privilege||If NAS NULL integrity protection is used outside of emergency call scenarios, an attacker can initiate unauthenticated non-emergency calls.||Sufficient Processing Capacity|
|188.8.131.52.1||Bidding Down Prevention in Xn-Handover||TC-BIDDING-DOWN-XN-AMF||Bidding Down on Xn-Handover||Tampering of Data, Information Disclosure||If AMF cannot verify that the 5G security capabilities received from source gNB via the target gNB are the same as the UE security capabilities that the AMF has stored, the source gNB may force the system to accept a weaker security algorithm than the system is allowed forcing the system into a lowered security level making the system easily attacked and/or compromised.||User Account Data and Credentials|
|184.108.40.206.2||NAS Protection Algorithm Selection in AMF Change||TC-NAS-ALG-AMF-CHANGE||NAS Integrity Protection Algorithm Selection in AMF Change||Tampering of Data, Information Disclosure||If the highest priority NAS integrity protection is not selected by the new AMF in AMF change, the new AMF could end up using a weaker algorithm forcing the system into a lowered security level making thee system easily attacked and/or compromised.||User Account Data and Credentials|
|220.127.116.11.1||5G-GUTI Allocation||TC-5G-GUTI-ALLOCATION||Failure to Allocate New 5G-GUTI||Information Disclosure||If a new 5G-GUTI is not allocated by AMF in certain registration scenarios (i.e. receiving Registration Request message of type "initial registration", receiving Registration Request message of type "mobility registration update", receiving Service Request message sent by the UE in response to a Paging message), an attacker could keep on tracking the user using the old 5G-GUTI after these registration procedures.||Mobility Management Data|
There is a list of encryption and integrity algorithsm that are mandatory to implement: NEA0, NEA1, NEA2, NIA0, NIA1, NIA2. If the UE Security Capabilities do not include one of these algorithms, the connection should not be accepted. The table below shows examples of combinations that have been accepted by the AMF and that should have been rejected. This causes the test case to fail.
|Encryption (NEA)||Integrity (NIA)|
The UE offers a set of encryption and integrity algorithms that can be used in the connection. The AMF has the responsibility to select one algorithm each according to a configured priority list. This configuration depends on the setup of the network and differ across multiple configurations. However, it is important to select the algorithm according to this priority list. In our example test, we define the encryption algorithm priorities as NEA0, NEA1, NEA2 and the integrity algorithm priorities as NIA2, NIA1, NIA0 (from high to low priority).
When focusing on positive combinations of algorithms only, the test succeeds (see 18.104.22.168.3). In contrast to this, the test of all possible combinations reveals the violating behavior of the AMF and leads to a failing test (see 22.214.171.124.3+). In this extended version, the test succeeded in 80 out of 192 permutations.
|Encryption||NEA0, NEA1, NEA2, NEA3||NEA0, NEA1, NEA2||NEA0||NEA0|
|Integrity||NIA0, NIA1, NIA2, NIA3||NIA2, NIA1, NIA0||NIA2||NIA1|
The test report documents the analysis results of our exemplary automatic SCAS evaluation of an AMF. It includes a general overview of the test setup, documents the overall test statistics, and provides details about the individual test cases. These details consist of an overview of the applied sub-tests, e.g., the combinations of UE Security Capabilities that are sent to the network. For each test case, we provide these test details and compare the observed with the expected result to justify the overall passing or failing test result.