5G installations are becoming increasingly present in our lives and will introduce significant changes in how traffic demand, which keeps growing over time, is handled. The development of 5G is not only an evolution in terms of speed; it is also being adapted to many contexts: medical, energy, industry, transportation, etc. In this article, we will briefly introduce the 5G network and, taking as an example the assessment we did with the DeeperCut team to place 3rd in the PwC & Aalto 5G Cybersecurity challenge, present possible attacks as well as the tools we developed at Penthertz.
With the introduction of the packet service, mobile user equipment (UE) can use the IP communication protocol. Without proper routing and filtering of UE communications, sensitive assets on the operator's infrastructure, such as core network services, could be exposed. Mobile operators are generally aware of this attack vector and apply suitable mechanisms to avoid risk from the subscriber context. Nevertheless, those mechanisms differ from one operator to another, and their effectiveness varies. Research in mobile networks is evolving rapidly with the development of SDR (Software-Defined Radio) and SDN (Software-Defined Networking), which introduce new kinds of architectures. These new architectures are mostly cloud-based systems and include new features that need time to be understood and to mature fully from a deployment perspective. In addition, with the research progress on SDR-based 4G and 5G-NR NSA networks, new services such as private mobile networks have also appeared inside organizations. However, in that case all security procedures and mechanisms are provided by the organization itself. This post is an overview of previous assessments of commercial and public private GPRS and LTE mobile network solutions, and of 5G-NR NSA setups.
When assessing the security of LoRa devices, as with any other RF technology, we must deal with unknown radio parameters and with data/payloads we need to understand in order to complete our mission. Moreover, understanding these parameters and data may help to find interesting issues to exploit (clear-text communication, weak keys, protocol stack vulnerabilities). In this post, we will briefly present LoRa and its different security modes, and then focus on RF techniques to detect, demodulate and decode LoRa signals. Additionally, we will introduce some scripts we have written to decode and generate LoRa PHY and MAC payloads, brute-force keys and, finally, fuzz some protocol stacks.