5G Radio and Next-Generation Core Networks Hacking

Part 1: 5G radio

Day 1 will introduce the 5G NSA mode and the SA mode, which should appear in many countries in the fall of 2022. During this day, we will also introduce the radio aspect, the tools, and the setup to organize our RF assessments with Software-Defined Radio

Theory

• Introduction to mobile networks and protocols (2G/3G/4G/5G)
• Differences between 5G NSA and SA
• Security mechanism on the radio
• SIM/USIM/ISIM cards
• Equipment and tools for our tests
• Incoming tools
• Possible attacks on 5G-NR
• How to safely assess 5G devices
• Hunting for vulnerabilities

Assignment 1: Manipulating secrets

• Looking in-depth secrets generated during a registration
• Manipulating them

Assignment 2: Observations and fingerprinting

• Running a 5G virtual network
• Inspecting captures
• Fingerprinting devices

Assignment 3: Setup a 5G NSA network

• Setup a 5G NSA network with Software-Defined Radio
• Configuring an ISIM card

Assignment 4: Setup a 5G SA network

• Setup a 5G SA network with Software-Defined Radio
• Alternatives

Assignment 5: Capture The Flag

• Analyzing communications between a client and a network
• Capturing the secrets

Part 2: 5G Core Networks

The last day will be an opportunity to see the core network side, which could be very interesting when the operator exposes some nodes outside, as was the case many times. Moreover, it will focus more on the Standalone mode, which will drastically change from 2G-4G infrastructures and applications.

During this day, attendees will also realize why it is crucial to not only rely on the 5G-NR security mechanisms but also provide additional countermeasures in devices.

Theory

• Introduction of the 5G SA infrastructure and REST APIs
• Security Mechanisms
• Possible attacks
• Hunting for exposed nodes/gateways
• Our latest feedbacks

Assignment 1: Hunting and intruding exposed nodes

• Mapping a cloud
• Look for exposed services
• Finding and exploiting vulnerabilities to intrude the service

Assignment 2: REST API attacks

• Attacking the API to get persistent
• Hijack communications
• Looking at 2 different Open-sourced stacks

Assignment 3: Attack devices

• Map devices in remote from the exposed network
• Find and exploit vulnerabilities on devices

Part 3: OpenRAN

OpenRAN represents a good opportunities for manufacturers that are not part of the telecom ecosystem. This technology revisits all the architectures of a RAN with open-sources blocks and new AI concepts to handle and scale a network. But this new technology that is sold to be secure using open-sources blocks can also introduce new vulnerabilities and vectors of attacks.

In this section, we will learn about OpenRAN, and how to attack and secure such a network.

Theory

• Introduction to RANs
• OpenRAN’s architectures
• Introduction to containers and Kubernetes
• Current tools and attacks

Assignment 1: Fingerprinting OpenRAN network

• Mapping OpenRAN assests
• Enumerating vulnerabilities
• Looking for interesting vectors

Assignment 2: Attacking the network

• Intruding a network
• Pivoting
• Backdooring applications

Assignment 3: Securing

• Avoid misconfigurations
• Testing and auditing a setup in the cloud

The content of private trainings can be arranged depending on your needs. We also provide additional content as follows:

• More practical attacks on vRAN and OpenRAN
• Fuzzing the core network protocol stacks
• etc.

• Knowledge of Linux administration
• Understanding of pentesting (network and applications) or Red teaming is also a plus
• All attendees must have a laptop running Linux, with 8GB of RAM min.
• Basic knowledge of radio is not mandatory but is a plus