Landslide 5G Core Vulnerability Testing
If there’s one big lesson in network security over the past two decades, it’s that there’s no such thing as a “fully secured” perimeter. You can build the biggest, scariest firewall around your environment, but that won’t necessarily keep you protected. Worse, focusing on the perimeter can lull you into complacency. By imagining you’ve kept the bad guys outside, you can fail to pay close enough attention to what’s happening inside. As some companies learned the hard way, if you’re overly dependent on the firewall, and an attacker manages to sneak past, they can do whatever they want.
Modern organizations take a more holistic approach to security, staying vigilant against threats both inside the firewall and out. But there’s been one notable exception, where defenses still tilt towards the perimeter: mobile networks. Mobile environments are inherently less vulnerable, as carriers can strictly control which devices they allow onto the network. Now though, these networks are undergoing massive change. As telco infrastructures evolve into virtualized network functions (NFs) running in service-based architectures, the threat surface grows. Suddenly, there are more potential vulnerabilities—and more ways for attackers to try to insert threats into the network.
As part of our Landslide testing suite, Spirent offers a broad set of vulnerability tests for 5G Core networks. These include the full complement of 3GPP Security Assurance Specification (SCAS) test recommendations—plus additional vulnerability tests—and the ability to fully automate this testing. These 5G security testing capabilities, currently available only from Spirent, provide essential protection for modern networks. In fact, operators already rely on them to continually verify that they’ve closed off vulnerabilities in the network and can spot threats trying to exploit them.
Meeting the 5G Security Threat
Bringing virtualized, cloud-optimized 5G architectures to telco networks can unlock huge benefits for service providers. At the same time though, this evolution creates an infrastructure that’s far more dynamic and complex. Rather than running as monolithic applications, 5GC networks employ a disparate mix of software NFs constantly exchanging data—and continually receiving patches and updates. This ever-shifting software landscape creates a larger threat surface for malicious actors to try to exploit, since every NF update could potentially open a new vulnerability.
Security gaps can arise across authentication, authorization, encryption, and system-hardening in multiple suppliers’ NFs. If these vulnerabilities are exploited, attackers could launch distributed denial of service (DDoS), man-in-the-middle (MitM), and other attacks from inside the network. Such attacks could cause significant damage—compromising subscriber data, disrupting critical operations, even bringing down the network.
Why then don’t we see more industry voices raising urgent alarms about these threats? Partly due to the longstanding perception that telecom networks are relatively secure. After all, telco networks authorize every device registering to the network—including verifying that required security features are enabled—and block non-compliant devices at the perimeter. The problem is that, historically, once a device gets in, the network stops paying close attention to its behavior. And unfortunately, devices are trivially easy to hack. As a result, every smartphone in the network—and soon, millions of Internet of Things (IoT) devices—becomes a potential entry point for threats. Additionally, attacks can occur over control plane messages that are constantly exchanged between NFs.
For example, even if the network verifies that a device has the right security enabled when registering, an attacker could switch off those features later, during a handoff between cells. If the new cell doesn’t detect this change, there is now a non-compliant “trusted” device passing traffic in the network. (One of Landslide’s 5GC security tests checks for exactly this vulnerability.)
Fortunately, 3GPP takes the threat of 5G architectural vulnerabilities seriously. Through SCAS (TR 33.926), 3GPP provides a set of recommended vulnerability tests for NFs in 5G networks. And a growing number of regulators now mandate that operators regularly conduct and pass these tests.
Testing 5G Security with Landslide
Today, there are two options to perform SCAS testing: You can set up testbeds, download and run all SCAS tests for each NF in your network, examine trace logs to see if the network correctly detected and blocked the malicious behavior, and repeat the whole process after every NF software update. Or you can let Landslide do all of that for you and just read the results.
As part of its included vulnerability testing, Landslide can perform all recommended SCAS tests for 5GC NFs, as well as additional security tests that go even further than the specification. As part of the Landslide 5GC Automation Platform (L5AP), these tests can be fully automated, even seamlessly integrated into a continuous integration/continuous delivery (CI/CD) pipeline to run automatically after every software update.
How valuable is this comprehensive, automated 5G vulnerability testing? Consider just two examples:
Blocking cross-slice discovery and services: In a 5GC network using network slicing, the Network Resource Function (NRF) is responsible for ensuring that an NF in one slice can’t access resources from an NF in another. This isolation is essential, as without it, an attacker could use one slice to access traffic in a more secure slice or launch a DDoS attack on a slice supporting mission-critical services. Landslide can perform the SCAS “NF discovery authorization for a specific slice” test to verify that the network blocks this behavior.
Stopping control plane signaling storms: Going beyond SCAS, Landslide can also help protect against DDoS attacks attempting to bring down an Access and Mobility Management Function (AMF). Through this test (which you won’t find in the 3GPP specification), Landslide emulates a scenario where malware has taken control of thousands of devices to launch a coordinated attack, flooding the AMF with registration requests. It then verifies that the network blocks all requests above a predefined threshold.
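The verdict logic for the signaling-storm test described above can be sketched as follows. This is an added example, not Landslide or Spirent code; the trace format, the one-second sliding window and all function names are assumptions made for illustration.

```python
from collections import deque

def judge_storm_test(trace, threshold, window_ms=1000):
    """trace: (time_ms, ue_id, outcome) tuples, outcome 'accept' or 'reject'.
    Integer milliseconds avoid float rounding at the window edge.
    Returns (verdict, violations); verdict is 'pass', 'fail' or 'inconclusive'."""
    offered, accepted = deque(), deque()  # timestamps inside the trailing window
    peak_offered, violations = 0, []
    for ts, ue, outcome in sorted(trace):
        for window in (offered, accepted):
            while window and ts - window[0] >= window_ms:
                window.popleft()
        offered.append(ts)
        peak_offered = max(peak_offered, len(offered))
        if outcome == "accept":
            accepted.append(ts)
            if len(accepted) > threshold:
                # This accept pushed the window above the configured limit.
                violations.append((ts, ue, len(accepted)))
    if violations:
        return "fail", violations
    if peak_offered <= threshold:
        # The emulated load never exceeded the limit, so nothing was proven.
        return "inconclusive", []
    return "pass", []

def constructed_trace(n_requests, n_accepted, spacing_ms=20):
    """Constructed sample data: a burst where the first n_accepted are accepted."""
    return [(i * spacing_ms, f"ue-{i:04d}",
             "accept" if i < n_accepted else "reject")
            for i in range(n_requests)]

def sustained_trace(n_requests=40, spacing_ms=50):
    """Constructed sample: two seconds of load, every second request accepted."""
    return [(i * spacing_ms, f"ue-{i:04d}", "accept" if i % 2 == 0 else "reject")
            for i in range(n_requests)]

if __name__ == "__main__":
    cases = {"throttled": constructed_trace(25, 10),
             "leaky": constructed_trace(25, 12),
             "light load": constructed_trace(5, 5),
             "sustained": sustained_trace()}
    for name, trace in cases.items():
        print(name, judge_storm_test(trace, threshold=10)[0])
```

The "inconclusive" verdict matters in a CI/CD run: a test that never drove the AMF past its threshold should not be counted as a pass.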
Figure: 5G core security testing scenario
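For the cross-slice discovery check described above, result validation amounts to auditing what the NRF returned to each requester. The following is an added example, not Landslide or Spirent code; the registry layout, the exchange records, the NF names and the rule that an empty allow-list means "unrestricted" are assumptions made for illustration.

```python
def norm(snssai):
    """Normalise an S-NSSAI (SST, SD) so hex-case differences in the SD
    cannot hide a match or a mismatch."""
    sst, sd = snssai
    return int(sst), (sd or "").upper()

def may_discover(requester_slices, allowed_slices):
    """Assumption: an empty allow-list means the NF is not slice-restricted."""
    allowed = {norm(s) for s in allowed_slices}
    return not allowed or bool({norm(s) for s in requester_slices} & allowed)

def audit_discovery(exchanges, registry):
    """exchanges: (requester_id, requester_slices, returned_nf_ids) records
    taken from a discovery trace. Returns a list of findings."""
    findings = []
    for requester, slices, returned in exchanges:
        for nf in returned:
            if nf not in registry:
                findings.append((requester, nf, "unknown-nf"))
            elif not may_discover(slices, registry[nf]):
                findings.append((requester, nf, "cross-slice-leak"))
    return findings

# Constructed registry: NF instance -> slices allowed to discover it.
REGISTRY = {
    "smf-embb-1": {(1, "000001")},
    "smf-urllc-1": {(2, "00000A")},
    "udm-shared": set(),
}

# Constructed discovery exchanges, as a test harness might record them.
EXCHANGES = [
    ("amf-embb", [(1, "000001")], ["smf-embb-1", "udm-shared"]),
    ("amf-embb", [(1, "000001")], ["smf-urllc-1"]),   # other slice's SMF
    ("amf-urllc", [(2, "00000a")], ["smf-urllc-1"]),  # same slice, lower-case SD
    ("nf-noslice", [], ["udm-shared", "smf-embb-1"]), # no slice declared
]

if __name__ == "__main__":
    for finding in audit_discovery(EXCHANGES, REGISTRY):
        print(finding)
```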
Putting 5G Security Testing to Work
To perform the full set of SCAS tests—much less detect vulnerabilities beyond them—you need three things: comprehensive test cases, realistic 5G traffic emulation, and automated test result validation. Without these capabilities, operators and vendors leave themselves at significant risk. While it’s theoretically possible to run SCAS tests without automation, it requires significant time and effort to manually verify test results against the specification. Given that most network vendors now release software updates every month—some, every week—trying to keep up with vulnerability testing without automation becomes a nearly impossible task.
Today, Spirent is the only testing provider that can deliver all three capabilities, providing comprehensive, automated 5G testing for SCAS vulnerabilities and beyond. Industry leaders have already put these capabilities into action. For additional in-depth exploration of how Spirent’s Landslide Core Network Testing can safeguard your network against hidden vulnerabilities with automated 5G testing, watch our demo on 5G Core Security.