
5G SA Roaming Without OAuth 2.0 Equals Insecurity By Design.
Insecurity By Design Or Insecurity By Ignorance?
When discussing 5G SA roaming, the main focus in the GSMA Fraud and Security Group is currently on mutual TLS, used to prevent man-in-the-middle attacks and to encrypt all traffic between mobile operators: when the Home PLMN exchanges traffic with the Visited PLMN, or when an operator deploys its 5G Core in a hybrid cloud, where the AMF and SMF sitting in the public cloud need to exchange signaling traffic with network functions hosted in a private cloud.
It is assumed that the reader has knowledge of PKI, mutual TLS, OAuth 2.0 and 5G Core procedures.
One can argue that mutual TLS enforces zero trust by authenticating the identity of the network functions through the exchange of identity certificates and by encrypting the signaling traffic between two trusted roaming partners. However, mutual TLS cannot provide access control to the producer’s resources: in the absence of proper authorization, the roaming partner can access services or data beyond the scope of the roaming agreement, which leads to security vulnerabilities.
How does authorization work in the 5G Core?

Before a consumer network function consumes a service from a producer network function, it needs to request an access token from the NRF (Network Repository Function), as described in the image above. The NRF, which is the authorization server in the 5G Core (and has additional functionalities not covered in this article), issues an authorization token (OAuth 2.0 access token) to the consumer network function.

Once the consumer network function holds the authorization token (OAuth 2.0 access token), it presents it to the producer network function with the intent to consume some of its services. Inside the token is the scope, i.e. which services the consumer network function is authorized to consume. Furthermore, access is only granted once the producer network function has verified the integrity of the authorization token (OAuth 2.0 access token), which is covered in this article.
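As an added example (not code from the original article, nor from any vendor or 3GPP implementation), the following Python script models the three parties in this flow: the NRF issues a signed OAuth 2.0 access token whose claim names (iss, sub, aud, scope, exp, consumerPlmnId, producerPlmnId) follow 3GPP TS 29.510, and the producer checks signature, expiry, audience and scope before serving a request. HS256 signing with a key shared between NRF and producer, the NRF policy table, the token lifetime and every NF instance and PLMN identifier are constructed assumptions; a real NRF would normally sign with its own asymmetric key. The script also exercises the escalated-privilege case from the risk list below: an AMF token is refused at a UDR, and the NRF refuses to mint a token whose scope exceeds policy.

```python
"""Toy model of the 5G Core OAuth 2.0 access-token flow: NF consumer -> NRF
(authorization server) -> NF producer.

Added example, not code from the article or any vendor. Assumptions: HS256
(HMAC-SHA256) signing with a key shared between NRF and producer (constructed
here), claim names as in 3GPP TS 29.510, and constructed NF / PLMN identifiers.
"""
import base64
import hashlib
import hmac
import json
import time

NRF_SIGNING_KEY = b"constructed-nrf-signing-key"  # constructed shared key
NRF_INSTANCE_ID = "nrf-0001"                      # constructed NRF instance id

# Constructed least-privilege policy: which services each consumer NF type may use.
NRF_POLICY = {
    "AMF": {"nudm-uecm", "nudm-sdm", "nausf-auth"},
    "UDM": {"nudr-dr"},
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def nrf_issue_token(consumer_id, consumer_type, target_type,
                    requested_scope, now=None, ttl=600):
    """NRF side: return a signed JWT, or None if the scope exceeds policy.

    ttl is a constructed lifetime; short lifetimes limit replay of a leaked token.
    """
    now = int(time.time()) if now is None else now
    requested = set(requested_scope.split())
    if not requested <= NRF_POLICY.get(consumer_type, set()):
        return None  # refuse anything outside the consumer's allowed scope
    claims = {
        "iss": NRF_INSTANCE_ID,            # issuing NRF
        "sub": consumer_id,                # consumer NF instance id
        "aud": target_type,                # producer NF type the token is for
        "scope": " ".join(sorted(requested)),
        "exp": now + ttl,
        "consumerPlmnId": {"mcc": "001", "mnc": "01"},  # constructed (roaming)
        "producerPlmnId": {"mcc": "001", "mnc": "02"},  # constructed (roaming)
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(NRF_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def producer_authorize(token, producer_type, requested_service, now=None):
    """Producer side: return (allowed, reason) after checking alg, signature,
    issuer, expiry, audience and scope. Any failure denies the request."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, AttributeError):
        return False, "malformed token"
    if header.get("alg") != "HS256":          # never accept "none" or other algs
        return False, "unexpected alg"
    expected = hmac.new(NRF_SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != NRF_INSTANCE_ID:
        return False, "unknown issuer"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if producer_type not in aud:
        return False, "audience mismatch"
    if requested_service not in claims.get("scope", "").split():
        return False, "scope does not cover " + requested_service
    return True, "ok"


if __name__ == "__main__":
    tok = nrf_issue_token("amf-0001", "AMF", "UDM", "nudm-sdm nudm-uecm", now=1000)
    print("UDM, nudm-sdm :", producer_authorize(tok, "UDM", "nudm-sdm", now=1100))
    print("UDR, nudr-dr  :", producer_authorize(tok, "UDR", "nudr-dr", now=1100))
    print("expired       :", producer_authorize(tok, "UDM", "nudm-sdm", now=1700))
    print("AMF asks UDR  :", nrf_issue_token("amf-0001", "AMF", "UDR", "nudr-dr", now=1000))
```

The producer deliberately checks the algorithm before the signature, validates the issuer and audience, and treats a missing scope as a denial; each check maps to one of the risks listed further down (out-of-scope operations, data exposure, privilege escalation). The `now` and `ttl` parameters are only there so the expiry behaviour can be exercised deterministically.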
After covering the introduction to authorization in the 5G core, one should ask the question below:
What Are The Risks Of Lack Of Authorization?
According to OWASP Top 10 2021, the lack of authorization is part of A01:2021 — Broken Access Control, which has the following definition:
“Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits.”
In short, if there are no controls restricting which services the consumer network functions are allowed to access on the producer network functions, bad actors can conduct the following attacks:
- The consumer network functions can use unauthorized requests to delete, update, or read information on the network that is not within the scope of the current procedure.
- The bad actor can exploit the lack of scope restriction to obtain sensitive information such as subscriber keys and PII (Personally Identifiable Information), then combine it with other information to further compromise subscribers or the network.
- The consumer network functions can consume unauthorized resources with escalated privileges from producers, for example an AMF accessing resources that should only be accessed by the UDM or AUSF.
Recommendations
- Ensure that mobile operators and vendors implement authorization using the OAuth 2.0 access token and the NRF.
- Broken access control exposes networks to unnecessary risk and burdens security teams; therefore, implement authorization controls, enforce least privilege, and set an adequate expiration time for the authorization token (OAuth 2.0 access token).
- Send the authorization token (OAuth 2.0 access token) only inside a mutual TLS tunnel between the producer and consumer network functions, because the access token is not hashed and has human-readable contents.
- Harden and pentest the NRF.
- Enable 5G SA roaming only with mobile operators that support authorization controls via OAuth 2.0 as specified by the 3GPP specifications.
