Stateful black box uplink testing for 5G StandAlone network

Abstract

5G StandAlone (SA) service was launched by T-Mobile in 2020, and the service area of the 5G SA network is increasingly expanding. However, there is little research on security in the 5G SA network for some reason. First, it is difficult to build a test environment for security research due to a lack of commercial equipment and open-source projects. In addition, since the core network is a black-box environment, it is quite hard to check the direct results of network testing. Therefore, existing approaches are only focused on finding standard vulnerabilities by applying formal methods based on specifications, and there are limitations that cannot find for other flaws, such as implementation flaws. In this work, we propose a first approach that performs stateful uplink testing while considering various attack scenarios in the 5G SA network. We analyzed the capabilities of MitM (Man-in-the-Middle) and Fake UE, which are possible attack models for networks, and classified the attack scenarios into four cases. Then, the test was done by applying these cases to all states that could happen during the UE's registration process. In addition, we categorized states according to security features and made it easy to create test cases for each network state machine. We evaluated our system with 4 core networks and discovered 16 implementation flaws: 11 cases can cause DoS (Denial-of-Sevice) attacks, 1 case can cause a eavesdropping attack, and 1 case can cause an impersonate attack.