Poking Holes in 5G with 5GReasoner

This week, we were once again greeted by a chorus of alarm bells heralding the latest vulnerabilities in the emerging 5G network. I’m afraid to say we are going to need to get used to it. We first heard about the possibility of launching targeted MiTM attacks via 5G networks this summer at Black Hat. Now, researchers at Purdue University and the University of Iowa have published a new paper detailing 11 new 5G vulnerabilities.


How did they do it?

This is actually the most fascinating part. The researchers built a tool called “5GReasoner,” which essentially analyzes the 5G protocol stack to reveal 5G weaknesses. It’s important to note that the data set they tested against was based on theoretical modeling, since there are some challenges around collecting real-world 5G data sets right now. There isn’t a lot of 5G in the wild, and presumably the researchers would have needed to travel to a place that had 5G and stay there for a while; tough on a student budget, right? 5GReasoner hasn’t been released to the public, and I wonder if it might have some commercial viability. When we begin to see “network slicing” (think private 5G networks) technology take off in the enterprise, there will be a need to test the sanctity of these networks.

At any rate, the researchers’ findings are based on the 5G protocol stack in theory, not live data. That’s important because no two infrastructure vendors are going to implement the 5G protocol spec exactly the same; as with many protocols, there’s too much ambiguity in the spec and wriggle room in the standards. In my opinion, that means that once 5G networks truly become ubiquitous, we are going to see many more 5G security flaws, and many will be vendor-specific. And then of course, there’s Huawei. The US wants to ban them as an untrusted 5G infrastructure provider (they could be spying), but they continue to flourish internationally.


What did they find?

The researchers reported their findings to the GSMA, a global telecom body that called the findings “nil or low impact.” Nevertheless, they felt they were important enough to add the researchers to their Mobile Security Research Hall of Fame. Here are some of the vulnerabilities they were able to theoretically exploit (many of these require a fake base station/small cell):

  1. You can find a person’s location.
  2. You can run up someone’s wireless bill with a replay attack (NAS counter reset).
  3. MiTM attacks, denial-of-service attacks, and battery depletion attacks.
  4. You can hijack the paging channel and create a fake emergency alert.

GSMA dismisses these as low impact because they are based on the theoretical 5G protocol spec. However, do these seem relevant to you? Because in reality there are going to be many more exploits in the actual 5G network than the theoretical one.


What can we do?

Stay vigilant. That means if you haven’t done so yet, it’s the right time to move to a zero trust framework. We don’t know where the next attack or vulnerability is going to come from, but we can take steps to prepare. The first step is to stop trusting devices that we aren’t constantly monitoring. The next step is to take action the moment we discover any anomalies, actions such as removing all sensitive enterprise content, blocking a device from accessing cloud and enterprise resources, or even wiping a device entirely. Monitoring is important, but protecting your organization by acting swiftly is absolutely critical.

Before we allow a device to access enterprise content or cloud services, we need to make sure it passes our most stringent tests. We need to be certain that a 5G device isn’t rooted or jailbroken, is running the latest and most secure version of the OS and security patches, never transmits unencrypted data, and isn’t currently undergoing a 5G MiTM or any other kind of attack. MobileIron provides tools like MobileIron Threat Defense and Access that can help protect your organization from emerging threats. Click to learn more about the only mobile security platform mentioned in The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 report, or to have a MobileIron rep contact you, please click here.
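The access gate described in the two paragraphs above can be sketched as a small policy function. This is an added example, not MobileIron's code or API: the `Posture` fields, the thresholds, and the mapping from each finding to an action are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum

class Action(IntEnum):            # severity order is an assumption of this sketch
    ALLOW = 0
    BLOCK_ACCESS = 1              # block cloud and enterprise resources
    REMOVE_CONTENT = 2            # remove sensitive enterprise content
    WIPE_DEVICE = 3

@dataclass
class Posture:                    # hypothetical report from an on-device agent
    reported_at: datetime
    os_version: str               # e.g. "13.2.1"
    rooted_or_jailbroken: bool
    sends_cleartext: bool
    mitm_suspected: bool

MIN_OS = "13.2"                           # constructed policy values
MAX_REPORT_AGE = timedelta(minutes=15)

def _ver(v):
    return tuple(int(part) for part in v.split("."))

def evaluate(p, now):
    """Return (action, reasons); fails closed on missing or stale data."""
    if p is None or now - p.reported_at > MAX_REPORT_AGE:
        # A device we are not currently monitoring is not trusted,
        # whatever it reported the last time we heard from it.
        return Action.BLOCK_ACCESS, ["no fresh posture report"]
    findings = []
    try:
        if _ver(p.os_version) < _ver(MIN_OS):
            findings.append((Action.BLOCK_ACCESS, "OS below minimum"))
    except (ValueError, AttributeError):
        findings.append((Action.BLOCK_ACCESS, "unparseable OS version"))
    if p.sends_cleartext:
        findings.append((Action.BLOCK_ACCESS, "unencrypted traffic seen"))
    if p.mitm_suspected:
        findings.append((Action.REMOVE_CONTENT, "network MiTM suspected"))
    if p.rooted_or_jailbroken:
        findings.append((Action.WIPE_DEVICE, "rooted or jailbroken"))
    if not findings:
        return Action.ALLOW, []
    # Apply the most severe action, but report every reason for the audit log.
    return max(a for a, _ in findings), [r for _, r in findings]

# Constructed sample: recent report, outdated OS, MiTM flagged by the agent.
NOW = datetime(2019, 11, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE = Posture(NOW - timedelta(minutes=2), "13.1", False, False, True)
```

Calling `evaluate(SAMPLE, NOW)` yields the content-removal action with both reasons listed, while a report older than `MAX_REPORT_AGE` is blocked without looking at its fields.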

Russ Mohr

Director, N. American Carrier and Channel Sales Engineering at MobileIron

About the author

Russell Mohr is a 20-year veteran of the tech industry. Before joining MobileIron in 2012, he worked extensively in sales, business development, product marketing, and engineering for companies including Lucent Technologies and Blackberry. In his current role as a technical director of our channel and carrier team, Russell helps customers solve challenges and devise strategies using MobileIron’s best-in-breed EMM and IoT solutions. He is a regular speaker at MobileIron and partner events and frequently publishes blogs, white papers, and podcasts.

Follow Russell’s Twitter handle @rhmohr to stay updated about the latest industry developments or find him on LinkedIn.

