5G Mobile Device Hacking

Learn how to hack devices connected over a mobile subscriber network over the air with RF and SDR.

Training starting at $1,800.00 with one of our subscriptions

Language: English

5G Mobile Hacking with SDR

With the emergence of 5G-NR NSA (Non-Standalone) and the future deployment of SA (Standalone) mode, many devices, including mobile phones, IoT devices, and connected cars, will be actively connected to the internet. Moreover, the use of NR-U (New Radio Unlicensed) bands with 5G allows private companies, campuses, and other sites to run their own 5G network. All of these changes introduce new risks that we will see during this training.

This course focuses on 5G NSA (Non-Standalone) and SA (Standalone) security, teaching the techniques needed to perform security assessments on devices as well as on the core network. For the hands-on part, all challenges will generally take place on our cloud, which is connected to our 5G-NR setup inside a Faraday cage. Attendees will also receive additional advice on building the best assessment setup for their budget.

Day 1

Day 1 will introduce the 5G NSA mode as well as the SA mode, which should appear in many countries in fall 2022. During this day, we will also introduce the radio aspects, the tools, and the setup for organizing our RF assessments with Software-Defined Radio.

Theory

  • Introduction to mobile networks and protocols (2G/3G/4G/5G)
  • Differences between 5G NSA and SA
  • Security mechanisms on the radio interface
  • SIM/USIM/ISIM cards
  • Equipment and tools for our tests
  • Upcoming tools
  • Possible attacks on 5G-NR
  • How to safely assess 5G devices
  • Hunting for vulnerabilities

Challenge 1: Fingerprinting devices

  • Running an NSA and SA network
  • Downgrading the stack on a 5G device
  • Fingerprinting devices

Challenge 2: Manipulating secrets

  • Generating secrets
  • Programming an ISIM card
  • Registering a device

Challenge 3: Analyzing communications

  • Hunt for secrets and vulnerabilities
  • Decode and manipulate radio frames
  • Play with control and user (data) planes

Day 2

The last day will be an opportunity to look at the core network side, which is very relevant when an operator exposes some nodes externally, as has happened many times. It will also focus more on the Standalone mode, whose infrastructure and applications differ drastically from those of 2G-4G.

During this day, attendees will also see why it is important not to rely only on the 5G-NR security mechanisms, but to provide additional countermeasures in devices as well.

Theory

  • Introduction to the 5G SA infrastructure and its REST APIs
  • Security Mechanisms
  • Possible attacks
  • Hunting for exposed nodes/gateways
  • Our latest feedback

Challenge 1: hunting for and intruding into exposed nodes

  • Mapping a cloud
  • Looking for exposed services
  • Finding and exploiting vulnerabilities to get into the service

Challenge 2: REST API attacks

  • Attacking the API to gain persistence
  • Hijacking communications

Challenge 3: attacking devices

  • Mapping devices remotely from the exposed network
  • Finding and exploiting vulnerabilities on devices

Training by Sébastien Dudek

Sébastien is a security researcher focusing on flaws in radio-communication systems. He has published attacks against mobile device basebands, Power-Line devices, and intercom systems.

Can't attend? All of our trainings are also available as private classes for your company.

Access all of our classes and professionally edited recordings.
All of our courses are also available as private trainings.
Courses are offered multiple times in different timezones.