An Emerging Threat: Attacking 5G Via Network Slices

Published: 23/11/2024   Category: security




A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.



RSA CONFERENCE — San Francisco — While 5G security is not new as a topic of conversation, emerging attack vectors continue to come to the fore. Deloitte & Touche researchers have uncovered a potential avenue of attack targeting network slices, a fundamental part of 5G's architecture.
The stakes are high: Not just a faster 4G, next-generation 5G networks are expected to serve as the communications infrastructure for an array of mission-critical environments, such as public safety, military services, critical infrastructure, and the Industrial Internet of Things (IIoT). They also play a role in supporting latency-sensitive future applications like automated cars and telesurgery. A cyberattack on that infrastructure could have significant implications for public health and national security, and impact a range of commercial services for individual enterprises.
At the heart of any 5G network is a flexible, IP-based core network that allows resources and attributes to be assembled into individual slices — each of these network slices is tailored to fulfill the requirements requested by a particular application. For instance, a network slice supporting an IIoT network of sensors in a smart-factory installation might offer extremely low latency, long device battery life, and constricted bandwidth speed. An adjacent slice could enable automated vehicles, with extremely high bandwidth and near-zero latency. And so on.
Thus, one 5G network supports multiple adjacent network slices, all of which make use of a common physical infrastructure (i.e., the radio access network, or RAN). Deloitte collaborated on a 5G research project with Virginia Tech to explore whether it was possible to exploit 5G by compromising one slice, then escaping it to compromise a second. The answer to that turned out to be yes.
"Throughout our journey with Virginia Tech, our objective was uncovering how to make sure that appropriate security is in place whenever a 5G network is put in for any type of industry or any customer," Shehadi Dayekh, specialist leader at Deloitte, tells Dark Reading. "We saw network slicing as a core area of interest for our research, and we set about discovering avenues of compromise."
Abdul Rahman, associate vice president at Deloitte, notes that attacking one slice in order to get to a second could be seen as a form of container escape in a cloud environment — in which an attacker moves from one container to another, moving laterally through a cloud infrastructure to compromise different customers and services.
"When we look at the end-to-end picture of a 5G network, there's the 5G core, and then the 5G RAN, then there are the end devices and the users after the end devices," he says. "The core has really evolved to a point where a lot of the services are essentially in containers, and they've been virtualized. So there may then be a similar [attack-and-escape] process where we're able to influence or affect a device on network slice two from a device or a compromise within network slice one."
The research uncovered that an initial compromise of the first network slice can be achieved by exploiting open ports and vulnerable protocols, he explains. Or, another path to compromise would involve obtaining the metadata necessary to enumerate all of the services on the network, in order to identify a service or a set of services that may have a vulnerability, such as a buffer overflow that would allow code execution.
Then, to achieve slice-escape, "there are capabilities in the wireless space to emulate tons of devices that can join networks and start causing some stress on the core network," Dayekh says. "It's possible to bring in some scanning capabilities to start exploiting vulnerabilities across slices."
A successful attack would have a number of layers and steps, and would be non-trivial, Deloitte found — but it can be done.
"From a real-world feasibility perspective, it's really dependent on how much money is spent," Dayekh says, adding that cyberattackers would likely make an ROI calculation when weighing whether an attack is worth the time and expense.
"It's about how serious [and hardened] the network is, if it's a mission-critical network, and how serious the target application is," he explains. "Is it an application for, say, shelf replenishment or cashierless checkout, or is it a military or government application?"
If the attacker is a well-funded advanced persistent threat (APT) interested in mounting destructive attacks on, say, an automated pipeline, the approach would be more convoluted and resource-intensive, Rahman adds.
"This sets the stage for a bad actor that utilizes advanced recon and surveillance-detection techniques, to minimize on the blue side being seen," he says. "You utilize observation to determine avenues of approach and key terrain, while ensuring concealment. If we're going to recon a network, we want to do it from a place where we can scan the network and obfuscate our reconnaissance traffic amongst all the other traffic that's there. And they're going to build this network topology, aka an attack graph, with nodes that have metadata associated with enumerative services around what we would like to attack."
When it comes to potential outcomes of a successful attack, Rahman and Dayekh used the example of a campaign against an industrial sensor network for a smart-factory application.
"Ultimately, we can deploy malware that can actually impact the data that's gathered from those sensors, whether it's temperature, barometric pressure, its line of sight, computer vision, whatever that may be," Rahman notes. "Or it may be able to occlude the image or maybe only send back a portion of the results by manipulating what the sensor has the ability to see. That could potentially cause false readings, false positives, and the impact is huge for manufacturing, for energy, for transportation — any of those areas that depend on sensors to give them near-real-time outputs for things like health and status."
The Internet of Medical Things (IoMT) is another area of concern, due to the ability to directly impact patients using remote health services such as kidney dialysis or liver monitoring, or those who have a pacemaker.
There's also another form of attack that involves deploying malware on vulnerable IoT devices, then using them to jam or flood the air interfaces or take up shared computational resources at the edge. That can lead to denial of service across slices since they all share the same RAN and edge computing infrastructure, Deloitte found.
When it comes to defending against attacks involving network slicing, there are at least three broad layers of cybersecurity to deploy, the researchers note:
Convert threat intelligence, which consists of indicators of compromise (IOCs), into rules.
Use artificial intelligence and machine learning to detect anomalous behaviors.
Implement platforms that contain standard detection mechanisms, filtering, the ability to create automation, integration with SOAR, and alerting.
It's important, as ever, to ensure defense in depth. "The rules have a shelf life," Rahman explains. "You can't totally depend on rules because they get aged off because people create malware variants. You can't totally depend on what an AI tells you about probability of malicious activity. And you can't really believe in the platform because there may be gaps."
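The first layer and its shelf-life limit can be illustrated with the Python below, an added example that is not from the Deloitte research or the original article. It converts IOC records into rules that expire, evaluates flow records against the live rules, and also flags traffic between devices on different slices. The 30-day shelf life, the record fields, the device-to-slice inventory, and all addresses are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: a rule built from an IOC is trusted for 30 days, then aged off.
SHELF_LIFE = timedelta(days=30)

@dataclass(frozen=True)
class Rule:
    kind: str          # indicator type, e.g. "ip"
    value: str
    expires: datetime

def rules_from_iocs(iocs):
    """Turn IOC records (kind, value, first_seen) into rules with an expiry."""
    return [Rule(i["kind"], i["value"].lower(), i["first_seen"] + SHELF_LIFE)
            for i in iocs]

def evaluate(flows, rules, slice_of):
    """Return alerts for hits on unexpired rules and for flows crossing slices."""
    alerts = []
    for f in flows:
        live = {(r.kind, r.value) for r in rules if r.expires > f["ts"]}
        if ("ip", f["dst"]) in live:
            alerts.append(("ioc-hit", f["src"], f["dst"]))
        src_slice, dst_slice = slice_of.get(f["src"]), slice_of.get(f["dst"])
        if src_slice and dst_slice and src_slice != dst_slice:
            alerts.append(("cross-slice", f["src"], f["dst"]))
    return alerts

# Constructed sample data (documentation and private address ranges).
T0 = datetime(2024, 11, 1, tzinfo=timezone.utc)
IOCS = [
    {"kind": "ip", "value": "203.0.113.7", "first_seen": T0},
    {"kind": "ip", "value": "198.51.100.9", "first_seen": T0 - timedelta(days=60)},
]
SLICE_OF = {"10.1.0.5": "slice-1", "10.1.0.6": "slice-1", "10.2.0.8": "slice-2"}
FLOWS = [
    {"ts": T0 + timedelta(days=2), "src": "10.1.0.5", "dst": "203.0.113.7"},
    {"ts": T0 + timedelta(days=2), "src": "10.1.0.6", "dst": "198.51.100.9"},
    {"ts": T0 + timedelta(days=2), "src": "10.1.0.5", "dst": "10.2.0.8"},
    {"ts": T0 + timedelta(days=2), "src": "10.1.0.5", "dst": "10.1.0.6"},
]
ALERTS = evaluate(FLOWS, rules_from_iocs(IOCS), SLICE_OF)
if __name__ == "__main__":
    print(ALERTS)
```

The second flow reaches an address whose rule has already aged off, so the rule layer stays silent on it; that is the gap the other two layers are meant to cover.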
Much of the defense work also has to do with gaining a view into the infrastructure that doesn't overwhelm defenders with information.
"The key is visibility," Dayekh says, "because when we look at 5G, there's massive connectivity: A lot of IoT, sensors, and devices, and you also have containerized deployments and cloud infrastructure that scales up and down and gets deployed in multiple zones and multiple hybrid clouds, and some clients have more than one vendor for their cloud. It's easier when we don't have a lot of slices or we don't have a lot of device IDs or SIM cards or wireless connections. But there are potentially millions of devices that you may have to look at and correlate data for."
There's also ongoing management to consider, since the 5G standard is updated every six months with new features.
As a result, most operators are still scratching the surface on the amount of work they have to put into shoring up security for 5G networks, the researchers say, noting that the workforce shortage is also affecting this segment. And that means that automation will be required to handle tasks that need to be done in a repeatable manner.
"Automation from a source perspective can go out to these devices and reconfigure them on the fly," Rahman says. "But the question is, is do you want to do that in production? Or do you want to test that first? Typically, we are risk averse, so we test when we do change requests, and then we vote on it. And then we deploy those changes in production, and that takes a certain amount of time. But those processes can be automated with DevSecOps pipelines. Solving this will take some out-of-the-box thinking."
