Are SMS messages vulnerable in 5G ?

Mar 1, 2024 by Charles Beumier | 405 views

SS7 Phishing

https://cylab.be/blog/326/are-sms-messages-vulnerable-in-5g

This blog discusses the security of SMS in the context of 5G. In a preceding blog (https://cylab.be/blog/171/sms-based-2-factor-authentication-is-insecure), we already addressed the issue of SMS interception in 2G/3G networks and its potential consequences for 2-Factor Authentication. Here, we analyze the situation within the 5G ecosystem.

SMS_small.jpg

1. 5G deployment

5G will not immediately replace the 2G, 3G and 4G networks, which are still in use today. The transition will be gradual and vary in speed across countries within the Global System. The antenna coverage of legacy versions will remain useful in areas where 5G coverage is lacking. The deployment of 5G itself starts with support from 4G equipment (Non Standalone 5G) to later become Standalone 5G once 4G infrastructure is completely replaced.

2. 5G SMS mechanisms

Three mechanisms exist in 5G for sending and receiving SMS:

  • In SMS over NAS, the 5G SMS function (SMSF) sends and receives messages to and from the legacy SMS center (SMSC) in 2G/3G networks, which stores and later sends SMS when appropriate. The SMSC interfaces with the SS7/MAP protocol, which is vulnerable to SMS interception, denial of service or fraud. SMS Home routing and SMS firewall are typically installed to mitigate such attacks.

  • In the case of SMS over IP, the 5G User Plane Function (UPF) interfaces with the IP Multimedia System (IMS) to transfer SMS to and from the SMSC. The Diameter protocol (used in 4G) is susceptible to similar vulnerabilities as SS7 for 2G and 3G.

  • Rich Communication Suite (RCS) was developed to deliver multimedia messages and provide enhanced services. If the target device is not RCS-enabled, the message is delivered as a SMS.

Additionally, there is consideration for a mechanism specific to 5G, utilizing the Service-Based Architecture (modular services communicating with well-defined APIs).

3. SMS still in abondance

The Short Message Service was introduced in 2G networks and enjoyed much more success than expected. Initially, it served as a communication channel between two persons. Later, it began to be used by applications to deliver notifications, one-time passwords, or reminders. In 5G, massive communications are expected to control devices or support the Internet of Things (IoT), likely increasing the quantity of SMS messages.

4. SMS attacks

The various SMS attacks can be categorized into three groups.

4.1 Unsollicited SMS

Unsollicited SMS messages (also known as spam SMS) refer to messages received without consent. They are annoying and intrusive. Some are sent indiscriminately while others are targeted to harvested phone numbers. The less dangerous messages contain product or service advertisements.

In the case of SMS phishing (smishing), the objective is to steal personal information or financial data to prepare an attack. Really dangerous SMS messages contain a link to malicious websites aimed at installing malware on the device. These messages often masquerade as official agencies or firms to increase the recipient's confidence.

These kinds of messages will certainly exist in 5G.

4.2 Signalling attacks

These are well-prepared attacks carried out by individuals who gain access to the SS7 or Diameter networks. The presence of legacy equipment in 5G for many years to come implies the possibility of exploiting their vulnerabilities. In SS7, a number can be spoofed to hide a premium number, resulting in additional costs for the recipient who contacts it. SMS messages can also be intercepted and read for information harvesting or discarded if the objective is to deny the SMS service.

Users have little or no control over these attacks. They should remain vigilant and detect suspicious SMS messages to report and assist providers or regulatory authorities. These entities can employ monitoring systems to detect suspicious patterns or unusual traffic.

These kinds of attacks will certainly exist in 5G.

4.3 Attacks on 5G functions

It is likely that attacks will be attempted on the new functions present in 5G. The SMS function (SMSF) and the User Plane Function (UPF) are the two functions mainly concerned.

5. Conclusions

Despite 5G being designed with security in mind, SMS remains vulnerable to various attack angles. Legacy telecommunication networks continue to be necessary to support older connected systems or to ensure better coverage during 5G deployment. The emphasis on data protection and privacy, driven by regulations such as GDPR, has incentivized telecom regulators and mobile operators to implement robust protection measures. These efforts must continue to evolve with the advancement of technology. While these measures are beyond the control of end users, adhering to good practices such as installing application updates and avoiding suspicious links can help mitigate the risks of falling victim to attackers.

This blog post is licensed under CC BY-SA 4.0

This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept