5G泰坦尼克号.pdf

《5G泰坦尼克号.pdf》由会员分享，可在线阅读，更多相关《5G泰坦尼克号.pdf（46页珍藏版）》请在三个皮匠报告上搜索。

1、FAST IOT07/08/25Dr.Altaf Shaik-Fast IOTThe 5G TitanicDr.Altaf Shaik,Robert JaschekReference:https:/education.nationalgeographic.org/resource/titanic-sinks/Fast IOT&Technische Universitt Berlin407/08/25FAST IOTFAST IOTTitanicOn April 15,1912,the RMS Titanic sunk in the North Atlantic Ocean07/08/25Dr.

2、Altaf Shaik-Fast IOT5What 5G assumes?607/08/25FAST IOTFAST IOTCUPSControl user plane separation707/08/25FAST IOTFAST IOTSecurity featuresDesign omits IPSec usage if the interface is physically protected.807/08/25FAST IOTFAST IOT5G data flowGTP:GPRS tunneling protocol(Age:26)907/08/25FAST IOTFAST IOT

3、Positioning the 5G attacker07/08/25Dr.Altaf Shaik-Fast IOT10But what if that separation fails?1107/08/25FAST IOTFAST IOTProtocol tunneling via GTP-UEncapsulating one protocol inside user-plane traffic to reach a specific node Why GTP-U:A protocol that lacks built-in integrity checks or source authen

4、tication.Simple forwarding logic based solely on IP address and identifiersNo inspection of payload contentsDelivers encapsulated inner payloads to internal GTP-U-capable nodes(e.g.,UPF,gNodeB)Sending GTP-U encapsulated packets to networks is considered fraud1207/08/25FAST IOTFAST IOTProtocol tunnel

5、ing-packetGTP-U-in-GTP-U encapsulated packetStandard protocol compliant1307/08/25FAST IOTFAST IOTHow to craftDiscover and craft packet with internal IP addresses and portsfrom search engines,recon,insiders,intermediariesEnumerate and forge target users tunnel identifier,and IP address1407/08/25FAST

6、IOTFAST IOTProtocol tunneling-flow1507/08/25FAST IOTFAST IOTProtocol tunneling-roaming5G has N9 interface connect roaming interfacesPacket could be tunneled internationally a vulnerable UPF will execute itHome NetworkVisited Network1607/08/25FAST IOTFAST IOTNetwork boundary bridgingRouting user-plan