How to Hack 5G - Part 1

Written by Chris Powell


Hacking 5G

For pretty much my entire career, I've been looking at embedded systems, especially those involved with telecommunications. I never intended for my job to take this path, and in some circumstances, I've tried to avoid it.

I've got a lot of experience exploiting things such as optical networks, and 4G and 5G systems. Based on this, I've decided to write a series of blog posts talking about what telecommunications are and how to hack them.

Hopefully, my real-world experience can help address some of the half-truths floating about, and with the advent of 5G technology, I thought it's best to start there.

I'm hoping to release an article once a month until it's finished. I don't know how long it's going to be yet, but I'm going to start from the outside of the network, i.e. your mobile device, and work my way in to the 5G core.

This article was written in February 2020 and is the first in the series. It discusses what telecommunication systems are and what 5G means.

Telecommunications

Wikipedia defines telecommunications as “the transmission of signs, signals, messages, words, writings, images and sounds or information of any nature by wire, radio, optical or other electromagnetic systems”.

I'm inclined to agree: it's everything involved in transmitting a signal from one place, typically your work or home, to another location, usually someone else's work or home. The two most common forms of telecommunications system are cellular and fixed-line.

Cellular is the stuff that you connect to wirelessly.

- Figure: 5G User Equipment (UE) and gNodeB

Fixed-line is the stuff you connect to through a wire.

- Figure: Optical Network Terminal (ONT) and Optical Line Terminal (OLT)

The easiest way to think about telecommunications is that it's the Internet itself. Your website and your computer might sit on the periphery, but the telecommunication networks comprise the routers, switches and cables that carry the data from your computer to your site.

What is 5G?

We've all heard terms like 4G and 5G, but what do they mean? You'll probably be surprised by this, but on their own they don't “mean” anything. They're marketing labels; the technical substance lives in the 3GPP releases that each label maps onto.

Quick history lesson: “modern” standards started with the 3rd Generation Partnership Project (3GPP). It's a large standards organisation that standardises telecommunication protocols and how cellular devices interact with one another.

It was founded in 1998 and started by creating standards to govern “3G” technology, hence the 3G in 3GPP. The first release was called Release 99, and you can guess where the 99 came from: it was named after the year 1999.

But like everything great, the 3GPP versioning convention suffered from the Millennium bug. The year-based naming was dropped after Release 99 (its successor was briefly known as Release 2000), and the numbering restarted at Release 4.

The idea of each subsequent 3GPP release is to enhance those that came before it, providing standards for faster and more efficient communication for mobile devices. Newer releases can therefore be thought of as a gradual upgrade of the technology described in previous releases. After all, technology changes, and so does how we use it.

One important thing to understand is that some releases are considered more significant than others. These special releases are the ones that get a cool logo, change the 3G at the top of your phone to a 4G, and get all the media attention.

So if anyone in the future asks you “What is 4G?", you need only respond “3GPP Release 8 and above”, because that's all 4G means: a bunch of technologies described in, and after, Release 8 of the 3GPP standard. If instead someone were to ask “What is all this 5G stuff?", you need to change your answer to “Obviously everything from 3GPP Release 15 and above, duh”.

So it's no wonder we call these technologies 2G, 3G, 4G and 5G, because the real answer is a bit abstract and confusing. I've listed the 3GPP releases below, with a few details added.

3GPP Release       Release Date   Details
Release 99 (3G)    Q1 2000        3G (UMTS) introduction
Release 4          Q2 2001        3G enhancement
Release 5          Q1 2002        3G enhancement
Release 6          Q4 2004        3G enhancement
Release 7          Q4 2007        2G and 3G enhancement
Release 8 (4G)     Q4 2008        Introduction of 4G (LTE), and 3G enhancement
Release 9          Q4 2009        WiMAX, 3G and 4G interoperability
Release 10         Q1 2011        3G and 4G enhancement
Release 11         Q3 2012        4G enhancement
Release 12         March 2015     4G enhancement
Release 13         Q1 2016        4G enhancement
Release 14         Mid 2017       Elements on the road to 5G
Release 15 (5G)    End 2018       5G Phase 1
Release 16         2020           5G Phase 2
Release 17         ~Sept 2021     Planned at the time of writing

Another thing worth pointing out is that just because something is a 5G release doesn't mean we forget all about 4G. 4G enhancements continue to appear in the releases that follow the one introducing 5G.

And now for the most surprising bit: at the time of writing (February 2020), 5G hasn't been fully standardised. Release 15 (5G Phase 1) is frozen, but Release 16 (5G Phase 2) is still a draft. Which is a bit weird, because we keep hearing the news say 5G is here and it's going to change everything.

I would write an angry letter and say statements like these are false, but I don't think it goes far enough. I prefer to say they're an out-and-out lie. If there's one thing you should take away from this post, it's this.

“5G is a collection of quite significant technological advancements, much of which is still sitting in a draft document, and the complete 5G standard should be released soon."

Some of the more significant changes in 5G are the use of Massive Multiple-Input Multiple-Output (MIMO) in the Radio Access Network (RAN), and the effort to virtualise the 5G core. But based on some things I've personally seen, I don't think the virtualisation bit will work as intended.

That might be a little confusing, so to be clear: cellular networks have two major parts. The wireless bit your mobile device talks to is the RAN, and the bit that switches terabytes of data around and ensures it arrives at the correct location is the core.

- Figure: Radio Access Network and Core

5G aims to overhaul the entire thing, both sides, which is why it gets a logo and why everyone's making such a big deal. However, one thing people don't usually consider when talking about the RAN and the core is the difference in their cost and device count.

If you think about it, operators need to put Base Transceiver Stations (BTS, 2G), NodeBs (3G), eNodeBs (4G) and gNodeBs (5G) everywhere. How else could they claim the coverage they advertise?

Fortunately, devices in the RAN are cheaper and more robust. But there is a considerable cost in the sheer volume of devices and in the labour involved in installing them.

The core is the opposite: devices are far more expensive, but there are far fewer of them, and they're typically deployed in secure data centres, so the installation cost is lower.

Interestingly, the security concern is the other way round. A single gNodeB going offline might affect coverage within a couple of miles of its location, whereas a core gateway crashing might take out a quarter of the country.

It is for this reason that governments, operators and news outlets continuously talk about the 5G core. It is a vital component of our day-to-day lives, whether you realise it or not, and its security is paramount.

By now the geeks among you are probably wondering why you're not neck-deep in MIPS, ARM or PPC assembly code. Don't worry. I'll get to the technical stuff in subsequent posts.

I don't want this post to end up being the length of a book, and I think it's vital for less-technical folks to understand the peculiarities of what the world's news and our respective governments are worried about.

5G Today

So Chris, if we haven't standardised 5G yet, how are companies selling 5G technology? Good question casual internet user!

What we call 5G today is something we refer to as “New Radio” (NR), which for some reason means everything starts with a g (gNodeB) instead of an e (eNodeB). Simply put, it's the radio bit that your phone talks to, and that's pretty much it.

In marketing terms, New Radio is the smallest part of the 5G standard that must exist for network operators to change the number at the top of your phone from 4G to 5G, and then charge you a premium on your phone bill for the privilege.

See how marketing works? I'd complain because it seems like an underhanded tactic, but we only have ourselves to blame. New things are exciting, after all.

That's not to say there aren't substantial speed improvements between your mobile device and the gNodeB, or that what we currently have isn't an essential step in the eventual deployment of full 5G.

We need to spot the truth in the marketing material and realise proper 5G is several years away. Some people, far more knowledgeable than I, think we'll have to wait for 6G to see a big difference!

But at the end of the day, 5G is going to be a massive change in how cellular networks interact with each other and switch data, much like what 4G was to 3G. What we currently have, though, is a bunch of New Radio devices (gNodeBs) glued to the 4G network.

- Figure: What 5G deployments currently look like

This 5G network architecture is what we call Non-StandAlone (NSA) mode, so named because it HAS to use the existing 4G system: the LTE eNodeB anchors the control-plane signalling and the 4G Evolved Packet Core (EPC) carries the traffic. For the more discerning people out there, you might ask something like “If we depend on the 4G core for our data, doesn't that mean we have a speed bottleneck?". And you'd be right: NSA mode means we are still limited by the 4G network core.

It's funny that the current limitation of 5G technology is that the rest of 5G doesn't exist in deployments yet. So we are left with a new ultra-fast 5G radio tacked onto a lower-speed 4G backhaul, which has the potential to slow everything down.

So don't expect significant improvements before the official 5G StandAlone (SA) rollout, which won't happen for several years, as we have to wait until mid-2020 for Release 16 to be finalised. Then we have to wait for manufacturers to build it, operators to buy it, and engineers to install it.

What I've described isn't necessarily bad. I mean, we weren't able to make phone calls over 4G until recently: we had to wait for something called Voice over Long Term Evolution (VoLTE). Before that, your 4G connection would have to drop back onto the 3G (or 2G) network to make a phone call.

That doesn't mean manufacturers or operators are waiting around. Remember that the companies that make up the 3GPP organisation are also its most significant users. A lot of the work the vendors do feeds directly back into the standardisation process, and who better to influence the standards than the people that have to follow them?

It does mean rolling out 5G is a bit of an issue, not that this prevents media outlets fantasising about it or world governments arguing over it.

My personal view is, don't expect anything to change any time soon. And probably don't expect anything to improve significantly even when 5G SA is up and running.

Conclusion

5G is coming, even though 5G is a marketing term and the standards aren't finished yet. We have NSA mode and a bunch of release numbers from the 3GPP, but will a lot change?

Probably not. The technology that underpins 5G is exciting though, and there is one significant security feature that can stop IMSI catchers and rogue base stations in their tracks. I will discuss all of this and more in subsequent posts, so stay tuned!

Upcoming Topics

  • Hacking SIM cards
  • How cryptography protects your wireless data
  • Hacking JavaCard
  • Hacking Over-The-Air (OTA) updates
  • How 5G stops IMSI catchers

Who am I?

I'm Chris, and I've been lucky enough to spend the last four years of my career working for Huawei, the biggest vendor of telecommunications equipment in the world. I worked as a senior vulnerability researcher in the Huawei Cyber Security Evaluations Center (HCSEC), an organisation of super-geniuses that put me to shame.

If you have any questions, want to collaborate on anything, or want to shout at me and tell me I'm wrong, I'm reachable via LinkedIn or our contact page.