Cross-Service Token: Finding Attacks in 5G Core Networks
- URL: http://arxiv.org/abs/2509.08992v1
- Date: Wed, 10 Sep 2025 20:40:33 GMT
- Title: Cross-Service Token: Finding Attacks in 5G Core Networks
- Authors: Anqi Chen, Riccardo Preatoni, Alessandro Brighente, Mauro Conti, Cristina Nita-Rotaru
- Abstract summary: We present FivGeeFuzz, a grammar-based fuzzing framework designed to uncover security flaws in 5G core SBIs. Using FivGeeFuzz, we discovered 8 previously unknown vulnerabilities in free5GC, leading to runtime crashes, improper error handling, and unauthorized access to resources.
- Score: 58.86003502940164
- License: http://creativecommons.org/publicdomain/zero/1.0/
- Abstract: 5G marks a major departure from previous cellular architectures, by transitioning from a monolithic design of the core network to a Service-Based Architecture (SBA) where services are modularized as Network Functions (NFs) which communicate with each other via standard-defined HTTP-based APIs called Service-Based Interfaces (SBIs). These NFs are deployed in private and public cloud infrastructure, and an access control framework based on OAuth restricts how they communicate with each other and obtain access to resources. Given the increased vulnerabilities of clouds to insiders, it is important to study the security of the 5G Core services for vulnerabilities that allow attackers to use compromised NFs to obtain unauthorized access to resources. We present FivGeeFuzz, a grammar-based fuzzing framework designed to uncover security flaws in 5G core SBIs. FivGeeFuzz automatically derives grammars from 3GPP API specifications to generate malformed, unexpected, or semantically inconsistent inputs, and it integrates automated bug detection with manual validation and root-cause analysis. We evaluate our approach on free5GC, the only open-source 5G core implementing Release 17-compliant SBIs with an access control mechanism. Using FivGeeFuzz, we discovered 8 previously unknown vulnerabilities in free5GC, leading to runtime crashes, improper error handling, and unauthorized access to resources, including a very severe attack we call Cross-Service Token Attack. All bugs were confirmed by the free5GC team, 7 have already been patched, and the remaining one has a patch under development.
Related papers
- Towards Effective, Stealthy, and Persistent Backdoor Attacks Targeting Graph Foundation Models [62.87838888016534]
Graph Foundation Models (GFMs) are pre-trained on diverse source domains and adapted to unseen targets. Backdoor attacks against GFMs are non-trivial due to three key challenges. We propose GFM-BA, a novel Backdoor Attack model against Graph Foundation Models.
arXiv Detail & Related papers (2025-11-22T08:52:09Z)
- Integrity Under Siege: A Rogue gNodeB's Manipulation of 5G Network Slice Allocation [2.90110037823427]
5G networks, with network slicing as a cornerstone technology, promise customized, high-performance services, but also introduce novel attack surfaces beyond traditional threats. This article investigates a critical and underexplored integrity vulnerability: the manipulation of network slice allocation to compromise Quality of Service (QoS) and resource integrity. We show how a rogue gNodeB acting as a Man-in-the-Middle can exploit protocol weaknesses to forge slice requests and hijack a User Equipment's connection.
arXiv Detail & Related papers (2025-11-05T09:26:39Z)
- CANTXSec: A Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations [53.036288487863786]
We propose CANTXSec, the first deterministic Intrusion Detection and Prevention system based on physical ECU activations. It detects and prevents classical attacks in the CAN bus, while detecting advanced attacks that have been less investigated in the literature. We prove the effectiveness of our solution on a physical testbed, where we achieve 100% detection accuracy in both classes of attacks while preventing 100% of FIAs.
arXiv Detail & Related papers (2025-05-14T13:37:07Z)
- Securing 5G Bootstrapping: A Two-Layer IBS Authentication Protocol [4.087348638056961]
Lack of authentication during the initial bootstrapping phase between cellular devices and base stations allows attackers to send malicious messages to the devices. We propose E2IBS, a novel and efficient two-layer identity-based signature scheme for seamless integration with existing cellular protocols. Compared to the state-of-the-art Schnorr-HIBS, E2IBS reduces attack surfaces, enables fine-grained lawful interception, and achieves 2x speed in verification.
arXiv Detail & Related papers (2025-02-07T13:32:48Z)
- EmInspector: Combating Backdoor Attacks in Federated Self-Supervised Learning Through Embedding Inspection [53.25863925815954]
Federated self-supervised learning (FSSL) has emerged as a promising paradigm that enables the exploitation of clients' vast amounts of unlabeled data.
While FSSL offers advantages, its susceptibility to backdoor attacks has not been investigated.
We propose the Embedding Inspector (EmInspector) that detects malicious clients by inspecting the embedding space of local models.
arXiv Detail & Related papers (2024-05-21T06:14:49Z)
- Establishing Trust in the Beyond-5G Core Network using Trusted Execution Environments [4.235733335401408]
We review the security implications introduced in B5G networks, and the security mechanisms that are supported by the 5G standard.
We propose a vertical extension of Zero Trust, namely, Zero Trust Execution, to model untrusted execution environments.
We provide an analysis on how to establish trust in Beyond-5G network architectures using Trusted Execution Environments.
arXiv Detail & Related papers (2024-05-20T17:02:18Z)
- Penetration Testing of 5G Core Network Web Technologies [53.89039878885825]
We present the first security assessment of the 5G core from a web security perspective.
We use the STRIDE threat modeling approach to define a complete list of possible threat vectors and associated attacks.
Our analysis shows that all these cores are vulnerable to at least two of our identified attack vectors.
arXiv Detail & Related papers (2024-03-04T09:27:11Z)
- Towards Zero-Trust 6GC: A Software Defined Perimeter Approach with Dynamic Moving Target Defense Mechanism [1.33134751838052]
This paper introduces the concept of Software Defined Perimeter (SDP) as an innovative solution.
We capitalize on the SDP controller-based authentication and authorization mechanisms to secure the EPC network's control and data plane functions.
We augment the SDP zero-trust capabilities via the incorporation of a dynamic component, the Moving Target Defense (MTD).
arXiv Detail & Related papers (2023-12-27T02:54:55Z)
- Toward 6G Native-AI Network: Foundation Model based Cloud-Edge-End Collaboration Framework [55.73948386625618]
We analyze the challenges of achieving 6G native AI from perspectives of data, AI models, and operational paradigm. We propose a 6G native AI framework based on foundation models, provide an integration method for the expert knowledge, present the customization for two kinds of PFM, and outline a novel operational paradigm for the native AI framework.
arXiv Detail & Related papers (2023-10-26T15:19:40Z)
- Smart Fuzzing of 5G Wireless Software Implementation [4.1439060468480005]
We introduce a comprehensive approach to bolstering the security, reliability, and comprehensibility of OpenAirInterface5G (OAI5G).
We employ AFL++, a powerful fuzzing tool, to fuzzy-test OAI5G with respect to its configuration files rigorously.
Secondly, we harness the capabilities of Large Language Models such as Google Bard to automatically decipher and document the meanings of parameters within the OAI5G that are used in fuzzing.
arXiv Detail & Related papers (2023-09-22T16:45:42Z)
- ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning [80.85273827468063]
Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable.
We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts.
We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
arXiv Detail & Related papers (2021-03-23T15:04:44Z)