As part of the AMF network product, the AMF is expected to contain the AMF application, i.e. a set of running processes (typically more than one) executing the software package for the AMF functions and the OAM functions that is specific to the AMF network product model. Functionalities specific to the AMF network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.512.
In addition to the critical assets of a GNP as described in clause 5.2 of the present document, the critical assets specific to the AMF to be protected are:
AMF Application;
Mobility Management data: e.g. subscriber's identities (e.g. SUCI), subscriber keys (i.e. KNASenc, KNASint, NH), authentication parameters, address of the serving gNB, APN name, data related to mobility management such as UE status and UE's IP address, session management data such as PDN type and QoS, or node selection and routing selection data, e.g. IP address of the UPF serving the UE, routing connection selected based on the UE's identity, etc.
The interfaces of the AMF to be protected and which are within SECAM scope, for example:
Service based interface, Namf, for providing services to SMF, AUSF, NEF, PCF, GMLC, SMSF, LMF and UDM
Service based interface for consuming services from NSSF, SMF, LMF, SMSF, PCF, 5G-EIR, UDM, AUSF, and NRF
Reference point interfaces:
N1.
N2.
N26.
Console interface, for local access: local interface on AMF.
OAM interface, for remote access: interface between AMF and OAM system.
Threat Description: If RAND and AUTS are not included when synchronization fails, the resynchronization procedure does not work correctly. This can result in a waste of system resources and deny a legitimate user access to the system.
Threat name: Failed integrity check of Initial Registration message
Threat Category: Denial of Service
Threat Description: If the integrity check of the attach message fails, the user identity cannot be verified. This can result in a waste of system resources and deny a legitimate user access to the system.
Threat Description: If a malicious UE initiates a registration request using a SUCI and this request is followed by primary authentication in which an incorrect RES* is sent to the network, then the RES* verification will fail. In this case, if the RES* verification failure is not handled correctly, e.g. the AMF/SEAF does not reject the registration request directly but instead initiates a new authentication procedure with the UE, this would result in a waste of system resources.
Threat Category: Tampering of Data, Information Disclosure
Threat Description: If the SMC does not include the complete initial NAS message when either the AMF requested it or the UE sent the initial NAS message unprotected, the UE can force the system to reduce the security level by using weaker security algorithms or turning security off, making the system easily attacked and/or compromised.
Threatened Asset: User account data and credentials
Threat Category: Tampering of data, Information Disclosure, Denial of Service
Threat Description: If NAS does not use the highest priority algorithm, NAS layer risks being exposed and/or modified or being exposed to denial of service.
Threatened Asset: Sufficient Processing Capacity, Control plane signalling
Threat Description: If NAS NULL integrity protection is used outside of emergency call scenarios, an attacker can initiate unauthenticated non-emergency calls.
Threat Category: Tampering of Data, Information Disclosure, Denial of Service
Threat Description: If the Security Mode Complete message is not confidentiality protected, the AMF cannot be certain that the SMC was executed correctly. This can result in a waste of system resources and deny a legitimate user access to the system.
Threat Category: Tampering of Data, Information Disclosure
Threat Description: If the AMF cannot verify that the UE 5G security capabilities received from the source gNB via the target gNB are the same as the UE security capabilities that the AMF has stored, the source gNB may force the system to accept a weaker security algorithm than the system is allowed to use. This forces the system into a lowered security level, making it easily attacked and/or compromised.
Threatened Asset: User account data and credentials
Threat name: NAS integrity protection algorithm selection in AMF change
Threat Category: Tampering of Data, Information Disclosure
Threat Description: If the highest priority NAS integrity protection algorithm is not selected by the new AMF during AMF change, the new AMF could end up using a weaker algorithm, forcing the system into a lowered security level and making the system easily attacked and/or compromised.
Threatened Asset: User account data and credential
Threat Description: If authentication fails in the AMF and the non-emergency bearer is not released, the UE can continue receiving unauthorized calls, wasting valuable system resources.
Threat name: Invalid or unacceptable UE security capabilities
Threat Category: Tampering of Data, Information Disclosure
Threat Description: A flawed AMF implementation accepting insecure or invalid UE security capabilities may put User Plane and Control Plane traffic at risk, without the operator being aware of it. If NULL ciphering algorithm and/or NULL integrity protection algorithm of the UE security capabilities is accepted by the AMF, all the subsequent NAS, RRC, and UP messages will not be confidentiality and/or integrity protected. The attacker can easily intercept or tamper control plane data and the user plane data. This can result in information disclosure as well as tampering of data.
Threatened Asset: User account data and credentials, Mobility Management data.
Threat name: Invalid encoding of UE 5G security capabilities on the NG interface
Threat Category: Tampering of data, Information Disclosure
Threat Description: A flawed AMF implementation that incorrectly encodes the UE 5G security capabilities from the initial UE registration request to the corresponding Context Setup Request message on the NG interface will pose a risk to the AS user plane and control plane. It should be noted that encoding from the NAS to the NGAP protocol in this case is not a one-to-one copy of the UE 5G security capabilities but must consider the specifics of the NGAP protocol. Specifically, four bits are available to the encoder at the NAS layer for NIA0, NIA1, NIA2, NIA3, while only three bits are available at the NGAP layer for these four algorithms. If the algorithms are not transferred correctly to the gNB/ng-eNB due to an incorrect implementation of the AMF, the RAN node will misinterpret the algorithm list, resulting in the selection of an incorrect security algorithm on the AS. In the end, this may result in the selection of an insecure (e.g. null) algorithm letting an attacker easily intercept or manipulate control plane data and user plane data, leading to information disclosure.
Threatened Asset: User account data and credentials, Mobility Management data.
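The NAS-to-NGAP encoding mismatch of this threat and the NULL-capability check of the preceding one, as an added Python example that is not code from the specification or from any AMF product. The bit positions are assumed to follow the UE security capability IE of TS 24.501 (NAS) and the UESecurityCapabilities IE of TS 38.413 (NGAP); the reject policy in validate_ue_integrity_caps is an assumption of this example.

```python
# Assumed layouts (not quoted from the page):
#   NAS integrity octet, MSB first: bit8 = 5G-IA0 (NULL), bit7 = 128-5G-IA1,
#   bit6 = 128-5G-IA2, bit5 = 128-5G-IA3, bits4..1 = 5G-IA4..5G-IA7.
#   NGAP nRintegrityProtectionAlgorithms: 16-bit string, first bit = 128-NIA1,
#   second = 128-NIA2, third = 128-NIA3, rest reserved; NIA0 has no position.
NAS_IA_BITS = {"NIA0": 0x80, "NIA1": 0x40, "NIA2": 0x20, "NIA3": 0x10}
NGAP_IA_POS = {"NIA1": 0, "NIA2": 1, "NIA3": 2}  # index into the 16-bit string


def nas_integrity_set(octet: int) -> set:
    """Algorithms the UE advertised in the NAS UE security capability IE."""
    return {name for name, mask in NAS_IA_BITS.items() if octet & mask}


def ngap_integrity_bits_naive(octet: int) -> str:
    """Flawed encoder from the threat: copies the top NAS bits straight into
    the NGAP string, so the NIA0 bit lands in the 128-NIA1 position and every
    real algorithm shifts by one."""
    return format(octet, "08b")[:3].ljust(16, "0")


def ngap_integrity_bits(octet: int) -> str:
    """Correct encoder: NIA0 is not signalled on NGAP; NIA1..NIA3 are placed
    at their own positions instead of being copied by offset."""
    bits = ["0"] * 16
    for name, pos in NGAP_IA_POS.items():
        if octet & NAS_IA_BITS[name]:
            bits[pos] = "1"
    return "".join(bits)


def ngap_integrity_set(bitstring: str) -> set:
    """What the gNB/ng-eNB will believe the UE supports."""
    return {name for name, pos in NGAP_IA_POS.items() if bitstring[pos] == "1"}


def validate_ue_integrity_caps(octet: int) -> bool:
    """Assumed AMF policy: a capability set with no non-NULL integrity
    algorithm is invalid and must not lead to an unprotected NAS/AS context."""
    return bool(nas_integrity_set(octet) & {"NIA1", "NIA2", "NIA3"})
```

With a UE advertising NIA0 and NIA2 (octet 0xA0), the naive encoder tells the RAN node the UE supports NIA1 and NIA3 instead.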
Threat Description: If a new 5G-GUTI is not allocated by AMF in certain registration scenarios (i.e. after receiving Registration Request message of type "initial registration", or Registration Request message of type "mobility registration update", or Service Request message sent by the UE in response to a Paging message), an attacker could keep on tracking the user using the old 5G-GUTI after these registration procedures. For a CIOT UE in idle state with suspend indication, even though the UE will not initiate Service Request after receiving a paging message, if a new 5G-GUTI is not allocated, the attacker can replay the paging message multiple times, and based on the responding messages the attacker could still be able to track the UE.
Threat name: NAS based redirection from 5GS to EPS
Threat Category: Denial of Service, Information disclosure.
Threat Description: In NAS based redirection from 5GS to EPS in 5G CIoT, when a UE initiates a registration procedure with the AMF, the AMF may redirect the UE from 5GC to EPC with a Registration Reject message sent to the UE. If the Registration Reject message carrying the EMM cause which indicates to the UE that it shall not use 5GC is not protected, the attacker can modify the cause and the UE will try to connect to the EPS. This will lead to a bidding-down attack on the UE.
Threat name: Failed verification of UE identity during RRC Reestablishment Procedure for CP CIoT 5GS Optimization
Threat Category: Denial of Service.
Threat Description: If verification of a UE using CP CIoT 5GS Optimization during the RRC Reestablishment procedure fails, the user identity cannot be verified. This can result in a waste of system resources and deny a legitimate user access to the system. In addition, if the AMF does not correctly indicate the result of the verification to the ng-eNB, an illegitimate UE may successfully re-establish on the ng-eNB, resulting in a waste of system resources.
Threat Description: After successful network slice-specific authentication and authorization, there will be an Allowed NSSAI list both in the UE and in the AMF. The UE will then initiate the PDU session establishment request with the requested S-NSSAIs included. If the AMF does not verify whether the received S-NSSAIs are within the Allowed NSSAI list stored at the AMF, an attacker can still include the rejected S-NSSAIs in the request and access the slice after failing the NSSAA procedure.