Threatening the 5G core via PFCP DoS attacks: the case of blocking UAV communications

The modern communications landscape requires reliable, high-speed, high-throughput and secure links and sessions between user equipment instances and the data network. The 5G core implements the newly defined 3GPP network architecture enabling faster connectivity, low latency, higher bit rates and network reliability. The full potential of this set of networks will support a set of critical Internet of things (IoT) and industrial use cases. Nevertheless, several components and interfaces of the next-generation radio access network (NG-RAN) have proven to be vulnerable to attacks that can potentially obstruct the network's capability to provide reliable end-to-end communication services. Various inherent security flaws and protocol-specific weaknesses have also been identified within the 5G core itself. However, little to no research has gone into testing and exposing said core-related weaknesses, contrary to those concerning the NG-RAN. In this paper, we investigate, describe, develop, implement and finally test a set of attacks on the Packet Forwarding Control Protocol (PFCP) inside the 5G core. We find that, by transmitting unauthorised session control packets, we were able to disrupt established 5G tunnels without disrupting subscribers' connectivity to the NG-RAN, thus hindering the detection of said attacks. We evaluate the identified PFCP attacks in a drone-based scenario involving 5G tunnelling between two swarms.