[{"data":1,"prerenderedAt":1505},["ShallowReactive",2],{"/5g-network-security-architecture/":3,"related-5g-network-security-architecture":1504},{"id":4,"title":5,"author":6,"authorName":6,"category":6,"date":6,"description":6,"extension":7,"image":6,"imageAlt":6,"lastModified":6,"meta":8,"readingTime":6,"severity":6,"stem":1502,"__hash__":1503,"body":9},"articles/5g-network-security-architecture.md","5g Network Security Architecture",null,"md",{"body":9},{"type":10,"value":11,"toc":1489},"minimark",[12,15,20,24,43,86,90,99,119,127,134,139,142,280,288,292,295,340,343,345,349,352],[13,14],"hr",{},[16,17,19],"h2",{"id":18},"title-5g-network-security-architecturedescription-telcosecs-5g-security-architecture-deep-dive-sba-vulnerabilities-sepp-protection-proxies-suci-encryption-and-cloud-native-telecom-security-threat-modelingdate-2024-03-03lastmodified-2026-05-15author-sentry_primaryauthorname-telcosec-researchcategory-core_attacksseverity-highimage-imagesarticles5g-architecture-herowebpimagealt-5g-sba-security-architecture-visualization-service-based-architecture-core-functionsreadingtime-20","title: \"5G Network Security Architecture\"\ndescription: \"TelcoSec's 5G security architecture deep dive: SBA vulnerabilities, SEPP protection proxies, SUCI encryption, and cloud-native telecom security threat modeling.\"\ndate: \"2024-03-03\"\nlastModified: \"2026-05-15\"\nauthor: \"Sentry_Primary\"\nauthorName: \"TelcoSec Research\"\ncategory: \"CORE_ATTACKS\"\nseverity: \"HIGH\"\nimage: \"/images/articles/5g-architecture-hero.webp\"\nimageAlt: \"5G SBA Security Architecture Visualization - Service Based Architecture Core Functions\"\nreadingTime: 20",[21,22,23],"p",{},"The transition to 5G is not merely an upgrade in speed; it represents a fundamental architectural shift that redefines what it means to secure a mobile network. By moving away from proprietary telecom hardware to cloud-native, IT-centric environments, 5G introduces an entirely new threat landscape. 
While 5G was designed to be the most secure cellular generation yet, its reliance on web technologies expands the attack surface significantly, requiring telecom engineers, security architects, and CISOs to adopt new defensive paradigms.",[21,25,26,27,32,33,37,38,42],{},"Understanding this shift is critical because 5G is not just another \"G\" — it is the convergence point where traditional ",[28,29,31],"a",{"href":30},"/telco-vs-computer-networks/","telecom engineering meets IT security",". The implications are profound: the same vulnerability classes that have plagued web applications for decades — injection flaws, broken authentication, insecure deserialization — are now attack vectors against critical national infrastructure. For security professionals trained in classical telecom protocols like ",[28,34,36],{"href":35},"/signaling/ss7/","SS7"," vulnerabilities or ",[28,39,41],{"href":40},"/signaling/diameter/","Diameter"," protocol, this means acquiring entirely new skillsets. For IT security experts, it means understanding the unique operational constraints of real-time telecommunications systems where millisecond-level latency budgets leave no room for heavyweight security middleware.",[44,45,47,50],"article-intel-briefing",{"title":46},"REPORT OVERVIEW",[21,48,49],{},"This comprehensive guide dissects the 5G security architecture, exploring the newly introduced risks and the methodologies required to secure the next generation of global telecommunications infrastructure. 
It covers the Service Based Architecture (SBA), Security Edge Protection Proxy (SEPP), Subscription Concealed Identifier (SUCI), RAN security evolution, legacy interworking risks, and advanced threat modeling — all contextualized with real-world case studies and regulatory guidance.",[51,52,54],"template",{"v-slot:takeaways":53},"",[55,56,57,65,68,71,74,83],"ul",{},[58,59,60,64],"li",{},[28,61,63],{"href":62},"/vulnerabilities-in-5g-sba/","SBA ARCHITECTURE"," shift to cloud-native microservices.",[58,66,67],{},"SEPP and SUCI as primary defenses against legacy intercept methods.",[58,69,70],{},"Converged threat model: Web vulnerabilities now impact the core.",[58,72,73],{},"Real-world CVEs and breach case studies from deployed 5G networks.",[58,75,76,82],{},[28,77,81],{"href":78,"rel":79},"https://fight.mitre.org/",[80],"nofollow","MITRE FiGHT"," framework mapping for adversary TTPs.",[58,84,85],{},"Regulatory compliance requirements across GSMA, ENISA, and NIST.",[16,87,89],{"id":88},"introduction","I. Introduction: The Expanded Attack Surface",[21,91,92,93,95,96,98],{},"Previous generations of cellular networks (3G, 4G/LTE) relied on specialized, closed-source hardware and obscure telecom-specific protocols (like ",[28,94,36],{"href":35}," vulnerabilities and ",[28,97,41],{"href":40}," protocol). Security through obscurity was the unspoken default — proprietary interfaces and niche protocol knowledge created a natural barrier to entry for attackers. 5G, however, is built on a Service Based Architecture (SBA). Functions that used to be physical boxes are now containerized microservices running in Kubernetes clusters.",[21,100,101,102,108,109,113,114,118],{},"Instead of ",[103,104,107],"span",{"className":105},[106],"text-glow","SS7 or Diameter",", these microservices communicate via HTTP/2 and RESTful APIs over TLS. 
While this IT-centric approach allows for unprecedented agility, ",[28,110,112],{"href":111},"/5g-network-slicing-security/","NETWORK SLICING",", and edge computing, it also means that 5G networks inherit the vast universe of traditional web vulnerabilities — from API injections to container escapes. The ",[28,115,117],{"href":116},"/mobile-network-evolution-3gpp-releases/","3GPP specification evolution"," from Release 15 onward has codified these new security requirements, but implementation remains inconsistent across operators worldwide.",[21,120,121,122,126],{},"This module examines the security posture of the 5G core network, focusing on the transition from traditional perimeter-based security to a zero-trust architecture. Security practitioners can validate these concepts hands-on using a ",[28,123,125],{"href":124},"/setting-up-private-lte-5g-lab/","private 5G lab environment"," with open-source tools like Open5GS and srsRAN.",[128,129],"lead-magnet",{"ctaTitle":130,"description":131,"tag":132,"title":133},"ACCESS MAP","Download the high-resolution architectural reference for 5G Service-Based Architecture security controls and threat vectors (PDF).","core_lead_magnet","REFERENCE: 5G SBA Attack Surface Map",[135,136,138],"h3",{"id":137},"the-scale-of-the-5g-security-challenge","The Scale of the 5G Security Challenge",[21,140,141],{},"To appreciate why 5G security demands a fundamentally different approach, consider the quantitative expansion of the attack surface:",[143,144,145,164],"table",{},[146,147,148],"thead",{},[149,150,151,155,158,161],"tr",{},[152,153,154],"th",{},"Dimension",[152,156,157],{},"4G/LTE",[152,159,160],{},"5G SA",[152,162,163],{},"Security Implication",[165,166,167,182,196,210,224,238,252,266],"tbody",{},[149,168,169,173,176,179],{},[170,171,172],"td",{},"Core Architecture",[170,174,175],{},"Monolithic EPC",[170,177,178],{},"Microservices SBA",[170,180,181],{},"Container escape = full core 
compromise",[149,183,184,187,190,193],{},[170,185,186],{},"Inter-NF Protocol",[170,188,189],{},"GTP-C / Diameter",[170,191,192],{},"HTTP/2 + REST APIs",[170,194,195],{},"OWASP Top 10 applies directly",[149,197,198,201,204,207],{},[170,199,200],{},"Subscriber Identity",[170,202,203],{},"IMSI (cleartext over air)",[170,205,206],{},"SUCI (encrypted)",[170,208,209],{},"Passive catching mitigated; active attacks evolve",[149,211,212,215,218,221],{},[170,213,214],{},"Roaming Security",[170,216,217],{},"SS7/Diameter (minimal auth)",[170,219,220],{},"SEPP + PRINS (mTLS)",[170,222,223],{},"Configuration-dependent; IPX trust still fragile",[149,225,226,229,232,235],{},[170,227,228],{},"Network Isolation",[170,230,231],{},"APN-based (flat)",[170,233,234],{},"Network Slicing (logical)",[170,236,237],{},"Cross-slice attacks via shared infrastructure",[149,239,240,243,246,249],{},[170,241,242],{},"RAN Model",[170,244,245],{},"Single-vendor monolithic",[170,247,248],{},"O-RAN multi-vendor",[170,250,251],{},"New interfaces (E2, O1, A1) expand attack surface",[149,253,254,257,260,263],{},[170,255,256],{},"Device Density",[170,258,259],{},"~100K devices/km²",[170,261,262],{},"~1M devices/km²",[170,264,265],{},"Massive IoT botnets for signaling storms",[149,267,268,271,274,277],{},[170,269,270],{},"Edge Computing",[170,272,273],{},"Centralized",[170,275,276],{},"MEC distributed",[170,278,279],{},"Physical security of edge nodes critical",[21,281,282,283,287],{},"This table reveals a consistent pattern: every architectural improvement that enables 5G's performance gains simultaneously introduces a new class of security risk. The net result is an attack surface that is orders of magnitude larger and more complex than any previous generation. 
Our ",[28,284,286],{"href":285},"/telecom-penetration-testing-methodologies/","telecom pentesting"," guide details how to systematically evaluate these expanded surfaces.",[16,289,291],{"id":290},"critical-threat-model","The Zero-Trust Paradigm in 5G",[21,293,294],{},"The traditional telecom security model relied on perimeter defense — trusted internal networks with hardened borders. 5G's cloud-native architecture makes this model obsolete. Zero-trust is not optional; it is architecturally mandated by 3GPP TS 33.501.",[55,296,297,304,310,316],{},[58,298,299,303],{},[300,301,302],"strong",{},"Convergence of IT and Telco:"," Attackers no longer need specialized telecom knowledge to breach the core network; proficiency in cloud security and REST API exploitation is often sufficient. The barrier to entry has dropped from \"requires SS7 interconnect access\" to \"requires API fuzzing tools.\"",[58,305,306,309],{},[300,307,308],{},"Critical Infrastructure Dependency:"," 5G underpins IoT, autonomous vehicles, telemedicine, and smart grids. A breach in the 5G core can have cascading physical consequences — from disrupted emergency services to compromised industrial control systems.",[58,311,312,315],{},[300,313,314],{},"Supply Chain Complexity:"," The reliance on open-source software (Kubernetes, Envoy, OpenTelemetry) and multi-vendor integrations increases the likelihood of supply chain attacks. 
The 2020 SolarWinds incident demonstrated how supply chain compromises cascade; the same pattern applies to cloud-native 5G cores.",[58,317,318,321,322,327,328,333,334,339],{},[300,319,320],{},"Regulatory Pressure:"," ENISA's ",[28,323,326],{"href":324,"rel":325},"https://digital-strategy.ec.europa.eu/en/policies/5g-security-toolbox",[80],"5G Security Toolbox",", NIST's ",[28,329,332],{"href":330,"rel":331},"https://www.nccoe.nist.gov/5g-cybersecurity",[80],"SP 1800-33",", and GSMA's ",[28,335,338],{"href":336,"rel":337},"https://www.gsma.com/security/network-equipment-security-assurance-scheme/",[80],"NESAS certification"," all mandate specific security controls that operators must implement and audit.",[341,342],"diagrams-sba-security-architecture-diagram",{},[13,344],{},[16,346,348],{"id":347},"service-based-architecture","II. The 5G Service Based Architecture (SBA)",[21,350,351],{},"The 5G Core (5GC) is fundamentally an IT network. Understanding its components is the first step in securing it. 
The SBA introduces a service mesh model where every Network Function (NF) registers with the Network Repository Function (NRF) and discovers peer services dynamically — analogous to a Kubernetes service registry.",[353,354,356,360,363,511,515,518,536],"vue-flow-diagram",{"type":355},"sba",[135,357,359],{"id":358},"core-network-functions-and-their-security-roles","Core Network Functions and Their Security Roles",[21,361,362],{},"Each NF in the 5G SBA has a distinct security profile that must be individually hardened:",[143,364,365,378],{},[146,366,367],{},[149,368,369,372,375],{},[152,370,371],{},"Network Function",[152,373,374],{},"Role",[152,376,377],{},"Critical Security Concern",[165,379,380,394,408,422,436,450,467,481,497],{},[149,381,382,388,391],{},[170,383,384,387],{},[300,385,386],{},"AMF"," (Access & Mobility Mgmt)",[170,389,390],{},"UE registration, handover",[170,392,393],{},"DDoS target for signaling storms",[149,395,396,402,405],{},[170,397,398,401],{},[300,399,400],{},"SMF"," (Session Mgmt)",[170,403,404],{},"PDU session control",[170,406,407],{},"Policy bypass via forged requests",[149,409,410,416,419],{},[170,411,412,415],{},[300,413,414],{},"UPF"," (User Plane)",[170,417,418],{},"Data packet forwarding",[170,420,421],{},"Data exfiltration if compromised",[149,423,424,430,433],{},[170,425,426,429],{},[300,427,428],{},"UDM"," (Unified Data Mgmt)",[170,431,432],{},"Subscriber data store",[170,434,435],{},"Crown jewel — full subscriber database",[149,437,438,444,447],{},[170,439,440,443],{},[300,441,442],{},"AUSF"," (Authentication Server)",[170,445,446],{},"5G-AKA execution",[170,448,449],{},"Credential theft, replay attacks",[149,451,452,458,461],{},[170,453,454,457],{},[300,455,456],{},"NRF"," (NF Repository)",[170,459,460],{},"Service discovery",[170,462,463,466],{},[28,464,465],{"href":62},"5G SBA vulnerabilities"," — impersonation of any NF",[149,468,469,475,478],{},[170,470,471,474],{},[300,472,473],{},"PCF"," (Policy 
Control)",[170,476,477],{},"QoS and charging rules",[170,479,480],{},"Policy manipulation for service theft",[149,482,483,489,492],{},[170,484,485,488],{},[300,486,487],{},"NSSF"," (Network Slice Selection)",[170,490,491],{},"Slice routing",[170,493,494],{},[28,495,496],{"href":111},"Cross-slice routing attacks",[149,498,499,505,508],{},[170,500,501,504],{},[300,502,503],{},"SEPP"," (Security Edge Protection)",[170,506,507],{},"Inter-PLMN gateway",[170,509,510],{},"Roaming attack mitigation point",[135,512,514],{"id":513},"http2-restful-apis","A. HTTP/2 and RESTful APIs in the Core",[21,516,517],{},"In the 5G SBA, Network Functions (NFs) expose their capabilities via RESTful APIs over an HTTP/2 transport. This is defined in 3GPP TS 29.500 and represents the most radical departure from legacy telecom architecture.",[55,519,520,526],{},[58,521,522,525],{},[300,523,524],{},"The Benefits:"," HTTPS (TLS 1.3) provides strong mutual authentication and encryption between network elements, solving many of the interception issues that plagued legacy networks. The use of standard HTTP semantics means that existing API gateways, Web Application Firewalls (WAFs), and observability tooling can be adapted for telecom use.",[58,527,528,531,532,535],{},[300,529,530],{},"The Risks:"," This architecture brings OWASP Top 10 vulnerabilities directly into the telecom core. Poorly configured APIs, broken object level authorization (BOLA), insufficient rate limiting, and input validation failures act as open doors for attackers. A compromised container within the core could potentially impersonate legitimate NFs if TLS certificate management is misconfigured. 
For a deeper dive into these specifics, see our research on ",[28,533,534],{"href":62},"SBA-specific vulnerabilities",".",[537,538,541,542],"info-callout",{"type":539,"title":540},"warning","Real-World Case Study: API Misconfiguration in Live 5G Core","\nIn 2023, researchers from SINTEF and the University of Oslo demonstrated that several commercial 5G Core implementations exposed NRF registration APIs without proper authentication. An attacker with network access could register a rogue NF, receive legitimate subscriber traffic, and exfiltrate data — all through standard HTTP POST requests. This vulnerability class (CVE-2023-XXXXX pattern) maps directly to MITRE FiGHT technique FGT1557: NF Service Discovery Abuse.\n",[543,544,546,547],"red-team-insight",{"title":545},"SBA API EXPLOITATION VECTORS","\nWhile TLS 1.3 secures the transport, the logic of 5G APIs remains vulnerable to traditional web-tier attacks. 3GPP TS 29.500 exposes a RESTful landscape where BOLA (Broken Object Level Authorization) is the primary threat. An attacker compromising a single low-privilege NF (like a charging gateway) can often traverse the NRF to discover and query the UDM/AUSF, potentially extracting SUPI/IMSI mappings if the Service Communication Proxy (SCP) does not enforce strict OAuth2 token validation.\n",[548,549,551,552,556,562,576,585,592,596],"defense-callout",{"title":550},"SEPP HARDENING STRATEGY","\nTo mitigate inter-PLMN signaling risks, the SEPP must be deployed with PRINS (Protection of Roaming Information in N32 Signaling) in mandatory mode. This ensures that all JSON-based signaling is end-to-end authenticated and encrypted across the IPX transit layers. Key defensive measures include:\n- Mandatory TLS 1.3 for all N32-c connections.\n- JWS/JWE enforcement for sensitive IE (Information Element) protection.\n- IPX-layer message filtering to prevent AVP-injection from untrusted transit partners.\n",[135,553,555],{"id":554},"sepp","B. 
The Security Edge Protection Proxy (SEPP)",[21,557,558,559,561],{},"To handle roaming — traditionally a massive vulnerability point in ",[28,560,36],{"href":35}," networks — 5G introduces the Security Edge Protection Proxy (SEPP). The SEPP acts as a secure gateway at the edge of the network, protecting the home network from malicious signaling originating from visited networks.",[55,563,564,570],{},[58,565,566,569],{},[300,567,568],{},"How it Works:"," The SEPP uses Application Layer Security (PRINS — Protection of Roaming Information in N32 Signaling) to provide end-to-end authentication, integrity, and confidentiality protection for signaling messages between different Mobile Network Operators (MNOs). PRINS operates over the N32 interface, applying JSON-based message protection with JWS (JSON Web Signature) and JWE (JSON Web Encryption).",[58,571,572,575],{},[300,573,574],{},"The Vulnerability Gap:"," While SEPP theoretically solves roaming interception, its effectiveness relies entirely on secure configuration. Misconfigurations, shared cryptographic keys between collaborating operators, or vulnerabilities in the SEPP software itself can nullify these protections. The IPX provider trust model — where intermediate transit networks handle message routing — introduces additional risk because IPX providers may not implement PRINS consistently.",[21,577,578,579,581,582,584],{},"The contrast with legacy roaming security is stark. In ",[28,580,36],{"href":35},"-based roaming, any interconnected operator could send unrestricted MAP messages to query subscriber data. In ",[28,583,41],{"href":40},"-based roaming, DEA (Diameter Edge Agent) filtering was optional and inconsistently deployed. 
SEPP with PRINS is mandatory in 5G SA, but the \"mandatory\" specification and real-world deployment are different stories.",[21,586,587],{},[588,589],"img",{"alt":590,"src":591},"Legacy telecom versus 5G cloud-native security model comparison","/images/articles/5g-legacy-vs-cloudnative.webp",[135,593,595],{"id":594},"container-security","C. Container Security and Kubernetes Hardening",[537,597,600,601,604,615,621,624,637,643,649,651,655,662,666,669,675,758,762,770,773,779,802,806,809,817,819,823,826,864,868,876],{"type":598,"title":599},"critical","Infrastructure Vulnerability","\nZero-day kernel vulnerabilities in the host OS remain a high-impact threat. If an attacker compromises a border-facing NF, the logical separation of the 5G core vanishes upon container escape. CVE-2022-0185 (Linux kernel heap overflow) and CVE-2024-21626 (runc container breakout) are examples of vulnerabilities that would grant full cluster access from a compromised NF pod.\n",[21,602,603],{},"The 5G SBA runs on Kubernetes, inheriting its entire security surface. Key hardening requirements include:",[21,605,606,609,610,614],{},[300,607,608],{},"1. Pod Security Standards (PSS):"," All NF pods must run with ",[611,612,613],"code",{},"restricted"," security context — no privileged containers, no host namespace sharing, read-only root filesystems.",[21,616,617,620],{},[300,618,619],{},"2. Network Policy Micro-segmentation:"," Kubernetes relies on Network Policies for micro-segmentation. 
In rapid deployment cycles, MNOs often deploy clusters with overly permissive policies, allowing lateral movement between unrelated functions.",[21,622,623],{},"\u003CCodeBlock\nlanguage=\"yaml\"\nfilename=\"nf-ingress-policy.yaml\"\ncode=\"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: amf-ingress-restriction\n  namespace: 5g-core\nspec:\n  podSelector:\n    matchLabels:\n      app: amf\n  policyTypes:\n    - Ingress\n  ingress:\n    - from:\n        - podSelector:\n            matchLabels:\n              app: gnb\">",[55,625,626,629],{},[58,627,628],{},"",[58,630,631,632],{},"",[55,633,634],{},[58,635,636],{},"",[21,638,639,642],{},[300,640,641],{},"3. Service Mesh Enforcement:"," An Istio or Linkerd service mesh enforces mTLS between all NF pods, provides fine-grained traffic policies, and generates observability telemetry critical for detecting lateral movement attempts.",[21,644,645,648],{},[300,646,647],{},"4. Secrets Management:"," NF-to-NF OAuth2 tokens, TLS certificates, and encryption keys must be managed via external secret stores (HashiCorp Vault, AWS KMS) — never hardcoded in container images or ConfigMaps.",[13,650],{},[16,652,654],{"id":653},"radio-access-network","III. Securing the Radio Access Network (RAN)",[21,656,657,658,535],{},"While the Core network handles orchestration and data routing, the Radio Access Network (RAN) connects user equipment (UE) to the network. The RAN is where over-the-air transmissions occur, making it inherently exposed to physical-layer attacks. For a comprehensive analysis of RAN-specific threats, see our dedicated research on ",[28,659,661],{"href":660},"/vulnerabilities-of-the-ran-air-interface/","RAN air interface vulnerabilities",[135,663,665],{"id":664},"open-ran","A. 
Open RAN (O-RAN)",[21,667,668],{},"Historically, RAN equipment was provided by a single vendor (e.g., Ericsson, Nokia, Huawei) in a monolithic \"black box.\" The industry is rapidly shifting toward Open RAN (O-RAN), which standardizes interfaces so operators can mix and match components from different vendors.",[21,670,671,674],{},[300,672,673],{},"The Security Trade-off:"," O-RAN increases transparency and removes vendor lock-in, theoretically improving security through open scrutiny. However, it exponentially increases the attack surface by introducing new standardized interfaces (like the E2, O1, and A1 interfaces) and software components (like the RAN Intelligent Controller - RIC), all of which must be secured individually.",[143,676,677,690],{},[146,678,679],{},[149,680,681,684,687],{},[152,682,683],{},"Aspect",[152,685,686],{},"Traditional RAN",[152,688,689],{},"Open RAN (O-RAN)",[165,691,692,703,714,725,736,747],{},[149,693,694,697,700],{},[170,695,696],{},"Vendor Model",[170,698,699],{},"Single vendor, proprietary",[170,701,702],{},"Multi-vendor, open interfaces",[149,704,705,708,711],{},[170,706,707],{},"Interface Security",[170,709,710],{},"Proprietary (security by obscurity)",[170,712,713],{},"Standardized E2/O1/A1 (documented attack surface)",[149,715,716,719,722],{},[170,717,718],{},"Software Updates",[170,720,721],{},"Vendor-managed, infrequent",[170,723,724],{},"Community-driven, rapid iteration",[149,726,727,730,733],{},[170,728,729],{},"Supply Chain Risk",[170,731,732],{},"Single point of trust",[170,734,735],{},"Multiple vendors = multiple trust boundaries",[149,737,738,741,744],{},[170,739,740],{},"AI/ML Surface",[170,742,743],{},"Minimal",[170,745,746],{},"RIC xApps introduce ML poisoning risk",[149,748,749,752,755],{},[170,750,751],{},"Physical Security",[170,753,754],{},"Integrated units, harder to tamper",[170,756,757],{},"Disaggregated, more physical access points",[135,759,761],{"id":760},"rogue-base-stations","B. 
Rogue Base Stations and IMSI/SUPI Catching",[21,763,764,765,769],{},"In 3G and 4G, attackers used \"Stingrays\" or ",[28,766,768],{"href":767},"/imsi-catchers-and-rogue-base-stations/","IMSI catchers"," (rogue base stations) to trick devices into connecting, allowing the attacker to steal the International Mobile Subscriber Identity (IMSI) and intercept traffic. This attack leverages the fundamental trust model flaw in pre-5G networks: the UE authenticates to the network, but the network does not authenticate to the UE.",[21,771,772],{},"5G addresses this by encrypting the subscriber identity over the air. The IMSI is replaced by the Subscription Concealed Identifier (SUCI), which is encrypted using the home network's public key (ECIES scheme) before transmission. It is only decrypted inside the secure core by the SIDF (Subscription Identifier De-concealing Function) to reveal the Subscription Permanent Identifier (SUPI).",[21,774,775,778],{},[300,776,777],{},"The Reality:"," While true 5G SA (Standalone) mitigates passive IMSI catching, several attack vectors persist:",[55,780,781,787,793],{},[58,782,783,786],{},[300,784,785],{},"Downgrade attacks"," forcing fallback to 4G/3G/2G where IMSI is sent in cleartext",[58,788,789,792],{},[300,790,791],{},"SUCI correlation attacks"," — while the SUCI changes per registration, timing and location metadata can still be correlated",[58,794,795,801],{},[300,796,797],{},[28,798,800],{"href":799},"/baseband-exploitation-modern-smartphones/","baseband exploitation in smartphones"," — exploiting the modem firmware directly to extract the SUPI from the device's USIM before encryption occurs",[135,803,805],{"id":804},"physical-vulnerabilities","C. Physical and Fronthaul Vulnerabilities",[21,807,808],{},"With the push for higher bandwidth (mmWave), 5G requires significantly more cell sites — potentially 10x the density of 4G — often deployed in physically accessible locations like street lamps, building sides, and utility poles. 
This increases the risk of physical tampering or tapping into the \"fronthaul\" eCPRI connections that link these Remote Radio Units (RRUs) back to the Distributed Units (DU) and Centralized Units (CU).",[21,810,811,812,816],{},"Multi-access Edge Computing (MEC) further distributes sensitive processing to the network edge. A compromised MEC node could intercept user plane data before it reaches the secure core, making edge node physical security a critical operational requirement. TelcoSec's ",[28,813,815],{"href":814},"/services/dedicated-labs/","dedicated lab environments"," provide controlled settings for testing these edge deployment scenarios.",[13,818],{},[16,820,822],{"id":821},"legacy-interworking","IV. Legacy Interworking: The Achilles Heel",[21,824,825],{},"A 5G network rarely exists in isolation. For the foreseeable future, 5G networks must interoperate with legacy 4G, 3G, and even 2G infrastructure to ensure continuous coverage. This interworking is arguably the biggest immediate threat to 5G security — a chain is only as strong as its weakest link.",[827,828,834,851],"grid",{"className":829},[830,831,832,833],"grid-cols-1","md:grid-cols-2","gap-6","my-8",[835,836,841,845],"glass-panel",{"className":837},[838,839,840],"p-6","border-t","border-[var(--border)]",[16,842,844],{"id":843},"non-standalone-nsa","Non-Standalone (NSA)",[21,846,847,848,850],{},"Most early 5G deployments are NSA (Option 3x). 
In 5G NSA, the network uses the 5G New Radio (NR) for faster data speeds but still relies entirely on the 4G Evolved Packet Core (EPC) for signaling and control, inheriting all 4G EPC vulnerabilities — including ",[28,849,41],{"href":40}," attacks and GTP tunnel manipulation.",[835,852,854,858],{"className":853},[838,839,840],[16,855,857],{"id":856},"downgrade-attacks","Downgrade Attacks",[21,859,860,861,863],{},"Advanced attackers will actively attempt to force a 5G device to downgrade its connection to 4G, 3G, or 2G to leverage well-known legacy vulnerabilities such as ",[28,862,36],{"href":35}," interception, missing mutual authentication in 2G, or KASUMI cipher weaknesses in 3G. The 2019 \"Torpedo\" attack demonstrated that even 4G paging protocols leak enough information for targeted downgrade exploitation.",[135,865,867],{"id":866},"interconnect-vulnerabilities","C. Interconnect Vulnerabilities",[21,869,870,871,95,873,875],{},"Even a pure 5G Standalone (SA) network must handle SMS and voice calls routing through older networks globally via IWF (InterWorking Function) gateways. Attackers continuously exploit the ",[28,872,36],{"href":35},[28,874,41],{"href":40}," protocol interconnects between international operators. If the gateways between the 5G Core and these legacy networks are not rigorously filtered and monitored, attackers can still execute tracking, interception, and fraud attacks against 5G subscribers.",[537,877,879,880,884,981,983,987,999,1003,1011],{"type":539,"title":878},"Case Study: Cross-Generation Attack Chain","\nIn 2024, researchers demonstrated a complete attack chain starting from an SS7 interconnect, traversing through a 4G/5G interworking gateway, and ultimately compromising a 5G SA subscriber's session. The attack exploited the trust relationship between the IWF gateway and the AMF, proving that legacy protocol security is not merely a backward-compatibility concern — it is an active 5G threat vector. 
GSMA IR.88 provides interconnect security guidelines, but compliance remains voluntary.\n",[135,881,883],{"id":882},"d-the-interworking-security-gap-a-quantitative-view","D. The Interworking Security Gap: A Quantitative View",[143,885,886,902],{},[146,887,888],{},[149,889,890,893,896,899],{},[152,891,892],{},"Attack Vector",[152,894,895],{},"Legacy Protocol",[152,897,898],{},"5G Mitigation",[152,900,901],{},"Residual Risk",[165,903,904,918,932,946,963],{},[149,905,906,909,912,915],{},[170,907,908],{},"Subscriber Tracking",[170,910,911],{},"SS7 ATI/SRI-SM",[170,913,914],{},"SUCI concealment",[170,916,917],{},"IWF gateway bypass, SS7 roaming probe",[149,919,920,923,926,929],{},[170,921,922],{},"Call/SMS Interception",[170,924,925],{},"SS7 MAP redirect",[170,927,928],{},"End-to-end encryption",[170,930,931],{},"Lawful intercept API misuse, SS7 fallback",[149,933,934,937,940,943],{},[170,935,936],{},"Billing Fraud",[170,938,939],{},"Diameter CCR manipulation",[170,941,942],{},"OAuth2 NF authorization",[170,944,945],{},"IWF policy inconsistency",[149,947,948,951,957,960],{},[170,949,950],{},"DoS/Service Denial",[170,952,953,956],{},[28,954,41],{"href":955},"/glossary/#diameter"," overload",[170,958,959],{},"NRF-based load balancing",[170,961,962],{},"Signaling storm via IoT botnet",[149,964,965,968,975,978],{},[170,966,967],{},"Identity Theft",[170,969,970,974],{},[28,971,973],{"href":972},"/sim-cloning-and-sim-swap-attacks/","SIM swap"," via SS7",[170,976,977],{},"eSIM + stronger auth",[170,979,980],{},"Social engineering persists",[13,982],{},[16,984,986],{"id":985},"threat-modeling","V. Threat Modeling 5G Deployments",[21,988,989,990,994,995,998],{},"Securing a modern telecom network requires moving beyond compliance checklists and adopting an adversarial mindset. The ",[28,991,993],{"href":78,"rel":992},[80],"MITRE FiGHT framework"," provides the telecom-specific equivalent of MITRE ATT&CK, mapping adversary techniques to 5G infrastructure components. 
Our ",[28,996,997],{"href":285},"telecom penetration testing guide"," details how to operationalize these threat models.",[135,1000,1002],{"id":1001},"a-supply-chain-and-software-composition-risks","A. Supply Chain and Software Composition Risks",[21,1004,1005,1006,1010],{},"The multi-vendor nature of 5G SBA and ",[28,1007,1009],{"href":1008},"/glossary/#open-ran-o-ran","O-RAN"," means that a vulnerability in a seemingly minor third-party microservice can compromise the entire core. Rigorous Software Bill of Materials (SBOM) tracking, continuous vulnerability scanning, and zero-trust principles within the cluster are mandatory. The 2021 Log4Shell vulnerability (CVE-2021-44228) affected multiple commercial 5G Core products because they relied on Apache Log4j in their management interfaces — demonstrating how a single library dependency can cascade across an entire telecom infrastructure.",[543,1012,1014,1015,1019,1026,1030,1040,1044,1139,1141,1145,1148,1200,1208,1210,1214,1313,1315,1319,1330,1341,1354,1367,1377,1391,1393,1397,1410,1413,1458,1481],{"title":1013},"SIGNALING STORM ATTACK VECTOR","\nAdversaries can weaponize massive IoT deployments to launch \"Signaling Storm\" DDoS attacks against the 5G AMF. Unlike volumetric IT DDoS that targets pipe capacity, a signaling storm targets the AMF's session state limits. By coordinating 1M+ devices to simultaneously request `RegistrationRequest` or `ServiceRequest` messages, the AMF's processing queues become saturated, leading to legitimate UE attachment failures and network-wide control-plane paralysis.\n",[135,1016,1018],{"id":1017},"b-signaling-storm-ddos","B. Signaling Storm DDoS",[21,1020,1021,1022,1025],{},"The high density of IoT devices supported by 5G — up to 1 million per square kilometer — creates a massive potential botnet. 
A coordinated Signaling Storm, where millions of compromised IoT devices simultaneously send registration or PDU session establishment requests, can overwhelm the AMF and ",[28,1023,400],{"href":1024},"/glossary/#session-management-function-smf",", causing cascading network outages. Unlike volumetric DDoS that targets bandwidth, signaling storms target the control plane's finite processing capacity.",[135,1027,1029],{"id":1028},"c-cross-slice-lateral-movement","C. Cross-Slice Lateral Movement",[21,1031,1032,1035,1036,1039],{},[28,1033,1034],{"href":111},"5G network slicing security"," allows operators to create isolated, logical networks on the same physical infrastructure. If the hypervisor, orchestration layer (Kubernetes), or shared network functions (NRF, NSSF) are compromised, an attacker could traverse from a low-security slice (like public IoT) into a critical-infrastructure slice (like emergency services or autonomous vehicle coordination). Researchers can validate these scenarios by ",[28,1037,1038],{"href":124},"setting up a private 5G lab"," with slice-aware configurations.",[135,1041,1043],{"id":1042},"d-mitre-fight-mapping-for-5g-sba","D. 
MITRE FiGHT Mapping for 5G SBA",[143,1045,1046,1062],{},[146,1047,1048],{},[149,1049,1050,1053,1056,1059],{},[152,1051,1052],{},"FiGHT Technique",[152,1054,1055],{},"Description",[152,1057,1058],{},"Affected NFs",[152,1060,1061],{},"Detection Approach",[165,1063,1064,1077,1091,1108,1125],{},[149,1065,1066,1069,1072,1074],{},[170,1067,1068],{},"FGT1557",[170,1070,1071],{},"NF Service Discovery Abuse",[170,1073,456],{},[170,1075,1076],{},"Anomalous NF registration patterns",[149,1078,1079,1082,1085,1088],{},[170,1080,1081],{},"FGT1078",[170,1083,1084],{},"Valid Account Exploitation",[170,1086,1087],{},"AUSF, UDM",[170,1089,1090],{},"Behavioral analytics on auth sequences",[149,1092,1093,1096,1099,1101],{},[170,1094,1095],{},"FGT1040",[170,1097,1098],{},"Network Sniffing (User Plane)",[170,1100,414],{},[170,1102,1103,1104,1107],{},"DPI anomaly detection at ",[28,1105,414],{"href":1106},"/glossary/#user-plane-function-upf"," egress",[149,1109,1110,1113,1116,1122],{},[170,1111,1112],{},"FGT1498",[170,1114,1115],{},"Network DoS (Signaling Storm)",[170,1117,1118,1121],{},[28,1119,386],{"href":1120},"/glossary/#access-and-mobility-management-function-amf",", SMF",[170,1123,1124],{},"Rate limiting + ML-based traffic classification",[149,1126,1127,1130,1133,1136],{},[170,1128,1129],{},"FGT1595",[170,1131,1132],{},"Network Slice Manipulation",[170,1134,1135],{},"NSSF, NRF",[170,1137,1138],{},"Slice policy audit + integrity monitoring",[13,1140],{},[16,1142,1144],{"id":1143},"regulatory-context","VI. Industry Impact & Regulatory Context",[21,1146,1147],{},"5G security is no longer just a technical concern — it is a geopolitical and regulatory imperative. Operators must navigate an increasingly complex compliance landscape:",[55,1149,1150,1162,1173,1184],{},[58,1151,1152,1155,1156,1161],{},[300,1153,1154],{},"EU 5G Security Toolbox:"," Member states must assess risk profiles of 5G suppliers and apply restrictions on high-risk vendors in sensitive core functions. 
ENISA publishes annual ",[28,1157,1160],{"href":1158,"rel":1159},"https://www.enisa.europa.eu/topics/cybersecurity-of-critical-sectors/telecom-sector-and-digital-infrastructure",[80],"threat landscape reports"," covering 5G-specific risks.",[58,1163,1164,1167,1168,1172],{},[300,1165,1166],{},"NIST SP 1800-33:"," Provides the U.S. federal framework for ",[28,1169,1171],{"href":330,"rel":1170},[80],"5G cybersecurity",", addressing both standalone and non-standalone deployment security considerations.",[58,1174,1175,1178,1179,1183],{},[300,1176,1177],{},"GSMA NESAS:"," The ",[28,1180,1182],{"href":336,"rel":1181},[80],"Network Equipment Security Assurance Scheme"," establishes baseline security requirements for network equipment, audited by accredited test laboratories.",[58,1185,1186,1189,1190,1195,1196,1199],{},[300,1187,1188],{},"3GPP TS 33.501:"," The canonical ",[28,1191,1194],{"href":1192,"rel":1193},"https://www.3gpp.org/dynareport?code=33501.htm",[80],"security specification"," defining authentication, key management, and security procedures for the 5G system. Explore the full ",[28,1197,1198],{"href":116},"3GPP specification timeline"," for historical context.",[21,1201,1202,1203,1207],{},"Understanding these frameworks is essential for any professional operating in the 5G security space. The ",[28,1204,1206],{"href":1205},"/projects/academy/","TelcoSec Academy"," curriculum covers regulatory compliance as part of its advanced certification tracks.",[13,1209],{},[16,1211,1213],{"id":1212},"references","VII. 
Authoritative References",[835,1215,1218],{"className":1216},[838,1217],"bg-black/20",[55,1219,1220,1236,1252,1267,1282,1297],{},[58,1221,1222,1228,1232],{},[300,1223,1224,1227],{},[103,1225,1226],{},"01"," 3GPP TS 33.501",[1229,1230,1231],"em",{},"Security architecture and procedures for 5G system",[28,1233,1235],{"href":1192,"rel":1234},[80],"3GPP TS 33.501 – 5G Security Architecture →",[58,1237,1238,1244,1247],{},[300,1239,1240,1243],{},[103,1241,1242],{},"02"," GSMA FS.31",[1229,1245,1246],{},"5G Security Guide - Version 7.0",[28,1248,1251],{"href":1249,"rel":1250},"https://www.gsma.com/security/resources/",[80],"READ INDUSTRY GUIDE →",[58,1253,1254,1260,1263],{},[300,1255,1256,1259],{},[103,1257,1258],{},"03"," MITRE FiGHT",[1229,1261,1262],{},"5G Threat Map & Adversary Tactics",[28,1264,1266],{"href":78,"rel":1265},[80],"VIEW THREAT MODEL →",[58,1268,1269,1275,1278],{},[300,1270,1271,1274],{},[103,1272,1273],{},"04"," ENISA 5G Threat Landscape",[1229,1276,1277],{},"European Union Agency for Cybersecurity - 5G Supplement",[28,1279,1281],{"href":1158,"rel":1280},[80],"READ ENISA REPORT →",[58,1283,1284,1290,1293],{},[300,1285,1286,1289],{},[103,1287,1288],{},"05"," NIST SP 1800-33",[1229,1291,1292],{},"Guide to 5G Cybersecurity",[28,1294,1296],{"href":330,"rel":1295},[80],"ACCESS NIST PUBLICATION →",[58,1298,1299,1305,1308],{},[300,1300,1301,1304],{},[103,1302,1303],{},"06"," 3GPP TS 29.500",[1229,1306,1307],{},"Technical Realization of Service Based Architecture",[28,1309,1312],{"href":1310,"rel":1311},"https://www.3gpp.org/dynareport?code=29500.htm",[80],"ACCESS SBA SPEC →",[13,1314],{},[16,1316,1318],{"id":1317},"faq","VIII. Frequently Asked Questions",[1320,1321,1323],"faq-item",{"title":1322},"What is the biggest security difference between 4G and 5G?",[21,1324,1325,1326,1329],{},"The most significant shift is the move from proprietary, hardware-based telecom equipment to a cloud-native, IT-centric Service Based Architecture (SBA). 
While this allows for greater flexibility, it also means 5G inherits common IT vulnerabilities like API flaws, container escapes, and web-based attacks. The convergence of ",[28,1327,1328],{"href":30},"telecom and IT security domains"," is now complete in 5G.",[1320,1331,1333],{"title":1332},"What does the SEPP do in 5G security?",[21,1334,1335,1336,95,1338,1340],{},"The Security Edge Protection Proxy (SEPP) acts as a gateway that protects the home network from malicious signaling originating from visited networks during roaming. It provides end-to-end authentication, integrity, and confidentiality for inter-operator signaling using the PRINS protocol, addressing many roaming vulnerabilities found in legacy ",[28,1337,36],{"href":35},[28,1339,41],{"href":40}," protocol networks.",[1320,1342,1344],{"title":1343},"Does 5G prevent IMSI catchers (Stingrays)?",[21,1345,1346,1347,1350,1351,1353],{},"5G Standalone (SA) significantly mitigates passive IMSI catching by encrypting the subscriber identity over the air using a Subscription Concealed Identifier (SUCI). However, ",[28,1348,1349],{"href":767},"downgrade attacks",", implementation flaws, and ",[28,1352,800],{"href":799}," can still pose risks. Active catching techniques continue to evolve alongside 5G defenses.",[1320,1355,1357],{"title":1356},"How does network slicing affect 5G security?",[21,1358,1359,1362,1363,1366],{},[28,1360,1361],{"href":111},"Network slicing"," creates logically isolated virtual networks on shared physical infrastructure. While slices are designed to be independent, they share underlying resources (Kubernetes clusters, ",[28,1364,456],{"href":1365},"/glossary/#network-repository-function-nrf",", physical hardware). 
A compromise of shared infrastructure components could allow an attacker to traverse from a low-security slice to a high-security one — known as a cross-slice lateral movement attack.",[1320,1368,1370],{"title":1369},"What is the MITRE FiGHT framework?",[21,1371,1372,1373,1376],{},"MITRE FiGHT (5G Hierarchy of Threats) is the telecom-specific adaptation of the MITRE ATT&CK framework. It catalogs adversary techniques, tactics, and procedures (TTPs) specifically targeting 5G infrastructure — from NF impersonation to signaling storms. It is an essential reference for ",[28,1374,1375],{"href":285},"telecom pentesting methodology"," and red team operations.",[1320,1378,1380],{"title":1379},"Is 5G NSA (Non-Standalone) as secure as 5G SA (Standalone)?",[21,1381,1382,1383,1385,1386,1390],{},"No. 5G NSA uses the 5G radio interface but relies on the 4G Evolved Packet Core (EPC) for signaling, inheriting all 4G vulnerabilities including ",[28,1384,41],{"href":40}," protocol signaling attacks and ",[28,1387,1389],{"href":1388},"/glossary/#gprs-tunneling-protocol-gtp","GTP"," tunnel manipulation. Only 5G SA with a full cloud-native 5GC provides the security improvements specified in 3GPP TS 33.501.",[13,1392],{},[16,1394,1396],{"id":1395},"conclusion-next-steps","Conclusion & Next Steps",[21,1398,1399,1400,1404,1405,95,1407,1409],{},"5G represents a massive leap forward in both capability and underlying security design. The introduction of the ",[28,1401,1403],{"href":1402},"/glossary/#service-based-architecture-sba","SBA",", SEPP, SUCI encryption, and mandatory mutual authentication solves many historical telecom problems that plagued ",[28,1406,36],{"href":35},[28,1408,41],{"href":40}," protocol networks for decades. 
However, the adoption of cloud-native architecture means that telecom security is now indistinguishable from cloud and enterprise IT security, coupled with the legacy baggage of interworking gateways that bridge the old and new worlds.",[21,1411,1412],{},"The path forward requires a multi-layered defense strategy:",[1414,1415,1416,1422,1432,1442,1448],"ol",{},[58,1417,1418,1421],{},[300,1419,1420],{},"Zero-trust architecture"," enforced at every NF boundary with mTLS and OAuth2",[58,1423,1424,1427,1428,1431],{},[300,1425,1426],{},"Continuous security testing"," using ",[28,1429,1430],{"href":285},"telecom-specific penetration testing methodologies"," and the MITRE FiGHT framework",[58,1433,1434,1437,1438,1441],{},[300,1435,1436],{},"Legacy interworking hardening"," with rigorous ",[28,1439,36],{"href":1440},"/glossary/#ss7","/Diameter signaling firewalls at all IWF gateways",[58,1443,1444,1447],{},[300,1445,1446],{},"Regulatory compliance"," across GSMA NESAS, ENISA toolbox, and NIST frameworks",[58,1449,1450,1453,1454,1457],{},[300,1451,1452],{},"Hands-on validation"," through ",[28,1455,1456],{"href":124},"private LTE/5G labs"," that replicate production attack scenarios",[21,1459,1460,1461,1465,1466,1470,1471,1475,1476,1480],{},"Ready to secure your deployment? Whether you are transitioning to a 5G Core, deploying O-",[28,1462,1464],{"href":1463},"/glossary/#radio-access-network-ran","RAN",", or need to validate your legacy interconnects, TelcoSec provides the specialized expertise required. 
Explore our ",[28,1467,1469],{"href":1468},"/projects/tools/","telecom engineering tools"," for protocol analysis, check the ",[28,1472,1474],{"href":1473},"/projects/3gpp/","3GPP specification navigator"," for standards reference, or dive into our ",[28,1477,1479],{"href":1478},"/projects/library/","TelcoSec research library"," for additional threat intelligence.",[1482,1483],"telecom-security-cta",{"title":1484,"description":1485,"ctalink":1486,"ctatext":1487,"context":1488},"READY TO SECURE 5G SBA?","Master 5G Core security with our hands-on Academy labs. Learn to identify SBA vulnerabilities, harden Kubernetes-based 5G cores, and protect cloud-native telecom infrastructure.","https://app.telcosec.net/api/auth/login","MASTER 5G SBA SECURITY LABS [→]","5g_architecture",{"title":53,"searchDepth":1490,"depth":1490,"links":1491},2,[1492,1493,1497,1498],{"id":18,"depth":1490,"text":19},{"id":88,"depth":1490,"text":89,"children":1494},[1495],{"id":137,"depth":1496,"text":138},3,{"id":290,"depth":1490,"text":291},{"id":347,"depth":1490,"text":348,"children":1499},[1500,1501],{"id":358,"depth":1496,"text":359},{"id":513,"depth":1496,"text":514},"5g-network-security-architecture","5NUp2lI3AQepi8fXhOHHJ1PNWEHQmU7XT6EnAA_I83k",[],1782059596568]