ATTACK CATEGORIES — Telecom & 5G Security Threat Domains
TelcoSec organizes its security research into five categories across the telecommunications attack surface. Each category maps directly to a distinct architectural layer of the cellular stack — from client-side baseband processors and SIM modules through signaling protocols, radio access networks, and cloud-native 5G core functions.
This taxonomy enables security engineers, red teams, and SOC analysts to locate targeted research, filter threat intelligence by infrastructure layer, and apply category-specific defensive controls aligned with GSMA security guidelines and 3GPP specifications.
The modern cellular network is a multi-generational infrastructure where 2G/3G SS7 signaling coexists with 5G Service Based Architecture (SBA) REST APIs, and where subscriber identity flows through legacy HLRs, modern UDMs, and virtualized AMFs within a single roaming transaction. This architectural complexity, driven by backward compatibility requirements and the global nature of roaming agreements, creates an attack surface that spans hardware, firmware, protocols, and cloud-native software simultaneously.
Standard enterprise security frameworks and threat feeds are not designed for this environment. SIEM rules built for Windows endpoint telemetry cannot interpret anomalies in MAP sendRoutingInfo (SRI) traffic. Web application firewalls cannot inspect GTP-U tunnel headers. Generic vulnerability scanners cannot assess the OAuth2 access tokens that 5G network functions obtain from the NRF for service-based interface access. Effective telecommunications security requires domain-specific tooling, protocol-level expertise, and a threat model organized around the cellular stack rather than the enterprise perimeter.
TelcoSec's research taxonomy addresses this gap by classifying every published vulnerability, exploit technique, and defensive control according to the architectural layer it targets. Security teams can use this structure to scope penetration testing engagements, prioritize remediation efforts, and map findings to MITRE FiGHT techniques and GSMA security guidelines.
// FIVE CORE ATTACK DOMAINS
- User Land: Baseband firmware exploitation, SIM and eSIM compromise, and modem-to-application-processor privilege escalation. Research targets the full UE hardware stack from Qualcomm MSM and Samsung Shannon chipsets through Java Card applets and eSIM remote SIM provisioning (RSP) protocols.
- Signaling: Unauthenticated message injection across SS7 MAP, Diameter S6a/Gx/Gy, GTP-C, and 5G HTTP/2 SBI. Attack classes include location tracking, SMS interception, call redirection, authentication vector harvesting, and NRF poisoning.
- Transmissions: Radio access network (RAN) threats including IMSI catchers, inter-RAT downgrade attacks, O-RAN xHaul interface exploitation, and SDR-based passive interception. These attacks are mounted over the air and require no access to operator infrastructure.
- Core: 5G SBA network function abuse, container escape in Kubernetes-deployed NFs, OAuth2 token manipulation, and lateral movement across AMF, SMF, UPF, and UDM via REST API exploitation.
- Cellular Networks: End-to-end network-level threats spanning public MNO and private 5G deployments — inter-RAT fallback attacks, network slicing isolation failures, multi-access edge computing (MEC) security, and NPN configuration vulnerabilities.
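As an added example (not TelcoSec tooling, and not code from the page), the following Python shows the kind of protocol-aware screening the paragraph above says generic SIEM rules cannot perform, applied to the Signaling domain's attack classes: home-network-only MAP operations arriving from an interconnect partner (location tracking via ATI/SRI), bursts of sendRoutingInfoForSM with no SMS delivery behind them (IMSI and serving-node disclosure), and updateLocation from two countries in an implausibly short interval. The MAP operation codes are the real values from 3GPP TS 29.002; everything else is constructed for the example: the sample records, the home global-title prefix, the country-code map, the thresholds, and the grouping of opcodes into a "home-only" set, which is a simplified approximation of the GSMA FS.11 message categories rather than the FS.11 tables themselves.

```python
"""Category-aware SS7 MAP screening over constructed signaling records.

Added example, not TelcoSec's code. Opcode numbers are real MAP operation
codes (3GPP TS 29.002); the HOME_ONLY_OPS grouping is a simplified stand-in
for the GSMA FS.11 categories and must be replaced with the FS.11 tables in
a real deployment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# MAP operation codes (3GPP TS 29.002)
UPDATE_LOCATION = 2
SEND_ROUTING_INFO = 22            # SRI (voice), used for location tracking
MT_FORWARD_SM = 44
SEND_ROUTING_INFO_FOR_SM = 45     # SRI-SM, discloses IMSI and serving MSC/SGSN
SEND_IMSI = 58
ANY_TIME_INTERROGATION = 71       # ATI, returns cell-level location
PROVIDE_SUBSCRIBER_LOCATION = 83

# Assumption: operations an HLR should only ever receive from nodes inside the
# home PLMN. Receiving one from an interconnect GT is a screening hit.
HOME_ONLY_OPS = {SEND_ROUTING_INFO, SEND_IMSI, ANY_TIME_INTERROGATION,
                 PROVIDE_SUBSCRIBER_LOCATION}

HOME_GT_PREFIX = "4915"                          # constructed home-network GT prefix
COUNTRY_BY_GT_PREFIX = {"49": "DE", "7": "RU", "44": "GB", "1": "US"}  # constructed
MIN_ROAM_GAP = timedelta(minutes=30)             # constructed velocity threshold
SRI_SM_PROBE_THRESHOLD = 3                       # constructed: SRI-SM count with no MT-FSM


def country_of(gt: str) -> str:
    """Map a global title to a country via its E.164 prefix (longest match)."""
    for prefix in sorted(COUNTRY_BY_GT_PREFIX, key=len, reverse=True):
        if gt.startswith(prefix):
            return COUNTRY_BY_GT_PREFIX[prefix]
    return "??"


def screen(records):
    """Return alerts as (rule, imsi, calling_gt, detail) tuples."""
    alerts = []
    last_ul = {}                    # imsi -> (timestamp, country) of last updateLocation
    sri_sm = defaultdict(int)       # calling GT -> SRI-SM count
    mt_fsm = defaultdict(int)       # calling GT -> MT-ForwardSM count

    for r in sorted(records, key=lambda rec: rec["ts"]):
        ts = datetime.fromisoformat(r["ts"])
        cg, op, imsi = r["cg_gt"], r["opcode"], r["imsi"]

        # Rule 1: home-only operation arriving from outside the home network
        if op in HOME_ONLY_OPS and not cg.startswith(HOME_GT_PREFIX):
            alerts.append(("home_only_op_from_interconnect", imsi, cg, f"opcode {op}"))

        # Rule 2: updateLocation velocity check across countries
        if op == UPDATE_LOCATION:
            ctry = country_of(cg)
            prev = last_ul.get(imsi)
            if prev and prev[1] != ctry and ts - prev[0] < MIN_ROAM_GAP:
                alerts.append(("implausible_velocity", imsi, cg,
                               f"{prev[1]}->{ctry} in {ts - prev[0]}"))
            last_ul[imsi] = (ts, ctry)

        if op == SEND_ROUTING_INFO_FOR_SM:
            sri_sm[cg] += 1
        elif op == MT_FORWARD_SM:
            mt_fsm[cg] += 1

    # Rule 3: a GT that probes subscribers with SRI-SM but never delivers SMS
    for gt, n in sri_sm.items():
        if n >= SRI_SM_PROBE_THRESHOLD and mt_fsm[gt] == 0:
            alerts.append(("sri_sm_without_delivery", "*", gt,
                           f"{n} SRI-SM, 0 MT-ForwardSM"))
    return alerts


# Constructed sample traffic: one home-network SRI, an ATI from a Russian GT,
# three SRI-SM probes from that GT, a legitimate GB SMSC doing SRI-SM + MT-FSM,
# then updateLocation for the same IMSI from GB and the US ten minutes apart.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T10:00:00", "cg_gt": "491510001000", "opcode": 22, "imsi": "262010000000001"},
    {"ts": "2024-05-01T10:01:00", "cg_gt": "79161234567",  "opcode": 71, "imsi": "262010000000001"},
    {"ts": "2024-05-01T10:02:00", "cg_gt": "79161234567",  "opcode": 45, "imsi": "262010000000001"},
    {"ts": "2024-05-01T10:03:00", "cg_gt": "79161234567",  "opcode": 45, "imsi": "262010000000002"},
    {"ts": "2024-05-01T10:04:00", "cg_gt": "79161234567",  "opcode": 45, "imsi": "262010000000003"},
    {"ts": "2024-05-01T10:05:00", "cg_gt": "447700900123", "opcode": 45, "imsi": "262010000000001"},
    {"ts": "2024-05-01T10:05:30", "cg_gt": "447700900123", "opcode": 44, "imsi": "262010000000001"},
    {"ts": "2024-05-01T10:10:00", "cg_gt": "447700900123", "opcode": 2,  "imsi": "262010000000002"},
    {"ts": "2024-05-01T10:20:00", "cg_gt": "12125550100",  "opcode": 2,  "imsi": "262010000000002"},
]

if __name__ == "__main__":
    for alert in screen(SAMPLE_RECORDS):
        print(alert)
```

On the constructed sample the screen raises exactly three alerts: the ATI from the interconnect GT, the three undelivered SRI-SM probes from the same GT, and the GB-to-US updateLocation ten minutes apart. The GB SMSC is not flagged because its SRI-SM is followed by an MT-ForwardSM, which is the distinction a generic SIEM rule keyed on message counts alone would miss.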
// GOVERNING STANDARDS & FRAMEWORKS
TelcoSec research is grounded in the official security specifications and industry frameworks that govern cellular network design and operator obligations. Each research article maps findings to one or more of the following governing documents, enabling security teams to directly reference normative requirements during vendor assessments, penetration testing engagements, and regulatory compliance reviews.
Additional frameworks referenced across TelcoSec research include MITRE FiGHT (the 5G Hierarchy of Threats, built on the ATT&CK model), NIST SP 800-187 (Guide to LTE Security), the ENISA Threat Landscape for 5G Networks, and O-RAN Alliance Security Work Group (WG11) specifications. Where applicable, findings are cross-referenced against ETSI NFV security specifications for virtualized network function deployments and GSMA FS.38 for Non-Public Network (private 5G) security architecture.
SCOPE A DOMAIN ASSESSMENT
Our research team conducts targeted penetration tests and threat model reviews across all five telecommunications security domains. Engage TelcoSec for a scoped engagement against your network architecture.