Why is NRF poisoning so dangerous?

The Network Repository Function (NRF) is the "central phonebook" of the 5G core. If an attacker can poison it with a rogue Network Function, they can intercept all traffic meant for legitimate services, potentially stealing subscriber authentication keys or modifying call flows. Unlike other attacks that affect individual subscribers, NRF poisoning can compromise the entire core network simultaneously.

Does mTLS solve all SBA security issues?

Mutual TLS (mTLS) provides strong authentication and encryption between microservices, but it doesn't prevent application-layer attacks. An attacker who compromises a single container can still use its valid certificate to perform authorized (but malicious) API calls — such as BOLA-based subscriber enumeration. mTLS is necessary but not sufficient.

What is the role of eBPF in 5G security?

eBPF (Extended Berkeley Packet Filter) allows security tools to monitor syscalls and network traffic at the kernel level with minimal overhead. It is essential for detecting container escapes and unauthorized lateral movement within the highly dynamic 5G core environment. Tools like Tetragon and Falco leverage eBPF for real-time security enforcement.

How does 5G SBA security compare to legacy SS7/Diameter?

The SS7 vulnerabilities and Diameter protocol protocols provided no authentication at all — any node could send any message to any destination. The 5G SBA adds OAuth 2.0, mTLS, and NRF-based authorization, which is a massive improvement. However, the cloud-native architecture introduces entirely new attack classes (container escapes, BOLA, mass assignment) that didn't exist in the legacy monolithic world.

Can network slicing protect against SBA attacks?

Network slicing provides logical separation, but slices share the SBA infrastructure (AMF, NRF, SCP). A BOLA attack or NRF poisoning in the shared control plane affects all slices. True protection requires per-slice NRF instances and slice-specific OAuth scoping — which most current deployments don't implement.

What open-source tools are available for 5G SBA testing?

Open5GS and free5GC provide complete 5G core implementations for lab testing. For API security testing, standard tools (Burp Suite, OWASP ZAP) work against the HTTP/2 APIs. Kubernetes security can be assessed with kube-bench, kube-hunter, and Trivy. TelcoSec's TelcoSec protocol analysis tools provide telecom-specific testing frameworks.

Vulnerabilities In 5g Sba

title: "Vulnerabilities in the 5G SBA" description: "TelcoSec exposes 5G SBA vulnerabilities: NRF poisoning, BOLA in telecom APIs, container breakout paths in Kubernetes-deployed 5G cores, and zero-trust defenses." date: "2024-03-03" lastModified: "2026-05-15" author: "Sentry_Primary" authorName: "TelcoSec Research" category: "CORE_ATTACKS" severity: "CRITICAL" image: "/images/articles/sba-vulnerabilities-hero.webp" imageAlt: "5G SBA Kubernetes Security - Cloud-Native Network Function Vulnerabilities" readingTime: 22

The transition from 4G LTE to 5G Standalone (SA) represents a paradigm shift in mobile network architecture. Where legacy networks relied on monolithic, proprietary hardware communicating over obscure protocols like SS7 vulnerabilities and Diameter protocol, 5G is built on the Service Based Architecture (SBA) — a cloud-native framework where every core network function is a microservice communicating via RESTful APIs over HTTP/2.

This architectural revolution delivers unprecedented operational flexibility, but it simultaneously imports the entire web application and container security threat landscape into the heart of critical national telecommunications infrastructure. Every OWASP API vulnerability, every Kubernetes misconfiguration, and every container escape technique developed against enterprise cloud environments is now directly applicable to the network that carries emergency calls, enables autonomous vehicles, and supports critical infrastructure slicing.

This research provides a comprehensive analysis of SBA-specific attack vectors, from NRF poisoning to API authorization bypass, and the defensive architectures required to mitigate them. For the broader 5G security context including SUCI, 5G-AKA, and SEPP, see our 5G network security architecture analysis.

CLASSIFIED

// CONTENT UPGRADE AVAILABLE

TECHNICAL GUIDE: 5G SBA Security Audit Checklist

Download the comprehensive NF-level security audit checklist for Kubernetes-deployed 5G cores (PDF).

GET CHECKLIST [→]

In this architecture, Network Functions (NFs) are deployed as cloud-native microservices — typically in Docker containers managed by Kubernetes — communicating via RESTful APIs over HTTP/2. This article dissects the specific attack vectors exposed by the 5G SBA, including NRF poisoning, BOLA exploitation, container escape paths, and protocol translation vulnerabilities at the 4G/5G interworking boundary.

KEY TAKEAWAYS:

NRF poisoning allows for total control over core traffic flows.
BOLA and Mass Assignment expose subscriber data at the API layer.
Container escape from border NFs provides kernel-level access.
Zero Trust mesh (Istio/mTLS) is mandatory for core survival.
4G interworking introduces legacy Diameter protocol attack vectors into the 5G core.

I. 5G SBA Architecture Overview

Before analyzing attack vectors, it's essential to understand the NF landscape. The 5G SBA decomposes the monolithic EPC into discrete, independently scalable Network Functions:

Core Network Functions and Their Attack Surface

Network Function	Role	API Surface	Risk Level
NRF	Service discovery & authorization	NF registration/discovery	Critical — single point of failure
AMF	Access & mobility management	UE registration, handover	High — border-facing NF
SMF	Session management	PDU session lifecycle	High — controls data plane
UDM	Subscriber data management	Subscription queries	Critical — contains all subscriber data
AUSF	Authentication	5G-AKA/EAP-AKA'	Critical — key derivation
UPF	User plane forwarding	N4 (PFCP)	High — data plane access
NSSF	Slice selection	NSSAI routing	High — cross-slice routing
PCF	Policy control	Policy rules	Medium — QoS/charging
NEF	API exposure to external apps	Northbound APIs	High — external attack surface
NWDAF	Analytics & ML	Data collection	Medium — lateral movement pivot
SCP	Service communication proxy	All inter-NF traffic	Critical — if compromised, all traffic visible

All inter-NF communication uses HTTP/2 with JSON payloads, routed through the Service Communication Proxy (SCP). The NRF provides OAuth 2.0-based access tokens for NF-to-NF authorization. This is a radical departure from the implicit trust model of SS7 legacy signaling — but introduces its own class of vulnerabilities.

VUEFLOW::SBA_TOPOLOGY

Interactive: Drag nodes / Zoom with scroll wheel

INITIALIZING INTERACTIVE CANVAS [→]

TECHNICAL GUIDE: 5G SBA Security Audit Checklist

I. 5G SBA Architecture Overview

Core Network Functions and Their Attack Surface

WAS THIS ARTICLE HELPFUL?