5. 5G_Specific

Legal & Ethical Notice — US Law

This document is for educational and defensive security research purposes only.

All techniques described herein are analyzed in a controlled lab environment using your own equipment and licensed test SIMs. Applying any of these techniques to real-world cellular infrastructure, third-party devices, or spectrum you do not own is illegal under US federal law, including:

47 U.S.C. § 333 — Prohibits interference with radio communications. RF jamming is illegal for all private parties and state/local law enforcement with no exceptions. The FCC has imposed fines exceeding $34 million for marketing jamming devices.
47 U.S.C. § 301 — Requires an FCC license to transmit on licensed spectrum. Operating a fake base station (eNodeB/gNB) on live cellular frequencies without authorization violates this statute.
47 U.S.C. § 605 — Prohibits unauthorized interception of radio communications not intended for the recipient.
18 U.S.C. § 2511 (Wiretap Act) — Prohibits intentional interception of electronic communications, including voice (VoLTE/RTP) and data.
18 U.S.C. § 1029 — Prohibits fraud involving access devices. SIM cards are federally defined access devices; cloning, unauthorized key extraction, and related acts are federal crimes.
18 U.S.C. § 1030 (CFAA) — Prohibits unauthorized access to computer systems, including telecom signaling infrastructure (Diameter, GTP, SBI APIs).

Lab use requirements: All radio experiments must be conducted in an RF-shielded environment (Faraday cage) using test SIMs provisioned in your own Open5GS/srsRAN lab. No transmission on live cellular bands is permitted without an FCC experimental license.

This document does not constitute legal advice. Consult a licensed attorney before conducting any security research involving radio spectrum or telecommunications infrastructure.

Layer 5 — 5G-Specific Attack Surface

Overview

5G introduces fundamental architectural changes that create new attack surfaces not present in 4G:

Service Based Architecture (SBA) — all core NFs communicate via HTTP/2 REST APIs
Network Slicing — multiple virtual networks share the same physical infrastructure
O-RAN — open, disaggregated RAN with standardized interfaces between components
Edge Computing (MEC) — compute pushed to the network edge
SUCI/SUPI — subscriber identity concealment
5G NSA vs SA — Non-Standalone reuses 4G anchor, inheriting its weaknesses

5G Architecture Reference

flowchart LR
    UE --> gNB

    subgraph 5GC["5G Core (5GC)"]
        gNB -- N2/N3 --> AMF
        AMF -- N8 --> UDM
        AMF -- N11 --> SMF
        SMF -- N4 --> UPF
        UPF -- N6 --> Internet
        AMF -- N12 --> AUSF
        NRF["NRF\n(service discovery)\nAll NFs register here"]
        NSSF["NSSF\n(slice selection)"]
        PCF["PCF\n(policy)"]
    end

    subgraph ORAN["O-RAN"]
        NRT_RIC["Near-RT RIC"]
        NONRT_RIC["Non-RT RIC"]
        ODU["O-DU / O-CU"]
        ORU["O-RU"]

        NONRT_RIC -- A1 --> NRT_RIC
        NRT_RIC -- E2 --> ODU
        ODU -- "Open Fronthaul (eCPRI)" --> ORU
    end

Threat Points

5.1 SUPI/SUCI De-anonymization

What it is: 5G conceals the subscriber's permanent identity (SUPI/IMSI) using SUCI (Subscription Concealed Identifier), encrypted with the home network's public key via ECIES.

Protections:

SUPI never sent in cleartext over air (unlike 4G)
ECIES (Elliptic Curve Integrated Encryption Scheme) per 3GPP TS 33.501

Residual attack vectors:

5.1.1 SUCI Correlation

SUCI changes every registration, but timing and network behavior can correlate to the same device
Passive SUCI collection → traffic analysis → device fingerprinting (without SUPI)

5.1.2 IMEI Still Exposed

PEI (IMEI in 5G) can be requested in cleartext during 5G registration in some flows
IMEI is persistent — correlates across SUCI changes
3GPP recommends IMEI encryption but many deployments don't enforce it

5.1.3 Downgrade to 4G (NSA)

5G NSA uses 4G anchor (LTE core)
UE still performs 4G NAS attach → IMSI exposed as in 4G
Attacker can block 5G SA frequencies → force NSA → exploit 4G IMSI catch

5.1.4 SUPI Extraction via Compromised UDM

In a lab/test environment: UDM decrypts SUCI → SUPI
If UDM API (Nudm) is accessible without mTLS → query SUPI resolution endpoint

Tools:

srsRAN + UERANSIM (5G SA lab)
Wireshark: observe NGAP Registration Request → check mobileIdentity field type (SUCI vs 5G-GUTI)

5.2 NRF (Network Repository Function) Enumeration

What it is: The NRF is the 5G service discovery hub. All Network Functions (NFs) register with NRF and query it to discover peers. NRF exposes an HTTP/2 REST API.

Default NRF behavior (no auth):

Any client that can reach the NRF can query ALL registered NFs
Returns: NF types, IP addresses, FQDN, capacity, slice IDs (S-NSSAIs), supported services

Example NRF query (unauthenticated, if mTLS not enforced):

# Discover all registered NFs
curl -s http://nrf:8000/nnrf-nfm/v1/nf-instances \
  -H "Accept: application/json" | jq .

# Discover specific NF type (e.g., AMF)
curl -s "http://nrf:8000/nnrf-disc/v1/nf-instances?target-nf-type=AMF&requester-nf-type=SMF" \
  -H "Accept: application/json" | jq .

What this reveals:

All AMF, SMF, UDM, AUSF, PCF addresses
Slice configurations (S-NSSAIs per NF)
NF instance IDs (UUIDs) for further targeting
Load and capacity information

Mitigation per 3GPP TS 33.501: mTLS between all SBI interfaces (mandatory in spec, optional in many deployments)

Lab test:

# Open5GS NRF default — listens on localhost:8000
# In a lab, test NRF discovery without mTLS configured
curl http://127.0.0.1:8000/nnrf-nfm/v1/nf-instances

# With UERANSIM generating traffic, watch NF registrations

5.3 AMF / SMF / UDM SBI API Attacks

What it is: Each 5G core NF exposes HTTP/2 REST APIs as defined in 3GPP TS 29.5xx. If mTLS is not enforced or certificates are not validated, any accessible endpoint can be queried.

High-value endpoints:

AMF (Access and Mobility Management Function)

Namf_Communication/UEContextTransfer   → transfer UE context (can be abused for handover hijack)
Namf_EventExposure/Subscribe           → subscribe to UE mobility events (location tracking)
Namf_MT/EnableUEReachability           → wake up UE (paging trigger)

UDM (Unified Data Management — replaces HSS)

Nudm_SubscriberDataManagement/Get      → retrieve subscription profile (SUPI, services)
Nudm_UEAuthentication/GenerateAuthData → trigger AKA vector generation (impersonate AUSF)
Nudm_EventExposure/Subscribe           → track UE registration events

SMF (Session Management Function)

Nsmf_PDUSession/Create                 → create data session for arbitrary SUPI
Nsmf_PDUSession/Update                 → modify active session (redirect traffic)
Nsmf_EventExposure/Subscribe           → monitor PDU session events

Attack scenario (no mTLS):

# Impersonate AUSF and request auth vectors for target SUPI
curl -X POST http://udm:8000/nudm-ueau/v1/{supi}/security-information/generate-auth-data \
  -H "Content-Type: application/json" \
  -d '{"servingNetworkName":"5G:mnc001.mcc001.3gppnetwork.org","ausfInstanceId":"fake-uuid"}'

Legal note: Querying 5G SBI endpoints (AMF, UDM, SMF, AUSF) on a production network without authorization violates 18 U.S.C. § 1030 (CFAA). The curl example above impersonates an AUSF to extract authentication vectors — this is for local Open5GS lab testing only. Never use production NRF/UDM/AUSF endpoint addresses.

Tools:

curl / httpie — HTTP/2 SBI queries
Postman — API exploration
Wireshark with HTTP/2 dissector — capture SBI traffic in Open5GS lab
Open5GS source — reference for all endpoint paths and message formats

5.4 Network Slice Isolation Bypass

What it is: 5G allows multiple virtual networks (slices) to run on shared physical infrastructure. Slice isolation is supposed to prevent cross-slice access.

Slice identifiers:

S-NSSAI (Single Network Slice Selection Assistance Information): SD + SST
NSSAI in UE registration → NSSF assigns slice → AMF/SMF/UPF per slice

Attack vectors:

5.4.1 S-NSSAI Spoofing

UE requests a slice it's not authorized for by including unauthorized S-NSSAI in Registration Request
If AMF/NSSF doesn't validate subscription profile against requested slice → unauthorized slice access
Impact: access to enterprise/critical infrastructure slices from commodity UE

5.4.2 Shared UPF Exploitation

Some deployments share a UPF across slices (cost optimization)
If UPF packet rules (PFCP) are misconfigured → cross-slice traffic leakage
GTP-U TEID collision between slices (implementation bug) → packet misdirection

5.4.3 Slice DoS

Exhaust resources on a specific slice (PDU session flooding)
Impact: deny service to all subscribers of that slice (e.g., enterprise IoT, first responders)

Tools:

UERANSIM — configure UE with arbitrary S-NSSAI values
Open5GS — observe NSSF slice selection, test authorization enforcement
Scapy — GTP-U packet injection with cross-slice TEID

UERANSIM slice config:

# ue.yaml — request unauthorized slice
nssai:
  - sst: 1
    sd: "0x000001"   # enterprise slice SD — not provisioned for this UE

5.5 O-RAN Interface Security

What it is: O-RAN disaggregates the base station into separate components (O-RU, O-DU, O-CU) connected by open, standardized interfaces. This openness introduces new attack vectors.

Key O-RAN interfaces:

Interface	Between	Protocol	Risk
Open Fronthaul (eCPRI/ethernet)	O-RU ↔ O-DU	IEEE 1914.3 / eCPRI	Timing attacks, fronthaul DoS
E2	Near-RT RIC ↔ O-CU/O-DU	SCTP/ASN.1	xApp-based RAN manipulation
A1	Non-RT RIC ↔ Near-RT RIC	HTTP/2 REST	Policy injection
O1	SMO ↔ all O-RAN NFs	NETCONF/YANG	Config manipulation
R1	rApp platform ↔ Non-RT RIC	HTTP/2 REST	rApp supply chain

Attack scenarios:

5.5.1 Malicious xApp on Near-RT RIC

xApps run on the Near-RT RIC and control O-DU/O-CU via E2 interface
A malicious or compromised xApp can: degrade handover decisions, block specific UEs, alter QoS for subscribers
O-RAN Alliance TR defines xApp sandboxing but implementation varies

5.5.2 E2 Message Injection

E2 uses SCTP with ASN.1-encoded messages (E2AP protocol)
If Near-RT RIC ↔ O-CU E2 link lacks IPsec/TLS → inject E2 control messages
Impact: manipulate RRM (Radio Resource Management) decisions in real-time

5.5.3 Open Fronthaul Timing Attack

Open Fronthaul relies on IEEE 1588 (PTP) for sub-microsecond timing sync
PTP spoofing → introduce timing errors → degrade radio performance or cause sync loss

5.5.4 A1 Policy Injection

A1 interface delivers ML model hints and policies from Non-RT RIC to Near-RT RIC
Unauthenticated A1 HTTP/2 endpoint → inject adversarial ML policies → degrade RAN performance

Tools:

OpenAirInterface — open-source O-RAN implementation
SD-RAN (ONF) — open-source Near-RT RIC + xApp SDK
e2sim — E2 interface simulator
Custom Scapy scripts for eCPRI/E2AP fuzzing

5.6 PFCP (N4 Interface) Attacks

What it is: PFCP (Packet Forwarding Control Protocol) connects the SMF to the UPF on the N4 interface. It defines packet detection, forwarding, and QoS rules for user plane traffic.

Protocol: UDP port 8805

Attack vectors:

5.6.1 PFCP Session Modification

If N4 is accessible without authentication/encryption → send Session Modification Request
Modify PDR (Packet Detection Rule) or FAR (Forwarding Action Rule)
Impact: redirect subscriber traffic to attacker endpoint, bypass QoS limits

5.6.2 PFCP Session Deletion

Delete active PFCP session → subscriber loses data connectivity

5.6.3 PFCP Heartbeat Flood

Flood UPF with PFCP Heartbeat Requests → CPU exhaustion

Tools:

# Scapy PFCP (requires scapy-contrib or custom layer)
from scapy.contrib.pfcp import PFCP, PFCPSessionEstablishmentRequest

pkt = IP(dst="upf_ip") / UDP(dport=8805) / PFCP() / PFCPSessionEstablishmentRequest()
send(pkt)

Legal note: Modifying or deleting PFCP sessions on a production UPF without authorization violates 18 U.S.C. § 1030 (CFAA). N4 interface access on a real network requires access to the operator's internal infrastructure — any such unauthorized access constitutes a federal crime. The Scapy example is for lab use targeting your own Open5GS UPF only.

5.7 5G NSA — Inherited 4G Weaknesses

Non-Standalone (NSA) mode: 5G NR radio but 4G EPC core.

Implications:

All Layer 2 NAS attacks (IMSI harvest, null encryption, AKA relay) apply
5G NR provides only the data radio bearer; signaling still via LTE
A rogue LTE eNB can trigger NSA → 4G security exposure
Many "5G" deployments globally are still NSA

Detection:

# Android: check NR NSA vs SA
adb shell settings get global preferred_network_mode
# SA = NR only / NSA = NR + LTE

# AT command
AT+QENG="servingcell"   # Quectel: shows NR-SA or NR-NSA

5G Pentest Lab Setup

flowchart TB
    VM["Ubuntu 22.04 VM"]
    VM --> O5GS["Open5GS 5GC\n(AMF, SMF, UPF, UDM, AUSF, NRF, PCF, NSSF)"]
    VM --> UERANSIM["UERANSIM\n(gNB + UE simulator)"]
    VM --> srsRAN["srsRAN 5G NR\n(gNB — needs USRP B210 for real UE)"]
    VM --> SDRAN["SD-RAN / OpenAirInterface\n(O-RAN components)"]
    VM --> WS["Wireshark\nHTTP/2 SBI + GTP-U + PFCP + NGAP capture"]

    subgraph Test Flow
        UE_SIM["UERANSIM UE"] --> REG["registers with\nOpen5GS AMF"]
        REG --> PDU["PDU session via\nSMF/UPF"]
        PDU --> OBS["Observe all SBI calls in Wireshark\n(filter: http2 or ngap or pfcp)"]
    end

macOS note: Docker Desktop on macOS runs containers inside a Linux VM — the above Docker-based setup works identically. However:

Bridge interfaces (br-<id>) are inside the Docker Desktop VM, NOT on the Mac host. Packet capture with tshark -i br-* does not work from the Mac host. Instead, run tshark inside a dedicated capture container on the same Docker network, or use tcpdump inside an existing container:
```
# Capture from inside a container (works on both Mac and Linux)
docker run --rm --net container:open5gs-amf \
  nicolaka/netshoot tshark -i any -Y "ngap or nas-5gs"
```
sudo apt install open5gs is Linux-only. On macOS use Docker Compose (TP-00 Docker method) — do not use apt on Mac.
srsRAN 5G NR real-time PHY is CPU/driver intensive and requires Linux for USRP support; run srsRAN in a Linux VM or use UERANSIM Docker containers for purely simulated tests on macOS.

Quick Open5GS + UERANSIM 5G SA lab:

# Open5GS install
sudo apt install open5gs

# UERANSIM build
git clone https://github.com/aligungr/UERANSIM
cd UERANSIM
mkdir build && cd build
cmake .. && make -j$(nproc)   # Linux
# macOS: cmake .. && make -j$(sysctl -n hw.logicalcpu)

# Start 5GC
sudo systemctl start \
  open5gs-nrfd open5gs-scpd \
  open5gs-amfd open5gs-smfd open5gs-upfd \
  open5gs-ausfd open5gs-udmd open5gs-udrd \
  open5gs-pcfd open5gs-bsfd open5gs-nssfd

# Add test subscriber via web UI (http://127.0.0.1:9999)
# IMSI: 001010000000001, K: 465B5CE8B199B49FAA5F0A2EE238A6BC

# Start simulated gNB
./nr-gnb -c config/open5gs-gnb.yaml

# Start simulated UE
./nr-ue -c config/open5gs-ue.yaml

# Verify PDU session
ip addr show uesimtun0
ping -I uesimtun0 8.8.8.8

5G Security Posture by Deployment Type

Deployment	Slicing	SUCI	mTLS SBI	O-RAN	NSA Weakness
5G SA (spec-compliant)	Yes	Yes	Should be yes	Optional	No
5G NSA (most current deployments)	No	No (4G NAS)	N/A	No	Yes
Private 5G (enterprise)	Yes	Yes	Often no	Possible	No
Lab / Open5GS default	Yes	Yes	No	No	No

Key 3GPP References

Spec	Topic
TS 33.501	5G security architecture (comprehensive)
TS 23.501	5G system architecture
TS 29.500	5G SBI principles (HTTP/2, JSON)
TS 29.510	NRF API
TS 29.518	AMF SBI API
TS 29.502	SMF SBI API
TS 29.503	UDM SBI API
TS 29.244	PFCP (N4 SMF↔UPF)
O-RAN.WG11	O-RAN security threat landscape

Academic / Industry Research

"5GReasoner" (Hussain et al., CCS 2019) — automated 5G NAS/RRC property verification
"O-RAN Security Analysis" (Abdalla et al., WiSec 2022)
"Threats to 5G Networks" (ENISA 2021) — EU threat taxonomy for 5G
"Slicing Security" (GSMA FS.44) — slice isolation threat model
"Practical 5G Core Security" (Positive Technologies) — SBI exposure research
GSMA FS.40 — 5G security guidelines

Complete Layer Index

#	Layer	File	Key Tools
1	RF & Air Interface	1. RF_Air_Interface.md	USRP B210, srsRAN, LTE-Cell-Scanner
2	RRC / NAS Signaling	2. RRC_NAS_Signaling.md	srsRAN, Open5GS, pycrate, FALCON
3	Core Network (Diameter/GTP)	3. Core_Network_Diameter_GTP.md	FreeDiameter, Scapy GTP
4	UE / Android + SIM	4. UE_Android_SIM.md	pySIM, Frida, SCAT, FirmWire
5	5G-Specific	5. 5G_Specific.md	UERANSIM, Open5GS, SD-RAN