📡 Open5GS Telecom Security Lab Guide
A comprehensive hands-on guide to 4G/5G networks, Kubernetes, and threat modeling for security engineers
🎯 Learning Objectives
By completing this lab guide, you will:
- ✅ Understand 4G LTE EPC architecture (MME, HSS, SGWC/U, PGWC/U)
- ✅ Understand 5G NSA (Non-Standalone) dual connectivity
- ✅ Understand 5G SA (Standalone) Service Based Architecture
- ✅ Build working Docker labs for 4G EPC (Open5GS + srsRAN reference) and 5G SA (Open5GS + UERANSIM)
- ✅ Deploy telecom core networks on Kubernetes with Helm charts
- ✅ Apply STRIDE threat modeling to 4G, 5G, and K8s telecom infrastructure
- ✅ Identify attack surfaces and mitigations for mobile core networks
- ✅ Analyze 20 real-world attack case studies across signaling, identity, SMS/malware, and APT/gang categories
- ✅ Build a prioritized defense roadmap based on attack frequency, impact, and feasibility
📚 Guide Structure
Theory Sections
| Part | File | Description |
|---|---|---|
| 1 | 4G/LTE Fundamentals | EPC architecture, CUPS, interfaces (S1, S5, S6a, S11, Gx) |
| 2 | 5G NSA Architecture | EN-DC, dual connectivity, eNB+gNB integration |
| 3 | 5G SA Architecture | SBA, NRF, all NFs, N-series interfaces, slicing |
Hands-On Labs
| Part | File | Description |
|---|---|---|
| 4 | Docker Lab: 4G EPC | Build 4G LTE EPC with Open5GS on Docker (MME, HSS, PCRF, SGW, PGW) |
| 5 | Docker Lab: 5G NSA | NSA/EN-DC conceptual exercise (UERANSIM cannot simulate NSA) |
| 6 | Docker Lab: 5G SA | Build full 5G SA core with all NFs + UERANSIM gNB/UE end-to-end |
| 7 | Kubernetes Deployment | Deploy Open5GS on K8s with Helm charts |
Threat Modeling
| Part | File | Description |
|---|---|---|
| 8 | 4G Threat Model | STRIDE analysis of 4G EPC attack surface |
| 9 | 5G Threat Model | STRIDE analysis of 5G SA attack surface |
| 10 | K8s + Telecom Threats | Container, orchestration, and supply chain threats |
Real-World Attack Case Studies
| Part | File | Description |
|---|---|---|
| 11 | Core Signaling Attacks (SS7/Diameter/GTP) | SS7 OTP theft, location tracking, Diameter exploitation, commercialized interception, GTP roaming abuse |
| 12 | Subscriber Identity & SIM Attacks | Carrier PII breaches, targeted SIM swapping, insider fraud, metadata abuse, smishing with carrier data |
| 13 | SMS Abuse, Malware & MFA Bypass | Android SMS stealers, OTP interception services, phishing+SS7 combos, A2P abuse, premium SMS fraud |
| 14 | APT & Gang Mobile Operations | State surveillance, APT spear-phishing, ransomware SMS extortion, CaaS operations, coordinated carrier targeting |
| 15 | Attack Matrix & Defense Roadmap | Master comparison matrix, combined STRIDE profile, standards mapping, prioritized defense roadmap |
🛠️ Prerequisites
Hardware
- Mac with Docker Desktop (Apple Silicon or Intel)
- 8GB+ RAM recommended (16GB for K8s labs)
- 20GB+ free disk space
Software
- Docker Desktop for Mac
- Homebrew (for installing tools)
- Wireshark (for packet analysis)
- Basic terminal/shell knowledge
Optional (for K8s labs)
- kubectl - Kubernetes CLI
- kind or minikube - Local K8s cluster
- helm - Kubernetes package manager
> [!IMPORTANT]
> Docker Image Sources: The labs use per-NF images from borjis131/docker-open5gs (e.g., borieher/open5gs-amf:v2.7.6). There is no single monolithic Open5GS Docker image.
> [!WARNING]
> UERANSIM Limitation: UERANSIM simulates 5G NR only (gNB + 5G UE). It cannot simulate 4G eNBs. Part 4 (4G EPC) deploys the core network and references srsRAN 4G for the RAN side. Part 6 (5G SA) uses UERANSIM for full end-to-end testing.
🚀 Recommended Learning Path
Path 1: Theory First (Recommended for Beginners)
- Read Parts 1-3 (Theory)
- Complete Parts 4-6 (Docker Labs)
- Complete Part 7 (Kubernetes)
- Study Parts 8-10 (Threat Modeling)
- Study Parts 11-15 (Real-World Attack Case Studies)
Path 2: Hands-On First (For Experienced Engineers)
- Skim Part 1 (4G basics)
- Complete Part 4 (4G Docker Lab)
- Read Part 3 (5G SA theory)
- Complete Part 6 (5G SA Docker Lab)
- Jump to Parts 8-10 (Threat Modeling)
- Study Parts 11-15 (Real-World Case Studies)
Path 3: Security-Focused (For Threat Modelers)
- Skim Parts 1-3 (Architecture overview)
- Read Parts 8-10 (Threat Models)
- Study Parts 11-15 (Real-World Attack Case Studies)
- Complete Parts 4-6 (Labs to validate threats)
📖 How to Use This Guide
Reading Tips
- `> [!NOTE]` = Important concepts and context
- `> [!TIP]` = Helpful hints and best practices
- `> [!WARNING]` = Security warnings and known issues
- `> [!CAUTION]` = Critical items that can break your lab
- 📊 Mermaid diagrams = Visual architecture (render in VS Code with the Mermaid extension or on GitHub)
Lab Tips
- Each lab is self-contained with full configs
- Copy-paste commands directly into terminal
- Use `docker-compose logs -f <service>` to debug
- Wireshark/tcpdump snippets provided for packet analysis
Threat Modeling Tips
- STRIDE categories: Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation of Privilege
- Each threat includes attack vector, impact, and mitigation
🔗 External Resources
🤝 Contributing
Found an error or want to improve this guide? Contributions welcome!
Let's build some mobile networks! 🚀
Start with → Part 1: 4G/LTE Fundamentals