Part 9: Threat Model - 5G Attack Surface

Learning Objective: Apply STRIDE threat modeling to identify 5G SA vulnerabilities and mitigations.

5G SA Attack Surface Map

graph TB
    subgraph "Radio"
        UE[📱 UE]
        gNB[📡 gNB]
    end
    
    subgraph "SBA (HTTP/2 APIs)"
        NRF[NRF]
        SCP[SCP]
        AMF[AMF]
        SMF[SMF]
        AUSF[AUSF]
        UDM[UDM]
        PCF[PCF]
    end
    
    subgraph "User Plane"
        UPF[UPF]
    end
    
    UE -.->|✅ N1 NAS
Encrypted| AMF
    gNB -.->|❌ N2 NGAP
No mTLS| AMF
    gNB -.->|❌ N3 GTP-U
No encryption| UPF
    
    AMF -.->|❌ SBI HTTP/2
No mTLS default| NRF
    SMF -.->|❌ SBI HTTP/2
No OAuth2| UDM
    SCP -.->|❌ SPOF
No redundancy| AMF
    
    style UE fill:#ccffcc
    style gNB fill:#ffcccc
    style SCP fill:#ffcccc
    style NRF fill:#ffcccc

Threat Catalog

1. SBA API Attack Surface (S, T, I, E)

Attack Vector:

• Exploit HTTP/2 SBI between NFs
• No mTLS or OAuth2 by default in many deployments

Impact:

• Spoofing: Rogue NF registers with NRF
• Tampering: Modify SBI messages (e.g., change QoS policies)
• Information Disclosure: Intercept subscriber data (SUPI, session info)
• Elevation of Privilege: Unauthorized NF access

Mitigation:

• ✅ mTLS for all SBI communication
• ✅ OAuth2 tokens for NF-to-NF auth
• ✅ API gateway with rate limiting

STRIDE Score: S=High, T=High, I=High, E=High

2. SUPI/SUCI Privacy Attacks (I)

Attack Vector:

• Exploit weak home network public key
• Brute-force SUCI decryption

Impact:

• Information Disclosure: Recover SUPI (permanent identifier)

Mitigation:

• ✅ Use strong ECC keys (P-256 or higher)
• ✅ Rotate home network keys regularly
• ✅ Monitor for SUCI decryption attempts

STRIDE Score: I=Medium

3. Network Slice Isolation Bypass (E, I)

Attack Vector:

• Exploit misconfigured S-NSSAI policies
• UE gains access to unauthorized slice (e.g., URLLC slice)

Impact:

• Elevation of Privilege: Access premium services without authorization
• Information Disclosure: Cross-slice data leakage

Mitigation:

• ✅ Strict NSSF policies (whitelist S-NSSAI per SUPI)
• ✅ UPF-level isolation (separate UPF per slice)
• ✅ Network segmentation (VLANs, VRFs)

STRIDE Score: E=High, I=Medium

4. SEPP and N32 Roaming Security (S, T, I)

Attack Vector:

• Exploit weak N32 security (no mTLS)
• Man-in-the-middle between home and visited network

Impact:

• Spoofing: Fake roaming partner
• Tampering: Modify roaming signaling
• Information Disclosure: Intercept roaming subscriber data

Mitigation:

• ✅ N32 mTLS with certificate pinning
• ✅ SEPP topology hiding (don't expose internal NF IPs)
• ✅ Roaming partner validation (PKI)

STRIDE Score: S=High, T=High, I=High

5. UPF GTP-U Tunneling Attacks (T, D)

Attack Vector:

• Same as 4G: inject GTP-U packets with spoofed TEID
• Exploit N3 (gNB ↔ UPF) or N9 (UPF ↔ UPF)

Impact:

• Tampering: Inject malicious payloads
• DoS: Flood UPF with packets

Mitigation:

• ✅ IPsec on N3 and N9
• ✅ GTP-U sequence number validation
• ✅ UPF firewall rules (drop invalid TEIDs)

STRIDE Score: T=High, D=High

6. SCP as Single Point of Failure (D)

Attack Vector:

• DoS attack on SCP
• All NF-to-NF communication fails

Impact:

• Denial of Service: Entire 5G core unavailable

Mitigation:

• ✅ Deploy multiple SCP instances (load balancing)
• ✅ Direct NF-to-NF communication as fallback
• ✅ DDoS protection (rate limiting, geo-blocking)

STRIDE Score: D=Critical

7. AMF/SMF API Abuse (E, D)

Attack Vector:

• Exploit unauthenticated SBI APIs
• Trigger mass PDU session creation (DoS)
• Modify UE context (privilege escalation)

Impact:

• Elevation of Privilege: Unauthorized session creation
• Denial of Service: Resource exhaustion

Mitigation:

• ✅ OAuth2 for all SBI calls
• ✅ Rate limiting per NF
• ✅ Input validation (reject malformed requests)

STRIDE Score: E=High, D=High

8. NRF Poisoning (S, D)

Attack Vector:

• Rogue NF registers with NRF
• NRF returns rogue NF address to legitimate NFs

Impact:

• Spoofing: Legitimate NFs connect to rogue NF
• Denial of Service: Rogue NF drops all requests

Mitigation:

• ✅ NRF authentication (mTLS, OAuth2)
• ✅ NF certificate validation
• ✅ NRF audit logs (monitor for suspicious registrations)

STRIDE Score: S=Critical, D=High

9. 5G-AKA Replay Attacks (S)

Attack Vector:

• Capture RAND/AUTN and replay to UE
• Exploit weak sequence number (SQN) validation

Impact:

• Spoofing: Fake network authentication

Mitigation:

• ✅ Strict SQN validation in UDM
• ✅ Use 5G-AKA' (enhanced version)
• ✅ Monitor for duplicate RAND values

STRIDE Score: S=Medium

10. N2 NGAP Unencrypted (I, T)

Attack Vector:

• Sniff N2 (gNB ↔ AMF) SCTP traffic
• Extract NAS messages

Impact:

• Information Disclosure: UE context, session info
• Tampering: Modify NGAP messages

Mitigation:

• ✅ IPsec on N2
• ✅ SCTP authentication

STRIDE Score: I=High, T=High

5G Attack Kill Chain

graph LR
    A[1. Reconnaissance
Scan for open SBI ports] --> B[2. Initial Access
Exploit unauthenticated API]
    B --> C[3. Execution
Register rogue NF with NRF]
    C --> D[4. Persistence
Maintain NRF registration]
    D --> E[5. Privilege Escalation
Access AMF/SMF APIs]
    E --> F[6. Defense Evasion
Blend with legitimate traffic]
    F --> G[7. Credential Access
Exfiltrate SUPI from UDM]
    G --> H[8. Discovery
Enumerate all NFs via NRF]
    H --> I[9. Lateral Movement
Pivot to other NFs]
    I --> J[10. Collection
Intercept subscriber data]
    J --> K[11. Exfiltration
Send data to C2]
    K --> L[12. Impact
DoS or data breach]
    
    style A fill:#ffcccc
    style L fill:#ff9999

Threat Summary Table

5G vs 4G Security Improvements

Summary

• ✅ 5G improves privacy (SUCI) but introduces new attack surface (SBA)
• ✅ SBI HTTP/2 APIs are vulnerable without mTLS + OAuth2
• ✅ Network slicing requires strict isolation policies
• ✅ SCP and NRF are critical single points of failure

Next: Part 10: K8s + Telecom Threats →