18_test_plan_mobility_site_to_core

Mobility 4G/5G Holistic Security Test Plan

Objective

Evaluate a mobility environment end-to-end as a security engineer, from the antenna site and radio layer through transport, core, cloud, and management systems. This plan combines the Mobility/ and open5gs_lab/ source material with current public guidance from 3GPP, GSMA, NIST, CISA, ENISA, and O-RAN Alliance.

Scope

In scope

Out of scope unless separately authorized

Engagement guardrails

Typical operator architecture to assess

The plan assumes a modern operator footprint with these major components:

  1. Antenna site / RAN edge: antennas, RET/AISG, RRU/RRH or O-RU, BBU or DU, site router/switch, PTP/GNSS timing, rectifiers, batteries, generator transfer, environmental controller, cameras, and badge access.
  2. Transport: fiber or microwave fronthaul/backhaul, L2/L3 aggregation, MPLS/IP transport, timing distribution, OOB management, and encryption domains.
  3. Core and edge: EPC for 4G, 5GC for 5G SA, MEC or regional UPF breakout, DNS, PKI, API gateways, and interconnect security controls.
  4. Management and cloud: OSS/BSS, EMS/NMS, SIEM, identity providers, NFV, Kubernetes/OpenShift, image registries, GitOps/CI/CD, and vendor remote access.

Access-level model

Use this legend in every test case to state the level of access the assessor has.

| Level | Access you have | Typical examples |
|---|---|---|
| AL0 | Public or untrusted external vantage | OSINT, passive observation from outside facilities, public attack surface review |
| AL1 | Authorized subscriber-side access only | Your test handset, test SIM, passive RF collection, drive/walk testing |
| AL2 | Authorized physical site access | Escorted cabinet inspection, console access, patch panel review, power and lock checks |
| AL3 | Internal read-only network or operations access | SPAN/TAP, NMS/OSS read-only, transport diagrams, inventory, logs, config review |
| AL4 | Lab or pre-production admin access to telecom functions | Open5GS, UERANSIM, srsRAN, NF config changes, controlled protocol validation |
| AL5 | Cloud/platform/admin access | Kubernetes, hypervisor, CI/CD, secrets, PKI, image registry, IAM |
| AL6 | Interconnect or roaming security authority | SEPP, Diameter/GRX/IPX, partner trust, external signaling gateways |

Architecture and attack-location diagrams

Diagram 1: End-to-end mobility trust boundaries

graph LR
    classDef external fill:#d62828,stroke:#264653,color:#fff
    classDef internal fill:#2a9d8f,stroke:#264653,color:#fff
    classDef thirdparty fill:#e76f51,stroke:#264653,color:#fff
    classDef data fill:#264653,stroke:#2a9d8f,color:#fff

    subgraph EXT["External / Subscriber Edge"]
        UE["UE / handset / SIM"]:::external
        RF["Air interface<br/>Uu / NR"]:::external
    end
    subgraph SITE["Antenna Site / Cell Edge"]
        ANT["Antennas / RET / RRU or O-RU"]:::internal
        DU["BBU / DU / site router"]:::internal
        PWR["Power, battery, GNSS/PTP, cabinet access"]:::internal
    end
    subgraph TRANS["Transport"]
        FH["Fronthaul / midhaul"]:::thirdparty
        BH["Backhaul / MPLS / microwave / fiber"]:::thirdparty
        OOB["OOB management"]:::thirdparty
    end
    subgraph CORE["Regional Edge / Core"]
        EPC["4G EPC<br/>MME/HSS/SGW/PGW/PCRF"]:::internal
        SA["5G Core<br/>AMF/SMF/UPF/AUSF/UDM/NRF"]:::internal
        MEC["MEC / UPF breakout / DNS / PKI"]:::data
    end
    subgraph MGMT["Management / Platform"]
        OSS["OSS/BSS/EMS/NMS"]:::internal
        K8S["Kubernetes / NFV / CI-CD / IAM"]:::internal
        SIEM["SIEM / telemetry / detections"]:::data
    end

    UE -->|"attach / registration / paging"| RF
    RF -->|"attack area: rogue cell, paging, downgrade"| ANT
    ANT -->|"attack area: cabinet, console, AISG, GNSS"| DU
    DU -->|"attack area: fronthaul / sync / management"| FH
    FH -->|"attack area: transport exposure"| BH
    BH -->|"attack area: signaling and user plane reachability"| EPC
    BH -->|"attack area: signaling and user plane reachability"| SA
    EPC -->|"Diameter / GTP / policy"| MEC
    SA -->|"SBI / PFCP / GTP-U"| MEC
    OSS -->|"config / monitoring / remote admin"| DU
    OSS -->|"config / monitoring / remote admin"| EPC
    OSS -->|"config / monitoring / remote admin"| SA
    K8S -->|"platform and secret control"| SA
    K8S -->|"platform and secret control"| MEC
    SIEM -.->|"telemetry / alerting coverage"| PWR
    SIEM -.->|"telemetry / alerting coverage"| BH
    SIEM -.->|"telemetry / alerting coverage"| SA

Diagram 2: Antenna site attack locations

graph TB
    classDef external fill:#d62828,stroke:#264653,color:#fff
    classDef internal fill:#2a9d8f,stroke:#264653,color:#fff
    classDef detect fill:#264653,stroke:#2a9d8f,color:#fff

    ATT["Assessor / attacker position"]:::external
    ANT["Panel antennas / massive MIMO"]:::internal
    RRU["RRU / O-RU / TMA / RET"]:::internal
    CAB["Cabinet / DU / router / switch"]:::internal
    TIME["GNSS / PTP / sync"]:::internal
    PWR["Rectifier / battery / generator transfer"]:::internal
    MGMT["Local craft / serial / OOB mgmt"]:::internal
    DET["CCTV / access logs / tamper alarms"]:::detect

    ATT -->|"passive RF collection"| ANT
    ATT -->|"physical tamper / cable access"| RRU
    ATT -->|"badge / lock / cabinet access"| CAB
    ATT -->|"timing spoof / sync dependency review"| TIME
    ATT -->|"power outage / resiliency review"| PWR
    ATT -->|"console / mgmt exposure review"| MGMT
    DET -.->|"detects or records activity"| ANT
    DET -.->|"detects or records activity"| CAB
    DET -.->|"detects or records activity"| MGMT

Diagram 3: Control, user, and management plane attack map

graph TD
    classDef attack fill:#d62828,stroke:#264653,color:#fff
    classDef internal fill:#2a9d8f,stroke:#264653,color:#fff
    classDef detect fill:#264653,stroke:#2a9d8f,color:#fff

    K1["Radio plane<br/>UE <-> eNB/gNB"]:::attack
    K2["Site plane<br/>RRU/O-RU <-> DU/CU"]:::attack
    K3["Transport plane<br/>fronthaul / backhaul / timing"]:::attack
    K4["Control plane<br/>NAS / NGAP / S1AP / Diameter / SBI / PFCP"]:::attack
    K5["User plane<br/>GTP-U / N3 / S1-U / N6 breakout"]:::attack
    K6["Management plane<br/>OSS/BSS / EMS / IAM / K8s / vendor access"]:::attack
    D1["Packet capture, logs, timing alarms, auth events"]:::detect
    C1["Defense objective:<br/>isolate, authenticate, encrypt, detect"]:::internal

    K1 --> K2 --> K3 --> K4 --> K5 --> K6
    D1 -.->|"coverage required across every layer"| K1
    D1 -.->|"coverage required across every layer"| K3
    D1 -.->|"coverage required across every layer"| K6
    C1 -.->|"control intent applies to all planes"| K2
    C1 -.->|"control intent applies to all planes"| K4
    C1 -.->|"control intent applies to all planes"| K5

Required equipment

Core assessment kit

| Equipment | Required | Used for |
|---|---|---|
| Linux laptop or workstation with Docker and packet tools | Yes | Open5GS/UERANSIM/srsRAN lab, captures, config review |
| Wireshark/tshark/tcpdump | Yes | NGAP, S1AP, NAS, GTP, PFCP, Diameter, HTTP/2 SBI analysis |
| Test Android handset plus known-good test SIM/eSIM profile | Yes | Subscriber-side validation, field measurements, privacy and fallback checks |
| Documentation kit (diagrams, inventory, IP plan, standards mapping) | Yes | Site-to-core traceability and evidence collection |

RF and field kit

| Equipment | Required when | Used for |
|---|---|---|
| Passive RF scanner or handset-based measurement apps | AL1 field testing | Cell inventory, PCI/TAC/neighbor mapping, serving-cell changes |
| SDR such as USRP B210 or equivalent | AL4 lab-only active testing | Controlled attach, registration, and protocol validation in isolated lab |
| Faraday cage or licensed RF-shielded environment | Any active radio testing | Prevents live-network interference |
| Directional and omni antennas, attenuators, calibrated cables | SDR lab work | Safe signal shaping and repeatable lab scenarios |
| Portable battery pack, safety PPE, flashlight, console cable set | AL2 site work | Cabinet review and safe field inspection |

Site, transport, and platform kit

| Equipment | Required when | Used for |
|---|---|---|
| Read-only NMS/OSS/EMS access | AL3 | Config, alarms, inventory, remote-access review |
| SPAN/TAP or capture container | AL3-AL5 | Control-plane and management-plane evidence |
| Time sync monitoring tools | AL3 | GNSS/PTP drift, holdover, and alarm validation |
| Kubernetes tools (kubectl, helm, image scanning, secrets review) | AL5 | CNF/NFV and platform hardening checks |
| Secure evidence repository | All phases | PCAPs, screenshots, logs, config snapshots, site photos |

Test execution waves

| Wave | Goal | Primary access |
|---|---|---|
| W1 | External and subscriber-side mapping | AL0-AL1 |
| W2 | Antenna site and transport review | AL2-AL3 |
| W3 | Core signaling and management validation | AL3-AL5 |
| W4 | Resilience, isolation, and detection validation | AL3-AL6 |

Test case matrix

| ID | Domain | What you validate | Where the attack would happen | Access level | Key equipment | Expected evidence / pass condition |
|---|---|---|---|---|---|---|
| TC-01 | RF inventory | Build a cell/site map, identify LTE/NR bands, TAC/PCI reuse, and unusual neighbor relations | Air interface and site perimeter | AL1 | Test UE, passive RF tools | Repeatable cell inventory and no unexplained rogue or stale neighbors |
| TC-02 | Subscriber privacy | Confirm 5G identities use SUCI where expected and document NSA/LTE fallback exposure | Registration path between UE and AMF/MME | AL1 + AL4 | Test UE, Open5GS lab, Wireshark | No plaintext permanent identity in expected 5G flows; fallback paths documented |
| TC-03 | Downgrade control review | Check whether network design, UE policy, and monitoring detect or prevent fallback abuse | Radio control plane | AL1 + AL4 | Test UE, lab stack, captures | Downgrade conditions are logged, bounded, and tied to policy |
| TC-04 | Paging and location privacy | Assess whether paging identifiers and timing can expose subscriber presence patterns | Air interface and mobility management | AL1 + AL4 | Passive RF tools, captures | Paging identifiers rotate appropriately; monitoring exists for anomalies |
| TC-05 | Antenna site physical security | Review locks, cabinet tamper controls, cable exposure, local craft ports, and third-party access processes | Tower, rooftop, or cabinet site | AL2 | PPE, console kit, checklist, camera | No uncontrolled cabinet access, exposed ports, or undocumented vendor pathways |
| TC-06 | Site management exposure | Verify craft, serial, web, and OOB interfaces are authenticated, segmented, and logged | Site router, DU/BBU, environmental controller | AL2 + AL3 | Console cables, read-only NMS, packet capture | No default creds, clear segmentation, and complete admin logging |
| TC-07 | Timing and sync resilience | Review GNSS/PTP dependency, holdover, alarming, and fallback design | Site timing chain and transport | AL3 | Timing dashboards, architecture docs | Timing sources are redundant, monitored, and not single-point dependent |
| TC-08 | Power resilience | Validate battery runtime, generator transfer assumptions, rectifier alarms, and restoration procedures | Antenna site power plane | AL2 + AL3 | Site docs, alarm history | Site power failure modes are documented and alerting works end-to-end |
| TC-09 | Fronthaul/backhaul security | Verify segmentation, encryption, QoS separation, and OOB isolation on fiber/microwave paths | Fronthaul, midhaul, and backhaul transport | AL3 | Network diagrams, read-only config, captures | Signaling, user, timing, and management traffic are separated and protected |
| TC-10 | 4G core baseline | Validate attach, EPS-AKA, bearer setup, and logging in the EPC | MME/HSS/SGW/PGW path | AL4 | Open5GS, srsRAN, Wireshark | Clean attach flow, expected Diameter/GTP behavior, and preserved evidence |
| TC-11 | 5G core baseline | Validate registration, 5G-AKA, PDU session establishment, and NF registration | gNB/AMF/SMF/UPF/NRF path | AL4 | Open5GS, UERANSIM, Wireshark | Clean registration and PDU session flow with expected SBI activity |
| TC-12 | Diameter, GTP, and PFCP hardening | Review reachability, source validation, exposure boundaries, and detection coverage | EPC/5GC control and user plane interfaces | AL3 + AL4 | Captures, configs, firewall rules | No unnecessary exposure; filtering and logging exist for key interfaces |
| TC-13 | SBI security | Verify mTLS, service auth, cert lifecycle, rate limits, and least-privilege NF access | 5G SBI between AMF/SMF/UDM/AUSF/NRF/PCF | AL4 + AL5 | Open5GS lab, PKI records, API review | NF communication is authenticated and unauthorized discovery is blocked |
| TC-14 | Slice and tenant isolation | Confirm unauthorized slice requests fail and shared UPF/compute boundaries are controlled | NSSF/AMF/SMF/UPF and platform layer | AL4 + AL5 | UERANSIM, Open5GS, K8s tooling | Slice policy is enforced and no cross-slice leakage is observed |
| TC-15 | O-RAN or split-RAN review | Assess O-RU/O-DU/O-CU, E2, A1, O1, and vendor remote access security | Open RAN and disaggregated RAN interfaces | AL3 + AL5 | Architecture docs, O-RAN configs, mgmt review | Open interfaces are authenticated, segmented, and monitored |
| TC-16 | MEC and local breakout | Review edge UPF breakout, DNS, service exposure, and local application trust boundaries | MEC / regional edge / N6 breakout | AL3 + AL5 | Edge diagrams, capture, app inventory | Breakout paths are isolated and edge services are not implicitly trusted |
| TC-17 | OSS/BSS and admin identity | Review privileged access, break-glass accounts, MFA, PAM, and vendor jump paths | Management plane | AL3 + AL5 | IAM, PAM, bastion logs | Privileged access is controlled, approved, and attributable |
| TC-18 | CNF/NFV/Kubernetes posture | Validate image provenance, secret handling, pod security, east-west policy, and backup integrity | Telecom cloud platform | AL5 | kubectl, registry review, policy tools | CNFs follow hardened runtime and secret-management controls |
| TC-19 | Detection and telemetry | Confirm alarms correlate across RF, transport, core, and cloud for the same incident | SIEM/NMS/telemetry pipeline | AL3 + AL5 | SIEM, dashboards, alert rules | A cross-layer incident can be traced from site to core without blind spots |
| TC-20 | Roaming and interconnect governance | Review SEPP, Diameter/GRX/IPX trust boundaries, partner filtering, and contractual security controls | External interconnect boundary | AL6 | Interconnect diagrams, policies, read-only gateway logs | Partner paths are filtered, authenticated, and formally governed |
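One concrete way to produce the TC-02 pass evidence ("no plaintext permanent identity in expected 5G flows") from the TC-11 registration captures is to classify the 5GS mobile identity a UE sends in its Registration Request. The Python below is an added example, not code from the original plan, from Open5GS or from 3GPP; it assumes the IE value bytes have already been extracted from the capture (for instance from Wireshark's NAS-5GS dissection), and the sample identities are constructed for a hypothetical test PLMN 001/01.

```python
"""Classify the 5GS mobile identity carried in a NAS Registration Request.

Added example for TC-02; not part of the original plan or of any 3GPP/Open5GS
code. Decodes the value of the 5GS mobile identity IE (3GPP TS 24.501,
9.11.3.4) and flags a SUCI that uses the "null" protection scheme, which
carries the MSIN in clear, i.e. the permanent identity is exposed on the air.
"""
from dataclasses import dataclass

ID_TYPES = {0: "no identity", 1: "SUCI", 2: "5G-GUTI", 3: "IMEI",
            4: "5G-S-TMSI", 5: "IMEISV", 6: "MAC address"}
SCHEMES = {0: "null", 1: "Profile A (ECIES X25519)", 2: "Profile B (ECIES P-256)"}


@dataclass
class IdentityFinding:
    id_type: str
    plmn: str = ""
    scheme: str = ""
    plaintext_permanent_id: bool = False


def classify_mobile_identity(ie: bytes) -> IdentityFinding:
    """Decode the IE value (length octets already stripped) and report exposure."""
    id_type = ie[0] & 0x07                      # octet 4, bits 3-1: type of identity
    if id_type != 1:
        # GUTI / S-TMSI are temporary; IMEI / IMEISV are permanent hardware identities
        return IdentityFinding(ID_TYPES.get(id_type, "reserved"),
                               plaintext_permanent_id=id_type in (3, 5))
    if (ie[0] >> 4) & 0x07 != 0:                # octet 4, bits 7-5: SUPI format (0 = IMSI)
        return IdentityFinding("SUCI (NAI format, not decoded here)")
    # Octets 5-7 carry MCC/MNC as TBCD nibbles, low nibble first; 0xF is filler
    mcc = f"{ie[1] & 0xF}{ie[1] >> 4}{ie[2] & 0xF}"
    mnc = f"{ie[3] & 0xF}{ie[3] >> 4}" + ("" if ie[2] >> 4 == 0xF else str(ie[2] >> 4))
    # Octets 8-9 are the routing indicator; octet 10 bits 4-1 are the protection scheme id
    scheme_id = ie[6] & 0x0F
    return IdentityFinding("SUCI", f"{mcc}/{mnc}", SCHEMES.get(scheme_id, "reserved"),
                           plaintext_permanent_id=(scheme_id == 0))


# Constructed samples for a hypothetical test PLMN 001/01, routing indicator "0"
NULL_SCHEME_SUCI = bytes.fromhex("01 00f110 f0ff 00 00 0000000010")   # MSIN in clear
PROFILE_A_SUCI = bytes.fromhex("01 00f110 f0ff 01 01") + bytes(32 + 5 + 8)  # key, ct, MAC
GUTI = bytes.fromhex("f2 00f110 01 0002 000000ff")                      # temporary identity

if __name__ == "__main__":
    for name, ie in (("null-scheme SUCI", NULL_SCHEME_SUCI),
                     ("Profile A SUCI", PROFILE_A_SUCI), ("5G-GUTI", GUTI)):
        print(name, classify_mobile_identity(ie))
```

A registration whose identity classifies as a null-scheme SUCI (or an IMEI/IMEISV) in a flow where the plan expects concealment is a TC-02 failure; a Profile A/B SUCI or a 5G-GUTI is the expected result.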

Priority test cases to run first

If time is limited, start with these eight because they expose the largest end-to-end risk concentration:

  1. TC-05 Antenna site physical security
  2. TC-06 Site management exposure
  3. TC-09 Fronthaul/backhaul security
  4. TC-11 5G core baseline
  5. TC-12 Diameter, GTP, and PFCP hardening
  6. TC-13 SBI security
  7. TC-17 OSS/BSS and admin identity
  8. TC-19 Detection and telemetry

Evidence checklist by layer

| Layer | Evidence to collect |
|---|---|
| RF / UE | Serving-cell screenshots, band and TAC inventory, registration captures, fallback behavior |
| Site | Photos, lock and tamper observations, local-port inventory, access logs, power and environmental alarm history |
| Transport | L2/L3 diagrams, encryption and VRF/VLAN policy, sync topology, firewall/filter rules |
| Core | PCAPs for NGAP/S1AP, Diameter, PFCP, GTP, HTTP/2 SBI; NF configs and route policy |
| Platform | K8s manifests, image sources, IAM role maps, cert lifecycle records, secret storage method |
| Detection | Correlated alerts, dashboards, retention settings, on-call runbooks, incident replay notes |

Pass/fail criteria

For each executed test case, record:

  1. Access level used
  2. Asset or interface tested
  3. Attack location
  4. Evidence gathered
  5. Security impact if abused
  6. Existing control
  7. Gap severity
  8. Recommended remediation owner

Lab mapping to your existing material

Use the open5gs_lab/ content for controlled validation of protocol and core behaviors:

Use the Mobility/ material to extend beyond the lab:

External references

Outcome

This plan gives you a practical way to assess mobility holistically: where the attack happens, what access the assessor has, what equipment is required, and what evidence proves the control either works or fails. It is designed so you can execute the same framework against a lab, a private network, or a production operator environment with the access level adjusted per phase.