🎯 Goal
Understand the 5G core and radio access network architecture, its security enhancements over 4G (e.g., new authentication framework, encrypted SUPI, SEPP for roaming), and the new attack surfaces introduced by service-based architecture (SBA), virtualized network functions, and network slicing.
🔑 Key Skills to Learn
- 5G Architecture: Service-Based Architecture (SBA), core network functions (AMF, SMF, UPF, NRF, NSSF, AUSF, UDM, PCF, AF), interfaces (N1–N50, F1AP, E1AP, NGAP).
- 5G RAN & gNB: CU/DU split, F1 interface, RRC, SDAP layers.
- 5G Authentication & Key Management: 5G-AKA, EAP-AKA', SUPI/SUCI encryption (ECIES), new USIM (5G SIM).
- Roaming Security: Security Edge Protection Proxy (SEPP), N32 interface, PRINS protocol, IPX interworking.
- Network Slicing: Slice identifiers (S-NSSAI), security isolation between slices, NSSF exposure.
- Virtualization & Cloud-Native 5G Core: NFV/SDN, containers/VMs for network functions, risks from shared infrastructure, API security (HTTP/2, JSON, REST APIs).
- New Attack Vectors: Exposure of NRF/NSSF/PCF APIs, service discovery hijacking, 5G-specific MITM, downgrade to 4G/3G, Stingray/IMSI-catcher evolution (SUPI catching without encryption), gNB impersonation, GTP-U hijacking in 5G NSA.
- Interworking with Legacy (4G/3G): Dual connectivity (EN-DC), handover attacks, cross-protocol vulnerabilities.
- 5G Security Standards: 3GPP TS 33.501 (security architecture), GSMA NESAS/SCAS, ITU-T guidelines.
🛠️ Essential Tools & Technologies
| Tool | Purpose |
|---|---|
| Open5GS / free5GC | Open-source 5G core (SA) for lab testing and analysis. |
| OAI (OpenAirInterface) 5G | Open-source RAN and core implementation for experimentation. |
| UERANSIM | Lightweight 5G UE and RAN simulator to connect to a 5G core. |
| Wireshark (with 5G dissectors) | Analyze NGAP, HTTP/2, PFCP, GTP-U, etc. |
| Scapy / Python (with SCTP libraries) | Craft and test 5G signaling packets. |
| 5G-EVE / Open5G-lab | Testbeds and scripts for 5G security experiments. |
| My5G-RANTester | Security assessment tool for 5G RAN and core. |
| Nmap (with 5G-capable NSE scripts) | Scan and fingerprint 5G core network functions. |
📖 Free Learning Resources
- 3GPP TS 33.501 – "Security architecture and procedures for 5G System" (available free to read). Link
- ENISA 5G Security Reports – EU’s cybersecurity agency analysis and recommendations. Link
- NIST Special Publication 800-187 – Guide to 5G Security. Link
- GSMA 5G Security Resources – Summaries of NESAS, FS.31, and security guidelines. Link
- 5G Security for Dummies (Thales) – Introductory free e-book. Link
- Positive Technologies – 5G Security Research – Whitepapers on SBA threats and signaling attacks. Link
- TROOPERS / TelcoSecDay Talks – Look for recent presentations on 5G core vulnerabilities (YouTube).
- O-RAN Alliance Security Focus Group – Public documents and webinars on open RAN security. Link
🔗 Roadmap Placement
- Prerequisites: Telecom Security (SS7, Diameter, GTP) to understand legacy signaling and how 5G interworks with them; Networking (TCP/IP, HTTP/2, SCTP); Linux.
- Directly Enables: 5G Security Researcher, Telecom Penetration Tester for mobile operators, Regulatory/Government roles in telecom security, and contribution to 3GPP/GSMA security working groups.