HackCert
Advanced 9 min read January 30, 2026

Deep Dive into Telecom and 5G Security

From SS7 and Diameter to 5G SA core, network slicing, and the new attack surface of the cloud-native telco.

Imran Khalid Mirza
Red Team Operator
Overview

Telecommunications networks are the substrate on which every other network runs. They authenticate billions of subscribers, route trillions of messages, and increasingly host enterprise compute via 5G network slicing and Multi-access Edge Computing (MEC). The shift from SS7 to Diameter to HTTP/2-based 5G Service Based Architecture has dramatically modernized the protocol stack — but it has also imported the entire cloud-native attack surface into the core of national infrastructure. This deep dive explores the modern telecom security landscape.

Core Concepts

Mobile network generations layer on each other operationally:

  • 2G/GSM — A5/1, A5/3 encryption (broken or weak), SS7 signaling. Still used as fallback worldwide.
  • 3G/UMTS — UMTS AKA mutual authentication, KASUMI encryption. SS7 signaling persists.
  • 4G/LTE — EPS-AKA, SNOW 3G/AES encryption, Diameter signaling.
  • 5G NSA — uses 4G core (EPC) with new radio; same Diameter attack surface.
  • 5G SA — full 5G core (5GC) with Service Based Architecture: HTTP/2, OAuth2, network functions (AMF, SMF, UPF, AUSF, UDM, NRF), and SBI interfaces.

Three planes matter:

  • User plane — actual subscriber data, terminated at UPF (5G) or P-GW (LTE).
  • Control plane — signaling, session management, mobility.
  • Management plane — OAM, configuration, often via traditional IT networks.

SS7 and Diameter Attacks

SS7 was designed in 1975 for trusted national carrier interconnects. The trust model failed when SS7 became globally interconnected and accessible via leased SS7 endpoints, compromised femtocells, and rogue carrier partnerships.

Practical SS7 attacks:

  • SRI-SM / SRI for SMS — locate any subscriber globally (IMSI + serving MSC).
  • UpdateLocation — divert calls and SMS to attacker-controlled MSC.
  • SendRoutingInfo + USSD Notify — track or impersonate subscribers.
  • InsertSubscriberData — modify subscriber profile.
  • AnyTimeInterrogation — fine-grained location lookups.

SS7 SMS interception has been used in the wild to intercept banking 2FA codes, most famously against German bank customers in 2017.

Diameter (RFC 6733) replaced SS7 for LTE but inherited many of its trust problems. Attacks include:

  • Subscriber Information disclosure via Insert-Subscriber-Data.
  • DoS via S6a authentication floods.
  • Location tracking via Notify-Request.
  • Tax-the-network attacks that drain charging gateway resources.

GSMA recommendations (FS.11, FS.19) and Diameter Edge Agents (DEA) implementing message filtering remain the primary defenses. Penetration testing platforms like SigPloit automate SS7/Diameter attack chains.
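As an added illustration (not code from the article, SigPloit or any vendor firewall) of two controls an SS7 edge filter or signaling monitor applies to the attacks listed above: dropping operations that should never arrive over an interconnect, and flagging one originating global title (GT) that resolves many subscribers with SRI-SM in a short window. The log format, GT and MSISDN values, and the 5-in-60-seconds threshold are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample of an interconnect signaling log (not real traffic):
# seconds, originating global title (GT), MAP operation, target MSISDN.
SAMPLE_LOG = """\
0,447700900001,SRI-SM,4915100000001
30,447700900001,SRI-SM,4915100000002
100,33600000001,SRI-SM,4915100000010
100,33600000001,SRI-SM,4915100000010
101,33600000001,SRI-SM,4915100000011
102,33600000001,SRI-SM,4915100000012
103,33600000001,SRI-SM,4915100000013
104,33600000001,SRI-SM,4915100000014
105,33600000001,SRI-SM,4915100000015
200,15550000001,AnyTimeInterrogation,4915100000001
600,447700900001,SRI-SM,4915100000003"""

# GSMA FS.11 "Category 1" operations have no legitimate reason to arrive over an
# interconnect; AnyTimeInterrogation is the canonical example. Extend from local policy.
CATEGORY_1 = {"AnyTimeInterrogation"}
# Assumed thresholds: one GT resolving 5+ distinct subscribers within 60 s looks like a sweep.
BURST_WINDOW, BURST_TARGETS = 60, 5


def parse(line):
    t, gt, op, msisdn = line.split(",")
    return int(t), gt, op, msisdn


def analyse(log_text, window=BURST_WINDOW, targets=BURST_TARGETS):
    """Return (time, origin GT, reason) alerts; input must be time-ordered."""
    alerts = []
    recent = defaultdict(deque)  # origin GT -> (time, MSISDN) of SRI-SM seen inside the window
    fired = set()                # GTs already reported, so one burst raises one alert
    for line in log_text.splitlines():
        t, gt, op, msisdn = parse(line)
        if op in CATEGORY_1:
            alerts.append((t, gt, f"block: category-1 operation {op} from interconnect"))
            continue
        if op != "SRI-SM":
            continue
        q = recent[gt]
        q.append((t, msisdn))
        while q[0][0] < t - window:  # slide the window forward
            q.popleft()
        distinct = {m for _, m in q}  # retries to the same MSISDN do not count as a sweep
        if len(distinct) >= targets and gt not in fired:
            fired.add(gt)
            alerts.append((t, gt, f"scan: {len(distinct)} subscribers located within {window}s"))
    return alerts
```

A real deployment would key the burst rule on the FS.11 category of each operation and add velocity (plausible-travel) checks for UpdateLocation, which this example omits.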

5G Service Based Architecture Attacks

5G SA replaces Diameter signaling between network functions with HTTP/2 + JSON, with OAuth2 access tokens for inter-NF authorization and mutual TLS for transport. The good news: it is modern and auditable. The bad news: the entire cloud-native attack surface — API authorization flaws, SSRF, JWT confusion, OAuth scope abuse, Kubernetes misconfigurations — now applies to telco cores.

Documented and theorized 5G SA attacks:

  • N32 SEPP (Security Edge Protection Proxy) bypass — N32 carries roaming signaling between operators; SEPP enforces PRINS (PRotocol for N32 Interconnect Security). Misconfigured topology can allow direct NF reach across the interconnect.
  • NRF (Network Repository Function) abuse — the NRF is the service registry for all NFs; an attacker with NRF write access can register a rogue UPF or AMF.
  • OAuth2 access-token scope confusion — tokens issued for one slice consumed by another.
  • JWT signature stripping or algorithm confusion in NF-to-NF auth.
  • Race conditions in session establishment that leak charging or location info.
  • Network slice isolation failures — a compromised tenant in slice A reaching control plane of slice B.

Academic and industry teams (Berlin TU SECT, Positive Technologies, ENEA AdaptiveMobile) have published proof-of-concept attacks against test 5G cores and live commercial networks alike.
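As an added, self-contained illustration (not code from the article or from any 5G core implementation) of the checks a producer NF should apply to an NRF-issued access token before serving an SBI request, covering the scope-confusion, slice-isolation and JWT algorithm-confusion items above. Assumptions: the NRF key is a shared HMAC secret (production NRFs usually sign with asymmetric keys), claim names follow the AccessTokenClaims of 3GPP TS 29.510 (iss, sub, aud, scope, exp, producerSnssaiList), all token values are constructed, and `mint_token`'s `alg` parameter exists only so the tests can build malformed tokens.

```python
import base64, hashlib, hmac, json, time

NRF_KEY = b"constructed-demo-key"   # shared secret of the hypothetical NRF issuer (assumption)
# The producer NF validating requests: its NF type, the slice it serves, the NRF it trusts.
PRODUCER = {"nf_type": "SMF", "snssai": {"sst": 1, "sd": "000001"}, "nrf": "nrf-1"}


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=NRF_KEY, alg="HS256"):
    """Issue a token the way the demo NRF would; alg != HS256 yields an unsigned token for tests."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{b64url(sig)}"


def validate_token(token, service, producer=PRODUCER, key=NRF_KEY, now=None):
    """Return (accepted, reason). Every check is local; no claim is trusted before the signature."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(b))
    except ValueError:
        return False, "malformed"
    # Algorithm confusion / signature stripping: the verifier fixes the algorithm, never the header.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    if claims.get("iss") != producer["nrf"]:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud", [])
    if producer["nf_type"] not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if service not in claims.get("scope", "").split():   # scope lists the granted service names
        return False, "scope missing"
    if producer["snssai"] not in claims.get("producerSnssaiList", []):   # slice the token is bound to
        return False, "slice mismatch"
    return True, "ok"
```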

Radio Access Network Attacks

The RAN itself is attackable. IMSI catchers (Stingrays) force devices into 2G or downgrade to weaker ciphers and capture identities. 5G AKA addresses long-term identity (SUPI is encrypted as SUCI using the home network public key), but downgrade attacks during initial registration remain a concern when 5G NSA falls back to LTE.

Open RAN (O-RAN) introduces split architectures (CU, DU, RU) connected via fronthaul (eCPRI) and management interfaces (O1, A1, E2). The xApps and rApps running on RIC platforms execute partner software with access to RAN metadata and control — a rich new attack surface that ORAN ALLIANCE's WG11 security working group is actively addressing.

MEC, Network Slicing, and Enterprise 5G

5G's promise to enterprises includes private networks, dedicated slices, and edge compute via MEC. Each adds attack surface:

  • MEC platforms are containerized Kubernetes deployments hosting partner apps near the UPF, with subscriber-data exposure if misconfigured.
  • Private 5G is increasingly deployed in manufacturing and logistics; many systems are commissioned by integrators with default credentials, weak segmentation, and exposed OAM.
  • API exposure — Network Exposure Function (NEF) and CAPIF expose telco capabilities to enterprise customers via REST APIs. API security (OWASP API Top 10) directly applies.

Real-world Examples

SS7 interception of German banking 2FA (2017) — criminals leased SS7 access from a foreign carrier, redirected SMS to harvest one-time codes, and drained accounts.

SIM swap attacks — not protocol-level, but devastating: attackers socially engineer carrier reps to port victim numbers, bypassing SMS 2FA at scale. SIM swap has driven nine-figure cryptocurrency thefts annually.

T-Mobile breaches (2021, 2023) — exposed 100M+ subscribers' data through API and access management failures in carrier OSS/BSS systems.

LightBasin / UNC1945 — a long-running adversary documented by CrowdStrike targeting telcos across multiple regions, abusing SS7 emulation, eDNS subscriber-tracking, and custom implants in subscriber-facing systems.

Salt Typhoon (2024) — Chinese state actor that compromised major US telcos' lawful-intercept and routing infrastructure, with implications for the privacy of millions of subscribers and the integrity of the CALEA legal intercept system itself.

Best Practices & Mitigation

Operators and regulators have responded with technical and governance controls:

  1. SS7/Diameter firewalls at the edge of every SS7/Diameter interconnect. GSMA FS.11 (SS7), FS.19 (Diameter), and FS.36 (5G interconnect) define the controls.
  2. SEPP for 5G interconnect — deploy and enforce PRINS / TLS profiles between roaming partners.
  3. Network function hardening — patch NF software, run least-privileged service accounts, enforce mTLS on all SBI calls, validate OAuth scopes.
  4. Kubernetes and CNF security — apply CNCF, NIST SP 800-204, and CISA Kubernetes hardening guides; isolate slices and tenants with strong networking and RBAC.
  5. API security for NEF/CAPIF — OAuth2 with short-lived tokens, mTLS, rate limiting, and per-tenant scope enforcement.
  6. OAM segmentation — manage NFs over out-of-band networks with jump hosts, MFA, and session recording.
  7. Eliminate SMS-based 2FA for high-value accounts; promote FIDO2 / passkeys industry-wide.
  8. Detection — continuous monitoring of signaling for anomalies (SS7 SRI-SM bursts, Diameter location queries, NF-to-NF call patterns out of baseline). Specialized vendors like P1 Security, Mobileum, AdaptiveMobile, and Positive Technologies provide telco-aware analytics.
  9. Compliance regimes — ISO/IEC 27011, ENISA telco baselines, FCC and NIS2 reporting requirements in EU, and Salt-Typhoon-driven hardening directives in the US.

Key Takeaways

Telecom security has transformed from a closed-shop discipline to a public, cloud-native engineering practice. The 5G SBA gives security professionals familiar primitives — HTTP/2, OAuth2, TLS, Kubernetes — but it also imports familiar failure modes at a scale that touches national infrastructure. Hardening 5G means meeting the cloud-native security bar across the entire telco lifecycle, while keeping the older SS7 and Diameter perimeters locked down with the same vigilance. The adversaries — state and criminal — are already operating at this layer; defenders must match the tempo.
