4&5G CyberSecurity
When 4G evolved from its 3G predecessor, only small incremental changes were made to the network
architecture. The following 4G network architecture diagram shows the key components of a 4G core network:
In the 4G network architecture, User Equipment (UE) such as smartphones or other cellular devices connects over the
LTE Radio Access Network (E-UTRAN) to the Evolved Packet Core (EPC) and from there to external networks such as
the Internet. The Evolved NodeB (eNodeB) separates the user data traffic (user plane) from the network's
management traffic (control plane) and feeds both separately into the EPC.
5G Architecture Diagram
5G was designed from the ground up, and network functions are split up by service. That is why this architecture
is also called 5G core Service-Based Architecture (SBA). The following 5G network topology diagram shows the
key components of a 5G core network:
• User Equipment (UE) like 5G smartphones or 5G cellular devices connect over the 5G New Radio Access
Network to the 5G core and further to Data Networks (DN), like the Internet.
• The Access and Mobility Management Function (AMF) acts as a single-entry point for the UE connection.
• Based on the service requested by the UE, the AMF selects the respective Session Management Function
(SMF) for managing the user session.
• The User Plane Function (UPF) transports the IP data traffic (user plane) between the User Equipment
(UE) and the external networks.
• The Authentication Server Function (AUSF) allows the AMF to authenticate the UE and access services
of the 5G core.
• Other functions such as the Session Management Function (SMF), the Policy Control Function (PCF),
the Application Function (AF), and the Unified Data Management (UDM) function provide the policy
control framework, applying policy decisions and accessing subscription information to govern
network behavior.
As you can see, the 5G network architecture is more complex behind the scenes, but this complexity is needed
to provide better service that can be tailored to the broad range of 5G use cases.
LTE Security Architecture
In LTE communication, each protocol in the air interface cellular stack, shown below, performs a series of
functions and operates in one of two logical planes: User Plane or Control Plane. The control plane is responsible
for carrying all of the signaling communication required for the user device (UE) to be connected, while the user
plane is the logical plane responsible for carrying user data sent over the network.
In addition to this variety of protocols, the complexity of the UE Attach process of a mobile device, whose graph
is shown below, and the number of network elements it involves, provide the broad attack surface available to
cyber attackers.
Cryptographic Approach
Most of the technical security requirements exist within the primary LTE security specification (3GPP TS 33.401).
LTE introduced a new set of encryption algorithms and a significantly different key structure from that of
GSM/UMTS. For confidentiality and integrity, the cryptographic algorithm sets called EPS (Evolved Packet
System) Encryption Algorithms (EEA) and EPS Integrity Algorithms (EIA) are available.
• EEA1 and EIA1 are based on SNOW 3G and are very similar to the algorithms used in UMTS.
• EEA2 and EIA2 are based on AES: EEA2 is AES in CTR mode and EIA2 is AES-CMAC (Cipher-based MAC).
• EEA3 and EIA3 are both based on ZUC, a stream cipher designed in China.
Many keys in LTE are 256 bits long, but some current implementations use 128 bits. The chart below shows the
protection switches (encryption and integrity) that apply across the LTE network infrastructure:
• Enc: Encryption
• Int: Integrity
Hardware Security
The UICC (Universal Integrated Circuit Card) is the foundation of the next-generation SIM card and of the LTE security
architecture used in modern mobile devices. In LTE, each UICC holds a long-term, pre-shared secret key called K.
This key is stored in the tamper-resistant UICC and in the core network (HSS, Home Subscriber Server) and is never
exported. All other keys in LTE's key hierarchy are derived from K_ASME, the session master key.
User Equipment (UE) Security
The primary LTE authentication mechanism used by mobile devices to authenticate to an LTE network is the
Authentication and Key Agreement (AKA) protocol. The AKA protocol, shown in the graphic below, proves
cryptographically that both the UICC and the MNO (Mobile Network Operator) possess the secret key K.
Air Interface Security
Both control plane and user plane packets exchanged between the UE and the eNodeB (evolved Node B, the base
station) over the Uu interface can be protected, but the standards leave this optional for operators. User plane
confidentiality protection is applied at the PDCP (Packet Data Convergence Protocol) layer and is an operator
option. LTE also specifies an encryption indicator in 3GPP TS 22.101, designed to give the user visibility into
the encryption status of the access network. Unfortunately, this feature is not widely implemented in modern
mobile phone operating systems. The charts below show how LTE can provide network integrity and encryption.
LTE Networks Cyber Threats
General Cybersecurity Threats
LTE infrastructure components (eNodeB, MME, S-GW) are susceptible to commonly known software flaws in
general-purpose operating systems (like FreeBSD and other Unix/Linux). This highlights the need for consistent
updating and patching to fix known vulnerabilities of LTE systems.
User Equipment (UE) Security
Malware infecting a mobile device's operating system, third-party firmware, or installed applications can prevent
a UE from accessing the cellular network. Such malware can directly affect the BBU (Base Band Unit) operating
system and associated firmware. Attacks on the BBU operating system can modify important configuration files
required to access the network or prevent an important routine from running, such as processing a signal from
a base station (DoS).
Malware for Base Station Infrastructure
Malware installed on a mobile device, or infecting its operating system or third-party firmware, can turn the
device into a bot that attacks the radio network infrastructure. Such a DDoS attack can take the form of a
continuous flow of connection requests or of requests for high-bandwidth content and services. A mobile
application that requests a large number of updates and thereby overloads the system is the clearest example of
a DDoS attack against operators. Malware can also penetrate base station operating systems and cause
unexpected or undesirable hardware behavior.
Malware for Core Network Infrastructure
Malware that infects an operator's core network infrastructure can record network activity, change the
configuration of critical communication gateways, or listen to user traffic (e.g. call traffic, SMS/MMS), depending
on which components are infected. Such attacks have been observed in GSM networks before, but no examples of
these attacks have been detected in LTE core network infrastructure.
Unauthorized OAM Network Access
Operations and Management (OAM) software is an essential part of an operational cellular network and
provides remote access to geographically dispersed network components. These OAM network interfaces
give fast access to network components and allow MNOs to centrally manage and configure their networks. Poor
design and inadequate hardening of these management networks and interfaces pose a serious risk to the
operational stability of the network: unauthorized access to the management interfaces can allow inadvertent
or deliberate reconfiguration of potentially critical network systems.
Rogue Base Stations
Fake base stations are unlicensed base stations that do not belong to a real operator and are not operated
legally. They establish a cellular network that appears to be a legitimate carrier network. The hardware required
to build these devices is available as COTS, and the software required to operate a 2G (GSM) base station is open
source, freely available, and can be configured to run as a rogue base station. Rogue base stations benefit from
the fact that a mobile device prefers the strongest signal: a rogue station transmitting at the highest power level
is chosen regardless of which base station the device's preferred carrier network is broadcasting from. Therefore,
when the mobile device is physically close to a rogue base station transmitting at very high power, it will
attempt to connect to that station. GSM offers neither mutual authentication between the mobile device and the
cellular network nor strong encryption algorithms with keys of sufficient length. In addition, the 2G GSM air
interface does not have to be encrypted at all.
Equipment & Identity Monitoring
As mentioned earlier, both the IMSI (stored on the UICC) and the IMEI act as unique identifiers. Both of these
identifiers indicate who owns a mobile phone and where that device is physically located, and nowadays it is
normal for individuals to keep their mobile devices physically close to them. For example, where a rogue base
station is used to intercept traffic in a residential area, the rogue network operator can detect whether a
particular person is in a particular location, thereby threatening that person's privacy and safety. All data
required for geolocation can be obtained from the signaling channels and is sent over the air.
Downgrade Attacks
Using a fake base station broadcasting at a high power level, the attacker can force the user to downgrade to
GSM or UMTS. There are no publicly known weaknesses in the encryption algorithms used to protect the
confidentiality and integrity of the UMTS air interface. However, there are significant weaknesses in the 2G GSM
encryption algorithms used to protect the confidentiality and integrity of the air interface; A5/1 and A5/2 are
examples of broken 2G encryption algorithms. Depending on the algorithm negotiated when connecting to the
rogue base station, the air interface encryption can be cryptographically broken, compromising call and data
privacy.
Air Interface Listening
A sophisticated eavesdropping attack is possible if the operator does not encrypt the user plane LTE traffic in
the Uu interface. Attackers will need to have the appropriate hardware to capture and store the radio
transmission between the UE and the eNodeB. In addition, attackers will need software to identify the specific
LTE frequencies and time slots a UE uses to communicate so they can demodulate the intercepted traffic into
IP packets.
Attacks Through Hijacked Femtocell
A femtocell gives a user the possibility of having a small base station in their own home or elsewhere. These small
base stations can assist an eNodeB where access to the core network is slow, intermittent or absent. UEs connect to
these devices as to a typical eNodeB, but the devices are usually connected back to the operator's core network
via an Internet service provider. Femtocells have been standardized in LTE since Rel. 8 and are referred to as
H(e)NodeB, HeNodeB or HeNB. HeNBs are required to establish an IPsec connection to a HeNB gateway (HeNB-GW)
to protect the traffic to and from an operator's core network. If HeNBs are in the physical possession of an
attacker, the attacker has unlimited time to identify a flaw in the HeNB. A rogue HeNB can be used in a similar
way to a rogue base station, but additionally gains access to the encryption keys used to protect cellular
connectivity, and gives the attacker access to plaintext traffic before it is sent back to the core network.
Radio Jamming Attacks
Jamming attacks are a method of blocking access to cellular networks by exploiting the radio frequency
channel used to transmit and receive information. The attack is accomplished by transmitting static and/or
noise at high power levels in a given frequency band, reducing the signal-to-noise ratio. Such attacks can be
carried out in a variety of ways that require varying skill levels and access to specialized equipment.
Jamming that targets specific channels in the LTE spectrum and is timed to avoid detection is called "smart
jamming"; broadcasting noise over a wide range of RF frequencies is called "silent jamming".
• UE Radio Interface Jamming: A low-cost, high-complexity attack type that prevents the UE from sending
signals to an eNodeB. Research on this topic suggests that this attack is possible because of the small
amount of LTE control signaling used by the LTE air interface protocols.
• eNodeB Radio Interface Jamming: Base stations are connected to other base stations via physical (e.g.
fiber optic) or wireless (e.g. microwave) links. These connections are often used to perform call
hand-off transactions. Wireless links between eNodeBs can be jammed. In theory, the smart jamming
attack used against the UE could be modified to prevent the forwarding of RF communication from
eNodeB to eNodeB.
Backhaul and Core Network Eavesdropping
Backhaul connectivity covers data communication between the LTE core and the eNodeBs (cell sites). When the
LTE network does not use confidentiality protection on the backhaul interface, the communication between the
cell site and the core is vulnerable to eavesdropping. If an attacker gains access to network equipment that
terminates the S1 interface, the communication can also be intercepted there.
identity and access management, malware detection, and intrusion detection and prevention systems can also
be applied to the operator's LTE infrastructure. These processes and protection mechanisms can be adapted to
best support and protect the specialized LTE system.
Ensuring Privacy in the Air Interface
This measure addresses Air Interface Listening attacks. Although integrity protection of NAS and RRC signaling is
mandatory, air interface encryption is optional for operators in LTE systems. Enabling cryptographic protection
of the user plane over the Uu interface with the K_UPenc (User Plane Encryption) key prevents passive
eavesdropping attacks. However, confidentiality protection on the air interface can add latency on cellular
networks and can also noticeably affect the UE's battery life.
Using the Encryption Indicator
This measure addresses Air Interface Listening attacks. The authentication procedure of the 2G GSM system does not
perform mutual authentication between the mobile device and the base station, which allows a rogue base
station to perform a downgrade attack on a UE with an active LTE connection; the confidentiality of the resulting
GSM connection cannot be ensured. Current mobile devices do not let a user know whether their connection to
the eNodeB is encrypted. 3GPP provides an "encryption indicator" to alert the user when a connection is
unencrypted. The encryption indicator is defined in 3GPP TS 22.101 as a feature that informs the user about the
status of the confidentiality protection of the user plane. The operator can disable this feature with a
setting in the USIM. This indicator benefits users who want to know whether their over-the-air cellular connections
are encrypted.
User Defined Option to Connect to LTE Networks
This solution addresses issues with Rogue Base Stations. Rogue base stations often exploit the lack of mutual
authentication in GSM. Current mobile devices do not give the average user an option to restrict their mobile
device to a 4G LTE network only, to a specific carrier network, or to a specific physical cell site. If users could
restrict their mobile devices to connect only to the 4G LTE network, mutual authentication would be provided
between the UE and the eNodeB by the LTE AKA protocol, and a rogue base station attack that downgrades the
connection to GSM would not be possible. Many UEs are known to have a preferred list of network technologies;
it is unclear whether this option prevents a UE under attack from connecting to the rogue base station.
Although this function is not intended for security purposes, it can provide a vital defense against rogue base
stations.
Protecting the Privacy of the S1 Interface
This measure addresses Backhaul and Core Network Eavesdropping issues. Both physical and logical security can be
used to secure the backhaul connection of an LTE network. Placing devices in physically secure locations is an
important step in maintaining carrier connectivity and protecting it from attackers. Encrypting and securing IP
traffic that crosses the backhaul connection is equally important and provides a higher level of assurance, made
possible through NDS/IP. Maintaining confidentiality on the S1 interface can add latency on cellular backhaul
connections.
Encryption of Interfaces Between Core Network Components
This measure addresses Backhaul and Core Network Eavesdropping issues. As long as it does not significantly affect
the availability of network resources, communication between core network nodes should be protected in some
way, for example through the NDS/IP mechanisms described in 3GPP TS 33.210; traffic between the S-GW and the
P-GW, for instance, should be encrypted. In the near future, many of the network components will be able to be
bundled together as separate applications on the same server.
Using the SIM/USIM PIN Code
This measure addresses issues caused by Theft of Service. Some modern mobile equipment operating systems
by 3GPP TS 121.111
3rd Party OTT Solutions
This measure addresses Downgrade, Air Interface Listening, Backhaul and Core Network Eavesdropping, Attacks via
Hijacked Femtocell, and Attacks on K. If an operator does not encrypt the user's traffic, or a passive eavesdropping
attack occurs, a third-party OTT (over-the-top) service can provide strong authentication, integrity and
confidentiality protection for user data. Such a service is usually a user-installed application that is not provided
by the operator.
Unverified Reject Behavior
Where illegitimate messages can deny network access, a precautionary measure that reduces the impact of the
attack is for the UE to keep searching for other networks, ignoring the denial from the rejecting network. Base
station software can be tested to understand how these systems behave in the presence of unauthenticated
REJECT messages.
An attacker can use another subscriber's identity to gain unauthorized Internet access by sending a specially
crafted GTP-C "Create Session Request" message to the P-GW, as seen in the figure above. If the request
contains the IMSI of a real subscriber, the charging system bills that subscriber for all traffic used by the
attacker. Otherwise, when the IMSI is not assigned to a real subscriber, the data transmission costs are borne by
the operator.
Another variant of this attack uses the failover mechanism of the CGF (Charging Gateway Function), as seen
in the figure above. This component is responsible for receiving detailed records (CDR, Charging Data Record)
about the service provided and passing them to the billing system. When the CGF buffer overflows or the CGF is
overloaded, data about the provided service may be redirected by a "Redirect Request" message containing
the IP address of the backup gateway. Attackers take advantage of this by announcing their own IP addresses
to the P-GW as spare CGF addresses, thereby bypassing the CGF. The described attack scenarios could give
attackers unrestricted access to services that are not included in their tariff plan and cause direct financial
loss to the mobile operator.
Connection Hijacking
Such an attack could result in the leaking of sensitive subscriber data and the compromise of important resources.
The attacker may continue to impersonate the subscriber, and when the connection is handed back to the
subscriber, the subscriber may be unable to use many services.
The same attack can be carried out against the MME using a crafted GTP-C "Context Request" message in which the
TEID and TMSI of the hijacked subscriber are specified among other parameters (figure above). The weakness in
the GTP protocol, together with the failure to validate the sender's IP address, allows the attacker to access the
Internet under the victim's subscription. This method can also bypass lawful interception systems and let
criminals use the network without attribution.
DoS Attack Against Subscribers
Several scenarios are possible for performing a denial of service attack on the EPC that cuts off the subscriber's
Internet connection. Once the connection is lost, the user can reboot the smartphone to restore it; however, if
the attacker repeats the attack constantly, the subscriber is completely blocked. With brute-force enumeration of
TEIDs, the attacker can disconnect multiple users at once. Such actions significantly affect the overall quality of
the services provided and the subscribers' trust in the operator. The attack succeeds when the sender's address is
not verified on the operator's equipment: the attacker sends a GTP-C "Delete Bearer Request" message to the MME
containing the subscriber's TEID, with the sender's IP address spoofed to be the S-GW's IP address. The
subscriber is then disconnected until it re-attaches to the network or the phone is restarted.
The attacker can also disconnect the subscriber from the Internet by obtaining the TEID of the subscriber's current
session and sending a GTP-C "Delete Session Request" message to the P-GW (figure below).
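The countermeasure implied above is to verify who is allowed to send session- and bearer-affecting GTP-C messages. The following Go program is an added example (not code from the original report or from any operator's equipment): it parses the GTPv2-C header (TS 29.274) and screens Create Session, Delete Session, Delete Bearer and Context Requests against a list of provisioned peers, dropping malformed packets and producing a log-ready reason. The peer addresses, roles and sample packets are constructed for the test.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// GTPv2-C message types named in the text (TS 29.274, Table 6.1-1).
const (
	CreateSessionRequest uint8 = 32
	DeleteSessionRequest uint8 = 36
	DeleteBearerRequest  uint8 = 99
	ContextRequest       uint8 = 130
)

// Header carries the GTPv2-C header fields the screening check needs.
type Header struct {
	Version  uint8
	HasTEID  bool
	MsgType  uint8
	Length   uint16 // octets following the first four
	TEID     uint32
	Sequence uint32
}

// ParseHeader decodes flags, message type, length, the optional TEID and
// the 3-byte sequence number, rejecting truncated or inconsistent packets.
func ParseHeader(b []byte) (Header, error) {
	if len(b) < 8 {
		return Header{}, errors.New("packet shorter than minimal GTPv2-C header")
	}
	h := Header{Version: b[0] >> 5, HasTEID: b[0]&0x08 != 0, MsgType: b[1],
		Length: binary.BigEndian.Uint16(b[2:4])}
	if h.Version != 2 {
		return Header{}, fmt.Errorf("unsupported GTP version %d", h.Version)
	}
	off := 4
	if h.HasTEID {
		if len(b) < 12 {
			return Header{}, errors.New("TEID flag set but header truncated")
		}
		h.TEID = binary.BigEndian.Uint32(b[4:8])
		off = 8
	}
	h.Sequence = uint32(b[off])<<16 | uint32(b[off+1])<<8 | uint32(b[off+2])
	if int(h.Length)+4 != len(b) {
		return Header{}, fmt.Errorf("length field %d disagrees with %d-byte packet", h.Length, len(b))
	}
	return h, nil
}

// Verdict is the outcome of screening one packet; Reason is meant for the alert log.
type Verdict struct {
	Allowed bool
	Reason  string
}

// Screen accepts session- and bearer-affecting requests only from peers the
// operator has provisioned for this interface (peers maps address to role).
// Other message types pass; malformed packets are dropped.
func Screen(src netip.Addr, pkt []byte, peers map[netip.Addr]string) Verdict {
	h, err := ParseHeader(pkt)
	if err != nil {
		return Verdict{false, "malformed GTP-C from " + src.String() + ": " + err.Error()}
	}
	names := map[uint8]string{
		CreateSessionRequest: "Create Session Request",
		DeleteSessionRequest: "Delete Session Request",
		DeleteBearerRequest:  "Delete Bearer Request",
		ContextRequest:       "Context Request",
	}
	name, sensitive := names[h.MsgType]
	if !sensitive {
		return Verdict{true, fmt.Sprintf("message type %d not subject to peer check", h.MsgType)}
	}
	role, known := peers[src]
	if !known {
		return Verdict{false, fmt.Sprintf("%s (TEID 0x%08x, seq %d) from unprovisioned peer %s",
			name, h.TEID, h.Sequence, src)}
	}
	return Verdict{true, fmt.Sprintf("%s from %s (%s)", name, src, role)}
}

// BuildPacket assembles a minimal GTPv2-C header with TEID (constructed sample
// for testing; real messages also carry information elements).
func BuildPacket(msgType uint8, teid, seq uint32, body []byte) []byte {
	pkt := make([]byte, 12+len(body))
	pkt[0] = 0x48 // version 2, TEID flag set
	pkt[1] = msgType
	binary.BigEndian.PutUint16(pkt[2:4], uint16(8+len(body)))
	binary.BigEndian.PutUint32(pkt[4:8], teid)
	pkt[8], pkt[9], pkt[10] = byte(seq>>16), byte(seq>>8), byte(seq)
	copy(pkt[12:], body)
	return pkt
}
```

Because the attacker described above spoofs the S-GW's source address, this check on its own is not enough: it complements NDS/IP (IPsec) peer authentication on the S5/S8 and S11 interfaces rather than replacing it.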
DoS Attack on Operator Equipment
Telecommunications equipment manufacturers do not always examine "worst case scenarios" of how interfaces
and protocols can be abused, and assume that all network elements comply with the standards. It is known that
specially crafted malformed packets can cause elements of the operator's signaling network to malfunction (figure
below).
Unaddressed Domains in LTE Security Architecture
Default confidentiality protection for user traffic
LTE standards do not provide confidentiality protection for user traffic in the default system configuration.
Encrypting user traffic by default would give direct security benefits to end users, except in some scenarios such
as emergency calls.
Prohibition of integrity protection for user traffic
Although LTE standards require integrity protection for critical signaling traffic, integrity protection of user
traffic is expressly prohibited.
Lack of protection against jamming attacks
It is not clear whether the LTE standards address this issue at all.
OAM Networks
There are vulnerabilities depending on how the OAM network is designed and managed.
5G Security Architecture
User Equipment Security Features
Authentication: In this context, the user equipment must authenticate the network identifier through key-based
authentication.
Confidentiality of user and signaling data: User equipment can support the confidentiality of data through
cipher algorithms for encryption. User equipment must support the NEA0, 128-NEA1, and 128-NEA2 cipher
algorithms. For context, NEA0 means no encryption, while 128-NEA2 is identical to AES-128. The cipher algorithm
128-NEA3 is a stronger algorithm, though its use is optional.
Integrity of user and signaling data: The integrity algorithms NIA0, 128-NIA1, and 128-NIA2 are used for integrity
protection. User equipment must support integrity protection and replay protection of user data between it and
the network nodes. Integrity protection is a part of tamper-proofing, that is, the steps taken to ensure a
program runs properly even when entities try to disrupt, monitor, or change how it runs. An optional
element of user data integrity is integrity protection of the data between the user equipment and the
network node. It is optional because integrity protection of the user plane adds overhead to the packet size and
increases the processing load on both the user equipment and the network node.
Secure storage and processing of subscription credentials: These credentials and their long-term keys are to be
integrity protected within the user equipment with a tamper-resistant piece of hardware. The long-term keys
are to never be available unencrypted outside of the tamper-resistant hardware. Any authentication algorithm
that uses subscription credentials must be run in this hardware. This portion of the larger standard also
mandates that it must be possible to perform a security evaluation on the hardware components.
Subscriber privacy: In order to meet the 3GPP 5G security standard, user equipment must support what 3GPP
calls the globally unique temporary UE identity (GUTI). The GUTI provides an unambiguous identification of the
user equipment but does not reveal the UE or the user’s permanent identity in the 5G network. The subscription
permanent identifier (SUPI) must not be transferred unencrypted over next-generation radio access networks.
The universal subscriber identity module is where the home network public key, protection scheme identifier,
home network public key identifier, and subscription concealed identifier (SUCI), are all stored. The SUCI in turn
contains the SUPI. The 5G network provider is in charge of subscriber privacy as well as provisioning and updating
the home network public key and that key’s identifier. In the 3GPP 5G security standard, a home network refers
to the network the user is primarily subscribed to.
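To show how the SUCI conceals the SUPI under the home network public key, the following Go program is an added example (not code from the original report or from 3GPP): it implements the ECIES-style concealment of protection scheme Profile A as read from TS 33.501 Annex C (X25519 key agreement, ANSI X9.63 KDF with SHA-256, AES-128-CTR, HMAC-SHA-256 with a 64-bit tag) for the UE side and the matching de-concealment for the home network. Those parameters, the function names and the sample MSIN are assumptions; the SUCI's clear-text fields (SUPI type, MCC/MNC, routing indicator, scheme and key identifiers) are left out and only the scheme output is produced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Profile A sizes as read from TS 33.501 Annex C (assumption): 32-byte X25519 public key,
// AES-128 key, 16-byte initial counter block, 32-byte HMAC key, 8-byte truncated tag.
const (
	pubKeyLen = 32
	encKeyLen = 16
	icbLen    = 16
	macKeyLen = 32
	macLen    = 8
)

// kdfX963 concatenates SHA-256(z || counter || sharedInfo) for counter = 1, 2, ...
func kdfX963(z, sharedInfo []byte, outLen int) []byte {
	var out []byte
	for counter := uint32(1); len(out) < outLen; counter++ {
		h := sha256.New()
		h.Write(z)
		h.Write(binary.BigEndian.AppendUint32(nil, counter))
		h.Write(sharedInfo)
		out = h.Sum(out)
	}
	return out[:outLen]
}

// deriveKeys splits the KDF output into encryption key, initial counter block
// and MAC key; the ephemeral public key is the KDF's shared info.
func deriveKeys(shared, ephPub []byte) (encKey, icb, macKey []byte) {
	k := kdfX963(shared, ephPub, encKeyLen+icbLen+macKeyLen)
	return k[:encKeyLen], k[encKeyLen : encKeyLen+icbLen], k[encKeyLen+icbLen:]
}

// aesCTR encrypts or decrypts in with AES-128-CTR starting at counter block icb.
func aesCTR(key, icb, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, icb).XORKeyStream(out, in)
	return out, nil
}

// macTag is HMAC-SHA-256 over the ciphertext, truncated to macLen bytes.
func macTag(key, ct []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(ct)
	return m.Sum(nil)[:macLen]
}

// ConcealSUPI runs the UE side with a fresh ephemeral key per SUCI, so repeated
// registrations are unlinkable. msin is the subscriber-specific part of the SUPI
// (constructed by the caller); the returned scheme output is ephPub || ciphertext || tag.
func ConcealSUPI(hnPub *ecdh.PublicKey, msin []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(hnPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	encKey, icb, macKey := deriveKeys(shared, ephPub)
	ct, err := aesCTR(encKey, icb, msin)
	if err != nil {
		return nil, err
	}
	return append(append(ephPub, ct...), macTag(macKey, ct)...), nil
}

// DeconcealSUCI runs the home network side with its private key; the tag is checked
// before decryption so a tampered SUCI is rejected rather than decoded.
func DeconcealSUCI(hnPriv *ecdh.PrivateKey, out []byte) ([]byte, error) {
	if len(out) < pubKeyLen+macLen {
		return nil, errors.New("scheme output too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(out[:pubKeyLen])
	if err != nil {
		return nil, err
	}
	shared, err := hnPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	ct, tag := out[pubKeyLen:len(out)-macLen], out[len(out)-macLen:]
	encKey, icb, macKey := deriveKeys(shared, out[:pubKeyLen])
	if !hmac.Equal(macTag(macKey, ct), tag) {
		return nil, errors.New("SUCI MAC check failed")
	}
	return aesCTR(encKey, icb, ct)
}
```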
Network Security Features
5G base stations are called gNB, which is short for new radio NodeB. This comes after 4G LTE’s evolved NodeB
and 3G’s NodeB.
Subscription authentication: The network is required to authenticate the SUPI when authenticating and
performing key agreements with the user equipment.
User equipment authorization: The serving network has to authorize the user equipment using the
subscription profile obtained from the home network. The serving network is essentially a roaming network
that allows the user to connect to their home network. User equipment authorization depends on the SUPI having
been authenticated.
Serving network authorization by the home network: In this part of the larger 5G security standard, the user
equipment must be assured it is connected to a serving network authorized by the home network.
Access network authorization: Just as a serving network must be authorized by a home network, an access
network must be authorized by the serving network to provide services to the user equipment.
Confidentiality of user and signaling data: The 5G gNB must support the encryption of user data in transit and
for radio resource control (RRC) signaling. The gNB should activate the user data encryption process based on
security policy. Such encryption algorithms are the same as what the user equipment utilizes for data
confidentiality, as mentioned above.
Integrity of user and signaling data: The network nodes, like the user equipment, must support integrity protection
and replay protection of user data going between the user equipment and the gNB. The integrity algorithms are
the same as the ones used by the user equipment for integrity protection. However, NIA0 is not recommended
for integrity protection since it provides no actual protection and therefore only adds unnecessary overhead. 5G
network nodes must also support integrity protection and replay protection of RRC. For context, RRC exists in
the control plane and controls configuration between radio interface Layer 2 and Layer 3.
Setup and configuration requirements: In this part of the 5G security standard, the operations and management
(O&M) systems that set up and configure gNBs must be authenticated and authorized by a registration authority
and a certification authority (RA/CA), so that attackers are not able to modify the gNB settings and software
configurations. Communication between the O&M systems and the gNB must be confidentiality-, integrity- and
replay-protected against unauthorized entities. Additionally, software and data changes must be authorized
before installation and use, the software and data themselves must be authorized, and transferring the software
to the gNB must be confidentiality- and integrity-protected. The boot-up process must be done in a secure
environment to protect its sensitive elements.
Requirements for key management inside the gNB: There is a need to protect the different elements of
encryption keys provided by the 5G network core to the gNBs. The elements are the subscription-specific session
keying material, which holds long term keys used for security association setup and authentication purposes.
The first element of this requirement is that any part of a gNB deployment storing or processing unencrypted
keys must be protected from physical attacks. If it isn’t protected physically then the gNB is placed in a physically
secure location.
Handling user plane and control plane data requirements: The requirements for key management are similar
to those for handling user plane and control plane data for the gNB. Unencrypted data must be protected from
physical attacks, placed in a physically secure location, and the unencrypted data is stored and processed in a
secure environment.
Requirements for a secure environment: The secure environment in which all of this unencrypted data is handled
has requirements as well. It must support secure storage of, for example, long-term cryptographic secrets and
vital configuration data. The environment must be able to execute sensitive functions and protocols that use
long-term secrets; such sensitive functions include the encryption and decryption of user data, and an example
of a protocol using long-term secrets is an authentication protocol. This part of the 3GPP 5G security standard
requires the secure environment to have integrity. Finally, only those with authorized access can access the
secure environment.
Requirements for F1 interfaces: The F1 interface can send signaling traffic and user plane data between a
distributed unit and a central unit of the network. The F1 interface for the control plane and for the user plane
must support confidentiality, integrity, and replay protection. However, the F1 interfaces for control planes and
user planes are protected independently. The same protections must apply to all management traffic
transmitted over the central unit to the distributed unit link.
Requirements for E1 interfaces: The E1 interfaces work with an open interface between the central unit and
the control plane as well as the central unit and the user plane. The E1 interface used in both of those scenarios
requires confidentiality, integrity, and replay protection.
5G Networks Cyber Threats
AKA Attacks
Authentication and Key Agreement (AKA) for 5G security and attacks are heavily researched in Borgaonkar et al,
Basin et al., and Cremers and Dehnel-Wild. Privacy was built into the standard for 3G and 4G authentication.
Unfortunately, there have been weaknesses found in the AKA system that allows for false base station attacks
and IMSI catchers through non-protected identity request mechanisms and authentication failure messages.
These flaws allowed for the creation of StingRays, a device used by law enforcement to track users through their
cellular devices. The protocol is extremely important for controlling devices that are allowed on the network
and maintaining the confidentiality of communications. From Cremers and Dehnel-Wild, the 5G-AKA protocol
does not meet its own security requirements. It is shown that an attacker can access a service network in the
name of a legitimate user other than itself. The attack is possible due to insecure transportation methods used
to transfer secret keys between UE and a base station required for authentication while a device is roaming. A
real-world application of the attack would be dependent on how the network carrier implements its
authentication mechanism. There are other known attacks against AKA that have been inherited from the 4G
protocol standards. In order for carriers to provide backward compatibility, the architecture from 4G will still be
operational, and even while the shift to 5G occurs, devices will still need to communicate with a 4G network first
before being upgraded to 5G. In the current 5G AKA specification, a vulnerability was found that would allow an
attacker to learn about the cellular consumption of a user through a replay attack made possible by a lack of randomness in
the sequence number (SQN). The SQN can be thought of as a token that allows access to a resource. This has
major privacy implications, since an attacker will be able to determine the time spent on phone calls, SMS
statistics, and some web traffic usage. This attack works even while a user is not in range of an attacker’s fake
base station, since the device will update the statistics when it returns to the range of the false base station. This
could mean that an attacker could determine the location and schedule of a user while only knowing the target’s
phone number.
Man-In-The-Middle
In the 5G space, Man-in-the-Middle (MITM) attacks are mostly resolved in theory with two-way authentication
for the UE and the base station as well as service providers that are in the middle. This can prevent a false base
station from sniffing traffic from the UE that connects directly to it. However, a flaw in the 5G-AKA standard
described in Section 4.1.1 will allow an attacker to reuse authentication keys from a previous session to create
a false base station. This would open the door to surveillance devices, like the StingRay and other IMSI catchers
that are used currently in LTE networks.
Aside from the issues with authentication, there has been research on the insufficient protection of DNS
traffic. Intercepting or poisoning DNS entries can create a whole host of issues. Changing legitimate DNS requests
to return malicious IP addresses can allow the attacker to perform MITM attacks, steal credentials, and deploy
remote malware.
Location Discovery
A Temporary Mobile Subscriber Identity (TMSI) is a randomly assigned credential given to a device by a network
operator’s Mobile Management Entity (MME). It is recommended that the TMSI for a device should be changed
frequently.[24] However, in practice, this TMSI does not change often. When there are one or more pending
services for a device, the MME asks a nearby base station(s) to broadcast a paging message, which includes the
TMSI of the device. This makes locating a device in an area much simpler. The attack
involves determining the paging interval of a target by sniffing traffic on the network and placing
calls or texts at known times, allowing for a delay. The network will broadcast the paging notification, and
slowly an attacker can find the target device. Once the paging interval is known, a device can be tracked in any
cellular area where the attacker has a sniffer.
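The point above is that a TMSI which is not reallocated often enough becomes a stable tracking handle. The following operator-side audit is an added example, not code from the report: it reads constructed MME-style log lines (the log format is an assumption) and reports how long each TMSI stayed attached to the same subscriber, so that a reallocation policy can be checked against what actually happens.

```python
"""Audit of TMSI reallocation from MME-style logs (added example, not the report's code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO time> <event> imsi=<subscriber> tmsi=<hex>".
# The format is an assumption for this example; real MME logs differ.
SAMPLE_LOG = """\
2024-01-01T08:00:00 attach imsi=SUB-A tmsi=0x1a2b3c4d
2024-01-01T08:05:00 page imsi=SUB-A tmsi=0x1a2b3c4d
2024-01-01T09:30:00 reallocate imsi=SUB-A tmsi=0x5e6f7081
2024-01-01T09:31:00 page imsi=SUB-A tmsi=0x5e6f7081
2024-01-01T08:10:00 attach imsi=SUB-B tmsi=0xdeadbeef
2024-01-01T20:10:00 page imsi=SUB-B tmsi=0xdeadbeef
"""


def parse_line(line):
    """Split one log line into (timestamp, event, subscriber, tmsi)."""
    ts, event, imsi_kv, tmsi_kv = line.split()
    return (datetime.fromisoformat(ts), event,
            imsi_kv.split("=", 1)[1], tmsi_kv.split("=", 1)[1])


def tmsi_lifetimes(log_text):
    """Return {(subscriber, tmsi): seconds between first and last sighting}.

    This is a lower bound on how long the TMSI was in use, which is enough
    to flag identifiers that outlive the reallocation policy.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _event, sub, tmsi = parse_line(line)
        seen[(sub, tmsi)].append(ts)
    return {k: (max(v) - min(v)).total_seconds() for k, v in seen.items()}


def stale_tmsis(log_text, max_age_s=3600):
    """TMSIs observed for longer than max_age_s, longest-lived first."""
    ages = tmsi_lifetimes(log_text)
    return sorted(((sub, tmsi, age) for (sub, tmsi), age in ages.items()
                   if age > max_age_s), key=lambda r: -r[2])


if __name__ == "__main__":
    for sub, tmsi, age in stale_tmsis(SAMPLE_LOG):
        print(f"{sub}: TMSI {tmsi} held for {age / 3600:.1f} h, exceeds policy")
```

With the sample above, SUB-B keeps one TMSI for twelve hours and is the only subscriber reported under a one-hour policy.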
Integrity
Integrity is the principle of maintaining the accuracy and consistency of data from end point to end point, and it
is important in wireless communications to prevent data from being manipulated due to environmental factors
or malicious actors. Wireless specifications often incorporate methods to re-transmit data in order to overcome
disconnects or interference and to continue connections. It is important to verify that this data is exactly
the same as what the device sent. The consequences of accepting altered data range from as benign as a glitch in a
phone conversation to as catastrophic as power plants receiving the wrong control codes.
Message Alteration
In the current model, message authentication provides the verification of the source; however, there is no
protection against the duplication or modification of the message. Data transfer is much easier to alter when
compared to voice communications. Since much of the data transfer security is reliant on the application the
device is communicating with, it is difficult to remediate in the 5G space.
Message Spoofing
From the AKA attacks, an attacker can spoof a device on a cellular network. That will allow the attacker to
send SMS messages and phone calls as the subscriber they are impersonating.
Silent Downgrade
When a UE attempts to connect to a base station, there is a negotiation that occurs where the UE and base
station determine authentication mechanisms, speeds, and encryption. A malicious base station may be able to
force the UE to downgrade to GSM, an older and less secure communication protocol, by exploiting the
pre-authentication messages. All a false base station would need to do is broadcast a valid Mobile Country and
Network Code (MCC-MNC) combination for a network that has no public key provisioned in the USIM. This will
allow for MITM attacks, phone call snooping, and SMS message snooping.
Availability
Availability is the third leg of the CIA triad. This principle requires that all information systems be functional and
accessible at all times. It is an important objective because, without availability, nothing else matters. If a system
is not available, it is of no use to anyone. When dealing with cellular networking, an area being out of coverage
can have major consequences. In this day and age, most users do not have landline telephones, and there are
very few public telephones around. When life safety is involved, and communication is critical, the system that
carries communications is vital.
DDOS
A distributed denial of service (DDOS) attack occurs when a malicious actor attempts to disrupt a service
by overburdening the system with fake requests and data traffic from a large
number of devices. This attack is hard to circumvent and difficult to track down to a single root cause. In the 5G
space, the inclusion of IoT will make this style of attack much more devastating and potentially easier to
orchestrate. Right now, there is not an abundance of non-mobile operating systems in the 4G LTE ecosystem,
so the bar to abusing and compromising these devices is higher. When wireless cameras that are running on
outdated versions of Linux with web servers become more common, it is not out of the realm of possibility that
an attack like the one seen with the Mirai botnet will make its way to the 5G space. It is especially important to
include DDOS protections and mitigations in the standards and for network operators to work to thwart such
efforts.
Infrastructure. As stated previously in 3.4, having a 5G SDN can alleviate many foreseen problems with
connecting a massive number of devices to a network, but it also creates some single points of failure. The
control plane and the individual switches in the core infrastructure are targets for attempts to disrupt service in
a large area. An attempt to locate the control plane for the SDN and go after individual network components
can have major negative effects if not properly defended.
With the radio spectrum being a scarce resource, the practice of leveraging unused radio frequencies in a
geographical area to use for 5G communications is included in the 5G proposals. Using the frequencies set aside
for government operations can provide benefits in areas where there are many devices attempting to
communicate over the same frequencies and causing connection issues. There is potential for abuse with this
method when looking at how the 5G infrastructure handles off-loading the connections when a control signal
from the military or government operations system attempts to broadcast on the reserved frequencies. If the
equipment that is attempting to use the spectrum allocated for it cannot properly reach the 5G infrastructure
to allow it to broadcast over the 5G equipment, then it can potentially cause a denial of service and hamper
critical communications. More research will need to be done to determine how feasible that attack would be
from a well-resourced threat actor.
User Equipment. As with the infrastructure, the user equipment is vulnerable to DDOS conditions at an even
higher rate. This equipment is likely not made to handle extremely high rates of data traffic. In current network
topologies, these devices do not normally take the brunt of a network attack. Routing and switching equipment
along with firewalls and intrusion prevention systems (IPS) will absorb most of a large DDOS attack by protecting
the endpoints. In 5G with D2D communications, these devices are potentially exposed to such attacks from
malicious actors that are in the vicinity of a target and have the capability to use other user equipment as a part
of a botnet. Following previous attacks that are able to determine the location of a user, a threat actor can set
up an attack using the devices in an area to launch against a specific target using paging occasion hijacking.
Preventing such an operation would be difficult unless a network operator could detect indicators of an attempt
and perform mitigation.
Additional Information – LTE UE Attach Details
IMSI Acquisition
Procedure of Authentication
Procedure for Location Update
Additional Information – LTE IDs
Each entry below gives the ID, its meaning, a description, and its structure.

IMSI – International Mobile Subscriber Identity (LTE)
  Description: Unique identification of a mobile subscriber; the network (MME) gets the PLMN of the subscriber from it.
  Structure: IMSI (not more than 15 digits) = PLMN ID + MSIN = MCC + MNC + MSIN

PLMN ID – Public Land Mobile Network Identifier
  Description: Unique identification of a PLMN.
  Structure: PLMN ID (not more than 6 digits) = MCC + MNC

MCC – Mobile Country Code
  Description: Assigned by ITU.
  Structure: 3 digits

TAI List – Tracking Area Identity List
  Description: The UE can move into the cells included in the TAI list without a location update (TA update).
  Structure: Variable length; globally unique

PDN ID – Packet Data Network Identity
  Description: Identifies a PDN (IP network) that a mobile data user wants to communicate with. The PDN Identity (APN) is used to determine the P-GW and the point of interconnection with a PDN. With the APN as query parameter to the DNS procedures, the MME receives a list of candidate P-GWs, and then a P-GW is selected by the MME according to policy.
  Structure: PDN Identity = APN = APN.NI + APN.OI (variable length)

EPS Bearer ID – Evolved Packet System Bearer Identifier
  Description: Identifies an EPS bearer (Default or Dedicated) per UE.
  Structure: 4 bits

E-RAB ID – E-UTRAN Radio Access Bearer Identifier
  Description: Identifies an E-RAB per UE.
  Structure: 4 bits

DRB ID – Data Radio Bearer Identifier
  Description: Identifies a DRB per UE.
  Structure: 4 bits
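The IMSI and PLMN ID structure from the table (IMSI of at most 15 digits = MCC + MNC + MSIN, PLMN ID of at most 6 digits = MCC + MNC) is easy to get wrong in logging and lookup code. The parser below is an added example, not code from the report: it validates and splits an IMSI and redacts the subscriber-specific MSIN before an IMSI is written to a log or ticket. The MNC is 2 or 3 digits depending on the MCC; the small set of 3-digit-MNC country codes used here is a constructed assumption for the example, not a real allocation list.

```python
"""IMSI / PLMN ID structure checks (added example, not the report's code)."""
import re

# Constructed assumption: MCCs whose MNCs are 3 digits long. A real deployment
# would load the full ITU/operator allocation table instead.
THREE_DIGIT_MNC_MCCS = {"310", "311"}

# 3-digit MCC + at least a 2-digit MNC, never more than 15 digits in total.
IMSI_RE = re.compile(r"^\d{5,15}$")


def mnc_length(mcc):
    """MNC length for a given MCC (2 digits unless listed as a 3-digit MCC)."""
    return 3 if mcc in THREE_DIGIT_MNC_MCCS else 2


def parse_imsi(imsi):
    """Split an IMSI into MCC, MNC, MSIN and the derived PLMN ID.

    Raises ValueError for anything that does not match the table's structure.
    """
    if not IMSI_RE.match(imsi):
        raise ValueError("IMSI must be 5 to 15 decimal digits")
    mcc = imsi[:3]
    n = mnc_length(mcc)
    mnc, msin = imsi[3:3 + n], imsi[3 + n:]
    if not msin:
        raise ValueError("IMSI has no MSIN part after MCC + MNC")
    plmn = mcc + mnc          # PLMN ID (not more than 6 digits) = MCC + MNC
    return {"mcc": mcc, "mnc": mnc, "msin": msin, "plmn_id": plmn}


def is_valid_imsi(imsi):
    """True when the IMSI matches the MCC + MNC + MSIN structure."""
    try:
        parse_imsi(imsi)
        return True
    except ValueError:
        return False


def redact_imsi(imsi):
    """Keep the PLMN ID (operator) and mask the subscriber-specific MSIN.

    The IMSI is the identifier that IMSI catchers harvest, so it should not be
    stored in the clear more widely than necessary.
    """
    p = parse_imsi(imsi)
    return p["plmn_id"] + "*" * len(p["msin"])
```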