Thirty years of attacks, and the architecture they produced
“Every security mechanism in 5G exists because somebody, somewhere, successfully attacked an earlier generation.”
— THE ONE-SENTENCE SUMMARY OF THIS CHAPTER
A 5G network carries your payments, your hospital’s telemetry, your country’s power-grid signaling, and two billion private conversations — across an air interface that anyone with a $300 software radio can listen to. That is the problem 3GPP security was built to solve. This chapter tells the story of how mobile security evolved, why 5G had to be fundamentally different, and introduces the six objectives that every later chapter serves.
🎯 Learning objectives
Trace the security evolution from 2G to 5G and name the specific weakness each generation fixed.
Sketch the 5G attack surface from UE to roaming interconnect.
Define the six security objectives with a concrete 5G example of each.
Describe the 3GPP security-domain model and the UE–serving–home trust triangle.
📘 Standards reference box — Chapter 1
Specification · Title · Release / version verified
TS 33.501 · Security architecture and procedures for 5G System · Rel-18, v18.11.0 (2026-04)
TS 33.401 · EPS (LTE) security architecture · Rel-18 edition
TS 33.102 · 3G security architecture · Rel-17/18 edition
TS 23.501 · System architecture for the 5G System · Rel-19, v19.6.0
Versions checked June 2026 on the public 3GPP/ETSI portals. Rel-19 security work in SA3 is ongoing — always verify against the latest 3GPP version before relying on details in production.
1.1 A Short History of Trust: 2G to 5G
Think of mobile security as a door that gained one more lock with every generation — and every lock was added after a break-in.
2G (GSM, 1990s) had one lock, and it only worked one way. The network checked that you were a real subscriber — but your phone never checked that the network was real. Encryption (the A5 family) was weak by modern standards, and there was no integrity protection at all: nothing stopped an attacker from silently modifying messages. Worst of all, your permanent identity — the IMSI (International Mobile Subscriber Identity) — was regularly sent in cleartext over the air. This single design gap created an entire industry of IMSI catchers: fake base stations that harvest identities and downgrade calls.
3G (UMTS — TS 33.102) fixed the biggest hole. It introduced AKA — Authentication and Key Agreement — a challenge-response protocol where both sides prove themselves. The network proves freshness and authenticity through a token (AUTN) that only the real home network could have built, because it is computed from a secret key K stored in exactly two places: your USIM card and the home operator’s vault. 3G also added integrity protection for signaling. But the IMSI still leaked in cleartext in common scenarios.
4G (LTE/EPS — TS 33.401) industrialized the model. It built a proper key hierarchy — one master session key (KASME) fanning out into separate keys for signaling encryption, signaling integrity, and user-data encryption — and added handover key chaining (NH/NCC) so that a base station compromised mid-session cannot derive the keys used by the cells you came from, and loses track of your keys within two handovers after you leave it. Yet two gaps survived: the IMSI could still be requested in cleartext, and user-plane traffic had encryption but no integrity protection — which researchers later exploited in the aLTEr attack to silently redirect victims’ DNS.
5G (TS 33.501) is the first generation designed assuming that every part of the system can be attacked — including the operator’s own infrastructure and its roaming partners. Its four signature upgrades:
# · 5G upgrade · What it closes
1 · SUCI — identity encrypted with the home network’s public key before transmission · 25 years of IMSI catching
2 · Unified authentication (5G-AKA / EAP-AKA′), home network gets the final word · Visited-network fraud, access-type gaps
3 · User-plane integrity protection · aLTEr-class traffic manipulation
4 · SEPP — cryptographic guard on the roaming border (N32) · SS7/Diameter interconnect abuse
FIGURE 1.1 Evolution of Mobile Network Security — 2G to 5G
Purpose: the entire 30-year security story on one page. Read each column top-to-bottom (green = capability, red = weakness), then follow the gold arrows: every red item is closed by a green item one generation later.
The capability ladder
A second way to see the same story: security is cumulative. 5G keeps every rung below it and adds three of its own.
FIGURE 1.2 What Each Generation Fixed — the Security Capability Ladder
Purpose: security as a cumulative ladder. The three dark steps are 5G’s own additions — identity concealment, user-plane integrity, and core/roaming security.
💡 Key idea
Mobile security is cumulative and reactive. 5G did not start from a blank page — it kept the AKA core invented for 3G, kept the key hierarchy invented for 4G, and added exactly the protections whose absence had been exploited in the field.
Why one-way authentication was fatal
In GSM, the network sends a random challenge (RAND); the SIM computes a response (SRES) from K; the network verifies it. Done. At no point does the network prove anything. Any device that can transmit a GSM carrier can claim to be a cell of any operator — and phones obey it, because phones were designed to trust the strongest signal.
3G’s AKA closed this with the AUTN token: a value containing a sequence number and a message authentication code computed from K. A fake base station cannot fabricate AUTN. The UE verifies it before responding. Chapter 5 dissects this machinery in full.
FIGURE 1.3 One-Way vs Mutual Authentication
Purpose: the single most important authentication concept in this book. On the right, the UE checks the network’s token AUTN before revealing anything — a fake base station cannot fabricate it.
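The two exchanges in Figure 1.3, run side by side as a toy. This is an added example, not the book’s code and not a Milenage implementation: HMAC-SHA256 (truncated) stands in for the USIM functions f1 (MAC), f2 (RES) and f5 (AK), while the message layout RAND / AUTN = (SQN xor AK || AMF || MAC) follows TS 33.102. The subscriber key K, the SQN handling and the AMF value are constructed for the example.

```python
"""One-way GSM challenge vs mutual AKA, as a runnable toy.

Added example, not the book's code and not a Milenage implementation.
HMAC-SHA256 (truncated) stands in for the USIM functions f1 (MAC), f2 (RES)
and f5 (AK); the message layout RAND / AUTN = (SQN xor AK || AMF || MAC)
follows TS 33.102. K, SQN handling and the AMF value are constructed.
"""
import hashlib
import hmac
import secrets

AMF = b"\x80\x00"  # Authentication Management Field; constructed value


def _f(k: bytes, tag: bytes, *parts: bytes, n: int) -> bytes:
    """Stand-in for one Milenage function: keyed PRF over the inputs, n bytes."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """Holds the second copy of K and the subscriber's sequence counter."""

    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def authentication_vector(self):
        """Return (RAND, AUTN, XRES). Only a holder of K can build AUTN."""
        self.sqn += 1
        rand = secrets.token_bytes(16)
        sqn = self.sqn.to_bytes(6, "big")
        mac = _f(self.k, b"f1", sqn, rand, AMF, n=8)   # f1: network proves it holds K
        xres = _f(self.k, b"f2", rand, n=8)            # f2: expected UE response
        ak = _f(self.k, b"f5", rand, n=6)              # f5: hides SQN on the air
        autn = _xor(sqn, ak) + AMF + mac
        return rand, autn, xres


class USIM:
    def __init__(self, k: bytes):
        self.k, self.sqn_highest = k, 0

    def respond_gsm(self, rand: bytes) -> bytes:
        """GSM: answer whoever asks. Nothing about the network is checked."""
        return _f(self.k, b"f2", rand, n=4)

    def respond_aka(self, rand: bytes, autn: bytes) -> bytes:
        """3G/5G: check MAC (authenticity) and SQN (freshness) before answering."""
        ak = _f(self.k, b"f5", rand, n=6)
        sqn, amf, mac = _xor(autn[:6], ak), autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, _f(self.k, b"f1", sqn, rand, amf, n=8)):
            raise ValueError("MAC failure: sender does not hold K")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_highest:
            raise ValueError("synchronisation failure: SQN already used (replay)")
        self.sqn_highest = sqn_int
        return _f(self.k, b"f2", rand, n=8)


def _outcome(fn) -> str:
    try:
        fn()
        return "accepted"
    except ValueError as e:
        return str(e).split(":")[0]


def run_legitimate(k: bytes) -> bool:
    hn, usim = HomeNetwork(k), USIM(k)
    rand, autn, xres = hn.authentication_vector()
    return hmac.compare_digest(usim.respond_aka(rand, autn), xres)


def run_fake_base_station(k: bytes) -> str:
    """Attacker knows the message format but not K: forges RAND and AUTN."""
    usim = USIM(k)
    return _outcome(lambda: usim.respond_aka(secrets.token_bytes(16), secrets.token_bytes(16)))


def run_replay(k: bytes) -> str:
    """Attacker captured a genuine RAND/AUTN earlier and replays it."""
    hn, usim = HomeNetwork(k), USIM(k)
    rand, autn, _ = hn.authentication_vector()
    usim.respond_aka(rand, autn)          # genuine run succeeds
    return _outcome(lambda: usim.respond_aka(rand, autn))


if __name__ == "__main__":
    K = secrets.token_bytes(16)           # constructed subscriber key
    print("GSM answers a stranger:", USIM(K).respond_gsm(b"\x00" * 16).hex())
    print("AKA legitimate:", run_legitimate(K))
    print("AKA fake base station:", run_fake_base_station(K))
    print("AKA replay:", run_replay(K))
```

Two things the toy makes visible that the prose cannot: the GSM SIM hands a response to anyone who sends 16 bytes, and the AKA USIM rejects a forged AUTN before it reveals anything. In a real USIM the second failure (stale SQN) does not end the procedure but triggers re-synchronisation via AUTS, which Chapter 5 covers.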
The IMSI catcher: the attack that shaped 5G privacy
The IMSI catcher (false base station, “stingray”) is the canonical legacy attack — and it worked, essentially unchanged, for 25 years across three generations:
1. The attacker broadcasts as a high-power cell of the victim’s operator.
2. Phones reselect to it — strongest signal wins.
3. The fake cell sends an Identity Request — a legitimate, unauthenticated legacy message.
4. The phone replies with its IMSI in cleartext.
5. The attacker tracks the subscriber, or downgrades them to 2G to attack the weak cipher.
5G’s answer — SUCI, where the identity is encrypted to the home operator’s public key so even the serving network cannot read it off the air — is the subject of Chapter 4.
FIGURE 1.4 The Classic IMSI-Catcher Attack on Legacy Networks
Purpose: the concrete attack that motivates SUCI and false-base-station detection. Note step ③ — a perfectly legitimate legacy message; the protocol itself was the vulnerability.
1.2 Why 5G Needs Stronger Security
If 5G were only a faster radio, LTE security plus a coat of paint would have sufficed. It is not — for five structural reasons:
Change · What it means · Security consequence
1 · The core became a web app · SBA: NFs are services talking HTTP/2 + JSON over REST · Every NF-to-NF call needs web-grade authentication and authorization: mTLS plus OAuth tokens (Ch 10)
2 · The core went cloud-native · Containers on Kubernetes, shared/public cloud, edge sites · Infrastructure trust must be engineered, not assumed (Ch 22, 29)
3 · The network opened on purpose · NEF exposes location, QoS, slicing to external apps · Exposure is a feature; uncontrolled exposure is a breach (Ch 12)
4 · One network, many tenants · Slices sold to enterprises, public safety, industry · A slice boundary is a security boundary (Ch 20)
5 · Clients multiplied ×100 · Massive IoT: cheap, unattended, unpatched devices · Each device a potential bot; together, a signaling weapon (Ch 23)
⚠️ Warning
The most dangerous 5G security mindset is “we secured LTE, and 5G is similar.” The radio procedures are similar. The core, the trust model, the exposure surface, and the operational environment are not.
And the stakes rose. 4G carried consumers’ internet. 5G is designed to also carry society’s control plane: factory automation (URLLC), power-grid teleprotection, remote healthcare, public safety, ports, railways. When the network becomes critical infrastructure, its failure modes become national-security events — which is why regulators (EU 5G Toolbox, national telecom security acts) now legally compel much of what this book describes.
FIGURE 1.5 The 5G Attack Surface Map
Purpose: the master “where can we be hit” picture — nine numbered entry points spanning device, radio, transport, core, exposure, roaming, cloud, and management. Chapter 24 expands every branch into a full threat model.
FIGURE 1.6 5G as Critical Infrastructure — Dependency Map
Purpose: why availability is a first-class security objective. Six sectors now place their control traffic on the mobile network — its failure modes are their failure modes.
1.3 The Six Security Objectives
Everything in TS 33.501 serves one of six objectives. Learn these six words and every later mechanism will have an obvious “why.”
FIGURE 1.7 The Six Security Objectives of 5G
Purpose: the book’s organizing framework. Each card pairs the objective with the question it answers and its flagship 5G mechanism.
Three nuances worth fixing in memory:
Authentication ≠ authorization. An NF can be genuinely authenticated by mTLS and still not be authorized to read subscriber data — that is what OAuth scopes enforce. Confusing the two is the root of real NRF misconfigurations (Chapter 25).
Privacy ≠ confidentiality. Encrypting a message hides its content; privacy hides who is communicating. A fully encrypted NAS exchange can still leak identity if the GUTI never changes.
Availability lives mostly outside the cryptography. No key derivation stops a signaling storm. Availability is capacity engineering, overload control, and SOC response (Chapters 26–27).
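The authentication-versus-authorization distinction as the producer side actually enforces it. This is an added example, not the book’s code: it models the check a UDM performs on an incoming Nudm_SDM request after mTLS has already identified the consumer (passed in here as the NF instance ID read from its client certificate). Assumptions: the access token is a JWT whose claims iss/sub/aud/scope/exp follow TS 33.501 clause 13.4, signed here with HMAC-SHA256 under a key shared between NRF and producer (real deployments use the NRF’s signing key and certificate); the key, NF IDs and timestamps are constructed.

```python
"""Authentication is not authorization on the SBA.

Added example, not the book's code. Models the check a UDM performs on an
incoming Nudm_SDM request: mTLS has already identified the consumer NF
(here passed in as the NF instance ID read from its client certificate);
the NRF-issued access token decides whether it may call this service.
Assumptions: JWT claims iss/sub/aud/scope/exp follow TS 33.501 clause 13.4;
HS256 under a shared key stands in for the NRF's signature; key, NF IDs and
timestamps are constructed.
"""
import base64
import hashlib
import hmac
import json

NRF_SIGNING_KEY = b"constructed-example-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(nrf_id: str, consumer_id: str, producer_type: str,
                scope: str, now: int, ttl: int = 300) -> str:
    """What the NRF returns from Nnrf_AccessToken_Get (minimal JWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": nrf_id, "sub": consumer_id, "aud": producer_type,
              "scope": scope, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + \
        _b64url(json.dumps(claims).encode())
    sig = hmac.new(NRF_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authorize(token: str, tls_peer_nf_instance: str, my_nf_type: str,
              required_scope: str, now: int):
    """Producer-side check. Returns (allowed, reason).

    The TLS layer answered "who is calling"; every check below answers
    "what may it do", and each can fail for a perfectly authenticated peer.
    """
    try:
        h, c, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected signing algorithm"   # no alg-confusion
    expected = hmac.new(NRF_SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(c))
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("sub") != tls_peer_nf_instance:
        return False, "token subject does not match TLS peer"   # forwarded/stolen token
    if claims.get("aud") != my_nf_type:
        return False, "token audience is another NF type"
    if required_scope not in claims.get("scope", "").split():
        return False, f"scope {required_scope} not granted"
    return True, "ok"


def demo() -> dict:
    """Four requests to the UDM's Nudm_SDM service; every caller passed mTLS."""
    nrf, amf, pcf, t0 = "nrf-001", "amf-001", "pcf-001", 1_000
    t_amf = issue_token(nrf, amf, "UDM", "nudm-sdm nudm-uecm", now=t0)
    t_pcf = issue_token(nrf, pcf, "UDM", "nudm-pp", now=t0)  # PCF may only provision parameters
    return {
        "amf_sdm": authorize(t_amf, amf, "UDM", "nudm-sdm", now=t0 + 100),
        "pcf_sdm": authorize(t_pcf, pcf, "UDM", "nudm-sdm", now=t0 + 100),  # authenticated, wrong scope
        "stolen":  authorize(t_amf, pcf, "UDM", "nudm-sdm", now=t0 + 100),  # PCF presents the AMF's token
        "expired": authorize(t_amf, amf, "UDM", "nudm-sdm", now=t0 + 1000),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:8s} allowed={ok} reason={why}")
```

The “stolen” case is the one NRF misconfigurations tend to miss: a token is only as good as the binding between its sub claim and the TLS identity that presents it. If the producer skips that comparison, any authenticated NF can reuse any token it has seen.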
1.4 The 3GPP Security Domain Model
TS 33.501 organizes all of 5G security into six domains — a structure inherited from TS 33.102. Clause 4 of TS 33.501 numbers them I to VI: network access security, network domain security, user domain security, application domain security, SBA domain security, and visibility and configurability of security. The book’s parts map onto them as follows:
III · User domain security · Access to the device itself: USIM ↔ ME binding, PIN · Ch 4
IV · Application domain security · Applications riding the network: AKMA, exposure · Ch 12, 22
V · SBA domain security · NF-to-NF authentication, transport, authorization — new in 5G · Part 3
VI · Visibility & configurability · The user/UE knowing which protections are active · Ch 19
FIGURE 1.8 3GPP Security Domains (TS 33.501 View)
Purpose: connect the spec’s formal domain structure to the physical network. Domain V (SBA security) is 5G’s addition — the others evolved from 3G’s model in TS 33.102.
1.5 The Trust Triangle: UE, Serving Network, Home Network
5G security choreography always involves three parties:
The UE (with its USIM holding K) trusts its home network — which holds the twin copy of K and the private key for SUCI.
The serving network — possibly a roaming partner on another continent — is trusted conditionally and verifiably: it receives an anchor key (KSEAF) cryptographically bound to its own identity (the serving network name), so a key issued for one network is useless to another.
The home network keeps the final word: in 5G-AKA, the home AUSF — not the visited network — confirms the authentication result. This “increased home control” is a direct response to 4G-era roaming fraud.
This triangle explains otherwise-puzzling design choices throughout the book: why SUCI is encrypted to the home key, why KSEAF derivation includes the serving network name, why SEPPs authenticate PLMN-to-PLMN.
FIGURE 1.9 The 5G Trust Triangle
Purpose: the three-party trust model behind every authentication chapter. Note the highlighted verdict line: the home network — not the visited one — has the final word.
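The serving-network binding from the triangle, carried through the actual key derivation. This is an added example, not the book’s code: it implements the generic KDF of TS 33.220 Annex B (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...) and applies it with the FC values and inputs of TS 33.501 Annex A as the author of this example reads them, A.6 for KSEAF (FC 0x6C, P0 = serving network name) and A.7 for KAMF (FC 0x6D, P0 = SUPI, P1 = ABBA). The KAUSF and SUPI values are constructed; confirm the FC values against your copy of the spec before using this outside a lab.

```python
"""Why a KSEAF issued for one serving network is useless to another.

Added example, not the book's code. Implements the TS 33.220 Annex B KDF
and applies it with the TS 33.501 Annex A parameters as this example's
author reads them: A.6 KSEAF (FC 0x6C, P0 = serving network name) and
A.7 KAMF (FC 0x6D, P0 = SUPI, P1 = ABBA). KAUSF and SUPI are constructed.
"""
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B: S = FC || P0 || L0 || P1 || L1 ...; HMAC-SHA-256(key, S)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each Li is a 2-octet length
    return hmac.new(key, s, hashlib.sha256).digest()


def serving_network_name(mcc: str, mnc: str) -> str:
    """5G serving network name (TS 33.501 6.1.1.4); a 2-digit MNC is zero-padded to 3."""
    return f"5G:mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


def derive_kseaf(kausf: bytes, sn_name: str) -> bytes:
    """Annex A.6: the anchor key handed to the serving network's SEAF."""
    return kdf(kausf, 0x6C, sn_name.encode())


def derive_kamf(kseaf: bytes, supi: str, abba: bytes = b"\x00\x00") -> bytes:
    """Annex A.7: binds the AMF key to the subscriber (SUPI) and the ABBA parameter."""
    return kdf(kseaf, 0x6D, supi.encode(), abba)


def demo() -> dict:
    """Same KAUSF, same subscriber, two serving networks: two unrelated anchors."""
    kausf = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed 256-bit KAUSF
    supi = "262010123456789"                                       # constructed IMSI-type SUPI
    home = serving_network_name("262", "01")
    visited = serving_network_name("310", "410")
    k_home = derive_kseaf(kausf, home)
    k_visited = derive_kseaf(kausf, visited)
    return {
        "home": home,
        "visited": visited,
        "kseaf_home": k_home,
        "kseaf_visited": k_visited,
        "kamf_home": derive_kamf(k_home, supi),
        "kamf_visited": derive_kamf(k_visited, supi),
        "anchors_differ": k_home != k_visited,
    }


if __name__ == "__main__":
    d = demo()
    for name in ("kseaf_home", "kseaf_visited", "kamf_home", "kamf_visited"):
        print(f"{name:14s} {d[name].hex()}")
    print("anchors differ:", d["anchors_differ"])
```

The point of the name in the derivation is that the UE computes its own KSEAF with the name of the network it believes it is talking to. A network that presents itself under a name it is not entitled to ends up with an anchor the UE does not share, so every NAS and AS key derived below it is mismatched and the security mode procedure fails.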
1.6 Defense in Depth: How the Layers Stack
No single 5G mechanism is the security. Protection comes from nine independent layers, so one failure does not collapse the system:
FIGURE 1.10 Defense in Depth Across the 5G System
Purpose: the layered model and the book’s chapter map in one picture. The red core is the long-term key K — every ring exists to keep an attacker further from it, and from your subscribers.
💡 Key idea
When you evaluate any 5G security question, ask: which layer is supposed to catch this — and which layer catches it if the first one fails? If the answer to the second question is “nothing,” you have found a real risk.
1.7 The Practical Operator View
What does this chapter mean on Monday morning?
RAN engineers: every security decision you can see — ciphering indicators, integrity configuration, NEA/NIA algorithm priorities — traces to objectives in this chapter. When a parameter looks like bureaucracy, it is usually a patched attack.
Core engineers: your SBA is an HTTP application platform. Budget operational effort for certificates and tokens the way IT platforms do — because you now run one.
Security engineers: 3GPP gives you mechanisms, not a secure network. TS 33.501 mandates capabilities; configuration, monitoring, and audit are on you (Parts 6–7).
Managers: the cost of 5G security is dominated not by cryptography but by lifecycle: PKI operations, cloud platform patching, SOC integration, roaming agreement hygiene.
Common misconfiguration risks (preview of Chapter 25)
User-plane integrity set to “not needed” network-wide because of throughput fears.
SUCI null-scheme configured “temporarily” during integration — then forgotten.
SBA running plaintext HTTP inside the data center because “internal is safe.”
SEPP message filtering disabled to make a new roaming partner work.
1.8 Threats and Mitigations Summary
Threat · Exploits · 5G mitigation · Ch.
IMSI catching / tracking · 2G–4G cleartext identity · SUCI, GUTI reallocation · 4, 19
Fake base station MitM · 2G one-way auth · Mutual AKA, AS integrity · 5, 9
Cipher downgrade · 2G/3G weak algorithms · Algorithm policy, replayed-capability check · 8
User-plane modification (aLTEr) · 4G missing UP integrity · UP integrity protection · 9
Roaming interconnect fraud · SS7 / Diameter openness · SEPP, N32 protection · 13
Core lateral movement · new in 5G (SBA) · mTLS + OAuth on SBA · 10
API abuse · new in 5G (exposure) · NEF / CAPIF controls · 12
Cloud platform compromise · new in 5G (CNF) · CNF hardening, zero trust · 29–30
1.9 3GPP Terminology Introduced in This Chapter
Term · Meaning
UE / ME / USIM · User Equipment = Mobile Equipment + the USIM application holding the long-term key K (on the UICC smart card)
IMSI / SUPI / SUCI · Permanent identity (≤4G / 5G) and its concealed over-the-air form
AKA · Authentication and Key Agreement — the mutual challenge-response family
SBA / SBI · Service-Based Architecture / Interface — the HTTP/2 core design
SEPP · Security Edge Protection Proxy — guards the roaming border (N32)
NEF · Network Exposure Function — the controlled API doorway
Serving vs home network · Where you are vs who holds your subscription
1.10 Real Network Example
A European operator launching 5G SA in 2023 ran a pre-launch red-team exercise. Findings, in order of severity:
SBA in plaintext HTTP between NFs “inside the trusted zone” — one compromised lab VM could read authentication vectors crossing the bus. Fix: mandatory mTLS, two-week PKI sprint.
SUCI null-scheme still active from integration testing — subscribers had been sending IMSI-equivalent identities in cleartext for four months. Fix: home-network key provisioning + scheme enforcement, plus a KPI alarm on null-scheme registrations (Chapter 26).
UP integrity “not needed” on all slices — copied from an eMBB template into the enterprise slice sold to a utility company. Fix: per-slice UP security policy.
⚠️ The recurring theme of this book
None of these were standards gaps. All were operational gaps — the standard offered the protection; the deployment had switched it off.
1.11 Troubleshooting Checklist
When you suspect a “security generation” problem in a live network:
Confirm whether the UE is on 5G SA, NSA, or has fallen back to LTE/3G/2G — the protections available differ per generation it lands on, and NSA still runs LTE NAS security against the LTE core.
Check the registration identity used: SUCI, 5G-GUTI, or (bad sign) a cleartext permanent identity — in 5G that means a null-scheme SUCI.
Verify negotiated algorithms in the NAS and AS Security Mode Commands. NIA0 is legitimate only for unauthenticated emergency sessions; NEA0 can be a deliberate regulatory choice in some markets, so check it against policy before calling it a fault.
Check the UP security policy actually applied to the PDU session (integrity: required / preferred / not needed).
Confirm transport protection (IPsec/TLS) status on the backhaul segment in question.
If a roaming partner is involved — pull SEPP logs first.
Date-check your spec assumptions: which release is the network actually compliant to?
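The misconfiguration list in 1.7 and the checklist above, turned into a detection pass over signaling logs. This is an added example, not the book’s code or any vendor’s log format: the line layout (timestamp, NF, event, field=value pairs) is invented for the example and the lines themselves are constructed. The SUCI string layout suci-<supiType>-<mcc>-<mnc>-<routingIndicator>-<schemeId>-<hnKeyId>-<output> follows TS 23.003, and the rules applied (scheme 0 is the null scheme, NIA0 only for unauthenticated emergency, UP integrity policy values) are those of TS 33.501.

```python
"""Security-generation audit over constructed AMF/SMF log lines.

Added example, not the book's code. The log format is invented for the
example; the SUCI layout follows TS 23.003 and the checks follow TS 33.501.
"""
import re
from dataclasses import dataclass

LOG_LINES = [  # constructed; hypothetical format
    "2026-06-02T08:00:01Z amf REGISTRATION id=suci-0-262-01-0000-1-1-0a1b2c3d4e5f",
    "2026-06-02T08:00:02Z amf REGISTRATION id=suci-0-262-01-0000-0-0-0123456789",
    "2026-06-02T08:00:03Z amf REGISTRATION id=5g-guti-26201-0001-02-deadbeef",
    "2026-06-02T08:00:04Z amf NAS_SMC ue=0a1b selected=NEA2/NIA2 emergency=false",
    "2026-06-02T08:00:05Z amf NAS_SMC ue=0123 selected=NEA0/NIA0 emergency=false",
    "2026-06-02T08:00:06Z amf NAS_SMC ue=dead selected=NEA0/NIA2 emergency=false",
    "2026-06-02T08:00:07Z amf NAS_SMC ue=9999 selected=NEA0/NIA0 emergency=true",
    "2026-06-02T08:00:08Z smf PDU_SESSION ue=0a1b snssai=1-000001 up_integrity=not_needed up_ciphering=required",
    "2026-06-02T08:00:09Z smf PDU_SESSION ue=dead snssai=1-000002 up_integrity=required up_ciphering=required",
]

_SUCI = re.compile(r"suci-(\d)-(\d{3})-(\d{2,3})-(\d{1,4})-(\d)-(\d{1,3})-([0-9a-fA-F]+)")


@dataclass
class Finding:
    check: str
    severity: str
    line: str


def parse_suci(identity: str):
    """Split a SUCI into its fields. Scheme 0 is the null scheme: the MSIN is in clear."""
    m = _SUCI.fullmatch(identity)
    if not m:
        return None
    supi_type, mcc, mnc, ri, scheme, key_id, output = m.groups()
    return {"supi_type": int(supi_type), "mcc": mcc, "mnc": mnc,
            "routing_indicator": ri, "scheme": int(scheme),
            "hn_key_id": int(key_id), "output": output}


def _fields(line: str) -> dict:
    """field=value pairs after the timestamp, NF name and event."""
    return dict(tok.split("=", 1) for tok in line.split()[3:] if "=" in tok)


def audit(lines) -> list:
    findings = []
    for line in lines:
        f = _fields(line)
        ident = f.get("id", "")
        if ident.startswith("suci-"):
            s = parse_suci(ident)
            if s is None:
                findings.append(Finding("suci-unparseable", "low", line))
            elif s["scheme"] == 0:           # cleartext permanent identity
                findings.append(Finding("suci-null-scheme", "high", line))
        sel = f.get("selected")
        if sel:
            nea, nia = sel.split("/")
            emergency = f.get("emergency") == "true"
            if nia == "NIA0" and not emergency:   # never legitimate outside emergency
                findings.append(Finding("nia0-outside-emergency", "critical", line))
            if nea == "NEA0" and not emergency:   # may be regulatory; needs a policy check
                findings.append(Finding("nea0-no-ciphering", "medium", line))
        if f.get("up_integrity") == "not_needed":
            findings.append(Finding("up-integrity-not-needed", "medium", line))
    return findings


if __name__ == "__main__":
    for fd in audit(LOG_LINES):
        print(f"[{fd.severity:8s}] {fd.check:24s} {fd.line}")
```

Run against a real export, the null-scheme and NIA0 checks are the ones to alarm on immediately; the UP-integrity finding needs the slice context from the SMF policy (an eMBB slice set to “not needed” may be intentional, an enterprise slice almost never is), which is why the example reports it at medium rather than deciding for you.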
★ Chapter Summary
Mobile security evolved reactively: 3G fixed 2G’s one-way authentication, 4G built the key hierarchy, 5G fixed identity privacy, user-plane integrity, core trust, and roaming.
5G needs stronger security because the architecture changed: web-style SBA core, cloud-native deployment, deliberate API exposure, multi-tenant slicing, massive IoT.
All mechanisms serve six objectives: confidentiality, integrity, authentication, authorization, privacy, availability.
TS 33.501 structures protection into security domains; trust flows through the UE–serving–home triangle with increased home control.
Standards provide capabilities — real breaches come from configuration and operations. That asymmetry drives the second half of this book.
? Review Questions
Why was one-way authentication in GSM sufficient for its designers in 1990, and what changed?
Name the two security gaps that survived from 2G all the way through 4G, and the 5G mechanism that closed each.
An NF presents a valid TLS client certificate to the UDM. Is it authorized to read subscriber data? Explain the distinction this tests.
Explain why encrypting all NAS messages does not, by itself, give a subscriber privacy.
Your CTO says: “We hardened LTE; 5G NSA reuses the LTE anchor, so we’re covered.” Give three specific things this misses.
In the trust triangle, why is KSEAF bound to the serving network name? What attack does this prevent?
Which of the six security objectives is least addressed by cryptography, and what addresses it instead?
Map each finding from the real network example (1.10) to one of the six security objectives.
🧪 Mini lab / thought experiment — the downgrade hunt
No equipment needed. Take your own phone for a one-day field observation. Note every time the indicator changes between 5G, 4G and 3G/2G (elevators, parking garages, trains, rural areas). For each transition, write one line: which security properties did I just lose? (Use Figure 1.2.)
Then answer: if you were an attacker with a false base station, where in your day would you position it — and which generation would you force the phone onto? Keep your notes: in Chapter 19 you will revisit them knowing exactly what an IMSI catcher can and cannot do against 5G SA, and in Chapter 33 you will reproduce the legitimate parts in an Open5GS lab.