← Book home
Part 3 · Core Network and SBA Security
12

NEF and API Security

Opening the network on purpose — without opening it to everyone

“A network that exposes nothing is useless to developers. A network that exposes everything is a gift to attackers. The NEF is where 5G draws that line.” — THE EXPOSURE DILEMMA

5G is designed to be programmable: enterprises and application developers can query device location, request QoS on demand, manage IoT fleets, and influence routing — through APIs. The NEF (Network Exposure Function) is the controlled doorway that makes this safe. This chapter covers the NEF, the CAPIF framework, external application authentication and authorization, and the API threats that come with an open network.

🎯 Learning objectives
📘 Standards reference box — Chapter 12
SpecificationTitleRelease / version verified
TS 33.5015G security — NEF / exposure securityRel-18, v18.11.0 (2026-04)
TS 33.122CAPIF — Common API Framework securityRel-18 edition
TS 23.501 / 29.522NEF architecture / northbound APIsRel-19 edition

Checked June 2026 — verify against the latest 3GPP version.

12.1 Why Exposure Exists

The 5G core holds information and levers that applications want: where a device is, what QoS it can get, how an IoT fleet is behaving, where traffic should break out. Exposing these creates revenue and use cases — but every exposed capability is also an attack surface. The NEF’s job is to expose selectively, safely, and accountably.

FIGURE 12.1Exposure Architecture — AF → NEF → Internal NFs
UNTRUSTED external AFs app devs · enterprises 3rd-party platforms NEF authentication authorization (per API/AF/UE) rate limiting · quotas data minimization topology hiding · audit TRUSTED CORE UDM · SMF · PCF · AMF never directly face apps speak only to the NEF N33 (northbound) internal SBI the NEF is the membrane: it translates and filters between the open world and the trusted core
Purpose: the exposure model. The internal NFs never speak to external apps directly — the NEF is the single mediated, monitored, throttled doorway.
FIGURE 12.2The CAPIF Framework (TS 33.122)
API Invokerthe external app CAPIF Core FunctiononboardingAPI discoveryauthN + authZ + logging API Exposing Fn= the NEF onboard / authenticate authorized invoke CAPIF standardizes the “developer portal” of the network: how a 3rd party registers, gets credentials, discovers APIs, and is authorized — with audit throughout
Purpose: CAPIF is the standardized framework behind exposure — think of it as the network’s API gateway and developer-onboarding system, specified and securable (TS 33.122).

12.2 Authenticating and Authorizing External AFs

FIGURE 12.3External AF Onboarding and Per-Call Authorization
external AF NEF/CAPIF internal NF ① onboard: identity + credentials (cert/secret) ② API credentials + entitlements ③ API call (e.g. “locate UE X”) + token ④ authorize: this AF?this API? this UE? consent? ⑤ only-if-allowed internal query (minimized) authorization is per-AF AND per-API AND per-UE — a location API for fleet A must not return fleet B’s devices
Purpose: exposure authorization is multi-dimensional. It’s not enough that the AF is authenticated — it must be entitled to this API for this UE, often with subscriber consent.
FIGURE 12.4NEF Authorization — Three Dimensions That Must All Hold
per-API which capability? location · QoS · monitoring device trigger · etc. per-AF (tenant) which application/enterprise? contract-scoped rate + quota tied here per-UE + consent which subscribers? consent/privacy required the privacy frontier access granted only at the INTERSECTION: allowed API ∧ entitled AF ∧ permitted UE (with consent) — any miss = deny
Purpose: the authorization model that makes exposure safe. Location-of-a-subscriber is the sensitive case — it needs all three dimensions plus consent, or it becomes a tracking service.

12.3 API Threats and Controls

FIGURE 12.5Northbound API Threat Map (OWASP API Lens)
API threat NEF control broken object-level authZ (access UE you shouldn’t)per-UE authorization + consent checks excessive data exposuredata minimization — return only what’s needed lack of rate limiting → scraping/DoSrate limits + quotas per AF broken authenticationstrong AF auth (cert/OAuth) via CAPIF injection / malformed inputstrict schema validation, input sanitization mass assignment / over-permissive paramsallowlist parameters, least-privilege APIs improper asset mgmt (shadow APIs)API inventory, deprecation, versioning the 5G northbound is a web API — so it inherits the web’s top API risks and needs the web’s API defenses, at the NEF
Purpose: exposure security is API security. The threats are the familiar OWASP API Top-10; the NEF is where the matching controls live.
FIGURE 12.6Rate Limiting and Quota Architecture
AF requestsbursty / high volume NEF rate/quota engineper-AF token bucketper-API limit · burst controldaily/monthly quota within limit → core over limit →429 Too Many protects internal NFs from API-driven amplification — without rate limiting, one misbehaving AF can DDoS the UDM
Purpose: rate limiting isn’t just fair-use — it’s a security control. It stops a compromised or buggy AF from turning the exposure layer into a DDoS amplifier against the core.
FIGURE 12.7Data Minimization in Exposure
internal NF returnsfull data set NEF minimizerstrip to entitled fieldspseudonymize UE identitycoarsen location if allowed AF receivesonly the minimum needed privacy + breach-limitation: if the AF is later compromised, it holds the least possible sensitive data (Chapter 19)
Purpose: the NEF should hand out the least data that satisfies the request. Coarse location instead of precise, a pseudonym instead of a SUPI — minimization limits both privacy harm and breach impact.
FIGURE 12.8API Abuse Scenario — and the Controls
the abuse a partner AF with a location entitlement queries many UEs, repeatedly, over time → builds a tracking database of people a "legitimate" API turned surveillance tool (real risk for location/presence APIs) the controls ✓ per-UE authorization + active consent ✓ quota: limited queries per UE per period ✓ anomaly detection on query patterns ✓ coarse location by default; precise on consent ✓ audit every location query
Purpose: the exposure layer’s defining risk — that a sanctioned API becomes mass surveillance. Consent, quotas, anomaly detection, and audit keep capability from becoming abuse.

12.4 Trusted vs Untrusted AFs

FIGURE 12.9Internal vs External AF — Two Trust Levels
UNTRUSTED AF (external) 3rd party, enterprise, developer MUST go through the NEF full controls: authN/authZ/quota/minimize never gets direct SBI access TRUSTED AF (operator-internal) operator’s own application (e.g. IMS, AF) MAY have direct SBI access (mTLS+OAuth) still authenticated & authorized (Ch 10) grant sparingly — justify each one
Purpose: the trust boundary decision. The dangerous mistake is granting external-ish applications “trusted” direct-SBI status to skip the NEF — every trusted AF is an un-mediated path into the core.
FIGURE 12.10NEF Audit Logging Points
onboardingwho · when · scope authZ decisiongrant/deny + reason data-returning callwhich UE · what data rate/quota eventthrottle/reject a complete audit trail is what lets you DETECT abuse (Ch 26) and PROVE compliance (privacy/regulatory) after the fact
Purpose: exposure without audit is exposure without accountability. Every sensitive-data call must be logged — it’s both your abuse-detection feed and your regulatory evidence.

12.5 The Practical Operator View

Common misconfiguration risks

12.6 Threats and Mitigations

ThreatVectorDefense
Unauthorized data accessbroken object-level authZper-UE authorization + consent
Mass surveillancelocation-API abusequota, anomaly detection, audit, coarse default
Core DDoS via APIno rate limitingper-AF rate/quota, 429 throttling
Data over-exposureexcessive fields returneddata minimization, pseudonymization
Injectionmalformed API inputschema validation, sanitization
NEF bypassexternal app as trusted AFstrict trust-boundary policy, audit grants

12.7 Terminology, Example, Checklist

TermMeaning
NEFNetwork Exposure Function — the controlled API doorway
CAPIFCommon API Framework — onboarding/discovery/auth for APIs (TS 33.122)
AF (trusted/untrusted)Application Function; untrusted goes via NEF, trusted may have direct SBI
northbound APIThe exposure API toward applications (e.g. N33)
data minimizationReturning the least sensitive data that satisfies the request

Real network example. An operator monetized a location API for logistics partners. A security review found it had no per-UE quota and returned precise GPS-grade location on every call. One partner — entirely within its contractual entitlement — was polling thousands of delivery-driver devices every few seconds, effectively building a real-time surveillance feed of individuals. Nothing was “hacked”; the API design itself enabled mass tracking. Fixes: coarse location by default (precise only with explicit consent), a per-UE query quota, anomaly detection on high-frequency polling, and full per-call audit. The most dangerous API abuse needs no exploit — just a generous entitlement and no limits.

Chapter Summary

? Review Questions

  1. Why must internal NFs never face external applications directly, and what does the NEF do in between?
  2. Name the three authorization dimensions the NEF must satisfy and why a location API needs all three plus consent.
  3. How does rate limiting at the NEF function as a security (not just fairness) control?
  4. Explain data minimization and how it limits both privacy harm and breach impact.
  5. Distinguish trusted and untrusted AFs and the risk of mislabeling an external app as trusted.
  6. Describe an API-abuse scenario that needs no exploit, and the four controls that stop it.
  7. What audit points must the NEF log, and what two purposes does the trail serve?
  8. Map three OWASP API Top-10 risks to specific NEF controls.
🧪 Mini lab — design a safe location API

On paper, design the authorization and controls for a monetized "get UE location" API: (1) Define the three authorization checks (API, AF, UE) and where consent fits. (2) Choose a default location granularity and the condition to return precise location. (3) Set a per-UE quota and the anomaly signal you'd alert on (hint: query frequency per UE). (4) List the audit fields per call. (5) Now red-team your own design: as a malicious-but-entitled partner, how would you still try to track someone — and which of your controls stops it? This is exactly the exercise that separates a revenue API from a surveillance liability.

← Chapter 11 Chapter 12 Chapter 13 →