Part 6 · Threats, Attacks, and Operator Protection
Chapter 25 · Common 5G Security Misconfigurations

The protections were there all along — somebody just switched them off

"Almost no real 5G breach exploits a flaw in the standard. They exploit a checkbox someone left unchecked, a default someone never changed, a 'temporary' bypass someone forgot." — THE RECURRING THEME OF THIS BOOK

Throughout this book, one pattern keeps appearing: the standard provides the protection, and the deployment disables it. This chapter collects the most common, most dangerous 5G misconfigurations into one place — a field guide of what goes wrong, why, how to find it, and how to fix it. Each maps back to the chapter that explains the underlying mechanism.

🎯 Learning objectives
📘 Standards reference box — Chapter 25

Reference | Title | Note
TS 33.501 | 5G security (the controls being disabled) | Rel-18, v18.11.0 (2026-04)
TS 33.117 + SCAS | NF hardening requirements | Rel-18 edition
GSMA FS.40 | 5G security configuration guidance | current

Checked June 2026 — verify against the latest 3GPP version.

25.1 The Misconfiguration Heat Map

Figure 25.1 Misconfiguration Heat Map Across the Architecture

[Figure: the path UE → gNB → transport → core/SBA → partner PLMN, with six hotspots placed along it: 1 SUCI null scheme · 2 UP integrity off · 3 N4/backhaul unprotected · 4 plaintext SBI · 5 NRF auth gap · 6 SEPP filtering off. Caption: six hotspots account for most real-world 5G security findings.]
Purpose: the field guide on one page. Six recurring hotspots — each a switched-off protection — account for the bulk of real 5G audit findings.
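Hotspot 1 on the heat map, the SUCI null scheme, has no figure of its own in this chapter, so here is the registration-capture check as an added example; it is not code from the book or from any operator's tooling. It parses SUCIs in the NAI form of TS 23.003 (the form Open5GS and UERANSIM print), flags the null scheme and a few malformed cases, and reports the null-scheme rate as a KPI. The sample SUCIs are constructed, and the minimum-length sanity check for the two ECIES profiles is this example's own heuristic, not a normative test.

```python
"""Added example: classify SUCIs read from captured Registration Requests.

NAI form (TS 23.003, 28.7.3):
  suci-<supi_type>-<mcc>-<mnc>-<routing_indicator>-<scheme_id>-<hn_key_id>-<scheme_output>
Protection scheme id: 0 = null (scheme output is the MSIN in clear), 1 = Profile A
(X25519 ECIES), 2 = Profile B (secp256r1 ECIES), 3-11 reserved, 12-15 proprietary.
The SUCIs in SAMPLE_SUCIS are constructed for this example, not captured traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCHEME_NAMES = {0: "null", 1: "Profile A (X25519)", 2: "Profile B (secp256r1)"}

# Heuristic minimum size of the scheme output, in hex characters: ephemeral public key
# (32 bytes for Profile A, 33-byte compressed point for Profile B) + 8-byte MAC tag
# + at least one byte of MSIN ciphertext (TS 33.501 Annex C).
MIN_OUTPUT_HEX = {1: 2 * (32 + 8 + 1), 2: 2 * (33 + 8 + 1)}


@dataclass
class SuciReport:
    suci: str
    scheme_id: int
    scheme_name: str
    hn_key_id: int
    finding: Optional[str]  # None when the SUCI raises no audit finding


def _is_hex(s: str) -> bool:
    try:
        bytes.fromhex(s)
        return True
    except ValueError:
        return False


def parse_suci(suci: str) -> SuciReport:
    """Parse one NAI-format SUCI and attach the audit verdict for it."""
    parts = suci.strip().split("-")
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError(f"not a NAI-format SUCI: {suci!r}")
    supi_type, mcc, mnc, _routing_ind, scheme_s, key_s, output = parts[1:]
    if supi_type not in ("0", "1"):  # 0 = IMSI-based SUPI, 1 = NAI-based SUPI
        raise ValueError(f"unknown SUPI type {supi_type!r} in {suci!r}")
    scheme_id, hn_key_id = int(scheme_s), int(key_s)
    name = SCHEME_NAMES.get(scheme_id, "reserved" if scheme_id < 12 else "proprietary")

    finding = None
    if scheme_id == 0:
        # Null scheme: the "scheme output" IS the MSIN. Acceptable only where the operator
        # deliberately provisions no home-network public key; on a network that has one,
        # this is hotspot 1 (Chapters 4, 19).
        finding = f"null scheme: MSIN {output} sent in clear (PLMN {mcc}-{mnc})"
    elif scheme_id in MIN_OUTPUT_HEX:
        if hn_key_id == 0:
            # Key identifier 0 is reserved for the null scheme (TS 23.003).
            finding = f"{name} with home-network key id 0"
        elif not _is_hex(output) or len(output) < MIN_OUTPUT_HEX[scheme_id]:
            finding = f"{name}: scheme output malformed or too short ({len(output)} hex chars)"
    elif scheme_id < 12:
        finding = f"reserved protection scheme id {scheme_id}"
    else:
        finding = f"proprietary protection scheme id {scheme_id}: verify its strength"
    return SuciReport(suci, scheme_id, name, hn_key_id, finding)


def scan_registrations(sucis: List[str]) -> Tuple[List[SuciReport], float]:
    """Run the check over a batch of captured SUCIs.

    Returns the findings and the null-scheme rate, the KPI you would trend next to
    the NEA0/NIA0 usage KPI from Figure 25.2.
    """
    reports = [parse_suci(s) for s in sucis]
    findings = [r for r in reports if r.finding is not None]
    null_rate = sum(r.scheme_id == 0 for r in reports) / len(reports) if reports else 0.0
    return findings, null_rate


# Constructed sample: one null-scheme SUCI left over from integration, one Profile A and
# one Profile B SUCI whose hex payloads are placeholders, not real ECIES output.
SAMPLE_SUCIS = [
    "suci-0-001-01-0000-0-0-0000000001",
    "suci-0-001-01-0000-1-1-" + "ab" * 32 + "cd" * 5 + "ef" * 8,
    "suci-0-001-01-0000-2-2-02" + "ab" * 32 + "cd" * 5 + "ef" * 8,
]

if __name__ == "__main__":
    found, rate = scan_registrations(SAMPLE_SUCIS)
    for report in found:
        print(f"FINDING {report.suci}: {report.finding}")
    print(f"null-scheme rate in capture: {rate:.0%}")
```

Feed it the SUCIs pulled from a Registration Request capture (Wireshark's NAS-5GS dissector shows the fields; the NAI string is how Open5GS logs them) and trend the null-scheme rate: on a network that has provisioned a home-network public key, anything above zero outside emergency registrations is hotspot 1.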
Figure 25.2 #1 NEA0/NIA0 Beyond Emergency Use

What: null ciphering (NEA0) or null integrity (NIA0) for normal service → readable / forgeable traffic
Why: the algorithm priority list leaves NEA0/NIA0 high, typically copied from an integration profile
Detect / fix: capture the Security Mode Command (SMC) and read the selected NEA/NIA; forbid null outside emergency sessions; KPI on null usage (Ch 8, 26)
Purpose: the most basic failure — running with no crypto. One SMC capture reveals it; an algorithm-priority fix and a KPI prevent recurrence (Chapter 8).
Figure 25.3 #2 UP Integrity "Not Needed" by Default

What: UP integrity off (or "preferred", which is silently off) on slices that need it → aLTEr-class tampering possible
Why: the eMBB "not needed" default copied into an enterprise/IoT slice; throughput fears
Detect / fix: capture the DRB setup; set "required" (not "preferred"); full-rate UP integrity needs Rel-16+ equipment (Ch 9)
Purpose: the safety-relevant one. "Preferred" fails open; critical slices must use "required" on a capable RAN (Chapter 9). Detect via DRB-setup capture.
Figure 25.4 #3 Certificate Sins

The certificate sins (SBA, SEPP, backhaul):
✗ self-signed in production
✗ expired (outage) / unrotated (breach)
✗ wildcard / shared across NFs
Fix: automated PKI lifecycle (CMPv2), per-NF certs, rotation + revocation (Ch 10, 14)
Purpose: PKI hygiene at scale. Manual certs cause expiry outages and un-rotated breaches; automation (CMPv2) and per-NF certs are the fix (Chapters 10, 14).
Figure 25.5 #4 NRF Authorization Bypass (Token Not Validated)

compromised consumer NF → request over mTLS (valid cert) → producer NF SKIPS token validation (or ignores the audience claim) → 200 OK, unauthorized data served
authentication (mTLS) ≠ authorization: the producer MUST validate the token's signature, scope AND audience (and its expiry) (Ch 10)
Purpose: the authentication-vs-authorization confusion made concrete. A valid certificate without token validation is an open door (Chapter 10).
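The two producers from Figure 25.5 side by side, as an added example that is not code from the book or from any NF vendor: the misconfigured one accepts any token whose signature verifies, the hardened one performs the checks TS 33.501 clause 13.4.1 requires (signature, issuer, expiry, audience, scope). Tokens are signed with HS256 and a shared key purely so the block runs stand-alone; a real NRF signs with its own key per RFC 7515. The NRF instance id, consumer id and key are constructed.

```python
"""Added example: the access-token check a producer NF must perform (TS 33.501, 13.4.1).

Hotspot 4 in one picture: the consumer's mTLS certificate proves WHO is calling; the OAuth 2.0
token minted by the NRF proves WHAT it may call. authorize_misconfigured() is the producer in
Figure 25.5; authorize_hardened() is what the standard requires. HS256 with a shared key is
used only so the example runs offline; all identifiers and the key below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

NRF_INSTANCE_ID = "nrf-0a1b2c3d-0000-4000-8000-000000000001"  # constructed
SIGNING_KEY = b"example-only-nrf-signing-key"                   # constructed


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """What the NRF does on Nnrf_AccessToken_Get: JWS-sign the claims (HS256 here)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_signature(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the JWS is intact and uses the algorithm we expect, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin alg, never trust "none"
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return None
        claims = json.loads(_unb64url(p))
        return claims if isinstance(claims, dict) else None
    except ValueError:  # bad split, bad base64 and bad JSON all derive from ValueError
        return None


def authorize_misconfigured(token: str, my_nf_type: str, service: str) -> bool:
    """Figure 25.5 as deployed: mTLS succeeded, the token verifies, the request is served."""
    return _verify_signature(token, SIGNING_KEY) is not None


def authorize_hardened(token: str, my_nf_type: str, service: str,
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Figure 25.5 as the standard requires: signature AND issuer AND expiry AND audience AND scope."""
    claims = _verify_signature(token, SIGNING_KEY)
    if claims is None:
        return False, "invalid signature or algorithm"
    if claims.get("iss") != NRF_INSTANCE_ID:
        return False, "issuer is not our NRF"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return False, "token expired"
    aud = claims.get("aud", [])
    audience = aud if isinstance(aud, list) else [aud]
    if my_nf_type not in audience:
        return False, f"audience {audience} does not include {my_nf_type}"
    if service not in str(claims.get("scope", "")).split():
        return False, f"scope does not grant {service}"
    return True, "authorized"


def demo() -> dict:
    """Replay the figure: a token issued for UDM/nudm-sdm is presented to an AUSF for nausf-auth."""
    now = 1_750_000_000  # fixed clock so the outcome is deterministic
    token_for_udm = mint_token({
        "iss": NRF_INSTANCE_ID,
        "sub": "amf-1f2e3d4c-0000-4000-8000-000000000002",  # constructed consumer NF instance id
        "aud": "UDM",
        "scope": "nudm-sdm nudm-uecm",
        "exp": now + 3600,
    })
    alg_none = _b64url(b'{"alg":"none"}') + "." + token_for_udm.split(".")[1] + "."
    return {
        "misconfigured_producer_serves": authorize_misconfigured(token_for_udm, "AUSF", "nausf-auth"),
        "hardened_producer": authorize_hardened(token_for_udm, "AUSF", "nausf-auth", now=now),
        "legitimate_udm_request": authorize_hardened(token_for_udm, "UDM", "nudm-sdm", now=now),
        "wrong_service_same_nf": authorize_hardened(token_for_udm, "UDM", "nudm-ueau", now=now),
        "expired": authorize_hardened(token_for_udm, "UDM", "nudm-sdm", now=now + 7200),
        "alg_none_rejected": not authorize_misconfigured(alg_none, "AUSF", "nausf-auth"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The quick-scan check "does the producer reject a token with the wrong audience?" is exactly the `hardened_producer` case: mint a token for a different NF type, present it over a valid mTLS session, and expect a 403. A producer that returns 200 is the misconfigured branch above.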
Figure 25.6 #5 Exposed SBI / OAM on Routable Networks

enterprise / OAM network (should NOT reach the core) → routable! → NRF / SBI / OAM (crown jewels) reachable
Fix: network segmentation; no routable path to SBI/OAM
Detect: reachability scan from non-core networks; the NRF/OAM must be unreachable except from authorized segments
Purpose: network-layer exposure. Even with mTLS, the crown-jewel interfaces must be network-segmented unreachable from enterprise/OAM nets (Chapter 11).
Figure 25.7 #6 SEPP Filtering Disabled "Temporarily"

"just for this partner, just for now" → forgotten → SEPP message filtering off → SS7-class location/intercept attacks pass straight into the core (Ch 13)
Fix: re-enable filtering with a per-partner allowlist; alarm on any SEPP with filtering disabled (drift detection)
Purpose: the "temporary" bypass that becomes permanent. Encryption without filtering still lets malicious-but-valid roaming messages through (Chapter 13).
Figure 25.8 #7 Unprotected F1 / Backhaul

gNB → F1 / N2 / N3 in CLEAR over leased transport → core
"leased line = private" is FALSE: IPsec required; N4 is the usual omission (Ch 3, 14, 15)
Purpose: the "leased means safe" fallacy. RAN transport over networks you don't own needs IPsec; F1 and N4 are the chronic gaps (Chapters 14, 15).
Figure 25.9 #8 Slice Isolation Failures

"isolated" slice with only SOME isolation layers, e.g. UP-isolated but resource-shared → starvation by a noisy neighbor; or eMBB security defaults inherited
Fix: verify all FOUR isolation layers (CP / UP / management / resource) + a per-slice security policy (Ch 20)
Purpose: the partial-isolation trap. "Isolated" is a four-part claim; missing the resource layer turns a neighbor into an SLA-breaker (Chapter 20).
Figure 25.10 Misconfiguration Audit Quick-Scan

THE 60-MINUTE 5G MISCONFIG SCAN
☑ capture a registration → NEA/NIA non-null? SUCI scheme A/B?
☑ capture a DRB setup → UP integrity required where needed?
☑ packet-capture F1/N2/N3/N4 → IPsec present?
☑ test a producer → does it reject a token with the wrong audience?
☑ reachability scan → is SBI/OAM/NRF unreachable externally?
☑ SEPP config → filtering enabled, per-partner allowlist?
☑ certificates → per-NF, not expired, rotation automated?
☑ slice → all four isolation layers verified?
Purpose: a fast, high-yield audit. These eight checks — mostly a few packet captures and a scan — find the majority of real 5G security gaps (feeds Chapter 28).

25.2 The Practical Operator View

25.3 Misconfigurations and Mechanisms

Misconfiguration | Effect | Mechanism chapter
NEA0/NIA0 in normal service | readable/forgeable traffic | 8
UP integrity off / "preferred" | aLTEr-class tampering | 9
SUCI null scheme | identity exposure | 4, 19
Plaintext SBI | auth vectors/keys readable | 10
NRF token not validated | authorization bypass | 10, 11
SEPP filtering off | SS7-class roaming attacks | 13
Unprotected F1/N4/backhaul | signaling/user interception | 14, 15
Partial slice isolation | starvation/cross-tenant | 20

25.4 Terminology

Term | Meaning
drift detection | Alerting when configuration deviates from a secure baseline
fail open / fail closed | "preferred" silently disables the protection vs "required" rejects the session
quick-scan | A fast, capture-based misconfiguration audit

Real network example. An operator's annual third-party audit ran the quick-scan from Figure 25.10 against a "mature" two-year-old 5G SA network. In a single afternoon it found four of the eight hotspots active: a SUCI null scheme left from integration, UP integrity "preferred" (silently off) on the RAN's older cells, one core vendor's NF skipping token audience validation, and a SEPP with filtering disabled for a roaming partner onboarded eight months earlier. None were standards flaws; all were switched-off protections. The network had passed its earlier reviews because nobody had ever run the captures. Fixes took days; the lesson took longer: a "secure by standard" network is only secure if someone periodically verifies the protections are actually on.

Chapter Summary

Review Questions

  1. Why do real 5G breaches rarely exploit standards flaws?
  2. Name the six-to-eight most common misconfigurations and the chapter each maps to.
  3. Why does "preferred" UP integrity fail open, and why is that dangerous?
  4. How can a valid mTLS connection still allow an authorization bypass?
  5. Why is "leased line = private" a dangerous assumption?
  6. What single capture reveals null crypto, and what reveals SUCI null scheme?
  7. Why are "temporary" bypasses the #1 source of forgotten exposure?
  8. Run the quick-scan mentally on a network you know — which hotspot is most likely active and why?
🧪 Mini lab — run the quick-scan

Using Open5GS + UERANSIM (or a real network you're authorized to test): execute the eight checks from Figure 25.10. (1) Capture a registration — read NEA/NIA and SUCI scheme. (2) Capture a DRB setup — read UP integrity. (3) Check whether SBI runs over TLS. (4) Test a producer with a wrong-audience token. (5) For each finding, identify the mechanism chapter and the one-line fix. (6) Write the drift alarm you'd add to catch a regression. This 60-minute scan is the single highest-yield security activity in this book — and the seed of your Chapter 28 audit.
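Step (6) asks for the drift alarm. Below is one, as an added example that is not part of the book's lab material: a check over a normalized snapshot of the running configuration, one rule per heat-map hotspot plus the certificate sins, each finding tagged with the mechanism chapter from Section 25.3. Vendors expose these settings in different places and formats, so the snapshot shape is this example's own assumption (you would export each NF's running config into it), and the values are constructed to contain one drifted entry per rule.

```python
"""Added example: the drift alarm from step (6), run over a normalized config snapshot.

The snapshot schema is an assumption made for this example (export each NF's running
configuration into it); the values in SNAPSHOT are constructed, with one drifted entry
per rule so that every branch is exercised.
"""
from datetime import date, timedelta
from typing import Dict, List

Finding = Dict[str, str]
AUDIT_DATE = date(2026, 6, 15)  # fixed "today" so the example is deterministic


def _finding(hotspot: str, chapter: str, where: str, what: str) -> Finding:
    return {"hotspot": hotspot, "chapter": chapter, "where": where, "what": what}


def check_snapshot(snap: dict, today: date) -> List[Finding]:
    """Return every deviation from the secure baseline; an empty list means no drift."""
    out: List[Finding] = []

    # Hotspot 1 (Ch 8): NEA0/NIA0 must not be selectable for normal service at all;
    # emergency sessions get their own policy, not a null entry in this list.
    for kind, null_alg in (("ciphering", "NEA0"), ("integrity", "NIA0")):
        prio = snap["amf"]["algorithm_priority"][kind]
        if null_alg in prio:
            out.append(_finding("1", "8", f"amf.algorithm_priority.{kind}",
                                f"{null_alg} selectable (position {prio.index(null_alg) + 1} of {len(prio)})"))

    # Hotspot 2 (Ch 9): critical slices must say "required"; "preferred" fails open.
    for name, cfg in snap["slices"].items():
        if cfg["critical"] and cfg["up_integrity"] != "required":
            out.append(_finding("2", "9", f"slices.{name}.up_integrity",
                                f'{cfg["up_integrity"]!r} on a critical slice, must be "required"'))

    # Hotspot 3 (Ch 14, 15): every interface over transport you do not own carries IPsec.
    for iface, cfg in snap["transport"].items():
        if not cfg["ipsec"]:
            out.append(_finding("3", "14,15", f"transport.{iface}", "carried in clear"))

    # Hotspot 4 (Ch 10): SBI is https with mTLS, nothing else.
    sbi = snap["sbi"]
    if sbi["scheme"] != "https" or not sbi["mtls"]:
        out.append(_finding("4", "10", "sbi", f'scheme={sbi["scheme"]} mtls={sbi["mtls"]}'))

    # Hotspot 5 (Ch 10, 11): every producer validates signature, audience AND scope.
    for nf, cfg in snap["producers"].items():
        skipped = [k for k in ("validate_signature", "validate_audience", "validate_scope") if not cfg[k]]
        if skipped:
            out.append(_finding("5", "10,11", f"producers.{nf}", "skips " + ", ".join(skipped)))

    # Hotspot 6 (Ch 13): SEPP filtering on, with a non-empty per-partner allowlist.
    for partner, cfg in snap["sepp"]["partners"].items():
        if not cfg["filtering_enabled"]:
            out.append(_finding("6", "13", f"sepp.partners.{partner}", "filtering disabled"))
        elif not cfg["allowlist"]:
            out.append(_finding("6", "13", f"sepp.partners.{partner}", "empty allowlist"))

    # Certificate sins (Ch 10, 14): nothing expiring inside 30 days, one certificate per NF.
    first_holder: Dict[str, str] = {}
    for nf, cert in snap["certificates"].items():
        if date.fromisoformat(cert["not_after"]) - today < timedelta(days=30):
            out.append(_finding("certs", "10,14", f"certificates.{nf}", f'expires {cert["not_after"]}'))
        holder = first_holder.setdefault(cert["fingerprint"], nf)
        if holder != nf:
            out.append(_finding("certs", "10,14", f"certificates.{nf}", f"shares its certificate with {holder}"))
    return out


def drift_alarm(snap: dict, today: date) -> bool:
    """The alarm condition: True when the running config has drifted from the baseline."""
    return bool(check_snapshot(snap, today))


# Constructed snapshot: one clean and one drifted entry per rule (SBI is left clean).
SNAPSHOT = {
    "amf": {"algorithm_priority": {"ciphering": ["NEA2", "NEA1", "NEA0"], "integrity": ["NIA2", "NIA1"]}},
    "slices": {
        "embb-consumer": {"critical": False, "up_integrity": "not needed"},
        "factory-urllc": {"critical": True, "up_integrity": "preferred"},
    },
    "transport": {"F1": {"ipsec": True}, "N2": {"ipsec": True}, "N3": {"ipsec": True}, "N4": {"ipsec": False}},
    "sbi": {"scheme": "https", "mtls": True},
    "producers": {
        "udm-1": {"validate_signature": True, "validate_audience": True, "validate_scope": True},
        "ausf-1": {"validate_signature": True, "validate_audience": False, "validate_scope": True},
    },
    "sepp": {"partners": {
        "plmn-a": {"filtering_enabled": True, "allowlist": ["Nudm_UEAuthentication", "Nudm_UEContextManagement"]},
        "plmn-b": {"filtering_enabled": False, "allowlist": []},
    }},
    "certificates": {
        "udm-1": {"fingerprint": "aa11", "not_after": "2027-03-01"},
        "ausf-1": {"fingerprint": "bb22", "not_after": "2026-07-01"},
        "smf-1": {"fingerprint": "aa11", "not_after": "2027-03-01"},
    },
}

if __name__ == "__main__":
    for f in check_snapshot(SNAPSHOT, AUDIT_DATE):
        print(f'[hotspot {f["hotspot"]} / Ch {f["chapter"]}] {f["where"]}: {f["what"]}')
```

Run it from the same pipeline that deploys configuration, after every change and on a schedule: the SEPP "temporary" bypass from Figure 25.7 survives because nothing compares the running config against the baseline, and this is the comparison. The captures in steps (1) to (4) remain necessary, since the snapshot shows what is configured, not what the RAN and core are actually doing on the air and on the wire.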