Build it, break it, watch it — security you can touch
"You can read about 5G-AKA a hundred times. The first time you watch RES* travel across your own packet capture, you finally understand it."
— WHY LABS MATTER
Every chapter of this book ended with a mini lab pointing here. This chapter ties them together into a coherent, safe, reproducible lab environment built on free, open tools — Open5GS, UERANSIM, and Wireshark — so you can observe 5G security mechanisms with your own eyes, reproduce the misconfigurations, and practice the detections. It's the hands-on companion to the whole book.
🎯 Learning objectives
Stand up a safe 5G security lab (Open5GS + UERANSIM + Wireshark).
Observe 5G-AKA, SUCI, NAS/AS security in captures.
Inspect SBA APIs, tokens, and TLS.
Reproduce key misconfigurations safely.
Understand the legal/safety boundaries.
⚠️ Safety & legal boundary
Run all labs on an isolated test network with your own SIMs/UEs. Transmitting on licensed spectrum, or interfering with real networks or subscribers, is illegal in most jurisdictions. Use a shielded/conducted setup or software-only emulation. Never test against a production or third-party network without explicit written authorization.
Purpose: the whole lab on one page. UERANSIM emulates the radio side, Open5GS runs a real 5G core, Wireshark watches — entirely in software, entirely safe.
FIGURE 33.2 Lab Segmentation and Safety Boundaries
Purpose: the one safety rule that matters. Keep the lab isolated — emulation is legal and safe precisely because it never touches real spectrum or networks.
FIGURE 33.3 Lab 1 — Observing 5G-AKA in Wireshark
Purpose: Chapter 6 made tangible. Watch the real Authentication Request/Response, then induce both failure modes (MAC, sync) and confirm their signatures.
FIGURE 33.4 Reading NAS Security Mode Command in a Capture
Purpose: Chapter 8 in a packet. The SMC capture shows the selected algorithms and the replayed-capabilities bidding-down defense — and reveals null-crypto misconfigs instantly.
FIGURE 33.5 Lab 2 — SUCI On/Off Comparison
Purpose: Chapter 4 proven in two captures. Scheme A/B hides identity (and changes each time); null scheme exposes it — the most persuasive demonstration of why SUCI configuration matters.
FIGURE 33.6 Lab 3 — SBA API and Token Inspection
Purpose: Chapter 10 made concrete. Decode a real access token's scope/audience and watch NRF discovery/registration — the SBA security model as packets.
FIGURE 33.7 Lab 4 — TLS/Certificate Lab with a Private CA
Purpose: Chapters 10 and 25 in practice. Run a private PKI, enable mTLS, and prove the audience-validation negative test — the highest-yield SBA audit item.
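The token decode of Lab 3 and the audience negative test of Lab 4, as an added Python example that is not code from the book or from Open5GS. The claim names (iss, sub, aud, scope, exp) are the standard SBA access token claims; the UUIDs, the signature string and all function names are constructed for illustration, and signature verification is assumed to have happened before these claim checks.

```python
import base64, json, time

def _b64url(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(aud, scope, exp):
    """Constructed token: placeholder UUIDs and signature, not lab output."""
    claims = {"iss": "00000000-0000-4000-8000-0000000000a1",  # NRF instance
              "sub": "00000000-0000-4000-8000-0000000000b2",  # consumer NF
              "aud": aud, "scope": scope, "exp": exp}
    header = {"typ": "JWT", "alg": "ES256"}
    return ".".join([_b64url(header), _b64url(claims), "constructed-signature"])

def decode_claims_unverified(token: str) -> dict:
    """Inspection only: read the JWT payload without checking the signature."""
    payload = token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def producer_accepts(claims, nf_type, nf_instance_id, service, now=None):
    """Claim checks a producer NF applies after verifying the signature."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud")
    # aud is either an NF type string or a list of NF instance IDs.
    aud_ok = nf_instance_id in aud if isinstance(aud, list) else aud == nf_type
    if not aud_ok:
        return False, "audience mismatch"
    if service not in claims.get("scope", "").split():
        return False, "scope mismatch"
    return True, "ok"

NOW = 1_700_000_000                                   # fixed clock for the lab
AUSF_ID = "00000000-0000-4000-8000-0000000000c3"      # constructed
UDM_ID = "00000000-0000-4000-8000-0000000000d4"       # constructed

if __name__ == "__main__":
    token = make_sample_token("UDM", "nudm-sdm", NOW + 3600)
    claims = decode_claims_unverified(token)
    print("aud:", claims["aud"], "| scope:", claims["scope"])
    # Positive case: the intended producer and service.
    print(producer_accepts(claims, "UDM", UDM_ID, "nudm-sdm", NOW))
    # Negative test: the same token presented to a different NF type.
    print(producer_accepts(claims, "AUSF", AUSF_ID, "nausf-auth", NOW))
```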
FIGURE 33.8 Lab 5 — SEPP Conceptual Exercise
Purpose: Chapter 13 conceptually. Even a simplified two-SEPP model shows how message filtering drops a malicious-but-valid message — the SS7-attack fix in action.
FIGURE 33.9 Lab Result Validation Flow
Purpose: make labs rigorous. State the expected observation first, then confirm — turning play into reproducible verification you can trust and teach.
FIGURE 33.10 Lab-to-Production Mapping
Purpose: close the loop. The skills built in the lab are exactly the audit and SOC activities of Chapters 25–28 — the lab is professional practice, not just play.
33.2 The Practical Operator View
Keep the lab isolated — the one inviolable safety rule.
Build the five core labs (AKA, SUCI, SBA tokens, TLS/cert, SEPP) — they cover the book's heart.
Define expected observations before running — make labs reproducible.
Reproduce misconfigurations (null crypto, missing audience check) to learn the detections.
Map every lab to its production activity (Figure 33.10) — train the audit/SOC muscle.
Real network example. A telecom operator's security team struggled to get RAN and core engineers to take SUCI configuration seriously — it was abstract. The security lead built Lab 2 (Figure 33.5) and, in a 20-minute session, captured a registration with scheme A (showing an opaque, ever-changing blob) and then with the null scheme (showing the subscriber's IMSI-equivalent in plain text on the projector). The room went quiet. The same engineers who'd shrugged at "enforce SUCI scheme" now understood, viscerally, what null scheme leaked. The lab did what a hundred slides hadn't. The team made that capture a standard part of onboarding. Security people learn from specs; everyone else learns from seeing the IMSI on the screen.
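The comparison the security lead showed on the projector can be turned into a repeatable check. The following is an added Python example, not code from the book or from any lab tool: it assumes your lab logs or capture export print the SUCI in its textual form (suci-<SUPI type>-<MCC>-<MNC>-<routing indicator>-<scheme id>-<key id>-<scheme output>), and the sample lines, MSIN and ciphertext blobs are constructed.

```python
import re

# Protection scheme identifiers carried in a SUCI (3GPP TS 33.501).
SCHEMES = {0: "null", 1: "Profile A", 2: "Profile B"}

SUCI_RE = re.compile(
    r"suci-(?P<supi_type>\d)-(?P<mcc>\d{3})-(?P<mnc>\d{2,3})-(?P<routing>\d{1,4})"
    r"-(?P<scheme>\d{1,2})-(?P<key_id>\d{1,3})-(?P<output>[0-9A-Fa-f]+)")

def audit_suci(text):
    """Return one finding per SUCI found in a log or capture export."""
    findings = []
    for m in SUCI_RE.finditer(text):
        scheme = int(m["scheme"])
        exposed = None
        if scheme == 0 and m["supi_type"] == "0":
            # Null scheme: the "scheme output" is the MSIN itself, unencrypted.
            exposed = f"imsi-{m['mcc']}{m['mnc']}{m['output']}"
        findings.append({"scheme": SCHEMES.get(scheme, f"other({scheme})"),
                         "output": m["output"].lower(),
                         "exposed_supi": exposed})
    return findings

def check_expectations(findings):
    """Lab 2 expected observations, written down before reading the data."""
    protected = [f["output"] for f in findings if f["exposed_supi"] is None]
    exposed = {f["exposed_supi"] for f in findings if f["exposed_supi"]}
    return {
        "identity_exposed": sorted(exposed),
        # A fresh ephemeral key per registration means no output repeats.
        "protected_outputs_unique": len(protected) == len(set(protected)),
    }

# Constructed sample: test PLMN 001/01, made-up MSIN and ciphertext blobs.
SAMPLE_LOG = "\n".join([
    "reg#1 suci-0-001-01-0000-1-1-" + "3f" * 45,
    "reg#2 suci-0-001-01-0000-1-1-" + "9c" * 45,
    "reg#3 suci-0-001-01-0000-0-0-0000000001",
])

if __name__ == "__main__":
    results = audit_suci(SAMPLE_LOG)
    for f in results:
        print(f["scheme"], "->", f["exposed_supi"] or "(concealed)")
    print(check_expectations(results))
```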
★ Chapter Summary
Build a safe, isolated lab with Open5GS + UERANSIM + Wireshark — all software, no spectrum, no legal risk.
Five core labs cover the book's heart: 5G-AKA, SUCI on/off, SBA tokens, TLS/cert, SEPP filtering.
Reproduce misconfigurations (null crypto, missing audience check) to learn the detections.
Define expected observations first; map every lab skill to a real audit/SOC activity.
The one rule: keep it isolated — never test against real networks without authorization.
? Review Questions
What three tools form the core lab, and what does each provide?
Why must the lab stay isolated, and what is illegal otherwise?
What would you observe in a 5G-AKA capture, and how do you induce each failure mode?
How does the SUCI on/off lab demonstrate identity privacy?
What token claims do you decode in the SBA lab, and why?
What negative test proves the authorization audit, and what result do you expect?
How does each lab map to a production audit/SOC activity?
Why define expected observations before running a lab?
🧪 Mini lab — build the whole thing
Stand up the reference lab (Figure 33.1) on isolated VMs: install Open5GS, configure a subscriber, run UERANSIM, and capture with Wireshark. Then execute all five core labs in sequence: (1) 5G-AKA + both failure modes, (2) NAS SMC read, (3) SUCI on/off, (4) SBA token decode, (5) TLS/cert + audience negative test. For each, write the expected observation first, then confirm it. Finally, reproduce one misconfiguration from Chapter 25 and the detection from Chapter 26. You will finish with hands-on command of the entire book — and a lab you can use to train every engineer who needs to see, not just read, why 5G security works the way it does.