5G is usually sold on three promises: more speed, lower latency, more capacity. The more consequential change is structural — and it reshapes the attack surface in ways earlier generations never had to worry about.
This article walks through the 5G Standalone (SA) core from a security perspective: how its functions communicate, why HTTP/2 changes the kind of exposure operators face, and what a structured assessment of that environment reveals. It's written to explain risk and how to mitigate it — not as an intrusion guide.
01 / ARCHITECTUREWhat is a 5G Standalone core, in practice?
In the 5G SA model defined by 3GPP (TS 23.501 and TS 23.502), the core is a set of Network Functions (NFs), each owning a specific responsibility: access and mobility AMF, session management SMF, user-plane routing UPF, authentication AUSF, subscriber data UDM/UDR, policy PCF, and service discovery NRF.
The NRF deserves special attention. In a service-based architecture, a function that wants to consume a service first has to discover which function provides it. The NRF is the registry for that process — which makes it, defensively, both a single point of knowledge and a potential single point of abuse.
02 / PROTOCOLSWhy does HTTP/2 change the picture?
Earlier generations relied on telco-specific signaling: MAP/CAP over SS7 in 2G/3G, Diameter over SCTP in 4G — both with a long documented history of abuse. The 5G control plane instead uses APIs built on HTTP/2, with messages structured as JSON and protection expected via TLS.
That word — expected — is the whole point. When control-plane traffic between functions isn't encrypted and authorized, it becomes readable and potentially modifiable by anyone positioned to observe it. And unlike SS7, the skills to understand it are no longer niche: they're standard web-security skills.
2G / 3G
4G
5G
03 / METHODOLOGYWhat does a structured assessment reveal?
Assuming a controlled scenario where an assessor already has a foothold inside the core, a natural methodology follows: observe first, then discover, then evaluate impact.
Passive reconnaissance starts with capturing internal traffic and asking a simple question — can it be understood? In a lab core running OpenAirInterface without TLS, HTTP/2 control-plane traffic is legible JSON: it can expose identifiers, registration data, and enough structure to reconstruct the logical topology and identify the NRF.
From there, impact is assessed across three dimensions:
Integrity
Could an unauthorized actor alter registered information or configuration, leading the network to decide on false data?
Availability
Could legitimate functions be disrupted or replaced — degrading registration, sessions, policy or routing?
Confidentiality
Could functions holding sensitive subscriber data (such as the UDM) be reached directly? This is the "spice."
04 / FINDINGThe uncomfortable finding: most cores ship unprotected
The assessment looked at whether encryption and authorization are actually implemented across open-source cores and commercial vendor implementations. The mechanisms exist in the standard — they simply aren't switched on.
| Implementation | Encryption | Authorization |
|---|---|---|
| OAI | NO | NO |
| Open5GS | OPTIONAL | NO |
| Vendor A | NO | NO |
| Vendor B | NO | NO |
| Vendor C | NO | NO |
Commercial vendors anonymized. The pattern is consistent across both open-source and industry implementations: protection between network functions is largely absent by default.
05 / DEFENSEHow should a 5G core be protected?
Against misuse of the HTTP/2 control plane, two controls do most of the work — and around them, the discipline that cloud-native deployments demand.
◆ Baseline controls
- TLS for encryption and mutual authentication between functions.
- OAuth 2.0 authorization flows, so a function can't call any service it discovers.
- Container integrity & immutability controls across the deployment.
- Multi-vendor NFV governance — uniform controls across heterogeneous frameworks.
- Least-privilege roles for operators and administrators.
The 5G core is a complex environment to operate and defend: multiple layers, multiple vendors, a service-based design that trades isolation for flexibility. The encouraging part is that the gap is mostly one of configuration and operational rigor — not missing technology.
FAQCommon questions
Is 5G more secure than 4G?
5G introduces stronger security mechanisms in the standard, but real-world security depends on whether those mechanisms (TLS, authorization) are actually enabled — and in practice they often aren't.
What is the NRF in a 5G core?
The Network Repository Function is the registry where network functions advertise and discover each other's services. It's central to how the core operates, which also makes it a high-value target.
Why does HTTP/2 matter for 5G security?
Because the 5G control plane uses HTTP/2 and JSON, web-security techniques transfer directly to the telco core — widening the pool of actors who can understand and interact with control-plane traffic.
Is your 5G core configured to resist this?
Ethon Shield audits SS7, Diameter and 5G core security as an independent telecom security auditor.
Request an assessment → 5G Sharp Orchestrator on GitHub