SCTP-Hijacker: node impersonation on the 5G N2 interface
5G's control plane runs over a transport protocol nobody talks about. We showed how to hijack it at DEF CON 30: tear down the legitimate SCTP association with a forged ABORT, then re-establish it from the attacker's own host using SCTP multihoming and a crafted NGAP Setup Request — impersonating the base station outright. Validated against a commercial 4G network using equipment from two major European vendors.
01 — The setup
SCTP is not a 5G protocol
The Stream Control Transmission Protocol was published as RFC 2960 in October 2000 and revised as RFC 4960 in 2007. It predates 5G by more than a decade. It was designed for telecom signaling, sitting between IP and the application protocols that operators actually care about, and it solved two problems that TCP and UDP could not: ordered multi-stream delivery and native multihoming for transport-layer failover.
In a 5G Standalone network, NGAP messages travel over SCTP/IP on the N2 interface between the gNB and the AMF. In a 4G network, S1AP messages travel over SCTP/IP on the S1 interface between the eNB and the MME. In SS7 signaling carried over IP — SIGTRAN — M3UA also runs over SCTP. The same transport, three different application layers on top.
This matters because attacks at the SCTP layer affect every application protocol stacked above it. When the SCTP-Hijacker was first presented in 2022, the public framing was "an attack on 5G." That framing is too narrow. The more accurate description is that this is a transport-layer attack against mobile signaling — demonstrated in the 5G stack, but with the same structural exposure in 4G S1AP and in any other context where SCTP carries signaling without authentication.
SCTP carries signaling across three mobile generations
Two features make the hijack possible. First, verification tags — the 32-bit values exchanged during the handshake to validate messages — travel in clear text, so a man-in-the-middle can read them and forge messages that look authentic. Second, multihoming lets a single SCTP association advertise several IP addresses per endpoint, for redundancy. The attacker breaks the legitimate association and rebuilds it from its own host, listing both its IP and the impersonated node's IP in the new handshake — so the core accepts it as the same peer reconnecting.
The headline
SCTP-Hijacker abuses transport-layer features that have been in the protocol for two decades to impersonate a network node in the 5G control plane. The cryptography is not broken. The authentication is just not there.
02 — Where the attacker sits
Not on the radio. Inside the transport.
SCTP-Hijacker and SUCI-Cracker share an author, a year, and a paper. They do not share an attacker model. SUCI-Cracker is a radio-layer attack with external exposure: someone with a software-defined radio in physical proximity to a victim. SCTP-Hijacker is the opposite — its exposure is strictly internal. The attacker needs logical access to the operator's signaling transport network, the IP infrastructure that connects the base stations to the core.
The paper is deliberate about this. It rates the attack's probability as very low, precisely because it depends on three conditions holding at once:
An insider position
internal exposure only
The attacker must already be inside the signaling transport network to run the man-in-the-middle step that recovers SCTP verification tags and ports. This is not a remote or over-the-air attack — it assumes a malicious insider or an existing foothold on the operator's internal network.
A scenario that allows full success
interception must be feasible
IP traffic interception (for example ARP spoofing) has to be possible against the SCTP path. The countermeasures that would prevent it exist on most networking equipment — but, as the paper notes, are not always properly configured or monitored in production.
Absence of monitoring or IP filtering
IDS/IPS and EMS gaps
The attack has to go unnoticed by the security elements usually deployed in these networks — IDS/IPS and traffic probes — and the node management systems must not enforce an IP allowlist on which nodes can form associations. Both controls typically exist; both are often left unconfigured.
Why it still matters
low probability, high impact
The paper rates impact as very high and risk as medium. As private 5G and network slicing put critical assets — industrial machinery, transport, robotics — behind 5G-SA only, an internal node-impersonation attack stops being academic and starts threatening business continuity.
03 — The attack
Four phases, one quiet hijack
The SCTP-Hijacker chains together a man-in-the-middle reconnaissance step, a forged ABORT to tear down the legitimate association, a fresh SCTP handshake from the attacker's host that abuses multihoming, and a crafted NGAP Setup Request that registers the attacker as the base station. The interactive walkthrough below steps through the chain.
sctp-hijacker · attack walkthrough
Phase 01 — Recover the verification tags
man-in-the-middle on the signaling transport network
The attacker starts inside the transport network between gNB and AMF and runs a man-in-the-middle attack — in the lab, ARP spoofing — against the live SCTP association. The goal is two pieces of information that the forged messages will need: the 32-bit verification tag for the direction being attacked, and the SCTP port the gNB is using.
The port matters because the gNB picks a new random source port for every SCTP association it forms with the AMF — a hardening measure noted in RFC 5062. The verification tags travel in the handshake in clear text, so a man-in-the-middle position recovers them directly. With the tag and the port in hand, the attacker can forge SCTP messages the peers will accept as genuine.
tool · ARP spoofing (MitM) · Wireshark with the SCTP dissector
Phase 02 — Break the association with a forged ABORT
spoofed source IP + recovered verification tag
SCTP has a chunk called ABORT that abruptly terminates an association, the rough equivalent of a TCP reset. The attacker crafts an ABORT spoofing the gNB's source IP address and inserting the verification tag recovered in Phase 01. Because the tag is correct, the AMF cannot tell the message did not come from the real gNB — it processes the ABORT and tears the association down.
On its own, this is the simpler ABORT attack: a temporary denial of service. The two nodes eventually notice the broken connection and re-establish it, so the outage is not permanent. The SCTP-Hijacker uses the ABORT as a stepping stone — it breaks the legitimate association precisely so the attacker can replace it before the real gNB reconnects.
tool · custom SCTP chunk crafting · spoofed IP + verification tag
Phase 03 — Re-establish the association with multihoming
a fresh 4-way handshake from the attacker's host
With the legitimate association down, the attacker immediately opens a new one from its own host, completing the SCTP 4-way handshake with the AMF: INIT, INIT-ACK, COOKIE-ECHO, COOKIE-ACK. The trick is in the INIT chunk, which carries two addresses via SCTP's multihoming feature: the attacker's own IP, and the legitimate IP of the gNB it is impersonating.
From the AMF's point of view it has simply re-established its association with the gNB after a brief drop. The multihoming advertisement means traffic addressed to either IP is accepted on the association. The HEARTBEAT–ABORT pairs from the old gNB still trying to reach the AMF do not interfere — the AMF has already moved on to the attacker's association.
tool · open-source SCTP stack · multihomed INIT (attacker IP + gNB IP)
Phase 04 — Register as the base station
a crafted NGAP Setup Request links transport to application
The SCTP association is now owned by the attacker, but the application layer above it — NGAP — still needs to be established. The attacker sends a crafted NGAP Setup Request, the message a real gNB uses to register itself with the AMF. Its parameters, such as the global gNB ID and the gNB name, are whatever the attacker puts in the malicious message.
The AMF accepts it and registers the new gNB. In the AMF's own console the attacker now appears as the connected base station, with the configured ID and name, and no trace of the original gNB. The impersonation is complete: transport hijacked via multihoming, application layer bound to it via the forged NGAP Setup. The legitimate gNB is simply gone from the AMF's view.
tool · crafted NGAP Setup Request (spoofed global ID + gNB name)
The uncomfortable finding
The attack does not break any cryptography. There is no cryptography to break.
SCTP verification tags are 32-bit values exchanged in clear text during the handshake — a sanity check against blind injection, not a security control. Multihoming is a resilience feature working exactly as specified. The countermeasures that would stop the attack — IP traffic interception protection, random SCTP ports, IP allowlists on which nodes may associate — exist on most network equipment already. The attack succeeds not because the protocol is weak, but because those controls are routinely left unconfigured or unmonitored. That is exactly the gap a targeted audit closes.
04 — Beyond the lab
Validated on a commercial 4G network
The walkthrough above was demonstrated in a 5G-SA lab built on Open Air Interface, orchestrated by Ethon Shield's SHARP framework. But the most important result is not in the lab. The attack was validated at the end of 2021 against a commercial 4G network, using equipment from two major European vendors. SCTP is the same transport in both generations — it carries S1AP on the 4G S1 interface and NGAP on the 5G N2 interface — so the hijack crosses generations unchanged.
That is the real reach of this work. SCTP is not a 5G protocol; it is a transport protocol that predates 5G by a decade and underpins signaling across 4G S1AP, 5G NGAP, and SS7-over-IP via SIGTRAN. An attack on the transport layer is indifferent to the application protocol riding on top. The headline says "5G" because that is where it was first presented, but the exposure follows SCTP wherever it runs without IP-level controls.
The risk is not evenly distributed. As private 5G and network slicing place critical assets — industrial machinery, rail, drones, robotics — behind 5G-SA with no fallback, an internal node-impersonation attack moves from a low-probability curiosity to a credible threat to business continuity. Legacy attacks adapt to 5G faster than guidance keeps up, which is exactly why mobile-network security analysis cannot stop at the newest generation.
05 — Mitigation
The controls exist. Configure them.
The paper's conclusion is blunt: the attack depends on countermeasures that are usually available on networking equipment but not always properly configured or monitored. Mitigation is less about new technology than about closing known gaps.
- 01 Prevent the man-in-the-middle
The hijack begins by recovering SCTP verification tags through IP traffic interception, typically ARP spoofing. Hardening the signaling transport against MitM — dynamic ARP inspection, port security, and where feasible IPsec on the interface — removes the attacker's first step.
- 02 RFC 5062 SCTP countermeasures
RFC 5062 documents the known attacks against SCTP and the defences for them, including verification-tag handling and the random source-port selection that makes the gNB's port harder to predict. Implementing these is the protocol-level baseline.
- 03 IP allowlist on both layers
Node management systems can enforce which IP addresses may form associations, at both the SCTP and NGAP layers. An allowlist of known node addresses rejects an association attempt from an attacker's host outright — the single most direct block on this attack.
- 04 Monitoring that would actually fire
The attack assumes it goes unnoticed by IDS/IPS and traffic probes. A forged ABORT followed immediately by a new association from a different host, or a gNB whose source IP changes unexpectedly, are detectable events — if the monitoring is deployed and tuned to look for them.
- 05 Verify configuration, don't assume it
Every control above usually exists in the equipment. The recurring failure is that it is present but not switched on, or switched on but never checked. A targeted N2/S1 audit confirms the deployed state matches the intended configuration — which is where the real exposure hides.
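As an added example, not code from the paper or from Ethon Shield's tooling, here is the detection logic that item 04 describes, run over a constructed capture shaped like Phases 02 and 03: it walks the SCTP chunks of each packet, extracts the IPv4 addresses a multihomed INIT advertises, and alerts when an INIT arrives from a non-allowlisted host, claims another known node's address, or closely follows an ABORT attributed to a different host. The AMF and gNB addresses, the 5-second pairing window and the sample packet bytes are all assumptions constructed for the example; checksums are zeroed and nothing is ever sent.

```python
import struct
AMF_IP = "10.0.0.1"                       # constructed example: the AMF's N2 address
ALLOWED_GNB = {"10.0.0.10", "10.0.0.11"}  # constructed: the only gNB addresses allowed to associate
WINDOW_S = 5.0                            # ABORT-then-INIT pairing window in seconds

def sctp_chunks(pkt):
    # Yield (type, value) for each chunk after the 12-byte common header (RFC 4960 section 3).
    off = 12
    while off + 4 <= len(pkt):
        ctype, _flags, clen = struct.unpack_from("!BBH", pkt, off)
        if clen < 4: break  # malformed length: stop rather than loop forever
        yield ctype, pkt[off + 4: off + clen]
        off += (clen + 3) & ~3  # chunks are padded to a 4-byte boundary

def init_addresses(value):
    # IPv4 addresses advertised in an INIT chunk's multihoming parameters (type 5).
    addrs, off = set(), 16  # skip the fixed INIT fields: tag, a_rwnd, streams, TSN
    while off + 4 <= len(value):
        ptype, plen = struct.unpack_from("!HH", value, off)
        if ptype == 5 and plen == 8:
            addrs.add(".".join(str(b) for b in value[off + 4: off + 8]))
        off += max(4, (plen + 3) & ~3)  # never stall on a zero-length parameter
    return addrs

def detect(events):
    # events: (ts, src_ip, dst_ip, sctp_bytes) captured on the N2 path; returns alert strings.
    alerts, last_abort = [], {}  # source IP an ABORT claimed to come from -> timestamp
    for ts, src, dst, pkt in events:
        if dst != AMF_IP: continue
        for ctype, value in sctp_chunks(pkt):
            if ctype == 6: last_abort[src] = ts  # ABORT tears the association down
            elif ctype == 1:  # INIT opens a new association towards the AMF
                if src not in ALLOWED_GNB: alerts.append(f"{ts}: INIT from non-allowlisted host {src}")
                foreign = (init_addresses(value) - {src}) & ALLOWED_GNB
                if foreign:  # multihoming that claims another known node's address
                    alerts.append(f"{ts}: INIT from {src} also advertises {sorted(foreign)}")
                for gnb, t in last_abort.items():
                    if gnb != src and ts - t <= WINDOW_S:
                        alerts.append(f"{ts}: ABORT as {gnb} at {t}, then INIT from {src}")
    return alerts

def sample_events():
    # Constructed capture, never sent (checksums zeroed): an ABORT seen "from" the gNB, then a
    # multihomed INIT from an unknown host that also advertises the gNB's address.
    hdr = struct.pack("!HHII", 0xC001, 38412, 0xDEADBEEF, 0)
    abort = hdr + struct.pack("!BBH", 6, 0, 4)
    init = struct.pack("!IIHHI", 0x1234, 65535, 2, 2, 1)
    for a in ("10.0.0.99", "10.0.0.10"):
        init += struct.pack("!HH", 5, 8) + bytes(map(int, a.split(".")))
    init = hdr[:4] + bytes(8) + struct.pack("!BBH", 1, 0, 4 + len(init)) + init
    return [(100.0, "10.0.0.10", AMF_IP, abort), (100.2, "10.0.0.99", AMF_IP, init)]
```

Running `detect(sample_events())` raises all three alerts for the constructed capture, while the ABORT on its own raises none; in a real probe the events would come from a capture feed rather than `sample_events()`.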
06 — Frequently asked
What people ask us about this research
What is the SCTP-Hijacker attack?
SCTP-Hijacker is a node impersonation attack against the N2 interface in 5G Standalone networks. The attacker, positioned inside the signaling transport network, recovers the SCTP verification tags via a man-in-the-middle step, sends a forged ABORT to break the legitimate association between the gNB and the AMF, then re-establishes the association from its own host using SCTP multihoming and a crafted NGAP Setup Request — registering itself with the AMF as the base station. It was first presented by Pedro Cabrera Cámara and Miguel Gallego Vara at DEF CON 30 and Ekoparty in 2022.
Is SCTP only used in 5G?
No. SCTP (RFC 4960) is a general transport protocol designed for telecom signaling and developed in the early 2000s, predating 5G by a decade. It carries NGAP on the 5G N2 interface, S1AP on the 4G S1 interface, and M3UA in SIGTRAN — the IP-based transport for SS7. Because the attack operates at the transport layer, it is indifferent to the application protocol above it: Ethon Shield validated it on a commercial 4G network as well as in a 5G-SA lab. The exposure is mobile-signaling-wide, not 5G-specific.
How is SCTP-Hijacker different from SUCI-Cracker?
Different layer, different threat model, different target. SUCI-Cracker is a radio-layer attack on subscriber privacy: an attacker with an SDR identifies victims by correlating an IMSI to its derived SUCI via the 5G AKA procedure. SCTP-Hijacker is a transport-layer attack on signaling integrity: an attacker positioned in the operator's transport network impersonates a network node. Both were presented in the same 2022 paper but target different parts of the architecture and require different attacker capabilities.
Can the attack be detected in production?
Yes, with monitoring that is actually deployed and tuned. The attack leaves detectable traces: a forged ABORT immediately followed by a new association from a different host, an unexpected change in a node's source IP, or an association forming from an address outside the known node set. The problem is that the IDS/IPS and traffic probes usually present in these networks are often not configured to flag SCTP association anomalies, which is why the attack assumes it will go unnoticed.
What countermeasures exist?
Per the paper: protecting the transport against IP interception (the MitM that recovers verification tags), the SCTP countermeasures documented in RFC 5062, and an IP allowlist at both the SCTP and NGAP layers so only known node addresses can form associations. Crucially, these controls usually already exist on the equipment — the recurring failure is that they are left unconfigured or unmonitored. Verifying the deployed configuration is where a targeted audit adds the most value.
Who is the realistic attacker here?
Not someone with an SDR in a coffee shop. The realistic attacker has logical access to the operator's signaling transport network: an insider with VLAN access, a foothold gained from an unrelated breach that reaches the OT side, a compromised contractor or supplier, a malicious tenant in a multi-tenant virtualised core, or a vendor in a weakly segmented Open RAN environment. The barrier to entry is positional, not technical.
References
- A Telco Odyssey: 5G SUCI-Cracker and SCTP-Hijacker — original 2022 paper (ResearchGate)
- 5G SUCI Probing in the Wild — 2024 follow-up paper
- Ethon-Shield on GitHub — open-source tooling
- 3GPP TS 38.413 — NG-RAN; NG Application Protocol (NGAP)
- IETF RFC 4960 — Stream Control Transmission Protocol
- IETF RFC 5062 — Security Attacks Found Against SCTP and Current Countermeasures
- 3GPP TS 33.501 — Security architecture and procedures for 5G System
Related research
- Chlosta, Rupprecht, Pöpper & Holz (2021) — 5G SUCI-Catchers: Still catching them all?
- Enea (2025) — Quantum of Malice: SCTP Insert Attacks in 4G & 5G Networks