
Demystifying 5G Security: Understanding the Registration Protocol


TL;DR: The 5G registration protocol presents unique security challenges despite its improved architecture over previous generations. This article breaks down the fundamentals of 5G radio security during the initial registration of User Equipment to the 5G Core, demonstrates how to test for vulnerabilities in the registration protocol, and highlights key security considerations for organizations deploying 5G technology.

The 5G Security Landscape

5G technology is rapidly becoming ubiquitous across multiple sectors. Major carriers have deployed nationwide coverage, operational technology companies are transitioning from Wi-Fi to 5G, and cloud providers like AWS now offer 5G as a service. By 2030, analysts predict 80% of mobile data traffic will run on 5G networks, approximately double today's usage rate.

While 5G offers significant improvements in speed, reliability, and security options, testing these networks presents unique challenges that traditional methodologies can't address: 

  • Regulatory constraints on radio frequency transmissions and compliance with lawful interception mandates under FCC guidelines
  • Lack of standardized security testing frameworks (no "OWASP Top 10 for 5G")
  • Limited detailed public research on common vulnerabilities
  • Expensive equipment requirements for comprehensive testing

Additionally, much of today's 5G infrastructure operates in non-standalone mode, built on 4G foundations. The industry transition to 5G standalone (5G SA) will introduce new attack surfaces requiring attention.

Understanding 5G Network Architecture

Fundamentally, 5G architecture consists of three primary components that work together to deliver connectivity:

User Equipment (UE) serves as the physical device connecting to the cellular network, ranging from smartphones and IoT devices to industrial equipment.

Radio Access Network (RAN) provides the infrastructure connecting UE to the core network, primarily consisting of gNBs (next-generation Node Bs) that handle radio transmissions and receptions.

5G Core functions as the network's "brain" by processing data, handling registration, and routing traffic to appropriate destinations.

Within the 5G Core, the Access and Mobility Management Function (AMF) plays a critical role in the registration process. Think of the AMF as network air traffic control. It receives connection requests, analyzes them, and directs traffic where it needs to go.

The 5G Registration Protocol

When a device connects to a 5G network, the registration process follows several key steps to authenticate the user and establish secure communications: 

  1. Registration Request - The UE initiates the connection, identifying itself with a SUCI (Subscription Concealed Identifier) rather than a plaintext SUPI, and advertising the ciphering and integrity algorithms it supports (the UE security capability).
  2. Authentication Request/Response - The home network (AUSF), via the AMF, challenges the UE with RAND and AUTN values; the USIM verifies AUTN, derives CK, IK and RES from its long-term key K, and the UE returns RES*, which is also bound to the serving network name so that a challenge relayed through a different network does not verify.
  3. Security Mode Command/Complete - The AMF selects the NAS integrity and ciphering algorithms and replays the UE's security capabilities inside an integrity-protected command; from the UE's Security Mode Complete onward, NAS messages between the UE and the AMF are integrity protected and encrypted.
  4. PDU Session Establishment - Sets up communication parameters like IP addressing, quality of service, and routing.

All of these steps are NAS (Non-Access Stratum) messages exchanged between the UE and the AMF; the gNB relays them without interpreting their contents, over the air on the Access Stratum (RRC) and toward the core over NGAP. NAS security, however, is not activated until step 3.

This means steps 1 and 2 (the Registration Request and the authentication messages) are transmitted without NAS-level integrity protection or encryption. That gap is the vulnerability window in which an attacker can observe or tamper with unprotected signaling.
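To make step 2 concrete, the following is an added example (not code from the original article) of how the UE's RES* and the home network's XRES*/HXRES* are derived per 3GPP TS 33.501 Annex A.4 and A.5, using the generic KDF of TS 33.220 Annex B.2. The Milenage computation that turns the subscriber key K into CK, IK and RES is not reproduced; the CK, IK, RAND and RES values in the block are constructed placeholders, and the serving network name follows the format defined in TS 24.501. The point it shows is the one the step list only states: because the serving network name is an input to RES*, a challenge answered on the wrong network fails at the SEAF even though the subscriber key is correct.

```python
"""RES* / HXRES* derivation for 5G-AKA (3GPP TS 33.501 Annex A.4, A.5).

Added example, not from the original article. Milenage (K -> CK, IK, RES)
is not reproduced; CK, IK, RAND and RES below are constructed placeholders.
"""
import hashlib
import hmac


def serving_network_name(mcc: str, mnc: str) -> str:
    """SN name bound into RES*: '5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org', MNC padded to 3 digits."""
    return f"5G:mnc{int(mnc):03d}.mcc{mcc}.3gppnetwork.org"


def kdf_input(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 || ... with 2-octet big-endian lengths (TS 33.220 B.2)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 over S, keyed with the derivation key."""
    return hmac.new(key, kdf_input(fc, *params), hashlib.sha256).digest()


def res_star(ck: bytes, ik: bytes, sn_name: str, rand: bytes, res: bytes) -> bytes:
    """RES* on the UE (XRES* on the AUSF): 128 LSBs of KDF(CK||IK, 0x6B, SN name, RAND, RES)."""
    return kdf(ck + ik, 0x6B, sn_name.encode(), rand, res)[16:]


def hxres_star(rand: bytes, xres_star: bytes) -> bytes:
    """HXRES* (AUSF -> SEAF), and HRES* computed by the SEAF from the UE's RES*:
    128 LSBs of SHA-256(RAND || XRES*)."""
    return hashlib.sha256(rand + xres_star).digest()[16:]


def seaf_accepts(rand: bytes, hxres_star_from_ausf: bytes, res_star_from_ue: bytes) -> bool:
    """The SEAF never sees XRES*; it hashes the UE's RES* and compares with HXRES* from the AUSF."""
    return hmac.compare_digest(hxres_star(rand, res_star_from_ue), hxres_star_from_ausf)


# Constructed placeholder values (what Milenage would output on the USIM / UDM side).
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")
RES = bytes.fromhex("1122334455667788")
HOME_SN = serving_network_name("999", "70")    # the Open5GS test PLMN used in this article
OTHER_SN = serving_network_name("001", "01")   # a different serving network (constructed)


def demo() -> dict:
    """Walk the exchange: AUSF computes XRES*/HXRES*, UE computes RES*, SEAF compares."""
    xres_star = res_star(CK, IK, HOME_SN, RAND, RES)      # AUSF side
    hxres = hxres_star(RAND, xres_star)                   # handed to the SEAF
    genuine = res_star(CK, IK, HOME_SN, RAND, RES)        # UE registering with the home SN
    relayed = res_star(CK, IK, OTHER_SN, RAND, RES)       # same challenge answered under another SN name
    return {
        "accepted_genuine": seaf_accepts(RAND, hxres, genuine),
        "accepted_relayed": seaf_accepts(RAND, hxres, relayed),
    }


if __name__ == "__main__":
    print(demo())   # {'accepted_genuine': True, 'accepted_relayed': False}
```

In a lab, CK, IK and RES can be produced from the test USIM's K and OPc with any Milenage implementation and plugged in here to verify the RES* seen in a Wireshark capture against the RAND from the Authentication Request.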

The security vulnerabilities outlined below show how the initial Registration Request can pose serious issues, with additional weaknesses and misconfigurations potentially emerging in later stages of the 5G registration protocol.

Critical Security Vulnerabilities

Before starting vulnerability research, the potential weaknesses in the 5G registration protocol were identified from 3GPP Technical Specifications (TS). 3GPP is the global standards body for mobile communication technologies. Through review of specifications such as 3GPP TS 33.511 and TS 33.512 (the Security Assurance Specifications for the gNB and the AMF, respectively), a list of potential vulnerabilities was compiled and tested for in our test environment.

Testing was performed using Open5GS in its default deployment state, representing a typical 5G Core setup. Open5GS is used in real-world environments to deploy functional private 5G Core networks. Traffic sent from a simulated UE was captured and analyzed with Wireshark. Through this analysis, we identified several critical security issues that organizations must monitor:

SUPI Disclosure Risk

5G replaces 4G's IMSI with a Subscription Permanent Identifier (SUPI), which should be concealed into a Subscription Concealed Identifier (SUCI) before transmission. The SUCI is calculated by the Universal Subscriber Identity Module (USIM), or by the mobile equipment on the USIM's behalf, using the home network public key provisioned to the USIM before deployment (ECIES Profile A or Profile B in 3GPP terms), and is then transmitted by the UE during registration. Only the MSIN is concealed; the MCC, MNC and routing indicator remain in clear so the network can route the request. If the USIM is provisioned without a home network public key, or is configured to use the null scheme, the MSIN is sent in clear and the SUCI is effectively the SUPI. Such exposed identifiers enable persistent user tracking: less of a concern for stationary IoT devices, but a significant privacy issue for mobile users.

Null & Weak Encryption and Integrity Exploitation

Encryption, in the context of 5G, ensures that NAS signaling and user traffic between the UE and the network cannot be read by third parties, while integrity algorithms ensure that this traffic cannot be modified in transit without detection. Both take effect once the Security Mode Command procedure of step 3 completes. The UE security capability carries eight ciphering and eight integrity algorithm identifiers. The 3GPP names for the 5G NAS algorithms are NEA0 to NEA3 and NIA0 to NIA3, with EEA/EIA being the names of the corresponding 4G/EPS algorithms; this article uses the EEA/EIA labels throughout. EEA0 (null encryption) provides no confidentiality protection and EIA0 (null integrity) provides no integrity protection.

  • EEA1 and EIA1 (128-NEA1/128-NIA1) use SNOW 3G, which is now considered a legacy option.
  • Most modern devices use EEA2 and EIA2 (128-NEA2/128-NIA2), which are AES based: AES in CTR mode for ciphering and AES-CMAC for integrity.
  • EEA3 and EIA3 (128-NEA3/128-NIA3) are based on the ZUC stream cipher.
  • No algorithm is currently assigned to identifiers 4 through 7 in the 5G bitmaps; the same capability IE additionally carries the separate EPS (4G) EEA/EIA bitmaps so that the network can support interworking with EPS.

The Registration Request carries the UE security capability IE, in which the device advertises the ciphering and integrity algorithms it supports; the AMF then selects one of each in the Security Mode Command. Our research revealed critical flaws:

  • Devices advertise null encryption (EEA0) and null integrity (EIA0) alongside the real algorithms, and a 5G Core configured to prefer or accept them will select them for ordinary, non-emergency registrations. The specification permits EIA0 only for unauthenticated emergency sessions, so a core that selects it otherwise has a policy failure that the UE will not correct for it.
    • It is highly recommended that the 5G Core be configured to select only secure, modern integrity and encryption algorithms, such as EEA2 (AES-CTR) and EIA2 (AES-CMAC), and to leave EEA0 and EIA0 out of its preference lists entirely. In Open5GS, for example, the AMF's preference lists are set in amf.yaml under the security section (ciphering_order and integrity_order); a hardened deployment lists NEA2 and NIA2 first and removes NEA0 and NIA0.
  • The initial Registration Request has no integrity protection, so its contents, including the advertised capabilities, can be altered in transit if the endpoints do not verify them later.
  • Attackers can attempt "bidding-down attacks" by deploying a rogue gNB that intercepts and modifies Registration Requests in transit, stripping the stronger algorithms from the capability list so that the network falls back to EEA0 and EIA0, which provide no real protection for over-the-air communication. The specification's countermeasure is that the AMF echoes the capabilities it received back to the UE inside the integrity-protected Security Mode Command, and a conforming UE must abort if they differ from what it sent; the attack therefore succeeds against UEs that skip this check, or against a core that selects the null algorithms on its own.

Allowing the use of EEA0 and EIA0 in a 5G Core network significantly weakens subscriber confidentiality, as EEA0 provides no encryption, leaving user data and signaling traffic exposed to passive eavesdropping, and EIA0 leaves NAS signaling open to undetected modification. This undermines one of the core security improvements of 5G over previous generations.
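As an added example (not the article's tool or code), the following Python parses a plain 5GMM Registration Request the way a capture-side check would, covering both issues above: it reports the SUCI protection scheme (null scheme means the SUPI is disclosed) and the algorithms advertised in the UE security capability IE. Field layouts follow 3GPP TS 24.501 (clauses 8.2.6, 9.11.3.4 and 9.11.3.54). The two NAS messages are constructed by hand to match the Open5GS test PLMN 999/70 rather than taken from a capture, the Profile A scheme output is filled with placeholder bytes, and the optional-IE table is deliberately limited to what these messages need.

```python
"""Registration Request inspector: SUCI scheme and advertised NAS algorithms.

Added example, not Bishop Fox's tool. Layouts per 3GPP TS 24.501; the two
sample messages are constructed by hand, not taken from a capture.
"""

EPD_5GMM = 0x7E                      # Extended protocol discriminator: 5GMM
MSG_REGISTRATION_REQUEST = 0x41      # 65 decimal, as in the 5GReplay rule above
IEI_UE_SECURITY_CAPABILITY = 0x2E
TLV_E_IEIS = {0x70, 0x71, 0x74, 0x77, 0x7B}   # optional IEs with a 2-octet length
SCHEMES = {0: "null-scheme", 1: "Profile A (ECIES, Curve25519)", 2: "Profile B (ECIES, secp256r1)"}


def bcd_digits(data: bytes) -> str:
    """Swapped-nibble BCD, low nibble first; 0xF is filler."""
    return "".join(str(n) for b in data for n in (b & 0xF, b >> 4) if n != 0xF)


def alg_bits(octet: int) -> set:
    """Capability bitmap: bit 8 is algorithm 0, bit 1 is algorithm 7."""
    return {i for i in range(8) if octet & (0x80 >> i)}


def parse_mobile_identity(ident: bytes) -> dict:
    """5GS mobile identity value (TS 24.501 9.11.3.4) for type SUCI / SUPI format IMSI."""
    type_of_identity, supi_format = ident[0] & 0x07, (ident[0] >> 4) & 0x07
    info = {"type": type_of_identity, "supi_format": supi_format, "msin": None, "supi": None}
    if type_of_identity != 1 or supi_format != 0:
        return info                                   # 5G-GUTI, IMEI, NAI-format SUCI, ...
    mcc = f"{ident[1] & 0xF}{ident[1] >> 4}{ident[2] & 0xF}"
    mnc = f"{ident[3] & 0xF}{ident[3] >> 4}" + ("" if ident[2] >> 4 == 0xF else str(ident[2] >> 4))
    info.update(mcc=mcc, mnc=mnc, routing_indicator=bcd_digits(ident[4:6]),
                scheme=ident[6] & 0x0F, hn_key_id=ident[7], scheme_output=ident[8:])
    info["scheme_name"] = SCHEMES.get(info["scheme"], "unknown")
    if info["scheme"] == 0:
        # Null scheme: the scheme output is the MSIN in plain BCD, so the SUPI is exposed.
        info["msin"] = bcd_digits(ident[8:])
        info["supi"] = f"imsi-{mcc}{mnc}{info['msin']}"
    return info


def parse_registration_request(msg: bytes) -> dict:
    """Mandatory part plus a TLV walk over the optional IEs (TS 24.501 8.2.6)."""
    if msg[0] != EPD_5GMM or msg[1] & 0x0F != 0:
        raise ValueError("not a plain (unprotected) 5GMM message")
    if msg[2] != MSG_REGISTRATION_REQUEST:
        raise ValueError("not a Registration Request")
    id_len = int.from_bytes(msg[4:6], "big")
    result = {"registration_type": msg[3] & 0x0F, "ngksi": msg[3] >> 4,
              "identity": parse_mobile_identity(msg[6:6 + id_len]), "security_capability": None}
    pos = 6 + id_len
    while pos < len(msg):
        iei = msg[pos]
        if iei & 0x80:                       # type-1 IE: IEI and value share one octet
            pos += 1
            continue
        if iei == 0x52:                      # Last visited registered TAI: fixed 7 octets
            pos += 7
            continue
        if iei in TLV_E_IEIS:
            length, hdr = int.from_bytes(msg[pos + 1:pos + 3], "big"), 3
        else:
            length, hdr = msg[pos + 1], 2
        value = msg[pos + hdr:pos + hdr + length]
        if iei == IEI_UE_SECURITY_CAPABILITY:
            caps = {"ea": alg_bits(value[0]), "ia": alg_bits(value[1])}
            if len(value) >= 4:              # EPS (4G) algorithm sets, present for EPS interworking
                caps.update(eps_eea=alg_bits(value[2]), eps_eia=alg_bits(value[3]))
            result["security_capability"] = caps
        pos += hdr + length
    return result


def findings(parsed: dict) -> list:
    """The checks a tester wants from this message: SUPI disclosure and null algorithms offered."""
    out, ident, caps = [], parsed["identity"], parsed["security_capability"]
    if ident.get("scheme") == 0:
        out.append(f"SUPI disclosed: null-scheme SUCI carries MSIN in clear ({ident['supi']})")
    if caps and 0 in caps["ea"]:
        out.append("UE advertises EEA0/NEA0; confirm the AMF never selects it")
    if caps and 0 in caps["ia"]:
        out.append("UE advertises EIA0/NIA0; confirm the AMF never selects it")
    return out


# Constructed messages, PLMN 999/70 as in the Open5GS test environment above.
# Header 7e 00 41 79 = 5GMM, plain, Registration Request, ngKSI 7 + initial registration (FOR set).
NULL_SCHEME_REQUEST = bytes.fromhex(
    "7e004179" "000d" "01 99f907 0000 00 00 0000000010"   # SUCI, null scheme, MSIN 0000000001
    "100107"                                              # 5GMM capability
    "2e04f0f0f0f0"                                        # UE security capability: EA0-3, IA0-3, EEA0-3, EIA0-3
)
PROFILE_A_REQUEST = (
    bytes.fromhex("7e004179") + (53).to_bytes(2, "big")
    + bytes.fromhex("01 99f907 0000 01 00")                 # SUCI, Profile A, home network key id 0
    + bytes(range(1, 33)) + b"\xaa" * 5 + b"\xbb" * 8       # ephemeral pubkey, ciphertext, MAC tag (placeholders)
    + bytes.fromhex("2e04f070f070")                         # EA0-3 offered, IA1-3 only
)

if __name__ == "__main__":
    for name, msg in (("null-scheme UE", NULL_SCHEME_REQUEST), ("Profile A UE", PROFILE_A_REQUEST)):
        parsed = parse_registration_request(msg)
        print(name, parsed["identity"].get("scheme_name"), findings(parsed))
```

Fed with the NAS payload extracted from an NGAP InitialUEMessage (Wireshark exports it as the `nas_5gs` bytes), the inspector gives the same answer for a real UE; the Profile A case deliberately stops at the scheme identifier, since recovering the MSIN from a Profile A or B SUCI requires the home network private key.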

Replay Attacks

Replay attacks occur when an attacker captures legitimate 5G signaling messages and retransmits them so that the network or UE processes a previously valid request again. The exposure is concentrated in the unauthenticated phase of the registration protocol, above all the Registration Request, because these messages are sent in clear text with no sequence number or other freshness mechanism; once NAS security is active, the NAS COUNT and MAC defeat straightforward replay, and the sequence number inside AUTN protects the authentication challenge itself. A replayed Registration Request cannot complete authentication, since the attacker has no subscriber key to answer the challenge, but it can consume AMF resources and, if the core accepts it for a UE that is already registered, interfere with that UE's existing context. Note also that a SUCI computed with Profile A or B embeds a freshly generated ephemeral public key, so two Registration Requests carrying a byte-identical SUCI are a strong replay indicator that a core or a passive monitor can check for.

One example of this attack vector can be demonstrated using the open-source tool 5GReplay, which allows users to capture and replay NAS and RRC messages in a 5G environment. The tool supports both live and pre-recorded message sources and replays them via a simulated gNB. Thanks to its modular design, custom replay rules can be crafted to target specific messages. To test whether a 5G Core would improperly accept a repeated registration request from a UE that has already authenticated, we wrote the following rule in 5GReplay:

<beginning> 
  <property value="THEN" 
            property_id="101" 
            type_property="FORWARD" 
            description="Forward InitialUEMessage with Registration Request"> 

    <!-- Trigger on NGAP InitialUEMessage (procedureCode == 15) --> 
    <event value="COMPUTE" 
           event_id="1" 
           description="Trigger: InitialUEMessage" 
           boolean_expression="ngap.procedure_code == 15"/> 

    <!-- Context match on NAS Registration Request (message_type == 65) --> 
    <event value="COMPUTE" 
           event_id="2" 
           description="Context: Registration Request" 
           boolean_expression="nas_5g.message_type == 65"/> 

  </property> 
</beginning> 

We then used Wireshark to monitor the 5G Core’s response to determine whether it processed the replayed registration request. If the core accepted and handled the message, this would indicate that no freshness check or context validation was applied.

Beyond basic replay attacks, more advanced tools like Sni5Gect exist. Sni5Gect allows real-time sniffing, modification, and injection of 5G control-plane messages without the need for a rogue gNB. While it supports broader NAS injection attacks, it is particularly useful for testing bidding-down attacks, where the attacker tries to force the UE to negotiate null or weak encryption/integrity algorithms such as EEA0 or EIA0.

Additional Attack Vectors

Beyond registration-specific vulnerabilities, 5G networks face additional threats including AMF spoofing through rogue core networks, gNB jamming, IMSI catcher-style surveillance techniques, emergency access bypass exploitation, and NAS Injection against authentication sequences.

Automating The Attacks

After identifying the critical vulnerabilities that can exist within the registration protocol, Bishop Fox created internal capabilities to assist with identifying the encryption and integrity algorithms in use, as well as whether the SUPI is disclosed. The tool listens to live 5G traffic or reads from a pcap file. An example snippet of the tool within our test environment can be seen below:

$ ./snoopy --live lo 

Listening... 
Encryption in use [EEA0] 
Integrity in use [EIA0, EIA1, EIA2] 
SUPI (MCC+MNC+MSIN) 9997000000001 

Stay tuned for more information on this tool!
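The algorithms actually in use are visible on the wire only in the Security Mode Command, which is the message any tool reporting "in use" (as opposed to "offered") has to read. The following is an added example, not Bishop Fox's tool, that parses a Security Mode Command per 3GPP TS 24.501 (clauses 8.2.25, 9.11.3.34 and 9.11.3.54), reports the selected NAS algorithms as a tester would, and performs the UE-side anti-bidding-down check from TS 33.501, comparing the replayed UE security capabilities with the ones the UE sent in its Registration Request. The three messages are constructed by hand; the NAS-MAC is a dummy value and is not verified, since that needs the NAS integrity key derived from KAMF.

```python
"""Security Mode Command inspector: selected NAS algorithms and the
anti-bidding-down comparison a conforming UE performs.

Added example, not Bishop Fox's tool. Layouts per 3GPP TS 24.501; the
three messages are constructed by hand and the NAS-MAC values are dummies.
"""

EPD_5GMM = 0x7E
MSG_SECURITY_MODE_COMMAND = 0x5D        # 93 decimal
SHT_INTEGRITY_NEW_CONTEXT = 0x03        # integrity protected with new 5G NAS security context
CIPHERING = {0: "EEA0/NEA0 (null)", 1: "128-NEA1 (SNOW 3G)", 2: "128-NEA2 (AES-CTR)", 3: "128-NEA3 (ZUC)"}
INTEGRITY = {0: "EIA0/NIA0 (null)", 1: "128-NIA1 (SNOW 3G)", 2: "128-NIA2 (AES-CMAC)", 3: "128-NIA3 (ZUC)"}


def parse_security_mode_command(msg: bytes) -> dict:
    """Strip the security header, then read the plain SMC that follows (TS 24.501 8.2.25)."""
    if msg[0] != EPD_5GMM or msg[1] & 0x0F != SHT_INTEGRITY_NEW_CONTEXT:
        raise ValueError("expected a 5GMM message integrity protected with a new security context")
    nas_mac, seq, inner = msg[2:6], msg[6], msg[7:]     # MAC check needs KNASint; skipped here
    if inner[0] != EPD_5GMM or inner[1] & 0x0F != 0 or inner[2] != MSG_SECURITY_MODE_COMMAND:
        raise ValueError("inner message is not a plain Security Mode Command")
    algs = inner[3]                                     # bits 8-5 ciphering, bits 4-1 integrity
    cap_len = inner[5]                                  # replayed UE security capabilities, LV
    return {
        "nas_mac": nas_mac.hex(), "sequence_number": seq,
        "ciphering": algs >> 4, "integrity": algs & 0x0F, "ngksi": inner[4] & 0x0F,
        "replayed_capabilities": inner[6:6 + cap_len],
    }


def describe(parsed: dict) -> dict:
    """Human-readable names for the selected algorithms."""
    return {"ciphering": CIPHERING.get(parsed["ciphering"], "reserved"),
            "integrity": INTEGRITY.get(parsed["integrity"], "reserved")}


def ue_should_accept(parsed: dict, caps_sent_in_registration: bytes, emergency: bool = False) -> tuple:
    """UE-side checks from TS 33.501: the replayed capabilities must equal what the UE sent
    (otherwise a bidding-down attempt), and NIA0 is only permissible for unauthenticated
    emergency registrations. Returns (accept, reason)."""
    if parsed["replayed_capabilities"] != caps_sent_in_registration:
        return False, "replayed UE security capabilities differ from those sent: bidding-down attempt"
    if parsed["integrity"] == 0 and not emergency:
        return False, "AMF selected null integrity (EIA0/NIA0) for a non-emergency registration"
    return True, "ok"


def core_policy_findings(parsed: dict) -> list:
    """What a tester reports about the core's choice, independent of what the UE does with it."""
    out = []
    if parsed["ciphering"] == 0:
        out.append("Encryption in use: EEA0/NEA0 (null), NAS signaling readable over the air")
    if parsed["integrity"] == 0:
        out.append("Integrity in use: EIA0/NIA0 (null), NAS signaling modifiable over the air")
    return out


# Capabilities the UE sent in its Registration Request (EA0-3, IA0-3, EEA0-3, EIA0-3).
UE_CAPS_SENT = bytes.fromhex("f0f0f0f0")
MAC = "deadbeef"                                      # dummy NAS-MAC, not verifiable here


def smc(selected_algs: str, replayed_caps: str) -> bytes:
    """Build an SMC: security header (7e 03 MAC seq) + plain 7e 00 5d, selected algs,
    ngKSI 0, LV replayed capabilities, IMEISV request (IEI E-)."""
    return bytes.fromhex(f"7e03{MAC}00" f"7e005d{selected_algs}00" f"04{replayed_caps}" "e1")


PERMISSIVE_CORE_SMC = smc("02", "f0f0f0f0")   # NEA0 ciphering + NIA2 integrity, honest replay
HARDENED_CORE_SMC = smc("22", "f0f0f0f0")     # NEA2 + NIA2, honest replay
TAMPERED_SMC = smc("00", "808080f0")          # rogue gNB stripped the UE's caps to EA0/IA0; core chose null

if __name__ == "__main__":
    for label, m in (("permissive core", PERMISSIVE_CORE_SMC), ("hardened core", HARDENED_CORE_SMC),
                     ("tampered request", TAMPERED_SMC)):
        p = parse_security_mode_command(m)
        print(label, describe(p), ue_should_accept(p, UE_CAPS_SENT), core_policy_findings(p))
```

The permissive case is the instructive one: the UE accepts it, because null ciphering is a legitimate operator choice under the specification, so the weakness is visible only as a core-side policy finding. The tampered case shows the other side: the core did nothing wrong given what it received, and it is the UE's comparison of the replayed capabilities that catches the rogue gNB.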

Testing Your 5G Environment

Organizations deploying 5G networks should focus security testing efforts on several key areas:

  • Registration Protocol Analysis requires continuous examination of traffic between UE and core during the connection process, paying particular attention to the unprotected initial messages that create vulnerability windows.
  • Security Capability Enforcement involves verifying that core networks properly reject devices requesting weak security configurations, testing both integrity protection and encryption enforcement.
  • SUCI Implementation testing confirms that devices consistently encrypt their identifiers appropriately before transmission, preventing privacy violations and tracking attacks.

Security Recommendations for 5G Deployments

Based on our vulnerability research, organizations should implement these critical security measures:

  • Require Strong Integrity and Encryption by configuring 5G Core networks to reject connections with null or weak algorithms. This prevents downgrade attacks and ensures baseline security protection.
  • Enforce SUCI Usage to ensure all UE devices encrypt their identifiers before transmission. Monitor network traffic for SUPI exposure and reject non-compliant devices.
  • Deploy Rogue Infrastructure Detection mechanisms to identify unauthorized gNBs or core components. Implement network segmentation and access controls to limit the impact of compromised infrastructure.
  • Establish Regular Security Testing programs as 5G implementations continue evolving. The technology's rapid development cycle requires ongoing vigilance to identify new vulnerability classes.

Conclusion

While 5G offers significant security improvements over previous cellular generations, its registration protocol contains exploitable vulnerabilities that require immediate attention. The unprotected initial messages, cryptographic negotiation weaknesses, and identifier exposure risks create attack vectors that sophisticated adversaries will inevitably target.

Through proper implementation of security controls and continuous assessment, the enhanced capabilities of 5G can be fully realized while mitigating the risks inherent in any wireless communication technology.

Note: This analysis is based on security research conducted in controlled testing environments. For detailed vulnerability disclosure information or to discuss 5G security assessment strategies, contact our research team directly.
