
5G Standalone Security – Exploitation Risks in Service-Based Architecture and Roaming

  • Writer: Bridge Connect
  • Aug 12

Introduction: The Shift to 5G Standalone

The move from non-standalone 5G (anchored to 4G cores) to full 5G Standalone (SA) represents the most significant shift in mobile network architecture in decades.

Unlike previous generations, 5G SA’s Service-Based Architecture (SBA) replaces tightly controlled, proprietary signalling with a web-like ecosystem of network functions—all communicating over standardised APIs and often using HTTP/2 or RESTful interfaces.

While this flexibility enables faster service deployment, network slicing, and integration with enterprise and IoT ecosystems, it also opens new pathways for attackers.


Service-Based Architecture – Opportunity and Risk


What SBA Changes

In SBA, core functions such as the Access and Mobility Management Function (AMF), Session Management Function (SMF), and Network Slice Selection Function (NSSF) communicate through service-based interfaces (SBIs) instead of fixed point-to-point links.


Why This Matters for Security

  • Increased Exposure – Many SBIs are designed for ease of integration, not minimal exposure.

  • Shared Infrastructure – Multiple network slices may share underlying resources, making isolation critical but challenging.

  • Standard Protocol Stack – Using common web protocols makes SBA accessible to a wider pool of attackers who already understand HTTP/JSON traffic patterns.


Vulnerabilities in the 5G SA Environment


1. Insecure Network Function (NF) Exposure

If NFs are accessible beyond the intended trust domain, such as through misconfigured API gateways, attackers could send malicious requests to manipulate sessions, subscriber profiles, or slice configurations.


2. Weak Authentication Between NFs

Some deployments rely on insufficient mutual authentication between NFs, making it possible for a compromised NF to impersonate another.


3. Misconfigured Slice Isolation

Poor slice configuration could allow one compromised slice (e.g., for an IoT application) to impact the performance or security of another (e.g., emergency services).


4. API Abuse and Data Exfiltration

APIs are central to SBA, but without rate limiting, schema validation, and behavioural monitoring, they can be abused for bulk subscriber data extraction.


5. Expanded Roaming Threat Surface

5G introduces new roaming models over SBA, which may inherit historical signalling vulnerabilities while adding API-level risks.


Roaming Risks in the 5G SA Context

5G SA roaming involves inter-PLMN SBA exposure—meaning that operators exchange service-based messages across trust boundaries. This creates several risk points:

  • Cross-Operator API Access – Malicious or compromised roaming partners could access sensitive network functions.

  • Protocol Translation Weaknesses – Interworking functions between SBA and legacy Diameter/SS7 may create exploitable seams.

  • Slice-Level Roaming – Network slices can be extended across borders, potentially exposing mission-critical services to insecure environments.


Exploitation Scenarios


Scenario 1: NF Impersonation

An attacker compromises a roaming partner’s NF and uses it to request subscriber data or alter session management in the target network.


Scenario 2: Slice Hopping Attack

A vulnerability in one network slice allows attackers to pivot into a higher-security slice, affecting emergency services or industrial control systems.


Scenario 3: API Enumeration and Abuse

An attacker systematically probes SBA interfaces exposed to roaming partners, mapping available services and exploiting those with weak authentication or input validation.


Scenario 4: Roaming Mediation Layer Exploit

A flaw in the mediation function translating between 5G SBA and legacy protocols enables call interception or session hijacking.


Why Current Protections May Be Insufficient

  • Security Lag in Early Deployments – In the rush to deliver 5G services, some operators prioritise feature rollout over full security hardening.

  • Legacy Integration Pressures – Maintaining interworking with 4G/3G cores introduces backdoor risks.

  • Limited Operational Experience – SOC analysts may lack familiarity with SBA-specific threats, delaying detection.

  • Regulatory Gaps – Standards for 5G SBA security enforcement are still maturing, with uneven adoption across markets.


Mitigation Strategies


1. API Gateway Security

Deploy API gateways with strong authentication, rate limiting, schema validation, and threat intelligence integration.


2. Strong NF Authentication

Use mutual TLS or equivalent mechanisms to ensure all NFs validate each other before exchanging information.


3. Slice Isolation Testing

Regularly validate that traffic and control planes are fully isolated between slices, especially those serving critical services.


4. Roaming Security Policies

Negotiate and enforce strict API exposure policies with roaming partners, and validate compliance.


5. Threat Simulation and Red Teaming

Run simulated SBA attacks, including NF impersonation and slice-hopping scenarios, to train detection and response teams.


6. Continuous Monitoring

Integrate SBA traffic analytics into SOC workflows, with anomaly detection tuned for service-based interactions.
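
As an added illustration (not Bridge Connect's code or any vendor's), the sketch below shows the kind of SOC-side check that the roaming exposure policy and continuous monitoring items describe: it flags partner calls to services outside the agreed exposure list and NF instances that look up an unusual number of distinct subscribers in a short window. The log format, PLMN IDs, NF instance names, policy table and thresholds are all constructed assumptions; the service names in the sample paths follow 3GPP API naming.

```python
from collections import defaultdict

# Constructed gateway log (hypothetical format, not from any product):
# epoch_seconds  source_plmn  nf_instance  method  path
SAMPLE_LOG = """\
1000 00101 nf-a GET /nudm-sdm/v2/imsi-999990000000001/am-data
1005 00101 nf-a GET /nudm-sdm/v2/imsi-999990000000002/am-data
1010 00101 nf-b GET /nudm-sdm/v2/imsi-999990000000009/am-data
1012 00101 nf-a GET /nudm-sdm/v2/imsi-999990000000003/am-data
1015 00102 nf-c GET /nudm-sdm/v2/imsi-999990000000004/am-data
1020 00101 nf-a GET /nudm-sdm/v2/imsi-999990000000004/am-data
1030 00101 nf-b POST /nausf-auth/v1/ue-authentications
1200 00101 nf-b GET /nudm-sdm/v2/imsi-999990000000009/am-data
1300 00103 nf-d GET /nnrf-disc/v1/nf-instances
"""

# Assumed roaming agreements: services each partner PLMN may call.
EXPOSURE_POLICY = {"00101": {"nausf-auth", "nudm-sdm"}, "00102": {"nausf-auth"}}
WINDOW_S = 60        # sliding window, seconds
MAX_SUBSCRIBERS = 3  # distinct SUPIs per NF per window (set low for the demo)

def parse(line):
    """Split one log line; the service is the first path segment."""
    ts, plmn, nf, _method, path = line.split()
    parts = path.strip("/").split("/")
    supi = next((p for p in parts if p.startswith("imsi-")), None)
    return int(ts), plmn, nf, parts[0], supi

def analyse(log_text):
    """Return alerts for out-of-policy calls and bulk subscriber lookups."""
    alerts, flagged = [], set()
    recent = defaultdict(list)  # nf_instance -> [(timestamp, supi)]
    for line in filter(str.strip, log_text.splitlines()):
        ts, plmn, nf, service, supi = parse(line)
        # Unknown partners get an empty allowlist (default deny).
        if service not in EXPOSURE_POLICY.get(plmn, set()):
            alerts.append(("policy_violation", plmn, nf, service))
        if supi is None:
            continue
        recent[nf] = [(t, s) for t, s in recent[nf] if ts - t < WINDOW_S]
        recent[nf].append((ts, supi))
        distinct = {s for _, s in recent[nf]}
        if len(distinct) > MAX_SUBSCRIBERS and nf not in flagged:
            flagged.add(nf)  # one alert per NF instance
            alerts.append(("bulk_subscriber_access", plmn, nf, len(distinct)))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

In production the per-NF threshold would be baselined from normal roaming traffic rather than fixed, and the policy table would be generated from the signed roaming agreements.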


Strategic Implications for Boards and Executives

5G SA introduces new strategic risks that extend beyond technical concerns:

  • Reputational Damage – A breach involving critical services over 5G slices could damage trust in both the operator and the technology.

  • Regulatory Scrutiny – Governments are increasingly aware of 5G’s critical infrastructure role and may impose strict compliance mandates.

  • Operational Resilience – The more interconnected and API-driven the network, the more important it becomes to validate every trust relationship.

For boards, the decision is not whether to invest in SBA security—it is whether to invest early enough to prevent an incident that forces reactive spending under public scrutiny.


Final Thoughts

5G Standalone offers unmatched potential for operators, enterprises, and national infrastructure. But the same openness that enables innovation also invites exploitation.

Operators must move beyond traditional perimeter security and embrace an API-first security mindset - treating every NF, every slice, and every roaming link as a potential attack vector.

Bridge Connect supports operators in designing and auditing SBA deployments, securing cross-operator API exposure, and developing resilience strategies that align with both commercial goals and national security priorities.

 
 
