Black Hat USA 2025 | The 5G Titanic
Why It Matters
If left unaddressed, these protocol‑tunneling flaws could enable widespread fraud and service outages, forcing operators to overhaul core security architectures before 6G deployment.
Key Takeaways
- 5G separates control and data planes but lacks vertical sealing
- GTP‑U protocol enables tunneling attacks across control and data planes
- Attackers can craft encapsulated packets to manipulate UPF and core functions
- Real‑world tests expose vulnerabilities in both open‑source and commercial cores
- Missing rate limiting and encryption make identifier enumeration trivially easy
Summary
The presentation likened the 5G architecture to the Titanic, arguing that, like the ship’s supposedly watertight compartments, 5G’s control‑plane and user‑plane are assumed to be isolated but in practice lack vertical sealing. The speaker outlined how the network’s design—AMF, SMF in the control plane and gNodeB, UPF in the data plane—relies on this separation for security, yet the GTP‑U protocol, a 26‑year‑old forwarding mechanism, provides a conduit for attacks.
Key insights centered on protocol tunneling and network‑boundary bridging. By encapsulating malicious payloads inside GTP‑U headers, an attacker can route traffic from the data plane into the control plane, bypassing NAS and RRC security. The threat model treats any 5G‑enabled device as a potential adversary capable of enumerating tunnel endpoint identifiers (TEIDs) and session IDs, exploiting the absence of rate limiting and encryption on internal interfaces.
In a lab spanning six core networks—four open‑source and two commercial—the researcher demonstrated that most UPFs process crafted tunnel packets, forwarding them back to themselves or to the base station, and that malformed packets can trigger crashes. Enumeration of TEIDs proved rapid, sometimes taking only seconds, revealing predictable identifier allocation. The experiments also showed that the newer 5G control‑plane protocol (replacing GTP‑C) suffers from undefined behavior that can be weaponized for denial‑of‑service attacks.
The findings underscore an urgent need for telecom operators to reinforce vertical sealing between planes, enforce mandatory IPsec or equivalent encryption, and implement robust rate limiting on identifier allocation. Without these measures, 5G—and future 6G—networks remain exposed to fraud, service disruption, and large‑scale data exfiltration, threatening both consumer trust and carrier revenue.
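Two of the conditions the talk describes, a GTP‑U tunnel whose inner packet is addressed at the control plane and a single source touching many tunnel endpoint identifiers in a short window, can be checked on the N3 interface with a small amount of parsing. The following Python is an added example written for this summary; it is not code from the presentation or from any of the cores tested. The control‑plane address range, the UE addresses and the sample packets are constructed fixtures, and the enumeration threshold and window are assumptions an operator would tune to their own deployment.

```python
import ipaddress
import struct
from collections import defaultdict

# Constructed for this example: address range that only control-plane
# functions (AMF, SMF, ...) should ever be reached on. Real values are
# deployment-specific.
CONTROL_PLANE_NETS = [ipaddress.ip_network("10.10.0.0/16")]
GPDU = 0xFF  # GTP-U message type carrying a user (T-PDU) packet


def parse_gtpu(data: bytes) -> dict:
    """Parse a GTPv1-U header and return its fields plus the inner payload."""
    if len(data) < 8:
        raise ValueError("too short for a GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError(f"unsupported GTP version {flags >> 5}")
    hdr_len = 8
    if flags & 0x07:  # any of E, S, PN set: 4-byte optional field block follows
        hdr_len += 4
        if len(data) < hdr_len:
            raise ValueError("truncated optional header")
        next_ext = data[11] if flags & 0x04 else 0
        while next_ext != 0:  # walk the extension-header chain to its end
            ext_len = data[hdr_len] * 4
            if ext_len == 0 or len(data) < hdr_len + ext_len:
                raise ValueError("bad extension header")
            next_ext = data[hdr_len + ext_len - 1]
            hdr_len += ext_len
    if len(data) - 8 != length:  # length covers everything after the 8 mandatory bytes
        raise ValueError("length field does not match packet size")
    return {"msg_type": msg_type, "teid": teid, "inner": data[hdr_len:]}


def inner_ipv4_dst(inner: bytes):
    """Destination address of the encapsulated packet, or None if not IPv4."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    return ipaddress.ip_address(inner[16:20])


def classify(data: bytes):
    """Return (parsed header, list of finding tags) for one N3 datagram."""
    pkt = parse_gtpu(data)
    findings = []
    if pkt["msg_type"] == GPDU:
        dst = inner_ipv4_dst(pkt["inner"])
        if dst is None:
            findings.append("non-ipv4-inner")
        elif any(dst in net for net in CONTROL_PLANE_NETS):
            # The plane crossing the talk warns about: user-plane traffic
            # addressed at a control-plane function.
            findings.append("inner-dst-control-plane")
    return pkt, findings


class TeidProbeDetector:
    """Flag a source that uses many distinct TEIDs within a short window."""

    def __init__(self, window_s: float = 10.0, max_distinct: int = 50):  # assumed tuning
        self.window_s = window_s
        self.max_distinct = max_distinct
        self.seen = defaultdict(list)  # src -> [(timestamp, teid)]

    def observe(self, src: str, teid: int, ts: float) -> bool:
        events = self.seen[src]
        events.append((ts, teid))
        events = [(t, i) for t, i in events if ts - t <= self.window_s]
        self.seen[src] = events
        return len({i for _, i in events}) > self.max_distinct


# --- constructed test fixtures (no checksums computed; parsing does not need them)
def build_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload


def build_gtpu(teid: int, inner: bytes, flags: int = 0x30) -> bytes:
    return struct.pack("!BBHI", flags, GPDU, len(inner), teid) + inner


def run_demo():
    """Benign UE traffic, a tunnel aimed at the control plane, and a TEID sweep."""
    benign = build_gtpu(0x0001A2B3, build_ipv4("10.45.0.2", "203.0.113.5"))
    suspect = build_gtpu(0x0001A2B3, build_ipv4("10.45.0.2", "10.10.1.5"))
    det = TeidProbeDetector()
    # 60 distinct TEIDs from one UE in under three seconds
    sweep_alerted = any(det.observe("ue-1", teid, i * 0.05)
                        for i, teid in enumerate(range(1, 61)))
    return classify(benign)[1], classify(suspect)[1], sweep_alerted


if __name__ == "__main__":
    print(run_demo())
```

The parser rejects malformed headers instead of forwarding them, which is the behaviour the talk found missing in several UPFs; the address check and the TEID sweep detector are the two signals an operator can feed into rate limiting or alerting on the N3 interface.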