Integrity Under Siege: A Rogue gNodeB's Manipulation of 5G Network Slice Allocation

Jiali Xu, Valeria Loscri, Romain Rouvoy

TL;DR

This work identifies a previously underexplored integrity vulnerability in 5G network slicing: a rogue gNodeB can manipulate slice allocation during the initial registration process. By exploiting permissible but insecure configurations such as null-ciphering and weaknesses in NAS key derivation, the attacker can forge slice requests and redirect UEs to suboptimal or default slices, with both stealthy and overt performance impacts. The authors validate the threat through a comprehensive 5G testbed, demonstrating dramatic QoS degradation (up to 95% bandwidth loss and 150% latency increase), as well as systemic resource contamination that saturates core network UPFs. They argue that this integrity breach undermines SLA guarantees and critical infrastructure, and propose a multi-layer mitigation framework including core-network anomaly detection, cross-layer integrity monitoring, and preventative hardening (e.g., disabling null-ciphering and increasing NSSAI entropy). The findings highlight a paradigm shift in 5G security from solely protecting confidentiality to securing dynamic resource management, and they call for practical deployment of cross-layer defenses to ensure reliable, differentiated service delivery.

Abstract

The advent of 5G networks, with network slicing as a cornerstone technology, promises customized, high-performance services, but also introduces novel attack surfaces beyond traditional threats. This article investigates a critical and underexplored integrity vulnerability: the manipulation of network slice allocation to compromise Quality of Service (QoS) and resource integrity. We introduce a threat model, grounded in a risk analysis of permissible yet insecure configurations like null-ciphering (5G-EA0), demonstrating how a rogue gNodeB acting as a Man-in-the-Middle can exploit protocol weaknesses to forge slice requests and hijack a User Equipment's (UE) connection. Through a comprehensive experimental evaluation on a 5G testbed, we demonstrate the attack's versatile and severe impacts. Our findings show this integrity breach can manifest as obvious QoS degradation, such as a 95% bandwidth reduction and 150% latency increase when forcing UE to a suboptimal slice, or as stealthy slice manipulation that is indistinguishable from benign network operation and generates no core network errors. Furthermore, we validate a systemic resource contamination attack where redirecting a crowd of UE orchestrates a Denial-of-Service, causing packet loss to exceed 60% and inducing measurable CPU saturation (~80%) on core network User Plane Functions (UPFs). Based on these results, we discuss the profound implications for Service Level Agreements (SLAs) and critical infrastructure. We propose concrete, cross-layer mitigation strategies for network operators as future work, underscoring the urgent need to secure the integrity of dynamic resource management in 5G networks.
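Because the stealthy form of the attack generates no core network errors, core-side detection has to look for deviation from expected slice behaviour rather than for failures. The following added example (not code from the paper or its testbed) shows one such check: it groups registration records by serving gNodeB and flags any gNodeB through which most UEs request a slice other than their usual one, noting which of those sessions negotiated 5G-EA0. The record format, the baseline table, the identifiers and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed baseline: the S-NSSAI (SST, SD) each UE normally requests,
# e.g. learned from earlier registrations. SST 1 = eMBB, 2 = URLLC.
BASELINE = {f"ue-{i:02d}": (2, "0000a1") for i in range(1, 10)}
DEFAULT = (1, "000000")  # constructed best-effort slice

# Constructed registration records (hypothetical collector format):
# (UE, serving gNB, requested S-NSSAI, negotiated NAS ciphering algorithm)
EVENTS = [
    ("ue-01", "gnb-A", (2, "0000a1"), "5G-EA2"),
    ("ue-02", "gnb-A", (2, "0000a1"), "5G-EA2"),
    ("ue-03", "gnb-A", (2, "0000a1"), "5G-EA2"),
    ("ue-04", "gnb-A", DEFAULT, "5G-EA2"),  # isolated, benign change
    ("ue-05", "gnb-X", DEFAULT, "5G-EA0"),
    ("ue-06", "gnb-X", DEFAULT, "5G-EA0"),
    ("ue-07", "gnb-X", DEFAULT, "5G-EA0"),
    ("ue-08", "gnb-X", DEFAULT, "5G-EA2"),
    ("ue-09", "gnb-B", DEFAULT, "5G-EA2"),  # too few UEs to judge
]

def slice_deviation_by_gnb(events, baseline, min_ues=3, max_ratio=0.5):
    """Flag gNBs where the share of UEs requesting a slice other than
    their baseline exceeds max_ratio (assumed thresholds, tune per site)."""
    seen = defaultdict(set)         # gNB -> UEs that registered through it
    deviating = defaultdict(set)    # gNB -> UEs off their baseline slice
    null_cipher = defaultdict(set)  # gNB -> UEs that negotiated 5G-EA0
    for ue, gnb, nssai, cipher in events:
        seen[gnb].add(ue)
        expected = baseline.get(ue)
        if expected is not None and nssai != expected:
            deviating[gnb].add(ue)
        if cipher == "5G-EA0":
            null_cipher[gnb].add(ue)
    flagged = {}
    for gnb, ues in seen.items():
        ratio = len(deviating[gnb]) / len(ues)
        if len(ues) >= min_ues and ratio > max_ratio:
            flagged[gnb] = {
                "ues": len(ues),
                "ratio": round(ratio, 2),
                "deviating": sorted(deviating[gnb]),
                "null_ciphered": sorted(null_cipher[gnb]),
            }
    return flagged

if __name__ == "__main__":
    for gnb, report in slice_deviation_by_gnb(EVENTS, BASELINE).items():
        print(gnb, report)
```

A single UE changing slice, as on `gnb-A`, stays below the threshold; only a cell-wide shift is reported, which matches the crowd-redirection scenario in the abstract.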

Paper Structure

This paper contains 42 sections, 6 figures, 4 tables.

Figures (6)

  • Figure 1: 5G network slicing architecture.
  • Figure 2: The 5G registration procedure, highlighting relevant message elements (blue) and the rogue 's interference points (red).
  • Figure 3: Key-derivation hierarchy from $K_{\mathrm{AUSF}}$ to $K_{\mathrm{NASint}}$, detailing KDF function codes and parameters ($P_n$), where $L_n$ denotes the octet length of $P_n$.
  • Figure 4: Baseline performance profiles. Empirical and theoretical CDFs for (a) Bitrate, (b) Jitter, and (c) across the configured , , and slices.
  • Figure 5: degradation during the resource contamination attack. Measured Bitrate, Jitter, and Packet Loss as the number of hijacked clients increases for three scenarios.
  • ...and 1 more figure