Impact of 5G SA Logical Vulnerabilities on UAV Communications: Threat Models and Testbed Evaluation

This paper evaluates the impact of logical vulnerabilities in 5G Standalone networks on UAV communications by utilizing a Kubernetes-based testbed to demonstrate how attacks from malicious UEs, compromised gNodeBs, or the 5G core can disrupt operations, thereby highlighting the critical need for user plane isolation and protocol integrity.

The Gist

Imagine you are flying a high-tech drone (UAV) using a smartphone app. In the old days, you might have used a direct radio link, like a walkie-talkie. But in this paper, the authors are testing what happens when that drone flies using 5G, the super-fast, low-latency mobile network we use for our phones.

The big question they ask is: "If the 5G network itself has holes in its logic, can a hacker take control of the drone?"

To find out, they built a miniature, safe version of a 5G network in a computer lab (a "testbed") and tried to break it in three different ways. Here is the breakdown of their findings using simple analogies.

The Setup: The Drone, The Pilot, and The Highway

Think of the 5G network as a massive, high-speed highway system.

• The Drone (UAV) is a delivery truck.
• The Ground Control Station (GCS) is the dispatcher in the control tower.
• The 5G Network is the road, the traffic lights, and the toll booths that keep the truck moving.

The authors tested three different ways a bad guy could hijack this system.

---

Attack 1: The "Imposter" on the Same Road

The Scenario: Imagine the Drone and the Dispatcher are driving on the same specific lane of the highway (called a "Network Slice"). The bad guy (a "Rogue UE") also gets a ticket to drive on that exact same lane.

The Vulnerability: In this 5G setup, the highway didn't put up enough fences between the cars. The bad guy realized that because they are on the same lane, they can talk directly to the Drone without going through the Dispatcher.

The Attack:
The bad guy uses a tool to scan for the Drone. Once found, they pretend to be the Dispatcher. They send a message saying, "Hey, I'm the boss! Land immediately!"

• The Analogy: It's like a stranger in a coffee shop walking up to your table, pretending to be your boss, and telling you to leave. If you don't have a secret handshake (digital signature) to prove who your boss really is, you might just listen.
• The Result: The drone lands immediately, even though the real pilot is screaming "No!" The mission is ruined.

Attack 2: The "Insider" at the Traffic Control Center

The Scenario: This time, the bad guy isn't on the road at all. They have snuck into the Traffic Control Center (the 5G Core Network). They have access to the computers that tell the trucks which lanes to use.

The Vulnerability: The authors found that the communication between the Traffic Control Center and the road switches (the UPF) wasn't locked down with strong digital locks. It was like the control center sending instructions on a postcard that anyone could read or change.

The Attack:
The bad guy sends a flood of fake orders to the traffic switches: "Delete the lane for the Drone! Delete the lane for the Dispatcher!"

• The Analogy: Imagine a saboteur in the control tower ripping up the blueprints for the road the drone is driving on. Suddenly, the road just disappears.
• The Result: The connection between the drone and the pilot is severed. The drone panics, thinks it's lost, and automatically flies back to its starting point (failsafe mode). The mission is interrupted.

Attack 3: The "Corrupt" Toll Booth

The Scenario: This is the sneakiest attack. The bad guy takes over one of the Toll Booths (the gNodeB) that the drone drives through. This booth is part of the official highway system, so it's trusted.

The Vulnerability: When the drone's data passes through this booth, the booth has to open the package to check where it's going. The authors found that the highway system often doesn't put a "tamper-evident seal" on the packages while they are being moved between booths.

The Attack:
The bad guy at the toll booth opens the package, looks at the navigation instructions inside, and changes the destination coordinates before resealing it.

• The Analogy: You send a letter to your friend with the address "123 Main St." The corrupt post office worker opens the envelope, changes the address to "456 Evil Lane," and puts it back in the mail. Your friend (the drone) thinks they are going to Main St, but they are actually flying toward Evil Lane.
• The Result: The pilot thinks they are sending the drone to the right place, but the drone is actually flying exactly where the hacker wants it to go. The pilot has no idea the commands have been altered.

---

The Big Lesson

The paper concludes that relying solely on the 5G network to keep the drone safe isn't enough. The network is like a highway; it's fast and efficient, but it's not a fortress.

The Solution?
You need multiple layers of security:

1. Fences on the Highway: Better isolation so random cars can't talk to your drone.
2. Locked Doors in the Control Tower: Strong encryption for the internal network commands.
3. Tamper-Proof Seals on the Packages: The most important fix is that the drone itself must verify the commands. Just like you wouldn't open a package from a stranger without checking the signature, the drone should use a digital "signature" to prove that the "Land" command actually came from the real pilot, not a hacker.

In short: Even if the 5G highway is compromised, the drone should have its own seatbelt and airbag (application-level security) to survive the crash.

Technical Summary

Here is a detailed technical summary of the paper "Impact of 5G SA Logical Vulnerabilities on UAV Communications: Threat Models and Testbed Evaluation."

1. Problem Statement

Unmanned Aerial Vehicles (UAVs) increasingly rely on 5G Standalone (SA) networks for Command and Control (C2) and telemetry due to the network's low latency and high capacity. However, the integration of UAVs into 5G introduces significant security risks. The paper addresses the critical gap in understanding how logical vulnerabilities within the 5G architecture—specifically regarding network slicing, user plane isolation, and internal interface security—can be exploited to disrupt, hijack, or terminate UAV operations.

The core problem is that while 5G offers robust physical security, logical configurations (such as shared Data Network Names or unencrypted internal interfaces) and application-layer weaknesses (lack of message signing) create an attack surface where an adversary can manipulate UAV behavior without necessarily breaking radio encryption.

2. Methodology

The authors developed a controlled experimental testbed to simulate a 5G SA environment and evaluate three distinct threat models.

• Testbed Architecture:

  • Core Network: Implemented using Open5GS (AMF, SMF, UPF, UDM, etc.) running in containers.
  • Access Layer: Simulated using UERANSIM to provide gNodeB (gNB) and User Equipment (UE) functionality.
  • Orchestration: Managed via a Kind-based Kubernetes cluster.
  • Scenario: A UAV (running a MAVLink simulator), a Ground Control Station (GCS), and a Malicious Agent (Rogue UE or Insider) connected to the network.
  • Configuration: A single PLMN (MCC 999, MNC 70) with a specific network slice (SST 1, SD 0x111111) and a shared DNN ("internet") to simulate a lack of strict isolation.

• Threat Models Evaluated:

  1. Rogue UE: A malicious device connected to the same slice/DNN as the UAV.
  2. Insider Threat: An adversary with access to the 5G Core (specifically the N4 interface between SMF and UPF).
  3. Compromised gNodeB: A legitimate base station under attacker control, capable of manipulating the user plane.

3. Key Contributions and Attack Vectors

A. Threat Model 1: Rogue UE (Lateral Movement & Spoofing)

• Vulnerability: The 5G architecture does not inherently guarantee isolation between UEs sharing the same DNN and slice. If the User Plane Function (UPF) allows local switching, devices can communicate directly.
• Attack: The attacker performs a network scan (e.g., probing UDP port 14550) to identify the UAV. Since many UAV applications (ArduPilot, PX4) do not use MAVLink signing by default, the attacker impersonates the GCS (System ID 255).
• Execution:
  1. Reconnaissance: Sends heartbeats and requests telemetry (GLOBAL_POSITION_INT) to map the UAV's location.
  2. Flooding: Sends a high-rate flood of MAV_CMD_NAV_LAND commands.
• Result: The UAV accepts the malicious commands, overriding the legitimate GCS, and is forced to land. The failsafe mechanism (heartbeat timeout) fails to trigger because the rogue UE also sends heartbeats.

B. Threat Model 2: Insider Threat (Core Network Compromise)

• Vulnerability: The N4 interface (PFCP protocol between SMF and UPF) is often treated as a "trusted" internal interface and may lack cryptographic protection (IPsec/TLS) in many deployments.
• Attack: The attacker, having access to the core, establishes a PFCP association with the UPF and performs a Session Deletion Flood.
• Execution: The attacker iterates through Session IDs (SEIDs), sending Session_Deletion_Request packets. When the UPF accepts a request, it tears down the GTP-U tunnel for that session.
• Result: The PDU session for the UAV (or GCS) is terminated. The UAV loses connectivity, triggering a failsafe mode that forces it to return to its origin or land, effectively neutralizing the mission.

C. Threat Model 3: Compromised gNodeB (User Plane Manipulation)

• Vulnerability: The gNodeB terminates radio encryption (PDCP), meaning user data is available in cleartext at the gNB. Furthermore, the N3 interface (GTP-U between gNB and UPF) often lacks integrity protection (NIA2) or encryption in practice, despite 3GPP recommendations.
• Attack: Navigation Hijacking via Data Tampering.
• Execution:
  1. The attacker controls a gNB to which the GCS is connected.
  2. Traffic from GCS to UAV passes through this compromised gNB.
  3. The attacker intercepts GTP-U packets, decapsulates them, and modifies the inner MAVLink payload (e.g., SET POSITION TARGET LOCAL NED).
  4. The attacker replaces target coordinates with attacker-defined values, re-encapsulates, and injects the packet.
• Result: The UAV executes the modified commands and flies toward a location chosen by the attacker. The operator sees the command as "accepted" because the radio link and tunnel remain intact, but the UAV's trajectory is hijacked.

4. Results

The experiments confirmed that logical vulnerabilities in 5G SA networks can lead to catastrophic failures in UAV operations:

• Confidentiality Breach: Attackers can easily extract UAV telemetry when devices share a slice.
• Integrity Breach: Navigation commands can be altered in transit without detection if the application layer lacks signing.
• Availability Breach: Session deletion attacks can instantly sever the link between the UAV and the network, triggering emergency landings.
• Layered Failure: The attacks succeed because security is often assumed at the radio layer, while the user plane (N3) and application layer (MAVLink) remain vulnerable.

5. Significance and Recommendations

This paper highlights that 5G security for UAVs cannot rely solely on network infrastructure security; it requires a multi-layered defense strategy.

• Network Isolation: Operators must enforce strict isolation policies within slices and DNNs to prevent lateral movement between UEs.
• Core Security: Internal interfaces like N4 must be protected with mutual authentication and integrity (e.g., IPsec or TLS) to prevent insider session manipulation.
• User Plane Integrity: The N3 interface should utilize integrity protection (NIA2) or IPsec to prevent tampering by compromised gNodeBs.
• Application Hardening: UAV control protocols (like MAVLink) must implement end-to-end signing and authentication. This is the only defense that remains effective even if the underlying 5G transport is compromised.

Conclusion: The study demonstrates that without specific hardening at the application and user-plane levels, 5G SA networks introduce new, critical attack vectors that can be exploited to take control of or disable UAVs.