As mobile networks become more modular, interoperable, and layered, attackers have adapted their techniques accordingly. In the 4G and 5G era, the protocol stack is no longer a clean vertical. Instead, it’s a horizontal maze where multiple layers — signaling, user plane, control plane, API, and management — coexist with implicit trust assumptions. And those assumptions are exactly where attackers operate.
This blog post explores cross-protocol attack paths: how adversaries pivot across different protocol layers to escalate privileges, bypass controls, or reach deeper into the core. We’ll break down the stack for both 4G and 5G, and map how attackers abuse the seams between them.
1. What Is a Cross-Protocol Attack?
A cross-protocol attack path occurs when an attacker exploits a vulnerability or misconfiguration in one protocol — and then leverages it to interact with another layer of the stack that wasn’t directly exposed.
In mobile networks, this might look like:
- Using GTP-C to manipulate bearer paths and inject unauthorized traffic into S1-U (user plane).
- Exploiting SIP messages in IMS to trigger unintended processing on Diameter or HTTP/2 interfaces.
- Abusing SS7 to trigger fallback procedures that expose NAS or SMF sessions in 5G cores.
Each protocol serves a specialized purpose, but in practice, they're often linked through orchestration logic, error-handling flows, or shared infrastructure components.
2. The 4G Protocol Stack – And Where It Breaks
In LTE networks, the protocol stack is divided into:
- Access (eNodeB, UE): NAS, RRC, PDCP
- Core (MME, SGW, PGW): S1-AP, GTP-C/U, Diameter
- Interconnect: SS7, SIGTRAN, Diameter for roaming
- IMS: SIP, RTP, and Diameter for voice/SMS
Example attack paths in 4G:
- From GTP-C to GTP-U: Attackers who gain access to the control plane can inject or modify bearer tunnels to reroute or sniff user data. There’s often no deep inspection of GTP-U.
- Diameter ↔ SIP crossover: Misconfigured policy control (PCRF) and IMS components allow SIP messages to trigger unintended resource allocation or service state changes via Diameter.
- SS7-induced fallback: Remote attackers trigger handovers to insecure legacy radio (e.g., 2G), leaving devices exposed to passive IMSI catching or voice interception.
Because many 4G deployments mix legacy and IP-native elements, attackers can chain together outdated signaling with modern transport mechanisms for maximum reach.
3. The 5G Stack – More APIs, More Layers, More Risks
The 5G Service-Based Architecture (SBA) shifts much of the signaling and orchestration to HTTP/2 and REST-style APIs. The stack now includes:
- NG-RAN interfaces: NGAP, XnAP
- Core control: HTTP/2 between AMF, SMF, PCF, UDM, etc.
- User plane: GTP-U still in use for data forwarding
- Application exposure: NEF, SEPP, and external API access
Common 5G cross-protocol attack patterns:
- HTTP/2 to GTP-U: By compromising a service-based function (e.g., AMF or SMF), attackers can craft messages that instantiate or modify GTP tunnels — despite not having direct GTP access.
- API fuzzing → mobility abuse: Faulty input validation in SBI (Service-Based Interfaces) can result in unintended behavior in mobility management, triggering state transitions or session drops.
- Diameter carryover risks: Even though 5G aims to replace Diameter, many deployments still use it for interworking, especially for roaming — creating a hidden backchannel that’s often unmonitored.
- SEPP misconfigurations: Improperly protected SEPP (used for secure interconnect between operators) may still permit cross-protocol injection or downgrade attacks.
What makes 5G riskier is that many interfaces are optional, exposed to external parties, or inconsistently authenticated — making it easier for attackers to find seams between protocols.
4. Layer Hopping: Techniques and Motivations
Attackers engage in cross-protocol pivoting for several reasons:
- Privilege Escalation: Moving from a read-only API to a control layer (e.g., provisioning GTP sessions or modifying slice configurations).
- Lateral Movement: Gaining access to one protocol domain (e.g., SIP) and using it to influence another (e.g., DNS, HTTP/2).
- Stealth: Abusing weak protocol boundaries to hide traffic inside user plane tunnels or legitimate service signaling.
- Resilience: When one protocol is monitored or filtered, pivoting to another with looser controls increases persistence.
Real-world red teams have successfully moved from Diameter → GTP-U or from HTTP/2 → NAS, and have even abused RAN protocols to inject rogue measurements or spoofed identities.
5. Why Stack Diagrams Matter
Operators often manage protocols in silos: GTP belongs to EPC, SIP to IMS, HTTP/2 to core teams. But attackers don’t follow these organizational charts.
Stack diagrams are crucial for:
- Identifying weak intersections where no single team has full ownership
- Mapping privilege boundaries, especially where protocol transitions occur (e.g., from HTTP to GTP)
- Simulating lateral attack paths during red team or risk modeling exercises
- Building detection logic that correlates behavior across protocol domains
Visualizing the full 4G/5G stack — with both vertical (layered) and horizontal (cross-domain) flows — is one of the most underrated exercises in mobile network security.
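The last bullet above, correlating behaviour across protocol domains, is the one that most directly counters the GTP-C → GTP-U path described in section 2 (and its 5G sibling, control plane → GTP-U). The following detector is an added example, not code from the original post: it keeps a table of user-plane tunnels established by observed control-plane messages and flags GTP-U traffic whose TEID has no live session behind it. The event format, field names (`proto`, `msg`, `teid`, `peer`) and the PFCP message names used for the 5G case are assumptions for the example; a production version would track F-TEIDs per direction rather than a single TEID.

```python
"""Flag GTP-U tunnels that appear on the user plane without a matching
control-plane establishment (GTP-C in 4G, PFCP on N4 in 5G).

Added example: the event schema is assumed, not taken from any real probe."""

# Control-plane messages that open or close a user-plane tunnel (assumed names).
SETUP_MSGS = {("GTP-C", "CreateSessionResponse"),
              ("PFCP", "SessionEstablishmentResponse")}
TEARDOWN_MSGS = {("GTP-C", "DeleteSessionRequest"),
                 ("PFCP", "SessionDeletionRequest")}

# Constructed sample events, not real captures. Each carries the protocol
# domain, message type, user-plane TEID and the user-plane peer it belongs to.
SAMPLE_EVENTS = [
    {"ts": 100, "proto": "GTP-C", "msg": "CreateSessionResponse", "teid": "0x1a2b", "peer": "upf-1"},
    {"ts": 101, "proto": "GTP-U", "msg": "G-PDU", "teid": "0x1a2b", "peer": "upf-1"},
    {"ts": 103, "proto": "PFCP",  "msg": "SessionEstablishmentResponse", "teid": "0x3c4d", "peer": "upf-2"},
    {"ts": 104, "proto": "GTP-U", "msg": "G-PDU", "teid": "0x3c4d", "peer": "upf-2"},
    {"ts": 105, "proto": "GTP-U", "msg": "G-PDU", "teid": "0xbeef", "peer": "upf-1"},   # never set up
    {"ts": 110, "proto": "GTP-C", "msg": "DeleteSessionRequest", "teid": "0x1a2b", "peer": "upf-1"},
    {"ts": 115, "proto": "GTP-U", "msg": "G-PDU", "teid": "0x1a2b", "peer": "upf-1"},   # after teardown
]


def find_orphan_tunnels(events):
    """Return one alert per GTP-U event whose (peer, TEID) has no active
    control-plane session at that moment. Events are processed in time order,
    so a tunnel used before setup or after teardown is also reported."""
    active = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["peer"], ev["teid"])
        tag = (ev["proto"], ev["msg"])
        if tag in SETUP_MSGS:
            active.add(key)
        elif tag in TEARDOWN_MSGS:
            active.discard(key)
        elif ev["proto"] == "GTP-U" and key not in active:
            alerts.append({"ts": ev["ts"], "peer": ev["peer"], "teid": ev["teid"],
                           "reason": "user-plane traffic without control-plane session"})
    return alerts


if __name__ == "__main__":
    for alert in find_orphan_tunnels(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the constructed sample yields two alerts: the tunnel that was never established (0xbeef) and the one still carrying traffic after its Delete Session Request (0x1a2b at ts 115).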
6. Future Trends in Cross-Protocol Exploitation
Looking ahead, we expect:
- AI-driven fuzzing to uncover new protocol bridging vulnerabilities.
- More open APIs in telecom clouds exposing protocol translation gateways.
- Multi-vendor stack abuse, especially where components from different suppliers share data paths but not security models.
- Edge-native attack chains, combining RAN messages, local API abuse, and user plane injection on MEC nodes.
As telecom transforms into a software-driven industry, the concept of "protocol isolation" becomes increasingly theoretical.
Conclusion
Cross-protocol attacks are not hypothetical. They’re happening now — across live 4G and 5G networks, often undetected. The very complexity that enables modern telecom also enables attackers to exploit seams between layers, shift horizontally across systems, and escalate privilege without ever triggering a signature.
Understanding these attack paths — and visualizing them through accurate stack diagrams — is a critical step toward building realistic threat models and effective defenses in mobile network environments.