[Figure: Diagram showing hidden GTP-U tunneling paths in a private 5G network architecture]

The 5G Attack Surface Architects Missed

By Ido Shaked, VP Research

Private LTE and 5G networks are becoming foundational infrastructure for enterprise environments. Utilities, transportation systems, ports, and industrial operators are connecting thousands of devices to support automation, monitoring, and operational control. 

One reason enterprises are comfortable adopting cellular connectivity is the architecture itself. Compared to traditional IP networks, cellular environments appear more structured and easier to control. Traffic flows through defined gateways, and devices typically do not communicate directly with each other. 

For many teams, this creates a simple mental model: if all traffic passes through the gateway, the network can be controlled and inspected. 

But networking history shows that architectures often behave differently under real-world conditions than they do on paper. 

Recent research titled “Uncovering Hidden Paths in 5G Core: Exploiting Protocol Tunneling and Network Boundary Bridging” highlights an example of this. The study demonstrates how protocol tunneling inside the 5G core can allow traffic to move through paths operators may not expect. 

For organizations building large-scale private cellular networks, the implications are worth understanding. 

Cellular Networks Are Secure by Design But Not Always Fully Visible 

To understand the issue, it helps to revisit how cellular networks are structured relative to traditional enterprise IP networks. 

Traditional enterprise IP networks are effectively meshed. Devices communicate through routers and switches, and traffic between any two endpoints can take multiple paths. 

Because of this flexibility, enterprise networks rely heavily on segmentation and firewalls to control east-west communication between devices. 

Cellular networks take a different approach. 

Most cellular architectures use a centralized packet gateway model. Devices, known as User Equipment (UE), send all traffic through a packet gateway (the PDN Gateway, P-GW, in LTE; the User Plane Function, UPF, in 5G) before it reaches external networks or other endpoints. 

In practice, this creates something closer to a star topology: 

  • Devices do not communicate directly with each other 
  • Traffic flows through centralized gateways 
  • Network operators enforce policy at the gateway layer 

This architecture simplifies network control and has led many organizations to assume that cellular environments naturally limit lateral movement between devices. 

However, the way traffic moves through cellular protocols introduces an important nuance. 


GTP-U Tunneling and the Inspection Gap Enterprises Overlook 

Cellular networks transport user traffic using GTP-U (GPRS Tunneling Protocol – User Plane), carried over UDP port 2152. 

GTP-U encapsulates each device packet inside a tunnel, identified by a Tunnel Endpoint Identifier (TEID), as it moves between the radio access network and the core (the S1-U interface in LTE, N3 in 5G). This lets the mobile network route a device's traffic between network elements without examining what the inner packet contains. 

Encapsulation, however, also changes where traffic can be inspected. 

In many enterprise deployments, traffic is inspected only after it exits the cellular network and reaches enterprise firewalls at the SGi interface (N6 in 5G). 

But as long as traffic remains encapsulated inside GTP-U tunnels, the packet gateway may forward it internally without it ever reaching those inspection points. A firewall on SGi/N6 sees only what the gateway has decapsulated and sent outward. 

Under certain conditions, this behavior can create unexpected communication paths inside the network. 

This is the scenario explored in the recent research. 


Connected Devices, Compromised Network: The 5G Pivot Point Threat 

The research demonstrates how attackers could attempt to exploit this behavior using a compromised device connected to the network. 

In simplified terms, the attacker crafts traffic that appears legitimate to the network. The packet gateway validates identifiers such as the device IP address and the Tunnel Endpoint Identifier (TEID), and accepts the packet. 

However, the payload inside the tunnel may carry manipulated destination information that those outer checks never examine. 

If successful, traffic can be redirected toward unintended endpoints within the network infrastructure. 

From the network’s perspective, the traffic appears normal. In reality, it may be traveling through a path that the operator never intended. 

In environments with thousands of connected devices, this creates the potential for lateral movement between devices within the cellular network. 
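The following is an added example, not code from the article or from the cited research, that makes concrete both the inspection gap described in the previous section and the pivot scenario just outlined. It builds GTP-U packets in memory and applies the checks that an N3-side monitor or a UPF ingress filter can make before the gateway decapsulates and forwards: that the inner source address is the UE bound to the TEID, and that the inner destination points toward the SGi/N6 side rather than at core infrastructure or at another UE. The session table, the address ranges, the TEID and the sample packets are hypothetical values constructed for the demonstration; the header layouts follow 3GPP TS 29.281 (GTP-U) and RFC 791 (IPv4).

```python
"""GTP-U decapsulation and uplink policy check.

Added example, not from the article or the cited research. Header layouts follow
3GPP TS 29.281 (GTP-U) and RFC 791 (IPv4); addresses, TEIDs and the session table
are hypothetical values constructed for this demonstration.
"""
import ipaddress
import struct

GTPU_MSG_GPDU = 0xFF    # G-PDU: the GTP-U message type that carries a user packet (T-PDU)

# Hypothetical private-core addressing.
UE_POOL = ipaddress.ip_network("10.45.0.0/16")          # addresses handed to UEs
CORE_INFRA = ipaddress.ip_network("192.168.100.0/24")   # UPF/SMF/AMF and management hosts
# The binding a UPF holds per PDU session: uplink TEID -> UE address (assumed table).
SESSIONS = {0x0000A001: ipaddress.ip_address("10.45.0.17")}


def parse_gtpu(data: bytes):
    """Return (teid, message_type, payload) for one GTP-U packet, skipping the
    optional sequence/N-PDU/next-extension bytes and any extension-header chain."""
    if len(data) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError("unsupported GTP version")
    if not flags & 0x10:
        raise ValueError("PT=0 (GTP') is not GTP-U")
    off = 8
    if flags & 0x07:                # E, S or PN set: all four optional bytes are present
        if len(data) < 12:
            raise ValueError("truncated optional fields")
        next_ext = data[11]
        off = 12
        while next_ext != 0:        # extension header: length (in 4-octet units) ... next type
            ext_len = data[off] * 4
            if ext_len == 0 or off + ext_len > len(data):
                raise ValueError("bad extension header")
            next_ext = data[off + ext_len - 1]
            off += ext_len
    end = 8 + length                # length counts everything after the 8 mandatory bytes
    if end > len(data):
        raise ValueError("GTP-U length exceeds packet")
    return teid, msg_type, data[off:end]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, payload) of an IPv4 packet; honours IHL for options."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:total_len]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header, no options; checksum left zero since nothing here verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_gtpu(teid: int, inner: bytes, seq=None) -> bytes:
    """Wrap a user packet as a G-PDU; when seq is given, set the S flag and add the optional bytes."""
    opt = b"" if seq is None else struct.pack("!HBB", seq, 0, 0)
    flags = 0x30 | (0x02 if seq is not None else 0)      # version 1, PT=1, optional S bit
    return struct.pack("!BBHI", flags, GTPU_MSG_GPDU, len(opt) + len(inner), teid) + opt + inner


def inspect_uplink(gtpu_bytes: bytes):
    """Verdict for one uplink GTP-U packet as seen on N3 (or at UPF ingress).

    Assumed policy: the inner source must be the UE bound to the TEID, and the inner
    destination must lie on the SGi/N6 side, never in core infrastructure or the UE
    pool (the article's premise that devices do not talk to each other directly).
    """
    teid, msg_type, inner = parse_gtpu(gtpu_bytes)
    if msg_type != GTPU_MSG_GPDU:
        return "pass", f"GTP-U signalling type 0x{msg_type:02x}, no user data"
    bound_ue = SESSIONS.get(teid)
    if bound_ue is None:
        return "drop", f"unknown TEID 0x{teid:08x}"
    src, dst, proto, _ = parse_ipv4(inner)
    if src != bound_ue:
        return "drop", f"inner src {src} is not the UE {bound_ue} bound to this TEID"
    if dst in CORE_INFRA:
        return "drop", f"inner dst {dst} targets core infrastructure"
    if dst in UE_POOL:
        return "drop", f"inner dst {dst} is another UE (lateral movement)"
    return "pass", f"{src} -> {dst} proto {proto} toward SGi/N6"


# Constructed sample packets (not captures): one legitimate flow and three abuses.
LEGIT = build_gtpu(0x0000A001, build_ipv4("10.45.0.17", "203.0.113.10", 6, b"GET / HTTP/1.1\r\n"), seq=1)
PIVOT = build_gtpu(0x0000A001, build_ipv4("10.45.0.17", "192.168.100.5", 6, b"\x00" * 8))
SPOOF = build_gtpu(0x0000A001, build_ipv4("10.45.0.99", "203.0.113.10", 17, b""))
LATERAL = build_gtpu(0x0000A001, build_ipv4("10.45.0.17", "10.45.0.23", 1, b""))

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("pivot", PIVOT), ("spoof", SPOOF), ("lateral", LATERAL)):
        print(f"{name:8s} {' '.join(inspect_uplink(pkt))}")
```

Run it directly to get one verdict per constructed packet. The design point is where the check has to live: a firewall on SGi/N6 only ever sees packets the gateway has already decapsulated and chosen to send outward, so the TEID-to-UE binding and the inner destination have to be checked on the encapsulated side of the gateway, where the tunnel header and the inner packet are both still visible.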


The Window for Getting This Right Is Closing 

A few years ago, this type of discussion would have been largely academic. 

Today it is not. 

Enterprises are no longer experimenting with private cellular networks. They are deploying them at scale to support operational technology and mission-critical systems. 

Utilities are connecting grid infrastructure.
Ports are automating cranes and vehicles.
Industrial sites are running production systems over cellular connectivity. 

In these environments, a compromised device is not just an IT concern. It can affect physical operations. 

The research does not suggest that cellular networks are inherently insecure. However, it highlights an important shift in thinking. 

As deployments scale, security assumptions that were reasonable for small networks may not hold for large ones. 


The Observability Gap Baked Into 5G Architecture 

In my experience working with enterprise cellular deployments, one of the biggest challenges organizations face is visibility. 

Most teams know which SIMs are active on their network. Far fewer know which physical devices those SIMs are connected to or how those devices behave on the network. 

As deployments expand, this gap becomes harder to manage. 

When networks support hundreds or thousands of devices across multiple sites, understanding device behavior becomes essential. 

Security teams need to answer basic questions: 

  • What devices are connected to the network? 
  • Which SIM belongs to which device? 
  • How are those devices communicating? 
  • Are they behaving as expected? 

Without this context, detecting compromised devices becomes significantly more difficult. 


The Core Is Not Enough: Why Device-Level Visibility Defines Security in Critical Cellular Infrastructure  

Private LTE and 5G networks are rapidly evolving into critical infrastructure for modern enterprises. 

As these networks scale, the industry will need to rethink how cellular security is approached. Protecting the network core alone is not enough. 

The real challenge is understanding what is happening at the device level. 

In large-scale cellular environments, the devices themselves often determine the security posture of the entire network. 

The better we understand those devices and how they communicate, the better we can secure the networks that increasingly power our critical systems. 
