
Technical Description of 5G Infrastructure

5G involves an advanced “air interface” and far more sophisticated internal core network capabilities than previous generations of mobile network technologies.

  • 1G — Analog voice.
  • 2G — Analog voice and text.
  • 3G — Mobile broadband — analog voice and digital data.
  • 4G — Licensed and unlicensed spectrum integration using various air interfaces, now primarily Long-Term Evolution (LTE). All-digital (after a transition period) for both voice and data.
  • 5G — All digital and all Internet Protocol based (including voice). Faster broadband, uses an advanced air interface that more efficiently uses spectral resources and offers advanced core network-based features and functions.

5G technology incorporates a set of cellular network “standards” developed by industry bodies, primarily the 3rd Generation Partnership Project (3GPP) in cooperation with other standards organizations such as the Internet Engineering Task Force (IETF), the Institute of Electrical and Electronics Engineers (IEEE) and the International Telecommunication Union (ITU). The most significant advancement from 4G (for the most part Long Term Evolution, or LTE, although there were other 4G air interfaces) to 5G is reduced “latency,” the time delay between a resource request and resource delivery. Latency is a function of time, distance and the speed of light.

The primary focus on latency is because many applications like gaming, Augmented Reality (AR), Virtual Reality (VR), vehicle applications, stock trading or industrial automation are very time-sensitive: they require the lowest possible delay between request and response. Latency is typically measured in milliseconds. A secondary, but also important, goal was to increase bandwidth, the amount of information that can be delivered over a given period, for example per second. The third primary goal was to increase network capacity, the ability to handle and manage far more information transfer given exponentially increasing usage demand.

The focus on latency in particular required network core enhancements. All information takes a path between at least two endpoints, but it always traverses the provider’s network, at least in part, on its way from, or to, the user equipment (UE). Core network performance improvement can therefore also significantly reduce latency. Finally, businesses and other organizations also want their own customized services. Core enhancements within 5G now support “network slicing,” individualized logical network function “slices” that are optimized for specific use cases, for example where a user wants even lower latency, or is more concerned with efficiently attaching huge numbers of Internet of Things (IoT) devices and does not need “voice.”

5G is therefore a complete network solution. The network architecture much resembles that for LTE but the nomenclature, placement and capabilities for core functions or operations have significantly evolved. The 5G core network, which enables the advanced functionality of 5G networks, is one of three primary components of the 5G System (5GS). The other two components are the 5G Access network (5G-AN) and User Equipment (UE). The 5G core uses a distributed cloud-aligned service-based architecture (SBA) to support authentication, security, session management and aggregation of traffic from connected devices, all of which require the complex interconnection of network functions, as shown in the 5G core diagram.

The components of the 5G core architecture include:

  • User plane function (UPF)
  • Data network (DN), e.g., operator services, Internet access or third party services
  • Core Access and Mobility Management Function (AMF)
  • Authentication Server Function (AUSF)
  • Session Management Function (SMF)
  • Network Slice Selection Function (NSSF)
  • Network Exposure Function (NEF)
  • NF Repository Function (NRF)
  • Policy Control function (PCF)
  • Unified Data Management (UDM)
  • Application Function (AF)

The 5G network architecture diagram below illustrates how these components are associated.

5G was designed from the ground up, and network functions are split up by service. That is why this architecture is also called 5G core Service-Based Architecture (SBA). The following 5G network topology diagram shows the key components of a 5G core network:

[Figure: 5G Architecture Diagram]

A different diagram shows more of the functions 5G now uses, often employing cloud systems accessed through a Session Border Controller (SBC):

[Figure: 5G Architecture Using Session Border Control]

Yet another slightly different look reveals additional details, principally those related to billing:

[Figure: 5G Architecture Showing User Plane and Control Plane]

The entire network works like this:

  • User Equipment (UE) like 5G smartphones or 5G cellular devices connect over the 5G Radio Access Network to the 5G core and further to Data Networks (DN), like the Internet.
  • The Access and Mobility Management Function (AMF) acts as a single-entry point for the UE connection.
  • Based on the service requested by the UE, the AMF selects the respective Session Management Function (SMF) for managing the user session.
  • The User Plane Function (UPF) transports the IP data traffic (user plane) between the User Equipment (UE) and the external networks.
  • The Authentication Server Function (AUSF) allows the AMF to authenticate the UE and access services of the 5G core.
  • Other functions like the Session Management Function (SMF), the Policy Control Function (PCF), the Application Function (AF) and the Unified Data Management (UDM) function provide the policy control framework, applying policy decisions and accessing subscription information, to govern the network behavior.
  • The IP Multimedia Subsystem (IMS) is used for many purposes, but one primary function is to facilitate voice, messaging and other related services supported by the 5G version of the Session Initiation Protocol (SIP). IMS interoperates with the Media Gateway (IMS-MGW) used to exchange Signaling System 7 (SS7) and bearer communications with the landline circuit-switched network.
  • The Charging Function (CHF) on the network side allows for billing. CHF includes Access Gateway Function (AGF), Charging Data Function (CDF) and Charging Gateway Function (CGF). AGF resides between the wireline access infrastructure and wireless core network and allows connectivity to the 5G Core. CDF is an entity within the IP Multimedia Subsystem (IMS) billing architecture responsible for collating accounting requests from IMS CTF (Charging Trigger Functions) such as Call Session Control Functions (CSCF) and Application Servers (AS). Charging Gateway Function (CGF) is part of the mobile service provider’s billing domain, designed to translate Call Detail Records (CDRs) generated by the network into a format suitable for the billing system.
  • CHF supports the online charging, offline charging and convergent charging models, which enable 5G business models such as slice charging. The CDF collects billing messages, generates the corresponding CDRs and sends them to the CGF, which processes the CDRs and generates bill files for the Business and Operational Support System (BOSS) to collect through the file interface. CHF also forwards billing request messages sent by the SMF to the BOSS and forwards BOSS responses back to the Session Management Function (SMF). SMF is primarily responsible for interacting with the decoupled data plane, creating, updating and removing Protocol Data Unit (PDU) sessions and managing session context with the User Plane Function (UPF).

An “air interface” is the technology used to obtain radio transmission between devices and a base station in a Radio Access Network (RAN). The air interface defines the frequency, channel bandwidth, modulation scheme and other configurations necessary to provide the “physical link” between the device and the larger network. “5G” is the latest “generation” (although work has already begun on 6G). 5G employs an optimized orthogonal frequency-division multiplexing (OFDM)-based family of waveforms and multiple access techniques, as well as a common, flexible framework that enables efficient multiplexing of various services. The OFDM family can efficiently coexist with other waveforms and multiple access schemes in the same framework, such as Resource-Spread Multiple Access (RSMA) for connecting IoT devices, or Sparse Code Multiple Access (SCMA), a variation of Code Division Multiple Access (CDMA), for other machine-to-machine communications. 5G may use one multiplexing method for uplink and another for downlink in order to maximize efficiency and minimize latency, or vary the method based on specific user needs, network resource requirements or other considerations.

5G Infrastructure and Privacy, Cybersecurity and Liberty

The following discussion builds on the technical discussion in “What is 5G?” and employs the same nomenclature. We recommend you read that first.

The entire communications infrastructure, from bottom to top, has been exquisitely designed to identify, locate and track users then capture and store virtually all user-related information while it is in motion (transit) and when it is at rest (stored). Indeed, it is already prepared for the next level: full control over virtually every aspect of our lives.

The infrastructure is configured, at the dirt layer, all the way through each of the seven Open Systems Interconnection (OSI) abstraction layers (or, if you prefer, the four TCP/IP model layers), and then the applications and devices that users employ, to facilitate locating and identifying people and then collecting their information for various purposes, including control. It is not just the Internet or even 5G. It is the entire infrastructure.

Let’s start at the very bottom, at and even below the OSI “physical layer” that represents physical components like power plugs, connectors, receivers and cable types. There are techniques that use RF, the basic frequencies used to support a carrier wave, to discern presence. The subject does not need to be connected, or even to have any kind of electronic device. The RF itself can be used to “see” you through a wall, by observing a living body’s blocking or attenuation of the RF field in all three dimensions. These techniques can follow you around inside your home through imaging, regardless of whether you have a device on you.

Once you are connected, the technology starts its identification and tracking. For the most part, what this is about is how your device interacts with the network and then the information residing in the device. We call your device “UE” for short. Each UE will have one or more unique identifiers. Your cell phone has an IMSI (International Mobile Subscriber Identity). Your Ethernet, Wi-Fi, Bluetooth and other interfaces like NFC will each have a MAC address (Media Access Control). Your computer has a device ID. If there are multiple authenticated users on a single device each will have a username. All this can be put together and discerned from the outside. The device becomes your proxy and in many ways, it is, effectively, you.

Information gleaned from a device’s interaction with the communications network at each layer can be used to infer many things about what a user is doing and where the user is. All of it is captured, stored and used for many purposes — by businesses for marketing and other purposes, by the government for surveillance and others for malicious purposes like identity theft and blackmail. Your “permissions” regarding how you interact with the network of networks are all subject to the provider — and therefore also government — control. They can “cancel” you — effectively render you a digital non-person, with the flip of a few switches that are already embedded in the current network.

The 5G network standards were assembled so providers could deliver a large menu of advanced features, functions and capabilities, with minimum latency, high speeds and improved network security. But by necessity the standards also had to track and log each “transaction” intensively, because the industry wanted to be able to implement fine-grained, per-transaction charging to users if the market allowed. Service delivery also entails interconnection, interoperation and traffic exchange with other service providers so that, for example, an AT&T wireless user can talk to Verizon customers, send and receive SMS and MMS messages to/from T-Mobile customers and, of course, use the Internet to communicate with billions of other endpoints. The industry has always maintained various forms of inter-provider compensation arrangements for the necessary network-to-network interconnection and traffic exchange.

Thus, the “5G” network core also has “functions” associated with the ability to ultimately bill users and other providers, and this, in turn, means there must be robust data-capture capability to feed the billing system. Data capture requires logging each transaction, and some of that can only be accomplished by looking at more than just IP headers. In order to truly engage in fine-grained billing the network must also be able to “see” (and sometimes even record) some, if not all, of the actual content.

Deep Packet Inspection (DPI) is a network-level appliance that captures traffic on ingress and egress. It examines packet header information and payload (content). It can identify the content and/or application being used, and the network operator can then give handling instructions based on the ascertained content and/or application. The network then invokes IP Multimedia Subsystem (IMS) functions. IMS can allow the provider to grant access and use permissions, assign prioritization and deliver targeted advertising or messages. The network operator can filter or block “unacceptable” content or uses and allocate or deny resources (e.g., bandwidth priority or communications through other networks) based on these and other provider-selected criteria. 5G extensively uses these tools.

The User Plane Function (UPF) maps to the Unified Data Management (UDM) and Policy Control Function (PCF), which can then invoke processes within the Access and Mobility Management Function (AMF) and even the Authentication Server Function (AUSF). These, in turn, allow, disallow or otherwise control what the user can do, including the network resources that are made available to the user. This also supplements the ability to identify billing events. User activity is logged and stored for later access by the billing system.

Content discernment is not new. IMS was conceived in 1998 and deployed around 2005, to support mobile data services. SMS has been publicly available since 1993 for GSM-based handsets and quickly became interoperable with the other air interfaces like CDMA. SMS texting leveraged earlier SMS gateways that were used for network notifications like a new voice mail or a billing alert.

SMS originally relied (and to some extent still does rely) on an application-layer mobile-related part (Mobile Application Part, or MAP) in the Signaling System 7 (SS7) call control system that prevailed at the time for basic wired or wireless telephony. SS7 is a rudimentary packet network not based on the Internet Protocol. It transmits “in the clear” (i.e., it is not encrypted). The primary security on the SS7 network is that it is a closed system: only telecom operators are supposed to have access to it. End users and most hackers cannot access the system as a whole. Unfortunately, telecom providers operating as bad actors, governmental agencies and even many private parties figured out how to obtain relatively unrestricted access to all the information available in the SS7 network. SIGTRAN was introduced in the early 2000s so messages and commands could be passed through IP networks. This introduced significant vulnerability. See Cybersecurity, below.

Several SS7 parts (including but not limited to the ISDN User Part (ISUP) and the Transaction Capabilities Application Part (TCAP)) included data fields of up to 128 bytes. The system was later improved to 160 seven-bit characters, and this is what allowed (and imposed the original length limit for) SMS messages. SMS (and now MMS) can now be handled outside the SS7 network, in higher network layers, for networks that do not exclusively rely on SS7 for call/session control. That is why larger SMS messages can be sent and received: the system uses message concatenation to split a long message into segments, and each end then reassembles them. Twitter originally adopted a 140-character limit only because it wanted to mimic SMS, but now up to 280 characters are allowed. But that is a marketing and business choice. There is actually no significant technical reason for this cap.

What few realize is that SS7 MAP transactions — the headers, transactional metadata and content — are stored with all other SS7-related transactions since they were part of the signaling. So every text message was available to the network operators involved in the process. Indeed, as explained further below, the U.S. government has for many years had indirect access to the SS7 network and was therefore able to intercept SMS, listen to calls and track location without the subscriber’s knowledge. Using other tools the government can also identify all IP endpoints the user has contact with, and it can capture and store the transactional information (“metadata”), and often even the content of the communication. It can “see” your emails if they are not encrypted. It can, if it wants, sometimes even get inside your mobile device and access the information stored in it, often even if it is encrypted while at rest.

5G closes the final loop. No person can ever completely avoid surveillance, tracking and privacy invasions if and to the extent they are “connected” to any network in any way. You can hide only if you fully dispense with all communications network devices. But even then they can still often find you if they want to expend more effort and expend the required resources.

Cybersecurity

The 5G network has improved security from unwanted outside actors. The network now uses encryption for more, but still not all, operations. The networks use the Authentication and Key Management (AKA) procedure to require mutual authentication between the user device (UE) and the network and to derive crypto keys that protect the User Plane and Control Plane data. Specifically, 5G employs a Service Based Architecture for the core network to support a unified authentication framework using:

  • 5G-AKA: 5G-Authentication and Key Management.
  • EAP-AKA: Extensible Authentication Protocol – Authentication and Key Management.
  • EAP-TLS: Extensible Authentication Protocol – Transport Layer Security.

These AKA procedures allow integration of the following functions:

  • Access and Mobility Management Function (AMF): receives all connection and session-related information from the User Equipment (UE) (N1/N2) but is responsible only for handling connection and mobility management tasks.
  • Security Anchor Function (SEAF): resides within the serving network (closely coupled with the AMF) and acts as the “middleman” during the authentication process between a UE and its home network. It can reject an authentication from the UE, but it relies on the UE’s home network to accept the authentication.
  • Authentication Server Function (AUSF): resides within the home network and performs authentication with a UE. It makes the decision on UE authentication, but it relies on the backend for computing the authentication data and keys when 5G-AKA or EAP-AKA is used.
  • Unified data management (UDM): similar to HSS/HLR entity and hosts functions related to data management, such as the Authentication Credential Repository and Processing Function (ARPF), which selects an authentication method based on subscriber identity and configured policy and computes the authentication data and Keys for the AUSF whenever required.
  • Subscription Identifier De-concealing Function (SIDF): This function decrypts a SUCI to obtain its long-term identity, known as the SUPI, e.g., the International Mobile Subscriber Identity (IMSI). This is a 15-digit number that identifies the carrier your phone is using. Each IMSI is a unique code. It is securely stored and sent by your device to your network in order to identify you. The subscriber identity is always transmitted over the radio interfaces in an encrypted form. More specifically, public key-based encryption is used to protect the SUPI. Only the SIDF has access to the private key associated with the public key distributed to UEs for encrypting their SUPIs.
  • Non-3GPP Interworking Function (N3IWF): N3IWF is a newly introduced entity that acts as a VPN server to allow the UE to access the 5G core over untrusted, non-3GPP networks through IPsec tunnels. There can be multiple security contexts established with one authentication execution, allowing the UE to move from a 3GPP access network to a non-3GPP network without having to be re-authenticated.
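The primary authentication exchange these functions carry out, as an added example (this is not code from the page or from any 3GPP implementation): the UE conceals its SUPI into a SUCI under the home network public key, the SIDF de-conceals it, the ARPF derives the authentication vector, the SEAF can only check the hashed expected response (HXRES*), and the AUSF makes the final accept/reject decision. A toy Diffie-Hellman group and HMAC-SHA256 stand in for the ECIES profiles, MILENAGE and the 5G KDF; the serving network name, subscriber key and identity values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy stand-ins for the 3GPP primitives (constructed for this example):
# a Diffie-Hellman group in place of the ECIES curve profiles, and an
# HMAC-SHA256 PRF in place of MILENAGE f1..f5 and the 5G KDF.
P = 2 ** 127 - 1      # Mersenne prime used as the toy group modulus
G = 3                 # toy generator
SN_NAME = b"5G:mnc015.mcc310.3gppnetwork.org"   # serving network name (example value)


def prf(label, key, *parts):
    return hmac.new(key, label.encode() + b"".join(parts), hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def i2b(n):
    return n.to_bytes(16, "big")


# --- SUCI: the UE conceals the SUPI under the home network public key ---
def sidf_keypair():
    sk = secrets.randbelow(P - 2) + 2
    return sk, pow(G, sk, P)


def conceal_supi(mcc, mnc, msin, hn_pub):
    """UE side. MCC/MNC stay in clear for routing; only the MSIN is encrypted
    under a fresh ephemeral key, so two SUCIs for one SUPI look unrelated."""
    eph = secrets.randbelow(P - 2) + 2
    eph_pub = pow(G, eph, P)
    k = prf("ecies", i2b(pow(hn_pub, eph, P)), i2b(eph_pub))
    ct = xor(msin.encode(), k[:16])            # keystream from the shared secret
    return {"mcc": mcc, "mnc": mnc, "eph_pub": eph_pub, "ct": ct,
            "tag": prf("tag", k[16:], ct)[:8]}


def deconceal_suci(suci, hn_priv):
    """SIDF side (inside UDM): the only holder of the private key recovers the SUPI."""
    k = prf("ecies", i2b(pow(suci["eph_pub"], hn_priv, P)), i2b(suci["eph_pub"]))
    if not hmac.compare_digest(prf("tag", k[16:], suci["ct"])[:8], suci["tag"]):
        raise ValueError("SUCI integrity check failed")
    return suci["mcc"] + suci["mnc"] + xor(suci["ct"], k[:16]).decode()


# --- 5G-AKA: ARPF builds the vector, SEAF checks HXRES*, AUSF checks RES* ---
def arpf_vector(k, sqn, rand):
    mac = prf("f1", k, sqn, rand)[:8]
    xres = prf("f2", k, rand)[:8]
    ak = prf("f5", k, rand)[:6]
    ck_ik = prf("f3f4", k, rand)
    return {"rand": rand, "autn": xor(sqn, ak) + mac,
            "xres_star": prf("res", ck_ik, SN_NAME, rand, xres)[:16],
            "k_ausf": prf("kausf", ck_ik, SN_NAME, xor(sqn, ak))}


def ue_response(k, rand, autn, last_sqn):
    """UE side: authenticate the network first (MAC and SQN), then answer."""
    ak = prf("f5", k, rand)[:6]
    sqn = xor(autn[:6], ak)
    if not hmac.compare_digest(autn[6:], prf("f1", k, sqn, rand)[:8]):
        return None, "MAC failure"                  # challenge not from our home network
    if sqn <= last_sqn:
        return None, "synchronisation failure"      # replayed or stale challenge
    res = prf("f2", k, rand)[:8]
    return prf("res", prf("f3f4", k, rand), SN_NAME, rand, res)[:16], sqn


def run_5g_aka(subscriber_db, hn_priv, suci, ue_key, ue_last_sqn):
    """Drive one registration and report what each network role concluded."""
    supi = deconceal_suci(suci, hn_priv)                 # SIDF
    k, sqn = subscriber_db[supi]
    av = arpf_vector(k, sqn, secrets.token_bytes(16))    # ARPF
    # AUSF keeps XRES*; the SEAF in the serving network only receives HXRES*
    hxres_star = hashlib.sha256(av["rand"] + av["xres_star"]).digest()[:16]
    res_star, note = ue_response(ue_key, av["rand"], av["autn"], ue_last_sqn)
    if res_star is None:
        return {"supi": supi, "seaf": "rejected", "ausf": "not consulted", "why": note}
    if hashlib.sha256(av["rand"] + res_star).digest()[:16] != hxres_star:
        return {"supi": supi, "seaf": "rejected", "ausf": "not consulted",
                "why": "HXRES* mismatch"}
    accepted = hmac.compare_digest(res_star, av["xres_star"])   # the AUSF has the final say
    return {"supi": supi, "seaf": "forwarded",
            "ausf": "accepted" if accepted else "rejected",
            "k_seaf": prf("kseaf", av["k_ausf"], SN_NAME) if accepted else None}
```

The SEAF never sees XRES*, which is why it can reject a UE on its own but cannot accept one without the home network, exactly the division of roles the list above describes.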

Despite all these efforts, researchers have already identified quite a few security vulnerabilities, and this will likely continue. But even if it were possible to completely lock down the network from hostile outside attack, the network providers, and the government, which has full access and for all practical purposes is on equal footing with the provider, will always still be able to track each person, log and store all the “about” information for each transaction the user undertakes and also obtain full access to the content of each communication. Even end-to-end encryption does no good if the government or service provider has access to and control of one of the endpoints, thereby “seeing” the decrypted information.

Privacy

  • Autonomy privacy is an individual’s ability to conduct activities without concern about, or actual, observation (i.e., surveillance), and without actual control over whether they can engage in those activities without constraint. (See Liberty section.)
  • Information security is the protection of information resources from unauthorized access, which could compromise their confidentiality, integrity and availability. This includes, but is not limited to, networks, hardware, software and information (some of which is confidential). (See Cybersecurity section.)
  • Information privacy is the intersection of autonomy, privacy and information security — it is the appropriate protection, use and dissemination of information about individuals.

We have already touched on threats to information security and information privacy.

Tracking and spying through various forms of wiretapping may seem like a specialization of intelligence agencies only, being a quite complicated and expensive process. But it can actually be trivial to the government and many others. If the government or anyone else with malicious or monetary intent knows your International Mobile Subscriber Identity (IMSI) number, an authenticator assigned to every mobile subscriber that carries the country code, operator code and inner unique SIM-card code, they can find you, track you and often obtain communications related metadata and even your content.

In 2013 former CIA employee and computer professional Edward Snowden revealed information about the National Security Agency and a specific program they used based on SS7. The program allows them to track any telephone subscriber all over the world. And, of course, the government actively uses this program without the consent of the users. Snowden explained the result of his discovery by saying that he didn’t want to live in a world where everything he was doing and saying was being wiretapped.

Three years later, in 2016, this vulnerability was successfully used for the experimental wiretapping of an American congressman. German researcher Karsten Nohl, knowing only the phone number of Representative Ted Lieu, hacked his phone and listened to the conversation with a journalist. Even after all this information was made public not much has changed within SS7. The transition to 5G significantly reduces SS7 involvement since it is now only necessary when one end is on the old landline network, or accessible only through it.

The problem, however, is that the government also has direct access to each major provider’s 5G cloud resources and physical connections to some 5G network cores that can and do make a copy of all information associated with every transaction. It is possible to access your microphone or camera. Alexa, Google Assistant and Cortana are always awaiting a prompt to go into action, and are therefore listening to everything. That too is stored, analyzed and used for different purposes.

Many think they can escape man-in-the-middle surveillance by using a Virtual Private Network (VPN). But VPNs do not completely obscure identity, location or use. Network information outside the VPN can still be used to infer what applications are being used inside an encrypted tunnel merely by observing data flows. For example, video has a fairly easily discernible data flow. Some can also tell whether the application is using the Transmission Control Protocol (TCP) or something like the Real-time Transport Protocol (RTP) at the transport layer, and that allows inferences as well. A network can also easily deny permission to set up a VPN session by preventing completion of STARTTLS, or it can simply tear down the session and put user information back in the clear.
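An added example (not from the page) of the kind of inference just described: a heuristic classifier over constructed per-packet records (direction, size, time) of the sort an observer sees outside an encrypted tunnel. It separates an RTP-like voice flow from segmented video streaming, and includes a constant-rate padded flow to show what blunts the heuristic. The flow generators, thresholds and labels are constructed for illustration only.

```python
from statistics import mean, pstdev

# Flow records are constructed for this example: (direction, size_bytes, time_ms).
# An observer outside the tunnel sees only these three things per packet.


def make_voice(seconds=10):
    """RTP-like: small, fixed-size packets every 20 ms in each direction."""
    pkts = []
    for t in range(0, seconds * 1000, 20):
        pkts += [("up", 214, t), ("down", 214, t + 10)]
    return pkts


def make_video(seconds=10):
    """Segmented streaming: a tiny request, a burst of full-size downstream
    packets, then roughly two seconds of silence while the buffer drains."""
    pkts = []
    for t in range(0, seconds * 1000, 2000):
        pkts.append(("up", 80, t))
        pkts += [("down", 1400, t + i) for i in range(1, 61)]
    return pkts


def pad_constant_rate(seconds=10):
    """Cover traffic: fixed-size packets at a fixed rate in both directions,
    the kind of shaping needed to blunt this inference."""
    pkts = []
    for t in range(0, seconds * 1000, 10):
        pkts += [("up", 1400, t), ("down", 1400, t + 5)]
    return pkts


def flow_features(pkts):
    """Summarise a flow using only what is visible outside the tunnel."""
    pkts = sorted(pkts, key=lambda p: p[2])
    sizes = [s for _, s, _ in pkts]
    down = sum(s for d, s, _ in pkts if d == "down")
    gaps = [b[2] - a[2] for a, b in zip(pkts, pkts[1:])]
    return {
        "down_ratio": down / sum(sizes),
        "mean_size": mean(sizes),
        "size_cv": pstdev(sizes) / mean(sizes),   # size variability
        "gap_cv": pstdev(gaps) / mean(gaps),      # timing burstiness
    }


def classify(ft):
    """Hand-written rules standing in for the classifiers DPI products ship."""
    if ft["size_cv"] < 0.05 and ft["gap_cv"] < 0.05 and ft["mean_size"] >= 1000:
        return "indeterminate: fixed-size constant-rate stream"
    if ft["gap_cv"] < 0.3 and ft["mean_size"] < 400 and 0.35 < ft["down_ratio"] < 0.65:
        return "voice/interactive"
    if ft["down_ratio"] > 0.9 and ft["mean_size"] > 1000 and ft["gap_cv"] > 1.0:
        return "video streaming"
    return "unknown"
```

Padding to a fixed size and rate costs bandwidth, which is why most VPN services do not do it and why the application type remains inferable from the tunnel's outside.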

VPNs are useful because they make man-in-the-middle observation more difficult, but a VPN only “protects” information while in transit, and only up to your VPN provider’s ingress/egress router. It is in the clear the rest of the way unless you have a means to use end-to-end encryption in cooperation with the other user or device. Nor do VPNs protect your information at rest — inside your device or residing in a server or device on the other end. To protect that data you must employ device storage encryption. But this too has limits. If an intruder has direct access inside your device — where the information is unencrypted when being used by some client application or the device decryption key is stored and can be discovered — they can see that information too even if you have employed device storage encryption.

It is now virtually impossible to truly hide where UEs like a smartphone, tablet or personal computer are located. This can be discerned at several layers, including the wireless network node location and often the UE itself through Cell Site Location tools, and in what the UE communicates to the network server at higher layers. If you have an Android handset or tablet, Google can pull your GPS anytime it wants, even if you have tried really hard to deny permissions. If you do not use a VPN, your IP address gives an indication of location and network provider. Even with a VPN, your network-provider-assigned IP address (as well as your device’s subnet-assigned IP address if you have a home gateway) can be discerned.

5G and 6G are even more intrusive. They have more capabilities, but most importantly they will support many more devices that can be associated with you and the radios will be much closer so they will be able to get an even more fine-grained profile.

These are only a couple of ways our communications network infrastructure has been set up to obtain a complete surveillance state that can indeed find anyone anywhere, including those hiding in an attic. It’s not just 5G — it is all things wireless — using information gleaned from how the RF energy works at the physical layer, the capabilities inside any modern network core and at the network layer and then what happens at and just below the application layer.

Nor is it just wireless. Your cable company and all those who “touch” your communications, whether using a wireless or wired node, can be, and already are, tools used to track you. They use this information to monetize your data, and it is shared with other private parties. They do share it with the government in many ways, usually without a warrant. The government is also directly connected to many network nodes through splitters and gets a complete copy. They can directly access your device and read the data at rest. Simply put, everything digital that is connected to any network is subject to appropriation.

Don’t think the 4th Amendment will save you. This surveillance is ongoing and all the information is stored in some vast data center, perhaps several. “They” can get to it any time they want. A warrant or subpoena is often just how they paper it all up if and when there may be civil or criminal litigation. But they already have it, perhaps in several forms. And they have no meaningful constraints on use as a practical matter.

Liberty

The term “liberty” appears in the due process clauses of both the Fifth and Fourteenth Amendments of the U.S. Constitution. As used therein, liberty means freedom from arbitrary and unreasonable restraint upon an individual. Freedom from restraint refers to more than just physical restraint; it also means the freedom to act according to one’s own will. On numerous occasions, the Supreme Court has sought to explain what liberty means and what it encompasses. For example:

  • The Supreme Court in Meyer v. Nebraska stated “[liberty] denotes not merely freedom from bodily restraint but also the right of the individual to contract, to engage in any of the common occupations of life, to acquire useful knowledge, to marry, establish a home and bring up children, to worship God according to the dictates of his own conscience, and generally to enjoy those privileges long recognized at common law as essential to the orderly pursuit of happiness by free men.”
  • In Bolling v. Sharpe, the Supreme Court stated “[liberty] is not confined to mere freedom from bodily restraint. Liberty under law extends to the full range of conduct which the individual is free to pursue, and it cannot be restricted except for a proper governmental objective.”
  • In Ingraham v. Wright, the Supreme Court stated liberty includes “freedom from bodily restraint and punishment” and “a right to be free from and to obtain judicial relief, for unjustified intrusions on personal security.”

Liberty is a slightly different expression for what privacy advocates call autonomy privacy.
