TELCOBREAK
Workshop · DEF CON 34

Stage Walkthrough

Crawl — 2G Attack Surface

Enumerate the three classic 2G weaknesses while passively observing a real attach: cleartext IMSI, no network authentication, weak/optional ciphering.
Scene 1.1 · Passive sniff of an attach
You're a passive listener near the cell. Capture the attach and pull the identity.
sniff air
attach --net 2g
decode last
310260555000111
Scene 1.2 · Observe ciphering negotiation
Find out how this call will be protected over the air.
auth show
decode cipher
A5/0 (NULL cipher)
Even when A5/1 is used, the network chooses and the MS can't insist — the subscriber has no leverage.
Scene 1.3 · Confirm one-way auth
Check whether the handset ever verifies the network.
auth verify-network

Walk — Downgrade & Interception

Chain the weaknesses into a real attack: force a modern device down to 2G, then intercept its identity and traffic.
Scene 2.1 · Establish the modern baseline
Confirm the target is on a secure network before you touch it.
attach --net 5g
Scene 2.2 · Force the downgrade
Deny the higher-generation cells so the device falls back.
cell rogue --suppress 5g,4g --advertise 2g
RAT=2G (downgrade succeeded)
--suppress is a teaching abstraction. Actual downgrade attacks are subtler and gradual than a one-command suppression; we compress the mechanics here for clarity.
Scene 2.3 · Intercept on the degraded link
Now that it's on 2G with null cipher, recover the identity and confirm interception.
sniff air
decode last
310260555000111 — same subscriber. Unrecoverable in 2.1, recoverable now purely due to the downgrade.
The device was perfectly secure seconds earlier. The vulnerability was the willingness to fall back without protection.

Run — 5G Mitigations & Mapping

Replay each earlier attack against 5G and watch it fail; produce the mitigation map.
Scene 3.1 · Replay the cleartext-IMSI capture → fails
Try the Stage-1 identity sniff against 5G.
sniff air
attach --net 5g
decode last
Scene 3.2 · Replay the null-cipher check → fails
Try to negotiate no encryption.
decode cipher
Scene 3.3 · Replay the downgrade → blocked
Run the Stage-2 downgrade again.
cell rogue --suppress 5g,4g --advertise 2g
Scene 3.4 · Produce the mitigation map
Summarize what defeated each attack. Submit the mapping.
submit map
SUCI+NEA+AKA (reasonable equivalents accepted)
Every 2G weakness has a named, specific 5G countermeasure — the point of the whole workshop.

Animated Protocol View

Idle
RAT: —

Teaching CLI

Type help
Flags: none yet
$

Attack → Mitigation

0 / 3 mitigated
Cleartext IMSI capture
Permanent identity sent unprotected on the Um interface.
→ SUCI / ECIES concealment
No network authentication
Handset can't verify the network — any rogue is trusted.
→ Mutual 5G-AKA (AUTN)
Weak / optional ciphering
A5/0 (null cipher) negotiable; subscriber has no leverage.
→ Mandatory NEA/NIA ciphering + integrity
Bid-down to 2G
Modern device falls back to insecure RAT under attacker pressure.
→ Bidding-down protection (in 5G-AKA)
Workshop Complete

Ready to attack a live 5G network?

You've seen the attack surface. Now put it to work. The TelcoBreak CTF runs 8 challenges on a real Open5GS 5G Standalone network — each one teaching something a carrier actually has to defend.

Register for CTF → Back to Learn