• 5g
• Core Network
• Framework
• SCAS

5G networks bring advanced capabilities but also new security challenges that demand robust testing. To address this, 3GPP defined the Security Assurance Methodology (SECAM) and Security Assurance Specifications (SCAS) for verifying 5G Core security. This thesis introduces SCAScan-5G, an open-source, Python-based framework designed to automate selected SCAS test cases and assess the security of open-source 5G Core implementations like Free5GC, OpenAirInterface, and Open5GS. SCAScan-5G uses containerized network functions, a custom SCTP proxy for traffic manipulation, and a controller for orchestrating tests. Though not formally accredited, SCAScan-5G can integrate into CI/CD pipelines, supporting early detection of vulnerabilities and promoting secure development practices.
Testing showed Open5GS as the most robust, passing all implemented tests, while Free5GC and OpenAirInterface exhibited significant flaws. OpenAirInterface was vulnerable to NAS replay attacks. Both Free5GC and OpenAirInterface mishandled invalid UE security capabilities, risking connections without proper encryption or integrity. Free5GC further failed to properly align NAS and NGAP security contexts. Finally, both Free5GC and OpenAirInterface used predictable, incremental 5G-TMSI allocation, weakening user privacy. Future work aims to expand test coverage, adopt plugins for flexibility, and foster a community-driven evolution toward standardized 5G security assurance.