When Connectivity Is Not Enough: Cross-Layer Attacks on UAV C2 over 5G

TL;DR

This paper demonstrates that connectivity indicators like registration and IP reachability are insufficient for UAV C2 security over 5G, as cross-layer attacks can cause unsafe control failures despite seemingly valid connections.

Contribution

It introduces three threat models showing how 5G-based UAV command and control can be compromised through cross-layer attacks, with experimental validation and discussion of mitigations.

Findings

Attacks cause stale telemetry and delay under User Plane contention.

Handover failures lead to loss of control during Control Plane instability.

Command rewriting enables navigation hijacking at a compromised gNodeB.

Abstract

Beyond Visual Line of Sight (BVLOS) unmanned aerial vehicle (UAV) operations increasingly use 5G standalone (SA) networks for command and control (C2) between the UAV and the ground control station (GCS). The 3rd Generation Partnership Project (3GPP) has specified mechanisms for authentication and authorization of unmanned aircraft systems (UAS) in this architectural setting. As a result, operators may treat registration state, Protocol Data Unit (PDU) session status, and IP reachability as evidence that the C2 path is available. In practice, however, these connectivity indicators alone do not guarantee that closed-loop control remains operationally safe. Attacks can degrade UAS C2 when timeliness degrades under shared User Plane contention, mobility continuity fails during Control Plane instability, or command integrity is violated at a trusted next-generation Node B (gNodeB). Such failures undermine connectivity as the central security indicator for UAV operations. In this paper, we demonstrate these issues using three distinct threat models on a reproducible Open5GS and UERANSIM testbed that carries Micro Air Vehicle Link (MAVLink) over the 5G User Plane, and we use a commercial Nokia core to ground deployment assumptions. We address timeliness, availability, and integrity through experiments in which attack success is defined as forcing an unsafe closed-loop state without a clean disconnect. We observe stale telemetry and heavy-tailed delay under co-tenant User Plane contention, failsafe after handover under Control Plane instability, and navigation hijacking after command rewriting at a compromised gNodeB. We further discuss why each threat model arises and evaluate mitigations for these cross-layer failures. Across the study, we disclosed five robustness issues: three CVEs have already been assigned, and two additional CVE requests are pending.