Bit-Flipping Attack Exploration and Countermeasure in 5G Network

📅 2025-10-06
🏛️ IEEE International Conference on Mobile Adhoc and Sensor Systems
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work describes a bit-flip attack on 5G traffic that requires no decryption: an adversary who knows only the position and meaning of a field inside an encrypted message, such as a QoS parameter or a NAS signalling element, flips the corresponding ciphertext bits so that the receiver decrypts a semantically altered message that it still accepts as valid. The authors validate the attack's feasibility and impact on a standards-compliant 5G testbed built on OpenAirInterface. To address this structural weakness of the current 5G confidentiality-integrity design, they propose a lightweight keystream-driven field shuffling defense that permutes the positions of sensitive fields using the cipher's keystream; it needs no plaintext access, adds no communication overhead, and remains compatible with existing 3GPP protocols. Their evaluation shows that the scheme prevents targeted field manipulation and strengthens data integrity protection on the 5G air interface.

📝 Abstract
5G communication technology has become a vital component in a wide range of applications due to its unique advantages such as high data rate and low latency. While much of the existing research has focused on optimizing its efficiency and performance, security considerations have not received comparable attention, potentially leaving critical vulnerabilities unexplored. In this work, we investigate the vulnerability of 5G systems to bit-flipping attacks, an integrity attack in which an adversary intercepts 5G network traffic and modifies specific fields of an encrypted message without decryption, thus mutating the message while it remains valid to the receiver. Notably, these attacks do not require the attacker to know the plaintext; only the semantic meaning or position of certain fields is enough to effect targeted modifications. We conduct our analysis on OpenAirInterface (OAI), an open-source 5G platform that follows the 3GPP Technical Specifications, to rigorously test the real-world feasibility and impact of bit-flipping attacks under current 5G encryption mechanisms. Finally, we propose a keystream-based shuffling defense mechanism to mitigate the effect of such attacks by raising the difficulty of manipulating specific encrypted fields, while introducing no additional communication overhead compared to the NAS Integrity Algorithm (NIA) in 5G. Our findings reveal that enhancements to 5G security are needed to better protect against attacks that alter data during transmission at the network level.
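The attack in the summary and abstract works because the 5G NEA ciphers are XOR stream ciphers: flipping a ciphertext bit flips the same plaintext bit after decryption, so an attacker who knows a field's offset can change it without the key or the plaintext. The following is an added example, not code from the paper or from OpenAirInterface. It stands in for NEA with a SHAKE-256 keystream driven by COUNT/BEARER/DIRECTION (an assumption; the real algorithms are SNOW 3G, AES-CTR and ZUC), uses a constructed four-byte message layout (message type, QFI, a 16-bit rate parameter) rather than any 3GPP encoding, and models the keystream-driven shuffling defense as a byte-position permutation derived from keystream bytes beyond the message, which is one reading of the abstract's scheme, not the authors' implementation.

```python
import hashlib


def keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """Toy keystream standing in for NEA (constructed; SHAKE-256, not SNOW3G/AES/ZUC).
    COUNT, BEARER and DIRECTION mirror the NEA inputs, so the stream differs per PDU."""
    iv = count.to_bytes(4, "big") + bytes([bearer & 0x1F, direction & 1])
    return hashlib.shake_256(key + iv).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed message layout with fixed field offsets (not a 3GPP encoding):
# byte 0 = message type, byte 1 = QFI, bytes 2-3 = rate parameter (big-endian).
MSG_LEN = 4
FIELD_OF_BYTE = ["msg_type", "qfi", "rate", "rate"]


def pack(msg_type: int, qfi: int, rate: int) -> bytes:
    return bytes([msg_type, qfi]) + rate.to_bytes(2, "big")


def unpack(buf: bytes) -> dict:
    return {"msg_type": buf[0], "qfi": buf[1], "rate": int.from_bytes(buf[2:4], "big")}


def encrypt(key: bytes, count: int, bearer: int, direction: int, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, count, bearer, direction, len(plaintext)))


decrypt = encrypt  # XOR stream cipher: the same operation in both directions


def flip(ciphertext: bytes, offset: int, delta: int) -> bytes:
    """Attacker step: XOR `delta` into one ciphertext byte. No key and no plaintext
    are needed; the receiver decrypts that byte to (plaintext_byte ^ delta)."""
    out = bytearray(ciphertext)
    out[offset] ^= delta
    return bytes(out)


# --- keystream-driven shuffling defense (illustrative model of the abstract's idea) ---
def permutation(key: bytes, count: int, bearer: int, direction: int, n: int) -> list:
    """Byte-position permutation from keystream bytes that lie past the message
    (SHAKE output is prefix-consistent), so nothing extra goes on the air.
    Fisher-Yates driven by those bytes; both ends derive the same permutation."""
    extra = keystream(key, count, bearer, direction, 2 * n)[n:]
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = extra[i] % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def encrypt_shuffled(key: bytes, count: int, bearer: int, direction: int, plaintext: bytes) -> bytes:
    perm = permutation(key, count, bearer, direction, len(plaintext))
    shuffled = bytes(plaintext[perm[i]] for i in range(len(plaintext)))  # slot i holds byte perm[i]
    return encrypt(key, count, bearer, direction, shuffled)


def decrypt_shuffled(key: bytes, count: int, bearer: int, direction: int, ciphertext: bytes) -> bytes:
    perm = permutation(key, count, bearer, direction, len(ciphertext))
    shuffled = decrypt(key, count, bearer, direction, ciphertext)
    out = bytearray(len(ciphertext))
    for i, p in enumerate(perm):
        out[p] = shuffled[i]
    return bytes(out)


def field_hit_by_flip(key: bytes, count: int, bearer: int, direction: int, offset: int) -> str:
    """Which original field an attacker's flip at ciphertext byte `offset` actually lands on."""
    perm = permutation(key, count, bearer, direction, MSG_LEN)
    return FIELD_OF_BYTE[perm[offset]]


def attack_unshuffled(key: bytes, count: int, bearer: int, direction: int,
                      plain: bytes, offset: int, delta: int) -> dict:
    """Receiver's view of a message whose ciphertext byte `offset` was flipped, no shuffling."""
    return unpack(decrypt(key, count, bearer, direction,
                          flip(encrypt(key, count, bearer, direction, plain), offset, delta)))


def attack_shuffled(key: bytes, count: int, bearer: int, direction: int,
                    plain: bytes, offset: int, delta: int) -> dict:
    """Same flip against the shuffled encoding: the damage lands on a keystream-chosen field."""
    return unpack(decrypt_shuffled(key, count, bearer, direction,
                                   flip(encrypt_shuffled(key, count, bearer, direction, plain), offset, delta)))


if __name__ == "__main__":
    key, bearer, direction = b"\x01" * 16, 1, 0
    plain = pack(0x41, 9, 1000)
    print("original        ", unpack(plain))
    print("flip byte 2 raw ", attack_unshuffled(key, 7, bearer, direction, plain, 2, 0x80))
    for count in range(4):
        print("count", count, "flip byte 2 shuffled ->",
              attack_shuffled(key, count, bearer, direction, plain, 2, 0x80),
              "hit:", field_hit_by_flip(key, count, bearer, direction, 2))
```

Without shuffling the flip at byte 2 always sets the high bit of the rate field (1000 becomes 33768) and touches nothing else, whatever the key; with shuffling the same flip corrupts whichever field the per-PDU permutation placed at that slot, so the attacker loses targeting but still corrupts one field, which is why the abstract presents the scheme as raising attack difficulty rather than as a replacement for integrity protection. A caveat the page does not address in detail: a MAC computed over the ciphertext (as NIA provides for NAS, which 3GPP TS 33.501 makes mandatory, while user-plane integrity is optional and negotiated) rejects any flipped byte outright; the example therefore models traffic that carries no integrity check, and the paper should be consulted for the conditions under which its attack passes the receiver's verification.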
Problem

Research questions and friction points this paper is trying to address.

Investigating bit-flipping vulnerabilities in 5G network encrypted communications
Analyzing integrity attacks that modify encrypted messages without decryption
Proposing keystream-based shuffling defense against 5G data manipulation attacks
Innovation

Methods, ideas, or system contributions that make the work stand out.

Bit-flipping attack vulnerability analysis in 5G systems
Keystream-based shuffling defense mechanism implementation
No additional communication overhead compared to NIA