Overview
The UDM (Unified Data Management) is the subscriber data authority in a 5G standalone network. It performs the same fundamental function as the HLR in 2G/3G and the HSS in 4G: it is the single source of truth for subscriber identity, authentication credentials, and subscription profile data. Every network function that needs to authenticate a subscriber, check their subscription entitlements, or register their current serving node queries the UDM.
Unlike the HLR (which used MAP over SS7) or the HSS (which used Diameter), the UDM exposes its data through the 5G Service-Based Interface (SBI), a REST API over HTTP/2 with TLS. This is a significant architectural change. The SBI means that the UDM's interface is a web service rather than a binary signalling protocol, and the security model shifts from trust-by-topology (only SS7-connected nodes can query) to certificate-based mutual authentication between network functions.
The UDM consolidates several previously separate repositories. It holds the permanent subscription data that the HLR held, the IMS profile data that the HSS held for VoLTE, and the 5G-specific authentication data, including the SUPI (Subscription Permanent Identifier), the 5G equivalent of the IMSI, and the SUCI concealment key used to protect the SUPI on the radio interface.
The UDM works closely with the AUSF (Authentication Server Function), which performs the cryptographic authentication computation on behalf of the AMF. The UDM provides the authentication vectors; the AUSF computes the expected authentication response and validates the subscriber's challenge response. This separation of data storage (UDM) from authentication execution (AUSF) is a 5G design principle that allows each function to be independently scaled.
How it works
The UDM exposes a set of SBI services, each consumed by specific network functions. The primary services are subscription data management, UE context management, and authentication credential provision.
Subscription data retrieval (N8, AMF to UDM)
When a subscriber initiates a 5G registration, the AMF needs to verify the subscriber exists and retrieve their subscription profile. The AMF calls the Nudm_SubscriberDataManagement (SDM) service on the UDM over the N8 interface, providing the SUPI. The UDM returns the Access and Mobility Subscription Data (including allowed network slices, default S-NSSAI, subscribed DNN list, and mobility restrictions), and registers the AMF as the subscriber's serving AMF. This is the 5G equivalent of the HLR's Insert Subscriber Data on the D interface.
Session management data (N10, SMF to UDM)
When a subscriber establishes a PDU session, the SMF queries the UDM via N10 for the session management subscription data. This includes the allowed DNN list, default 5G QoS profile, and data volume limits for the subscriber. The UDM also registers the SMF as the serving node for the PDU session, maintaining a mapping of which SMF is managing each active session.
Authentication credential provision (N13, AUSF to UDM)
The AUSF calls the Nudm_UEAuthentication service over N13 to retrieve authentication data for the subscriber identified by SUPI or SUCI. The UDM generates the 5G Home Environment authentication vector, incorporating the AMF (Authentication Management Field) separation bit and a sequence number counter, and returns it to the AUSF. The AUSF uses this vector to compute the expected HRES* and send the authentication challenge (RAND, AUTN) to the AMF, which relays it to the subscriber's handset.
Serving NF registration and deregistration
The UDM maintains a registry of which AMF and SMF instances are currently serving each subscriber. This allows other NFs to discover the subscriber's serving nodes without a full database scan. When a subscriber's serving AMF changes (e.g., handover to a new AMF), the UDM updates its registry and notifies the old AMF of the serving AMF change.
Architecture role
In the 5G Service-Based Architecture, the UDM is a stateful Network Function at the centre of the identity plane. All NFs that need subscriber data (the AMF for mobility management, the SMF for session management, the AUSF for authentication, and the PCF for policy) query the UDM's SBI.
The UDM also maintains the UECM (UE Context Management) service that tracks which NF instances are serving a given SUPI. This supports the roaming architecture: in a roaming scenario, the home UDM is the authoritative source of subscriber data, and the visited network's AMF and SMF query it directly (or via the SEPP for inter-PLMN security).
In 5G SA (standalone): The UDM is a fully cloud-native NF, typically deployed as a Kubernetes service with horizontal scaling. Its stateful nature (it holds subscriber session registrations) requires careful database design for consistency across replicas.
In 5G NSA (non-standalone): The UDM coexists with the 4G HSS. Dual-stack subscribers, registered on LTE anchored to EPC while using 5G NR for the radio, may be served by either the HSS (for EPC procedures) or the UDM (for 5G-specific procedures) depending on which anchor core the call flow uses.
Roaming: In 5G roaming, the home network's UDM is queried by the visited network's NFs. This cross-PLMN SBI traffic transits via the SEPP, which applies JSON Web Encryption to the message body before it crosses the inter-PLMN boundary, preventing the IPX transit network from reading sensitive subscriber data.
Key interfaces
| Interface | Between | Protocol | Purpose |
|---|---|---|---|
| N8 | AMF ↔ UDM | HTTP/2 + TLS (SBI) | Subscription data retrieval; AMF registration for subscriber |
| N10 | SMF ↔ UDM | HTTP/2 + TLS (SBI) | Session management subscription data; SMF registration |
| N13 | AUSF ↔ UDM | HTTP/2 + TLS (SBI) | Authentication credential generation and retrieval |
| Nudm | (Generic SBI label) | HTTP/2 + TLS (SBI) | Collective label for all UDM SBI service operations |
Security posture
The UDM has a high threat level. It holds authentication keys (K) and subscription profiles for every subscriber in the network, the same data that made the HLR and HSS high-value targets. The shift from SS7/Diameter to SBI changes the attack model significantly: SBI uses mutual TLS, which means an attacker cannot query the UDM unless they have a valid TLS certificate from the operator's PKI. This is a material improvement over the HLR's zero-authentication MAP interface.
However, the SBI security model depends entirely on the integrity of the operator's PKI and NF registration process. If an attacker compromises any NF that is authorised to call Nudm services (e.g., an AMF or AUSF), they inherit its access rights and can query the UDM for any subscriber's data. The blast radius of a compromised NF is therefore determined by the UDM's per-NF authorisation granularity.
The 5G SBI also introduces a new attack surface not present in SS7 or Diameter: the HTTP/2 API itself. Web application attack classes (parameter injection, improper access control, excessive data exposure in API responses) are now relevant in the core network context. Operators accustomed to binary signalling protocol security may underestimate this.
Attack surface
Subscriber data extraction via rogue NF
An attacker who obtains a valid TLS certificate for a network function (e.g., by compromising an AMF, or by operating a network function in a roaming partner network with excessive trust) can call Nudm_SDM to retrieve the subscription profile of any SUPI. In a roaming scenario, the visited network's NFs have legitimate access to the home UDM via the SEPP; a misconfigured SEPP that permits over-broad access can enable mass data extraction.
Impact: Mass subscriber profile extraction including subscription data, SUPI-MSISDN mapping, and subscribed services. Difficulty: Medium. Requires a valid operator TLS certificate and NRF registration, which is significantly harder than SS7 access but achievable via supply-chain or vendor compromise.
Authentication vector theft via forged AUSF identity
The Nudm_UEAuthentication service provides 5G authentication vectors. A caller that successfully authenticates as an AUSF can request authentication vectors for any SUPI, enabling offline attacks against subscriber session keys.
Impact: Authentication material theft; potential for subscriber impersonation on the radio interface if the keys are exploited. Difficulty: High. Requires compromise of an AUSF certificate or the NRF authorisation system.
API-level denial of service
The Nudm SBI is an HTTP/2 API. Flooding it with valid but expensive queries (e.g., rapid successive subscription data requests for different SUPIs) can exhaust the UDM's database query capacity, degrading service for legitimate NFs.
Impact: Registration and authentication degradation across all subscribers; potential network-wide attach failure. Difficulty: Low to medium once API access is established.
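The rogue-NF extraction pattern above has a simple signature in SUPI-granular audit data: one caller touching far more distinct SUPIs per minute than its function ever needs. The detector below is an added example (not code from the page or from any 3GPP or vendor implementation) run over constructed audit lines; the line format, NF identifiers, PLMN codes and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed audit line format: "<epoch> <caller-nf-id> <caller-plmn> <op> <supi>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")


def build_sample_log():
    """Constructed sample: a home AMF reading a handful of profiles over five
    minutes, and a visited-PLMN AMF pulling am-data for 40 distinct SUPIs in
    40 seconds, which is what mass profile extraction via roaming access looks like."""
    lines = [f"{1000 + 60 * i} amf-home-01 001-01 GET:nudm-sdm/am-data imsi-00101000000{i:04d}"
             for i in range(5)]
    lines += [f"{1200 + i} amf-visited-99 999-99 GET:nudm-sdm/am-data imsi-00101000000{i:04d}"
              for i in range(40)]
    return lines


def distinct_supi_alerts(lines, window_s=60, max_distinct=20):
    """Alert once per caller when it touches more than max_distinct different
    SUPIs inside any window_s-second sliding window.  Lines are assumed to be
    time-ordered per caller.  Returns [(caller, plmn, first_alert_ts, distinct)]."""
    recent = defaultdict(deque)   # caller -> deque of (ts, supi) inside the window
    alerted, alerts = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # malformed line: skip rather than crash the detector
        ts, caller, plmn, _op, supi = m.groups()
        ts = int(ts)
        q = recent[caller]
        while q and q[0][0] < ts - window_s:
            q.popleft()
        q.append((ts, supi))
        distinct = len({s for _, s in q})
        if distinct > max_distinct and caller not in alerted:
            alerted.add(caller)
            alerts.append((caller, plmn, ts, distinct))
    return alerts
```

In production the threshold would be set per NF type from observed baselines, since an AUSF or a home AMF legitimately serves many SUPIs while a single roaming partner's AMF should only ever touch the subscribers currently roaming there.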
Mitigations
- Mutual TLS on all SBI connections: All connections to the UDM's SBI must use mutual TLS with certificates issued by the operator's 5G PKI (per 3GPP TS 33.310). Reject connections with self-signed or unrecognised certificates.
- NRF-based access authorisation: The NRF maintains the registry of authorised NF instances and their allowed service operations. The UDM should validate NRF-issued OAuth 2.0 tokens on each API call to ensure only authorised NF types and instances can invoke specific Nudm services.
- Per-NF and per-SUPI rate limiting: Apply rate limits at the API gateway in front of the UDM. No single NF instance should be able to query subscriber data at rates exceeding normal operational volumes for its function.
- SEPP-enforced roaming access control: For cross-PLMN access, ensure the SEPP applies PLMN-level access control on Nudm service calls originating from the visited network, restricting them to the specific service operations and SUPI ranges that roaming partners are authorised to access.
- Audit logging at SUPI granularity: Every Nudm API call should be logged with the calling NF identity, the SUPI accessed, and the operation performed. This enables detection of anomalous data access patterns and post-incident forensic analysis.
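The token check, NF-type policy, per-NF rate limit and SUPI-granular audit log above can sit in one gate in front of the Nudm API. The code below is an added example (not the page's, nor any 3GPP or vendor implementation). It assumes the NRF-issued OAuth 2.0 token has already been signature-verified by the TLS/gateway layer and arrives as its decoded claims (iss, sub, aud, scope, exp), that the consumer's NF type has been looked up from its NRF profile, and that the resource paths follow the /nudm-sdm/v2/{supi}/am-data shape; the NF identifiers and the consumer policy table are constructed for illustration.

```python
import re
import time
from collections import defaultdict, deque

# Operator policy (constructed): which NF types may consume each Nudm service.
ALLOWED_CONSUMERS = {
    "nudm-sdm": {"AMF", "SMF"},
    "nudm-uecm": {"AMF", "SMF"},
    "nudm-ueau": {"AUSF"},   # only an AUSF should ever ask for authentication vectors
}
# Nudm resource paths look like /nudm-sdm/v2/{supi}/am-data: service, version, UE id.
PATH_RE = re.compile(r"^/(nudm-[a-z]+)/v\d+/([^/]+)/")


class NudmGate:
    """Authorise, rate-limit and audit one inbound Nudm request."""

    def __init__(self, max_calls_per_min=100):
        self.limit = max_calls_per_min
        self.calls = defaultdict(deque)  # consumer NF instance id -> call timestamps
        self.audit = []                  # SUPI-granular audit records

    def authorise(self, claims, nf_type, method, path, now=None):
        """claims: decoded, already signature-verified token; nf_type: consumer's
        NF type from the NRF.  Returns (http_status, reason)."""
        now = time.time() if now is None else now
        m = PATH_RE.match(path)
        if not m:
            return 404, "unknown Nudm resource"
        service, ue_id = m.groups()
        # 1. Token must name this UDM as audience, be unexpired, and be scoped to the service.
        aud = claims.get("aud", [])
        aud = aud if isinstance(aud, list) else [aud]
        if "UDM" not in aud or claims.get("exp", 0) <= now:
            return 401, "token not valid for this UDM"
        if service not in claims.get("scope", "").split():
            return 403, "token scope does not cover " + service
        # 2. NF-type policy bounds the blast radius of a compromised consumer.
        if nf_type not in ALLOWED_CONSUMERS.get(service, set()):
            return 403, f"{nf_type} is not entitled to {service}"
        # 3. Per-NF sliding-window rate limit over the last 60 seconds.
        q = self.calls[claims["sub"]]
        while q and q[0] <= now - 60:
            q.popleft()
        if len(q) >= self.limit:
            return 429, "per-NF rate limit exceeded"
        q.append(now)
        # 4. Audit every permitted call with caller, operation and SUPI/SUCI.
        self.audit.append({"ts": now, "nf": claims["sub"], "nf_type": nf_type,
                           "op": f"{method} {service}", "ue_id": ue_id})
        return 200, "ok"
```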
Spec references
- 3GPP TS 29.503, Unified Data Management Services. The normative SBI specification for the UDM. Section 5 defines the Nudm service operations; Section 6 defines the data models for subscription data, authentication data, and UE context.
- 3GPP TS 23.502, Procedures for the 5G System. Sections 4.2 and 4.7 define the registration and authentication procedures that the UDM participates in, including the N8 and N13 interactions.
- 3GPP TS 33.501, Security Architecture and Procedures for 5G System. Sections 6.1 and 6.2 define the 5G AKA and EAP-AKA' authentication procedures anchored at the UDM, and the SUCI concealment mechanism.
Related topics
The UDM supersedes the HLR (2G/3G) and HSS (4G). It works with the AUSF for authentication and the AMF for subscriber registration. In the roaming architecture, UDM access from the visited network is protected by the SEPP.
The UDM is part of the 5G standalone core network architecture and is present in some 5G NSA deployments. Its SBI design reflects the broader 5G shift from binary signalling protocols to REST-based microservices.