Publications

Impact: LLFuzz uncovered 11 previously unknown vulnerabilities across 15 commercial smartphones from major vendors including Qualcomm, MediaTek, Samsung, and Apple. Seven of these vulnerabilities have been assigned CVE identifiers and patched by vendors, while four remain undisclosed due to patch delays. The CVEs include: itemize Qualcomm: CVE-2025-21477, CVE-2024-23385 – affecting over 90 chipsets. MediaTek: CVE-2024-20076, CVE-2024-20077, CVE-2025-20659 – affecting over 80 chipsets. Samsung: CVE-2025-26780 – affecting Exynos 2400 series and Modem 5400. Apple: CVE-2024-27870 – equivalent to CVE-2025-21477 in Qualcomm modems. itemize LLFuzz revealed systemic flaws in how lower-layer baseband logic is implemented across vendors. In one test, a single malformed MAC-layer packet immediately disabled a device during data streaming. These results demonstrate that lower layers remain a blind spot in mobile security. LLFuzz is open-sourced at https://github.com/SysSec-KAIST/LLFuzz.

Impact: We uncovered 29, 22, 16, and 59 distinct CIVs in Open5GS, srsRAN, Amarisoft, and Nokia LTE cores, respectively. These allow remote detachment, IMSI exposure, and presence detection without requiring proximity. We contributed patches to Open5GS and Amarisoft. CITesting will be released as an open-source tool to support future uplink security research.

Impact: We are currently testing our solution with a major operator in Korea.

Impact: LTESniffer is open-sourced at https://github.com/SysSec-KAIST/LTESniffer). It is very popular in github, receiving 1,212 stars with 128 forked project. There are at least five youtube videos explaining how to use LTESniffer with more than 2k views. As far as I know, there are three commercial counterparts (Wavejudge, ThinkRF and Airscope): The first one supporting uplink and downlink sniffing costing USD 25,000 and the last one only supports downlink sniffing.

Impact: Although it is too early to determine the impact of the video identification work, it was discussed in 2022 August 3GPP meeting (S3-221922). We plan to exploit information leakage in the uplink scheduling. If we can identify a victim’s uplink signal, an attacker may use this information to find a physical location of the victim, by combining with a directional antenna. We received funding from Korean police to find the physical location of the SIM Boxes used for voice phishing.

Impact: This paper was discussed in a 3GPP SA3 meeting. It is currently open-sourced at https://github.com/SysSec-KAIST/DoLTEst. We uncovered 26 implementation flaws from 43 devices from 5 different baseband manufacturers by using DoLTEst. We have received 3 CVEs (CVE-2019-2289 from Qualcomm, CVE-2021-25516 from Samsung, and CVE-2021-30826 from Apple.) The Qualcomm bug allows an authentication bypass in all baseband processors manufactured by Qualcomm, requiring almost one year to finish the patch process.

Impact: Immediately after the paper is published online, we’ve received inquiries from many operators such as Deutche Telecom, Google Project Fi, Singtel, etc if we can visit their site to test their networks. Unfortunately, we could not provide service to commercial operators, as students did not want to provide commercial services. We’ve also communicated with device vendors such as Apple, Samsung, Qualcomm, LG, Huawei, and Ericsson helping their patching process. Cellular security companies such as P1Security and Positive Technologies now provide protocol security testing as we did in LTEFuzz. We have received two CVEs (CVE-2019-20783 from LG and CVE-2019-5307 from Huawei.) This was also featured in multple media outlets, such as ZDNet, SecurityWeek, Huawei, Engadget, Tech Xplore, Security Affairs, E-Crypto, Cybersecurity Insiders, Israel Defense, ITPro, UK, TGDaily, Gizmodo, and DailyMail, UK. LTEFuzz paper was discussed in three SA3 meetings: TSGS3_95_Reno (S3-191230), TSGS3_97_Reno (S3-194063). TSGS3_101e (S3-202878).

Impact: The initial response from GSMA was disappointing as they viewed this work as only academically interesting. However, it turned out to be important for both academia and standard bodies. After it was initially discussed in 2019 Reno 97th 3GPP meeting (S3-194063), a lot of documents (and probably discussions) tried to address this attack accross multiple 3GPP meetings: TSGS3_100Bis-e (S3-202556, S3-202738, S3-202740), TSGS3_100e (S3-202026, S3-202109, S3-202150), TSGS3_101e (S3-202983, S3-202984, S3-203158, S3-203160, S3-203364, S3-203447), TSGS3_102Bis-e (S3-211345), TSGS3_102e (S3-210131, S3-210778, S3-210783), TSGS3_103e (S3-212351), TSGS3_104e (S3-212748, S3-213244), TSGS3_105e (S3-214408), and TSGS3_107e (S3-221266). In addition, the attack is extended to sigover attack over unicast channel by us~bae2022watching, layer 2 messages by Tan et. al.~tan2021data and uplink channel by Erni et. al.~erni2022adaptover. In 5G, SA3 failed to secure these unauthenticated channels due to various technical problems. I hope to solve these problems before 6G design is complete, which will start in 2 years.

Impact: Our first paperkune2012location in 2012 was discussed in three SA3 meetings held in 2017 across multiple documents: TSG3_086_SophiaSA3 meeting as part of 86th 3GPP meeting held in Sophia (S3-170205, S3-170333, S3-170458). TSGS3_86b_Busan (S3-170758), and TSGS3_87_Ljubljana (S3-171294). GUTI reallocation paper~hong2018guti was the focal point to add unpredictability of GUTI in LTE, discussed in S3-220075. Now in 5G, unpredictability in GUTI after every exposure is mandatory. Unfortunately, a recent report about China and our measurement in Korea show that this is not the case.

Impact: At the time, only South Korea and the United States had widely deployed Voice over LTE (VoLTE) technology, so no other countries were affected. The vulnerabilities were jointly disclosed with the the US Cyber Emergency Response Team (US Cert) as VU#943167. At the time, none of the US operators acknowledged the vulnerabilities, but they later patched them silently. After this investigation, we received funding from SK Telecom to start investigating security of LTE networks. We were invited to make a presentation at GSMA, the organization of the operators. The findings were covered by multiple media outlets, such as IT World, Nexus Security Bulletin, DSLReports, Softpedia, tom’s guide, Pocketnow, FierceMobileIT, Techworm, Neowin, and Network World.

Impact: We discovered that Korean operators are more concerned with over-charging than charging bypass. This is because over-charging can result in penalties from the government. The bug has not been patched so far.

Impact: We discovered that Korean operators are more concerned with over-charging than charging bypass. This is because over-charging can result in penalties from the government. The bug has not been patched so far.

Impact: Our first paperkune2012location in 2012 was discussed in three SA3 meetings held in 2017 across multiple documents: TSG3_086_SophiaSA3 meeting as part of 86th 3GPP meeting held in Sophia (S3-170205, S3-170333, S3-170458). TSGS3_86b_Busan (S3-170758), and TSGS3_87_Ljubljana (S3-171294). GUTI reallocation paper~hong2018guti was the focal point to add unpredictability of GUTI in LTE, discussed in S3-220075. Now in 5G, unpredictability in GUTI after every exposure is mandatory. Unfortunately, a recent report about China and our measurement in Korea show that this is not the case.