Cellular Security Research

Jan 4, 2025 · 16 min read

Over the past 15 years, I have worked on a variety of cellular security problems and published more than 18 papers on this topic. This page provides an overview of my research in this field and highlights the main findings and insights, as well as their impact.

Insights and Motivations

My research covers a variety of cellular topics, including privacy, accounting, application security, middleboxes, automatic performance analysis, semi-automatic security testing and analysis, the physical layer, and even countermeasures against criminal activity. My group conducts hands-on experiments on live commercial networks, commercial testbeds, and smartphones. We have also engaged with representatives from governments, law enforcement, and standard bodies such as 3GPP/GSMA, as well as researchers from network and mobile device vendors and cellular network operators. Through these studies, experiments, and interactions, I have identified several problems the cellular industry faces, which have become the motivation for my research. I believe these problems are the root cause of many of the vulnerabilities identified by researchers.

  • Pr1: Every decade, a new cellular generation is introduced, with a new design, implementation and deployment. Each of these can introduce new vulnerabilities.
  • Pr2: A cellular network is a closed system, and each network operator has built a unique “walled garden” for its network by combining different operational policies, network configurations, and implementation optimizations.
  • Pr3: Cellular networks are backward compatible. However, once a standard for a generation is set, it is never updated, which means that any vulnerability in the design remains unpatched indefinitely.
  • Pr4: Fuzzing an operational cellular network is illegal in most countries, and cellular specifications do not typically address security testing.
  • Pr5: Operators (and sometimes governments) have priority over vendors or the public in determining security policy.
  • Pr6: Standards are often written ambiguously, leading to misunderstandings among developers, and no reference implementation is provided. Additionally, standards leave many implementation details to vendors.
  • Pr7: Standards are spread across multiple documents, where multiple layers and parties interact through multiple protocols.

Combinations of these seven problems form major parts of the motivation, as well as the main ideas, of my research, which I summarize below.

Research Overview

Systematic Security Testing

Pr1, Pr2, Pr4, Pr6 and Pr7 are the main motivations for this line of work.

VoLTE Security Testing

Unlike 3G, which uses circuit-switched calls, LTE uses IP-based VoLTE (Voice over LTE). Multiple parts changed with this move, such as Android permissions, accounting, and a new VoIP server. We checked 60 security test cases in 5 operators (3 in Korea, 2 in the US) and found 10 new attacks (4 accounting bypasses, 2 caller spoofing attacks, 2 DoS attacks, and so on).
Impact: At the time, only South Korea and the United States had widely deployed Voice over LTE (VoLTE) technology, so no other countries were affected. The vulnerabilities were jointly disclosed with the US Cyber Emergency Response Team (US-CERT) as VU#943167. At the time, none of the US operators acknowledged the vulnerabilities, but they later patched them silently. After this investigation, we received funding from SK Telecom to start investigating the security of LTE networks. We were invited to give a presentation at GSMA, the operators' organization. The findings were covered by multiple media outlets, such as IT World, Nexus Security Bulletin, DSLReports, Softpedia, Tom’s Guide, Pocketnow, FierceMobileIT, Techworm, Neowin, and Network World.

LTEFuzz: LTE Security Testing

After the VoLTE paper, Korean operators gave us access to their LTE testbeds. While the VoLTE paper focused on Pr1, this paper fully explores Pr1, Pr2, Pr4, Pr6 and Pr7.

  • Pr1: LTE is significantly different from 3G.
  • Pr2: Operators choose their own configurations. They could have made mistakes.
  • Pr4: The networks had never been tested for security. We had access to the testbeds of all 3 operators.
  • Pr6: Researchers from vendors or operators could have misunderstood the specification. Replay attack prevention was left to the vendors.
  • Pr7: We focused on two main control plane operations.

We sent negative test cases (i.e. test cases prohibited by the standard, e.g. messages with a wrong message authentication code) to the operator network or to smartphones, in order to see whether the receiving parties drop them. As a result, we uncovered 51 vulnerabilities (36 new and 15 previously known). See the LTEFuzz site for details.
Impact: Immediately after the paper was published online, we received inquiries from many operators, such as Deutsche Telekom, Google Project Fi and Singtel, asking whether we could visit their sites to test their networks. Unfortunately, we could not provide this service to commercial operators, as the students did not want to provide commercial services. We also communicated with device vendors such as Apple, Samsung, Qualcomm, LG, Huawei, and Ericsson to help their patching process. Cellular security companies such as P1 Security and Positive Technologies now provide protocol security testing as we did in LTEFuzz. We received two CVEs (CVE-2019-20783 from LG and CVE-2019-5307 from Huawei). This work was also featured in multiple media outlets, such as ZDNet, SecurityWeek, Huawei, Engadget, Tech Xplore, Security Affairs, E-Crypto, Cybersecurity Insiders, Israel Defense, ITPro (UK), TGDaily, Gizmodo, and the Daily Mail (UK). The LTEFuzz paper was discussed in three SA3 meetings: TSGS3_95_Reno (S3-191230), TSGS3_97_Reno (S3-194063), and TSGS3_101e (S3-202878).

CITesting: Systematic Testing of Context Integrity Violations in Cellular Core Networks

While prior work mainly focused on downlink vulnerabilities, CITesting targets uplink-side context integrity violations (CIVs), where unauthenticated or improperly authenticated UEs can alter the core network state of other subscribers. To address this, we designed and implemented CITesting, a systematic testing framework that explores procedure chains, manages UE states with a dual-UE setup, and uses a behavioral oracle to detect context corruption.
Impact: We uncovered 29, 22, 16, and 59 distinct CIVs in the Open5GS, srsRAN, Amarisoft, and Nokia LTE cores, respectively. These allow remote detachment, IMSI exposure, and presence detection without requiring proximity to the victim. We contributed patches to Open5GS and Amarisoft. CITesting will be released as an open-source tool to support future uplink security research.

LLFuzz: Over-the-Air Fuzzing of Cellular Baseband Lower Layers

Prior baseband fuzzing frameworks required rooted phones or focused only on the NAS or RRC layers. To overcome these limitations, we developed LLFuzz, the first over-the-air fuzzing framework that targets the lower baseband layers (RLC, MAC, PDCP, PHY) of commercial smartphones. LLFuzz enables differential testing on unmodified devices by injecting malformed LTE packets and monitoring for crashes via USB and silent calls. It implements protocol-aware mutation strategies and generates over 60,000 test cases.
Impact: LLFuzz uncovered 11 previously unknown vulnerabilities across 15 commercial smartphones from major vendors including Qualcomm, MediaTek, Samsung, and Apple. Seven of these vulnerabilities have been assigned CVE identifiers and patched by the vendors, while four remain undisclosed due to patch delays. The CVEs include:

DoLTEst: Negative Testing of LTE UE Implementations

LTEFuzz was stateless and checked only basic cases. To overcome this limitation, we designed and implemented DoLTEst, a negative testing framework for finding non-standard-compliant bugs in the LTE protocol implementations of UEs. DoLTEst is stateful and covers all optional cases. It generates about 1,800 test cases to check UEs for vulnerabilities.
Impact: This paper was discussed in a 3GPP SA3 meeting. It is currently open-sourced at https://github.com/SysSec-KAIST/DoLTEst. Using DoLTEst, we uncovered 26 implementation flaws in 43 devices from 5 different baseband manufacturers. We received 3 CVEs (CVE-2019-2289 from Qualcomm, CVE-2021-25516 from Samsung, and CVE-2021-30826 from Apple). The Qualcomm bug allows an authentication bypass in all baseband processors manufactured by Qualcomm, and the patch process took almost one year to complete.

BaseSpec: Comparative Analysis of Baseband Software and Cellular Specifications

All of the three testing methods above were dynamic, and not all vulnerabilities can be found by dynamic analysis. This work checks whether we can run a comparative static analysis of baseband binaries against the cellular specifications. The key intuition is that a message decoder in baseband software embeds the protocol specification in a machine-friendly structure in order to parse incoming messages. With BaseSpec, we analyzed the implementation of cellular standard L3 messages in 18 baseband firmware images of 9 device models from one of the top three vendors. BaseSpec has recently been extended to BaseComp, a semi-automated static analysis approach for analyzing integrity protection.
Impact: BaseSpec is currently open-sourced at https://github.com/SysSec-KAIST/BaseSpec. BaseSpec identified hundreds of functional or potentially vulnerable mismatches. Investigation of these mismatches led to 5 functional errors and 4 memory-related vulnerabilities, which have been patched by the vendors. BaseComp is also open-sourced at https://github.com/kaist-hacking/BaseComp. BaseComp identified 29 bugs, including one NAS AKA bypass vulnerability.

Performance Bug Detection using a Comparative Analysis

We collected 6.4M control plane messages from 28 operators in 11 countries using 95 USIMs, by generating 52K voice call events. Through this extensive dataset, we aimed to understand and confirm Pr2. We examined each control plane message to identify operators with abnormal processing times, sequences of events, or signaling failures. This study revealed a total of 7 bugs that occurred in only a few operators. For instance, a UE in a US operator experienced an 11-second outage due to location update collisions. We confirmed that comparative analysis between operators is an effective way to detect performance bugs and their root causes. However, we are unable to release this dataset, as it contains personal information (signaling messages from other subscribers).

SIM Box Detection using Control Plane Fingerprints

In 2022, we received USD 5 million in funding from the Korean police to develop a network-based solution to combat voice phishing crime. (Voice phishing caused financial losses of over USD 0.5 billion in Korea in 2021.) As part of this project, we are developing multiple solutions. The first solution we have published is a methodology to distinguish SIM boxes (VoIP gateways that convert VoIP calls to and from cellular calls) from ordinary smartphones. The key idea is that fingerprints constructed from network-layer auxiliary information, with more than 31K features, are mostly distinct among 85 smartphones as well as SIM boxes.
Impact: We are currently testing our solution with a major operator in Korea.
Future Plan: Several hundred vulnerabilities were responsibly disclosed and patched in devices and networks. Many of them were found in Korea and the US, even before other countries had launched the technology. After publishing LTEFuzz, we have been continuously communicating with 3GPP and GSMA to incorporate systematic negative testing into the cellular testing specifications. Additionally, we were invited by organizations such as GSMA, device vendors such as Qualcomm, Ericsson and Huawei, and several universities to give presentations about security testing. Understanding the differences and similarities among operators and vendors is crucial for detecting both security and performance bugs. We plan to create another large-scale dataset, probably through crowd-sourcing, to reveal insecure configurations among different operators around the world.

Exploiting Design Vulnerabilities

This research mainly concerns Pr3 and Pr5. Designs in cellular specifications often contain vulnerabilities that can only be fixed in the next generation. We have been identifying such vulnerabilities, proposing fixes, and developing new exploits to accelerate the patching process.

Cellular Identities and Location Tracking

Cellular networks use multiple identities, including the IMSI (International Mobile Subscriber Identity, a permanent identifier associated with a subscriber), the TMSI (Temporary Mobile Subscriber Identity, a temporary identifier assigned to a subscriber to protect subscriber privacy), the RNTI (Radio Network Temporary Identifier, a temporary network identifier for a subscriber in a cell), and the IMEI (International Mobile Equipment Identity, a permanent device identifier). Given the wireless nature of cellular networks, exposure of these identities is directly tied to user privacy. To protect user privacy, most cellular protocol messages only include temporary identifiers. In 2012, we demonstrated for the first time that the TMSI remains unchanged in 2G and 3G. By repeatedly calling a victim, an attacker can determine whether the victim is in the same cell by intersecting the TMSIs contained in unencrypted paging messages, breaking subscriber location privacy. Wireless and unencrypted paging messages allow this binding between a phone number and the temporary ID. Shaik et al. showed that the same attack is possible in VoLTE. In LTE, a mechanism called GUTI reallocation is employed, which forcibly changes the GUTI after each exposure in a message. This requirement, however, enforces neither unlinkability nor unpredictability of the changing IDs. We verified whether this is the case using the large dataset we built (containing 6.4M control plane messages from 28 operators in 11 countries). Out of 28 carriers, 20 have at least one byte fixed (the GUTI is 4 bytes long), allowing an attacker to fingerprint a particular user. A more detailed analysis of the 4 carriers with seemingly random assignment reveals that an attacker can make the GUTI remain unchanged by invoking GUTI reallocation multiple times within a short time period.
Impact: Our first paper in 2012 was discussed in three SA3 meetings held in 2017, across multiple documents: TSG3_086_Sophia (S3-170205, S3-170333, S3-170458), TSGS3_86b_Busan (S3-170758), and TSGS3_87_Ljubljana (S3-171294). The GUTI reallocation paper was the focal point for adding unpredictability of the GUTI in LTE, discussed in S3-220075. In 5G, unpredictability of the GUTI after every exposure is now mandatory. Unfortunately, a recent report about China and our own measurements in Korea show that this is not the case in practice.
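The two symptoms measured above (a byte that never changes across reallocations, and old values coming back when reallocation is repeated) can be checked by an operator against its own assignment logs. The following is an added example, not code from the paper or its dataset; the per-subscriber GUTI histories are constructed, and the 4-byte width follows the page's description.

```python
# Added example (not from the original page): audit whether GUTI reallocation
# actually yields unlinkable, unpredictable identifiers for one subscriber.
# Input: the 4-byte GUTI values one UE received across consecutive
# reallocations, as hex strings. Values are constructed for illustration.

# Constructed sample: sub_A keeps a fixed first byte (linkable), sub_B gets
# fresh values, sub_C gets the same value handed back repeatedly (predictable).
SAMPLE = {
    "sub_A": ["c1a35f02", "c17d9b40", "c1e0112a", "c13bb7d9", "c1096aee"],
    "sub_B": ["7a1c33f0", "d40b19c2", "1e9a77b5", "9c02e4d1", "3f58aa07"],
    "sub_C": ["5e0f2b91", "5e0f2b91", "8a77c003", "5e0f2b91", "5e0f2b91"],
}

def fixed_byte_positions(gutis):
    """Byte offsets (0..3) whose value never changes across reallocations."""
    raw = [bytes.fromhex(g) for g in gutis]
    if len(raw) < 2:
        return []
    return [i for i in range(4) if len({b[i] for b in raw}) == 1]

def reuse_ratio(gutis):
    """Fraction of reallocations that returned an already-seen value.
    Fresh random assignment should keep this near 0."""
    seen, reused = set(), 0
    for g in gutis:
        if g in seen:
            reused += 1
        seen.add(g)
    return reused / max(len(gutis) - 1, 1)

def audit(gutis, max_reuse=0.0):
    """Classify one subscriber's reallocation history:
    'linkable'    - some byte never changes, so a passive observer can fingerprint the UE
    'predictable' - old values come back, so repeated reallocation hides nothing
    'ok'          - neither symptom in this sample"""
    fixed = fixed_byte_positions(gutis)
    ratio = reuse_ratio(gutis)
    if fixed:
        return "linkable", fixed, ratio
    if ratio > max_reuse:
        return "predictable", fixed, ratio
    return "ok", fixed, ratio

def audit_all(dataset):
    return {sub: audit(seq) for sub, seq in dataset.items()}

if __name__ == "__main__":
    for sub, (verdict, fixed, ratio) in audit_all(SAMPLE).items():
        print(f"{sub}: {verdict:11s} fixed_bytes={fixed} reuse={ratio:.2f}")
```

On real logs the same checks should be run per carrier rather than per subscriber, since a byte that is fixed across all of a carrier's subscribers is a network identifier, not a leak.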

Signal Overshadowing Attack

4G and 5G cellular networks do not protect the integrity of broadcast, paging, or some unicast messages, making them vulnerable to Man-in-the-Middle (MitM) attacks. A MitM attacker can hijack and modify these unauthenticated messages by implementing a fake base station (FBS) and a fake user equipment (UE, or smartphone). To the victim UE and the victim BS, the FBS and the fake UE must look like a legitimate BS and UE, respectively. Implementing a fully functional cellular MitM attacker is a complex task, and no academic paper had successfully done so. Therefore, instead of implementing this type of attacker, we implemented signal overshadowing, where the attacker overwrites the broadcast message from the base station to the UEs (i.e. the downlink). It took a total of two years to implement this attack, as the overshadowing signal has to be sent with precise timing and frequency. Our intention was to spark renewed discussion within standard bodies on how to protect these unauthenticated cellular messages.
Impact: The initial response from GSMA was disappointing, as they viewed this work as only academically interesting. However, it turned out to be important for both academia and standard bodies. After it was initially discussed at the 97th 3GPP meeting in Reno in 2019 (S3-194063), many documents (and presumably discussions) tried to address this attack across multiple 3GPP meetings: TSGS3_100Bis-e (S3-202556, S3-202738, S3-202740), TSGS3_100e (S3-202026, S3-202109, S3-202150), TSGS3_101e (S3-202983, S3-202984, S3-203158, S3-203160, S3-203364, S3-203447), TSGS3_102Bis-e (S3-211345), TSGS3_102e (S3-210131, S3-210778, S3-210783), TSGS3_103e (S3-212351), TSGS3_104e (S3-212748, S3-213244), TSGS3_105e (S3-214408), and TSGS3_107e (S3-221266). In addition, the attack has been extended to the sigover attack over the unicast channel by us, to layer 2 messages by Tan et al., and to the uplink channel by Erni et al.
In 5G, SA3 failed to secure these unauthenticated channels due to various technical problems. I hope to solve these problems before the 6G design is complete; 6G design work will start in 2 years.

Application Layer Privacy

DCI (Downlink Control Information) refers to the control signaling transmitted from the BS to the UE. The DCI carries the information the UE needs to decode the downlink data, such as the resource allocation and the modulation and coding scheme used for the data, as well as uplink channel assignments. When the UE receives a DCI, it uses the RNTI to determine whether the DCI is intended for it. Since none of the information in the DCI is encrypted, if an attacker can identify a victim’s RNTI, the attacker can obtain the victim’s resource usage or uplink scheduling. Using the victim’s resource usage, an unprivileged adversary equipped with a software-defined radio can 1) identify mobile users who are watching target videos of the adversary’s interest and then 2) infer the video title that each of these users is watching.
Impact: Although it is too early to determine the impact of the video identification work, it was discussed at the August 2022 3GPP meeting (S3-221922). We plan to study information leakage in the uplink scheduling as well. If a victim’s uplink signal can be identified, an attacker may use this information, combined with a directional antenna, to find the victim's physical location. We received funding from the Korean police to find the physical location of the SIM boxes used for voice phishing.

LTESniffer

Many cellular messages are not encrypted, and even among encrypted messages, some are not encrypted securely. To analyze LTE data and control plane messages, one needs a tool to collect the wireless signal between the UE and the eNB. LTESniffer is a tool that captures the LTE wireless messages sent between a cell tower and the smartphones connected to it. LTESniffer supports capturing messages in both directions: from the tower to the smartphones, and from the smartphones back to the cell tower. Note that LTESniffer CANNOT DECRYPT encrypted messages between the cell tower and smartphones. It can be used to analyze the unencrypted parts of the communication between the cell tower and smartphones. For encrypted messages, for example, it lets the user analyze the unencrypted parts, such as the headers in the MAC and physical layers. Messages sent in plaintext, however, are fully analyzable; for example, the broadcast messages sent by the cell tower, or the messages at the beginning of a connection, are completely visible.
Impact: LTESniffer is open-sourced at https://github.com/SysSec-KAIST/LTESniffer. It is very popular on GitHub, with 1,212 stars and 128 forks. There are at least five YouTube videos explaining how to use LTESniffer, with more than 2k views. As far as I know, there are three commercial counterparts (Wavejudge, ThinkRF and Airscope): the first supports both uplink and downlink sniffing and costs USD 25,000, and the last supports downlink sniffing only.

Accounting Bypass

Cellular networks have different accounting mechanisms for data and voice. Data usage is typically tracked and billed based on bandwidth usage, while voice usage is tracked and billed based on the duration of the call. Different countries have different accounting policies. For example, the Korean government prohibits operators from charging for TCP-retransmitted packets, and according to our measurements in different countries, Korea is the only country with this policy. We show that an attacker may exploit such a policy to bypass data charging by implementing a proxy server that manipulates TCP sequence numbers. To mitigate this issue, we also implemented a practical DPI (Deep Packet Inspection) system that can detect such an attack.
Impact: We discovered that Korean operators are more concerned with over-charging than with charging bypass. This is because over-charging can result in penalties from the government. The bug has not been patched so far.
Future Plan: As my research has highlighted, there are still significant design vulnerabilities present in LTE and 5G networks. However, as the 5G design is complete, these design vulnerabilities will likely not be patched. In the coming years, 3GPP will begin preparations for 6G. To ensure that these vulnerabilities are addressed in 6G, it is important to include them in the study items. With my students, I am preparing a document containing all current design vulnerabilities and potential fixes, which should be included in the 6G study items. Additionally, we will continue to research and identify new vulnerabilities and attacks. Finally, we also plan to design fixes for existing vulnerabilities that can be accepted by both 3GPP and GSMA.
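The core of a DPI check for this accounting bypass is to treat a segment as a free retransmission only when it carries the same bytes as the segment first seen for that sequence number; a repeated sequence number with different payload is new data and must be billed. The following is an added example, not the paper's DPI system; the packet records, flow keys and billing counters are constructed for illustration.

```python
# Added example (not from the original page): distinguish genuine TCP
# retransmissions from forged ones that reuse an old sequence number to
# carry new data, the trick behind the accounting bypass described above.
# Packet records are (flow, seq, payload) tuples constructed for illustration.
import hashlib

def _digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

class RetransmissionAuditor:
    """Per flow and per starting sequence number, remember the length and
    digest of the payload first seen. A later segment with the same seq is
    free of charge only if its payload matches; a mismatch is billed and
    reported as a forged retransmission."""

    def __init__(self):
        self.seen = {}          # (flow, seq) -> (payload length, digest)
        self.charged_bytes = 0  # bytes that count against the data plan
        self.free_bytes = 0     # genuine retransmissions, exempt by policy
        self.alerts = []        # (flow, seq) of forged retransmissions

    def observe(self, flow, seq, payload):
        key = (flow, seq)
        if key not in self.seen:
            self.seen[key] = (len(payload), _digest(payload))
            self.charged_bytes += len(payload)
            return "new"
        length, digest = self.seen[key]
        if length == len(payload) and digest == _digest(payload):
            self.free_bytes += len(payload)   # same bytes again: not billed
            return "retransmission"
        self.charged_bytes += len(payload)    # same seq, different data: billed
        self.alerts.append((flow, seq))
        return "forged-retransmission"

# Constructed sample: flow F1 is a normal download with one real retransmission;
# flow F2 replays one sequence number with fresh content on every segment.
F1 = ("10.0.0.2:51000", "203.0.113.5:80")
F2 = ("10.0.0.2:51001", "203.0.113.9:80")
SAMPLE_PACKETS = [
    (F1, 1000, b"A" * 100), (F1, 1100, b"B" * 100), (F1, 1100, b"B" * 100),
    (F1, 1200, b"C" * 50),
    (F2, 5000, b"chunk-0" * 10), (F2, 5000, b"chunk-1" * 10),
    (F2, 5000, b"chunk-2" * 10),
]

def run(packets):
    """Feed packets through one auditor; return it and the per-packet verdicts."""
    auditor = RetransmissionAuditor()
    verdicts = [auditor.observe(*p) for p in packets]
    return auditor, verdicts

if __name__ == "__main__":
    auditor, verdicts = run(SAMPLE_PACKETS)
    print(verdicts)
    print("charged:", auditor.charged_bytes, "free:", auditor.free_bytes,
          "alerts:", auditor.alerts)
```

Real retransmissions can be re-segmented or overlap only partially, so a production DPI must compare on byte ranges rather than on an exact sequence-number match, and must bound the per-flow state it keeps.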