This repo collects academic papers, open source projects, conference talks, frameworks, and tools related to research on cellular security and privacy.
- Baseband Analysis
- Vulnerability Discovery / Analysis
- Defense
- O-RAN Related
- Core Network Security
- Network Slicing Security
- Survey
- Open Source Projects / Frameworks / Tools
- Testbeds
- Open Dataset
## Baseband Analysis

- awesome-baseband-research: Nice summary of research works in baseband firmware RE.
- Shannon (SAMSUNG) baseband reverse engineering
- Huawei baseband exploit (BH 18)
- How to design a baseband debugger (Samsung Shannon)
- Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks (USENIX WOOT 12)
- BASESPEC: Comparative Analysis of Baseband Software and Cellular Specifications for L3 Protocols (NDSS 21)
- BASECOMP: A Comparative Analysis for Integrity Protection in Cellular Baseband Software (USENIX Security 23)
- Semantic-Enhanced Static Vulnerability Detection in Baseband Firmware (ICSE 24)
- Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands (USENIX Security 24)
- BaseMirror: Automatic Reverse Engineering of Baseband Commands from Android's Radio Interface Layer (CCS 24)
- Emulating Samsung’s Baseband for Security Testing
- BaseSAFE: Baseband SAnitized Fuzzing through Emulation (WiSec 20)
- FIRMWIRE: Transparent Dynamic Analysis for Cellular Baseband Firmware (NDSS 22)

## Vulnerability Discovery / Analysis

- Formal Analysis of Access Control Mechanism of 5G Core Network (CCS 23)
- Provable Non-Frameability for 5G Lawful Interception (WiSec 23)
- LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE (NDSS 18)
- Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion (NDSS 19)
- A Formal Analysis of 5G Authentication (CCS 18)
- Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane (IEEE S&P 19)
- ProChecker: An Automated Security and Privacy Analysis Framework for 4G LTE Protocol Implementations (ICDCS 21)
- DoLTEst: In-depth Downlink Negative Testing Framework for LTE Devices (USENIX Sec 22)
- Putting LTE Security Functions to the Test: A Framework to Evaluate Implementation Correctness (WOOT 16)
- UE Security Reloaded: Developing a 5G Standalone User-Side Security Testing Framework (WiSec 23)
- Towards Automated Fuzzing of 4G/5G Protocol Implementations Over the Air
- An Experimental Testbed for 5G Network Security Assessment
- VET5G: A Virtual End-to-End Testbed for 5G Network Security Experimentation (CSET 22)
- An Automated Vulnerability Detection Method for the 5G RRC Protocol Based on Fuzzing
- 5Greplay: a 5G Network Traffic Fuzzer - Application to Attack Injection
- ASTRA-5G: Automated Over-the-Air Security Testing and Research Architecture for 5G SA Devices (WiSec 24)
- RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces (CCS 24)
- Bookworm Game: Automatic Discovery of LTE Vulnerabilities Through Documentation Analysis (IEEE S&P 21)
- Seeing the Forest for the Trees: Understanding Security Hazards in the 3GPP Ecosystem through Intelligent Analysis on Change Requests (USENIX Security 22)
- Sherlock on Specs: Building LTE Conformance Tests through Automated Reasoning (USENIX Security 23)
- Instructions Unclear: Undefined Behaviour in Cellular Network Specifications (USENIX Security 23)
- Hermes: Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications (USENIX Security 24)
- CellularLint: A Systematic Approach to Identify Inconsistent Behavior in Cellular Network Specifications (USENIX Security 24)
- Breaking LTE on Layer Two (IEEE S&P 19)
- IMP4GT: IMPersonation Attacks in 4G NeTworks (NDSS 20)
- LTE PHY Layer Vulnerability Analysis and Testing Using Open-Source SDR Tools (MILCOM 17)
- On the Criticality of Integrity Protection in 5G Fronthaul Networks (USENIX Security 24)
- Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE (USENIX Sec 19)
- AdaptOver: Adaptive Overshadowing Attacks in Cellular Networks (MobiCom 21)
- LTRACK: Stealthy Tracking of Mobile Phones in LTE (USENIX Sec 22)
- SigUnder: a stealthy 5G low power attack and defenses (WiSec 21)
- Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE (USENIX Sec 20)
- From 5G Sniffing to Harvesting Leakages of Privacy-Preserving Messengers (IEEE S&P 23)
- LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper (WiSec 23)
- New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks (CCS 16)
- Ghost Telephonist Impersonates You: Vulnerability In 4G LTE CS Fallback (CNS 17)
- Ghost Calls from Operational 4G Call Systems: IMS Vulnerability, Call DoS Attack, and Countermeasure (MobiCom 20)
- This is Your President Speaking: Spoofing Alerts in 4G LTE Networks (MobiSys 19)
- LTE Security Disabled: Misconfiguration in Commercial Networks (WiSec 19)
- You have been warned: Abusing 5G’s Warning and Emergency Systems (ACSAC 22)
- 5G SUCI-Catchers: Still catching them all? (WiSec 21)
- GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier (NDSS 18)
- Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems (NDSS 16)
- Don’t hand it Over: Vulnerabilities in the Handover Procedure of Cellular Telecommunications (ACSAC 21)
- Watching the Watchers: Practical Video Identification Attack in LTE Networks (USENIX Sec 22)
- Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information (NDSS 19)
- SecureSIM: Rethinking Authentication and Access Control for SIM/eSIM (MobiCom 21)
- SIMurai: Slicing Through the Complexity of SIM Card Security Research (USENIX Security 24)
- Data-Plane Signaling in Cellular IoT: Attacks and Defense (MobiCom 21)
- Breaking Cellular IoT with Forged Data-plane Signaling: Attacks and Countermeasure (MobiCom 21)
- Preventing SIM Box Fraud Using Device Model Fingerprinting (NDSS 23)
- Targeted Privacy Attacks by Fingerprinting Mobile Apps in LTE Radio Layer (DSN 23)
- New vulnerabilities in 4G and 5G cellular access network protocols: exposing device capabilities (WiSec 19)
- Never Let Me Down Again: Bidding-Down Attacks and Mitigations in 5G and 4G (WiSec 23)
- Modeling and Generating Control-Plane Traffic for Cellular Networks (IMC 23)
- Demystifying the Presence of Cellular Network Attacks and Misbehaviors (IMC 23)
- BigMac 🍔: Performance Overhead of User Plane Integrity Protection in 5G Networks (WiSec 23)
- European 5G Security in the Wild: Reality versus Expectations (WiSec 23)
- MOBILEATLAS: Geographically Decoupled Measurements in Cellular Networks for Security and Privacy Research (USENIX Security 23)
- Characterizing and Modeling Control-Plane Traffic for Mobile Core Network
- Measuring the Deployment of 5G Security Enhancement (WiSec 22)
- Demystifying Privacy in 5G Stand Alone Networks (MobiCom 24)
- The Dark Side of Scale: Insecurity of Direct-to-Cell Satellite Mega-Constellations (IEEE S&P 24)

## Defense

- Look Before You Leap: Secure Connection Bootstrapping for 5G Networks to Defend Against Fake Base-Stations (AsiaCCS 21)
- A Vulnerability in 5G Authentication Protocols and Its Countermeasure
- Privacy-Preserving and Standard-Compatible AKA Protocol for 5G (USENIX Sec 21)
- Insecure Connection Bootstrapping in Cellular Networks: The Root of All Evil (WiSec 19)
- BARON: Base-Station Authentication Through Core Network for Mobility Management in 5G Networks (WiSec 23)
- Fixing Insecure Cellular System Information Broadcasts For Good (RAID 24)
- Thwarting Smartphone SMS Attacks at the Radio Interface Layer (NDSS 23)
- PHOENIX: Device-Centric Cellular Network Protocol Monitoring using Runtime Verification (NDSS 21)
- CellDAM: User-Space, Rootless Detection and Mitigation for 5G Data Plane (NSDI 23)
- Murat: Multi-RAT False Base Station Detector
- FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild (NDSS 17)
- Lies in the Air: Characterizing Fake-base-station Spam Ecosystem in China (CCS 20)
- FBSleuth: Fake Base Station Forensics via Radio Frequency Fingerprinting (AsiaCCS 18)
- SeaGlass: Enabling City-Wide IMSI-Catcher Detection
- IMSI-Catch Me If You Can: IMSI-Catcher-Catchers (ACSAC 14)

## O-RAN Related

- 5G-Spector: An O-RAN Compliant Layer-3 Cellular Attack Detection Service (NDSS 24)
- Developing xApps for Rogue Base Station Detection in SDR-Enabled O-RAN (INFOCOM WKSHPS 23)
- A Fine-Grained Telemetry Stream for Security Services in 5G Open Radio Access Networks (EmergingWireless 22)
- Det-RAN: Data-Driven Cross-Layer Real-Time Attack Detection in 5G Open RANs (INFOCOM 24)
- AI Testing Framework for Next-G O-RAN Networks: Requirements, Design, and Research Opportunities
- Taking 5G RAN Analytics and Control to a New Level (MobiCom 23)
- dApps: Distributed Applications for Real-time Inference and Control in O-RAN
- DeepBeam: Deep Waveform Learning for Coordination-Free Beam Management in mmWave Networks
- Intelligence and Learning in O-RAN for Data-Driven NextG Cellular Networks
- Understanding O-RAN: Architecture, Interfaces, Algorithms, Security, and Research Challenges
- Securing 5G OpenRAN with a Scalable Authorization Framework for xApps
- FlexRAN: A Flexible and Programmable Platform for Software-Defined Radio Access Networks
- FlexRIC: An SDK for Next-Generation SD-RANs
- Security Testing The O-RAN Near-Real Time RIC & A1 Interface (WiSec 24)

## Core Network Security

- Evaluating the Security Posture of 5G Networks by Combining State Auditing and Event Monitoring (ESORICS 23)
- A Systematic Analysis of 5G Networks With a Focus on 5G Core Security
- Device-centric detection and mitigation of diameter signaling attacks against mobile core
- On the Challenges of Automata Reconstruction in LTE Networks
- 5GAC-Analyzer: Identifying Over-Privilege Between 5G Core Network Functions (WiSec 24)
- Performance Evaluation of Transport Layer Security in the 5G Core Control Plane (WiSec 24)
- Towards Shielding 5G Control Plane Functions (DSN 24)

## Network Slicing Security

- Slicure5G: Secure Slicing for 5G
- SliceSecure: Impact and Detection of DoS/DDoS Attacks on 5G Network Slices
- Secure5G: A Deep Learning Framework Towards a Secure Network Slicing in 5G and Beyond

## Survey

- 5G core network security issues and attack classification from network protocol perspective
- 5G Security and Privacy – A Research Roadmap
- Improving 4G/5G air interface security: A survey of existing attacks on different LTE layers

## Open Source Projects / Frameworks / Tools

- 5Ghoul - 5G NR Attacks & 5G OTA Fuzzing⚡

## Testbeds

- Colosseum: Large-Scale Wireless Experimentation Through Hardware-in-the-Loop Network Emulation
- Powder (the Platform for Open Wireless Data-driven Experimental Research)

## Open Dataset

- Beyond Throughput, The Next Generation: a 5G Dataset with Channel and Context Metrics
- SPEC5G: A Dataset for 5G Cellular Network Protocol Analysis
- 5G-NIDD: A Comprehensive Network Intrusion Detection Dataset Generated over 5G Wireless Network
- 5GAD-2022: 5G attack detection dataset
- 5G Traffic Generation for Practical Simulations Using Open Datasets
- 5GC PFCP Intrusion Detection Dataset
- TSpec-LLM: An Open-source Dataset for LLM Understanding of 3GPP Specifications
- ORAN-Bench-13K: An Open Source Benchmark for Assessing LLMs in Open Radio Access Networks