Cellular-Security-Papers

This repo collects academic papers / open source projects / conference talks / frameworks / tools related to the research of cellular security and privacy.

Table of Contents

Baseband Analysis

Baseband Reverse Engineering

awesome-baseband-research Nice summary of research works in baseband firmware RE.

Shannon (SAMSUNG) baseband reverse engineering

MediaTec-baseband-LTE-RE

Huawei baseband exploit (BH 18)

How to design a baseband debugger (Samsung Shannon)

Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks (USENIX WOOT 12)

BASESPEC: Comparative Analysis of Baseband Software and Cellular Specifications for L3 Protocols (NDSS 21)

BASECOMP: A Comparative Analysis for Integrity Protection in Cellular Baseband Software (USENIX Security 23)

Semantic-Enhanced Static Vulnerability Detection in Baseband Firmware (ICSE 24)

Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands (USENIX Security 24)

BaseMirror: Automatic Reverse Engineering of Baseband Commands from Android's Radio Interface Layer (CCS 24)

Emulation and fuzzing

Emulating Samsung’s Baseband for Security Testing

BaseSAFE: Baseband SAnitized Fuzzing through Emulation (WiSec 20)

FIRMWIRE: Transparent Dynamic Analysis for Cellular Baseband Firmware (NDSS 22)

Vulnerability Discovery / Analysis

Formal verification

Formal Analysis of Access Control Mechanism of 5G Core Network (CCS 23)

Provable Non-Frameability for 5G Lawful Interception (WiSec 23)

LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE (NDSS 18)

Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion (NDSS 19)

5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol (CCS 19)

A Formal Analysis of 5G Authentication (CCS 18)

Fuzzing & Testing

Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane (IEEE S&P 19)

ProChecker: An Automated Security and Privacy Analysis Framework for 4G LTE Protocol Implementations (ICDCS 21)

Noncompliance as Deviant Behavior: An Automated Black-box Noncompliance Checker for 4G LTE Cellular Devices (CCS 21)

DoLTEst: In-depth Downlink Negative Testing Framework for LTE Devices (USENIX Security 22)

Putting LTE Security Functions to the Test: A Framework to Evaluate Implementation Correctness (WOOT 16)

UE Security Reloaded: Developing a 5G Standalone User-Side Security Testing Framework (WiSec 23)

SecChecker: Inspecting the security implementation of 5G Commercial Off-The-Shelf (COTS) mobile devices

Towards Automated Fuzzing of 4G/5G Protocol Implementations Over the Air

An Experimental Testbed for 5G Network Security Assessment

VET5G: A Virtual End-to-End Testbed for 5G Network Security Experimentation (CSET 22)

An Automated Vulnerability Detection Method for the 5G RRC Protocol Based on Fuzzing

5Greplay: a 5G Network Traffic Fuzzer - Application to Attack Injection

ASTRA-5G: Automated Over-the-Air Security Testing and Research Architecture for 5G SA Devices (WiSec 24)

RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces (CCS 24)

Specification analysis

Bookworm Game: Automatic Discovery of LTE Vulnerabilities Through Documentation Analysis (IEEE S&P 21)

Seeing the Forest for the Trees: Understanding Security Hazards in the 3GPP Ecosystem through Intelligent Analysis on Change Requests (USENIX Security 22)

Sherlock on Specs: Building LTE Conformance Tests through Automated Reasoning (USENIX Security 23)

Instructions Unclear: Undefined Behaviour in Cellular Network Specifications (USENIX Security 23)

Hermes: Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications (USENIX Security 24)

CellularLint: A Systematic Approach to Identify Inconsistent Behavior in Cellular Network Specifications (USENIX Security 24)

Lower Layer attacks

Breaking LTE on Layer Two (IEEE S&P 19)

IMP4GT: IMPersonation Attacks in 4G NeTworks (NDSS 20)

LTE PHY Layer Vulnerability Analysis and Testing Using Open-Source SDR Tools (MilCom 17)

On the Criticality of Integrity Protection in 5G Fronthaul Networks (USENIX Security 24)

Overshadowing attacks

Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE (USENIX Security 19)

AdaptOver: Adaptive Overshadowing Attacks in Cellular Networks (MobiCom 21)

LTRACK: Stealthy Tracking of Mobile Phones in LTE (USENIX Security 22)

SigUnder: a stealthy 5G low power attack and defenses (WiSec 21)

Eavesdropping

Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE (USENIX Security 20)

From 5G Sniffing to Harvesting Leakages of Privacy-Preserving Messengers (IEEE S&P 23)

LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper (WiSec 23)

SMS attacks

New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks (CCS 16)

Spoofing

Ghost Telephonist Impersonates You: Vulnerability In 4G LTE CS Fallback (CNS 17)

Ghost Calls from Operational 4G Call Systems: IMS Vulnerability, Call DoS Attack, and Countermeasure (MobiCom 20)

This is Your President Speaking: Spoofing Alerts in 4G LTE Networks (MobiSys 19)

LTE Security Disabled—Misconfiguration in Commercial Networks (WiSec 19)

You have been warned: Abusing 5G’s Warning and Emergency Systems (ACSAC 22)

Tracking

5G SUCI-Catchers: Still catching them all? (WiSec 21)

GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier (NDSS 18)

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems (NDSS 16)

Handover attacks

Don’t hand it Over: Vulnerabilities in the Handover Procedure of Cellular Telecommunications (ACSAC 21)

Side-channel attacks

Watching the Watchers: Practical Video Identification Attack in LTE Networks (USENIX Security 22)

Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information (NDSS 19)

SIM Security

SecureSIM: Rethinking Authentication and Access Control for SIM/eSIM (MobiCom 21)

SIMurai: Slicing Through the Complexity of SIM Card Security Research (USENIX Security 24)

Data-plane attack

Data-Plane Signaling in Cellular IoT: Attacks and Defense (MobiCom 21)

Breaking Cellular IoT with Forged Data-plane Signaling: Attacks and Countermeasure (MobiCom 21)

Fingerprinting

Preventing SIM Box Fraud Using Device Model Fingerprinting (NDSS 23)

Targeted Privacy Attacks by Fingerprinting Mobile Apps in LTE Radio Layer (DSN 23)

Show Me Your Attach Request and I’ll Tell You Who You Are: Practical Fingerprinting Attacks in 4G and 5G Mobile Networks (DSC 23)

New vulnerabilities in 4G and 5G cellular access network protocols: exposing device capabilities (WiSec 19)

Downgrade

Never Let Me Down Again: Bidding-Down Attacks and Mitigations in 5G and 4G (WiSec 23)

Measurement

Modeling and Generating Control-Plane Traffic for Cellular Networks (IMC 23)

Demystifying the Presence of Cellular Network Attacks and Misbehaviors (IMC 23)

BigMac 🍔 Performance Overhead of User Plane Integrity Protection in 5G Networks (WiSec 23)

European 5G Security in the Wild: Reality versus Expectations (WiSec 23)

MOBILEATLAS: Geographically Decoupled Measurements in Cellular Networks for Security and Privacy Research (USENIX Security 23)

Characterizing and Modeling Control-Plane Traffic for Mobile Core Network

Measuring the Deployment of 5G Security Enhancement (WiSec 22)

Uncovering Security Vulnerabilities in Real-world Implementation and Deployment of 5G Messaging Services (WiSec 24)

Demystifying Privacy in 5G Stand Alone Networks (MobiCom 24)

Satellite Networks

The Dark Side of Scale: Insecurity of Direct-to-Cell Satellite Mega-Constellations (IEEE S&P 24)

Defense

Protocol Modification

Look Before You Leap: Secure Connection Bootstrapping for 5G Networks to Defend Against Fake Base-Stations (ASIACCS 21)

A Vulnerability in 5G Authentication Protocols and Its Countermeasure

Privacy-Preserving and Standard-Compatible AKA Protocol for 5G (USENIX Security 21)

Insecure Connection Bootstrapping in Cellular Networks: The Root of All Evil (WiSec 19)

BARON: Base-Station Authentication Through Core Network for Mobility Management in 5G Networks (WiSec 23)

Fixing Insecure Cellular System Information Broadcasts For Good (RAID 24)

Defense in UE

Thwarting Smartphone SMS Attacks at the Radio Interface Layer (NDSS 23)

PHOENIX: Device-Centric Cellular Network Protocol Monitoring using Runtime Verification (NDSS 21)

CellDAM: User-Space, Rootless Detection and Mitigation for 5G Data Plane (NSDI 23)

Fake Base Station Detection

Murat: Multi-RAT False Base Station Detector

FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild (NDSS 17)

Lies in the Air: Characterizing Fake-base-station Spam Ecosystem in China (CCS 20)

FBSleuth: Fake Base Station Forensics via Radio Frequency Fingerprinting (AsiaCCS 18)

SeaGlass: Enabling City-Wide IMSI-Catcher Detection

IMSI-Catch Me If You Can: IMSI-Catcher-Catchers (ACSAC 14)

Catch You Cause I Can: Busting Rogue Base Stations using CellGuard and the Apple Cell Location Database (RAID 24)

Defense on O-RAN

5G-Spector: An O-RAN Compliant Layer-3 Cellular Attack Detection Service (NDSS 24)

Developing xApps for Rogue Base Station Detection in SDR-Enabled O-RAN (INFOCOM WKSHPS 23)

A Fine-Grained Telemetry Stream for Security Services in 5G Open Radio Access Networks (EmergingWireless 22)

Det-RAN: Data-Driven Cross-Layer Real-Time Attack Detection in 5G Open RANs (INFOCOM 24)

O-RAN related

AI Testing Framework for Next-G O-RAN Networks: Requirements, Design, and Research Opportunities

Taking 5G RAN Analytics and Control to a New Level (MobiCom 23)

dApps: Distributed Applications for Real-time Inference and Control in O-RAN

DeepBeam: Deep Waveform Learning for Coordination-Free Beam Management in mmWave Networks

Intelligence and Learning in O-RAN for Data-Driven NextG Cellular Networks

ColO-RAN: Developing Machine Learning-based xApps for Open RAN Closed-loop Control on Programmable Experimental Platforms

Understanding O-RAN: Architecture, Interfaces, Algorithms, Security, and Research Challenges

Securing 5G OpenRAN with a Scalable Authorization Framework for xApps

Programmable and Customized Intelligence for Traffic Steering in 5G Networks Using Open RAN Architectures

FlexRAN: A Flexible and Programmable Platform for Software-Defined Radio Access Networks

FlexRIC: An SDK for Next-Generation SD-RANs

Security Testing The O-RAN Near-Real Time RIC & A1 Interface (WiSec 24)

System-level Analysis of Adversarial Attacks and Defenses on Intelligence in O-RAN based Cellular Networks (WiSec 24)

Core Network Security

Evaluating the Security Posture of 5G Networks by Combining State Auditing and Event Monitoring (ESORICS 23)

A Systematic Analysis of 5G Networks With a Focus on 5G Core Security

Device-centric detection and mitigation of diameter signaling attacks against mobile core

On the Challenges of Automata Reconstruction in LTE Networks

5GAC-Analyzer: Identifying Over-Privilege Between 5G Core Network Functions (WiSec 24)

PROV5GC: Hardening 5G Core Network Security with Attack Detection and Attribution Based on Provenance Graphs (WiSec 24)

Performance Evaluation of Transport Layer Security in the 5G Core Control Plane (WiSec 24)

Towards Shielding 5G Control Plane Functions (DSN 24)

Network Slicing Security

Slicure5G: Secure Slicing for 5G

SliceSecure: Impact and Detection of DoS/DDoS Attacks on 5G Network Slices

Secure5G: A Deep Learning Framework Towards a Secure Network Slicing in 5G and Beyond

DeepSecure: Detection of distributed denial of service attacks on 5G network slicing—Deep learning approach

Survey

5G core network security issues and attack classification from network protocol perspective

5G Security and Privacy – A Research Roadmap

Improving 4G/5G air interface security: A survey of existing attacks on different LTE layers

Open Source Projects / Frameworks / Tools

RAN

srsRAN

openairinterface5g

UERANSIM

YateBTS

Core

Open5GS

Free5gc

OAI 5GC

O-RAN RIC / xApps / rApps

O-RAN SC

SDRAN-in-a-Box (RiaB)

FlexRIC

Open AI Cellular

Misc

Awesome-Cellular-Hacking

awesome-5g

5Ghoul - 5G NR Attacks & 5G OTA Fuzzing⚡

Testbeds

Colosseum

Colosseum: Large-Scale Wireless Experimentation Through Hardware-in-the-Loop Network Emulation

Powder (the Platform for Open Wireless Data-driven Experimental Research)

Open Dataset

5G Traffic Datasets

Beyond Throughput, The Next Generation: a 5G Dataset with Channel and Context Metrics

SPEC5G: A Dataset for 5G Cellular Network Protocol Analysis

OpenRAN Gym

5G-NIDD: A Comprehensive Network Intrusion Detection Dataset Generated over 5G Wireless Network

OpenCellid

MobileInsight

5GAD-2022 5G attack detection dataset

5G Traffic Generation for Practical Simulations Using Open Datasets

5GC PFCP Intrusion Detection Dataset

TSpec-LLM: An Open-source Dataset for LLM Understanding of 3GPP Specifications

ORAN-Bench-13K: An Open Source Benchmark for Assessing LLMs in Open Radio Access Networks