Critical security flaws uncovered in global mobile networks
In an era where cyber attacks on major telecommunications providers have highlighted the fragility of mobile security, researchers at the Korea Advanced Institute of Science and Technology (KAIST) have identified a class of previously unknown vulnerabilities that could allow remote attackers to compromise cellular networks serving billions of users worldwide.
The research team, led by Professor Yongdae Kim, discovered that unauthorised attackers could remotely manipulate internal user information in LTE core networks — the central infrastructure that manages authentication, internet connectivity and data transmission for mobile devices and IoT equipment. Their findings, presented at the 32nd ACM Conference on Computer and Communications Security in Taiwan, earned the team a Distinguished Paper Award.
The vulnerability class, which the researchers termed a ‘context integrity violation’ (CIV), represents a fundamental breach of a basic security principle: unauthenticated messages should not alter internal system states. While previous security research has primarily focused on ‘downlink’ attacks — where networks compromise devices — this study examined the less-scrutinised ‘uplink’ security, where devices can attack core networks.
“The problem stems from gaps in the 3GPP standards,” Kim explained, referring to the international body that establishes operational rules for mobile networks. “While the standards prohibit processing messages that fail authentication, they lack clear guidance on handling messages that bypass authentication procedures entirely.”
The team developed CITesting, understood to be the world’s first systematic tool for detecting these vulnerabilities, capable of examining between 2802 and 4626 test cases — a vast expansion from the 31 cases covered by the only previous comparable research tool, LTEFuzz. Testing four major LTE core network implementations — both open-source and commercial systems — revealed that all contained CIV vulnerabilities, with the results as follows:
- Open5GS: 2354 detections, 29 unique vulnerabilities
- srsRAN: 2604 detections, 22 unique vulnerabilities
- Amarisoft: 672 detections, 16 unique vulnerabilities
- Nokia: 2523 detections, 59 unique vulnerabilities
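The principle behind the CIV class can be shown with a small state-comparison check. The following is an added illustration, not CITesting and not code from the researchers or any vendor: it models a core node that rejects messages failing authentication but still processes messages carrying no protection at all, next to a hardened variant. The message kinds, context fields and IMSI are constructed for the example.

```python
import copy
from dataclasses import dataclass

VICTIM = "001010000000001"  # constructed IMSI, not a real subscriber
KINDS = ["detach", "reattach", "status"]  # hypothetical message kinds

@dataclass
class UEContext:
    state: str = "REGISTERED"
    security: str = "active"

@dataclass
class Message:
    kind: str
    imsi: str
    protection: str  # "valid", "invalid" (check failed) or "none" (no check applied)

class ToyCore:
    """Toy model of a core node holding per-subscriber context."""
    def __init__(self, strict):
        self.strict = strict
        self.contexts = {VICTIM: UEContext()}

    def handle(self, msg):
        ctx = self.contexts.get(msg.imsi)
        if ctx is None or msg.protection == "invalid":
            return  # both variants reject messages that fail authentication
        if self.strict and msg.protection != "valid":
            return  # hardened: unprotected messages never reach stored context
        if msg.kind == "detach":
            ctx.state = "DEREGISTERED"
        elif msg.kind == "reattach":
            ctx.state, ctx.security = "REGISTERING", "cleared"

def find_violations(strict, protection="none"):
    """Send each kind to a fresh core; report kinds that changed stored context."""
    violations = []
    for kind in KINDS:
        core = ToyCore(strict)
        before = copy.deepcopy(core.contexts)
        core.handle(Message(kind, VICTIM, protection))
        if core.contexts != before:
            violations.append(kind)
    return violations

if __name__ == "__main__":
    print("lax core:   ", find_violations(strict=False))
    print("strict core:", find_violations(strict=True))
```

The check is a before/after comparison of stored context: any unprotected message that changes it is flagged, which is the invariant the hardened variant enforces.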
The research team demonstrated three critical attack scenarios: denial of service by corrupting network information to block reconnection; IMSI exposure by forcing devices to retransmit user identification numbers in plaintext; and location tracking by capturing signals during reconnection attempts. Unlike traditional attacks requiring fake base stations or signal interference near victims, these attacks work remotely through legitimate base stations, affecting anyone within the same MME (Mobility Management Entity) coverage area as the attacker — potentially spanning entire metropolitan regions.
“Uplink security has been relatively neglected due to testing difficulties, implementation diversity and regulatory constraints,” Kim said. “Context integrity violations can pose serious security risks.”
Following responsible disclosure protocols, the research team notified affected vendors. They say that Amarisoft deployed patches, while Open5GS integrated the team’s fixes into its official repository. Nokia apparently stated that it would not issue patches, asserting compliance with 3GPP standards and declining to comment on whether telecommunications companies currently use the affected equipment.
The research team now plans to extend their validation to 5G and private 5G environments, where it could prove particularly critical for industrial and infrastructure networks — environments where breaches could have consequences ranging from communication disruption to exposure of sensitive military or corporate data. Their discovery thus underscores the ongoing challenge of securing systems designed in an era where sophisticated cyber attacks were barely conceivable — and the urgent need for updated standards to address them.
