Researchers Find New Vulnerabilities in LTE Networks


Researchers at the Korea Advanced Institute of Science and Technology (KAIST) have identified previously unknown security flaws in LTE mobile networks that could put billions of users at risk. The vulnerabilities, discovered in the core infrastructure responsible for authentication, connectivity, and data transmission, allow attackers to manipulate internal network information remotely.

The team presented their findings at the 32nd ACM Conference on Computer and Communications Security (ACM CCS 2025) in Taipei, where their work received a Distinguished Paper Award. The newly identified vulnerability class, called Context Integrity Violation (CIV), arises when unauthenticated messages can alter network states—a breach of a fundamental security principle.

Most prior research focused on downlink attacks, where networks compromise connected devices. In contrast, this study examined uplink security, exploring how mobile devices could attack the networks themselves. The researchers attributed the issue to gaps in 3GPP standards, which prohibit processing unauthenticated messages but do not fully address scenarios in which messages bypass authentication entirely.
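The principle behind the CIV class is easiest to see in code. The following is an added illustration, not code from the KAIST paper, the CITesting tool or any of the core-network implementations named above: a toy subscriber-context handler with message kinds, field names and area identifiers that are all constructed for the example (they are not 3GPP NAS definitions). The weak handler applies a state-changing uplink message before confirming that the sender ever completed authentication, which is exactly the integrity violation the article describes; the hardened handler refuses such messages and records each refusal so that repeated unauthenticated state-change attempts are visible to monitoring.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UEContext:
    """Per-subscriber state held by the (toy) core network."""
    ue_id: str
    authenticated: bool = False
    location_area: Optional[str] = None


@dataclass
class Message:
    """Uplink message; kinds and fields are hypothetical, chosen for the example."""
    ue_id: str
    kind: str                       # "AUTH_OK" or "LOCATION_UPDATE"
    payload: dict = field(default_factory=dict)
    integrity_protected: bool = False   # True only when sent under the UE's security context


# Message kinds that modify stored subscriber state (hypothetical set).
STATE_CHANGING = {"LOCATION_UPDATE"}


class WeakCore:
    """Mutates subscriber state without checking the sender's security context (CIV)."""

    def __init__(self) -> None:
        self.contexts: Dict[str, UEContext] = {}

    def handle(self, msg: Message) -> str:
        ctx = self.contexts.setdefault(msg.ue_id, UEContext(msg.ue_id))
        if msg.kind == "AUTH_OK":
            # Stands in for the core's own successful authentication result.
            ctx.authenticated = True
        elif msg.kind == "LOCATION_UPDATE":
            # Applied even when the UE never authenticated and the message is unprotected.
            ctx.location_area = msg.payload["area"]
        return "accepted"


class HardenedCore:
    """Applies a state change only under an authenticated, integrity-protected context."""

    def __init__(self) -> None:
        self.contexts: Dict[str, UEContext] = {}
        self.audit: List[str] = []      # refusals, for detection and alerting

    def handle(self, msg: Message) -> str:
        ctx = self.contexts.setdefault(msg.ue_id, UEContext(msg.ue_id))
        if msg.kind == "AUTH_OK":
            ctx.authenticated = True
            return "accepted"
        if msg.kind in STATE_CHANGING:
            if not (ctx.authenticated and msg.integrity_protected):
                self.audit.append(
                    f"CIV_REJECT ue={msg.ue_id} kind={msg.kind} "
                    f"auth={ctx.authenticated} protected={msg.integrity_protected}"
                )
                return "rejected"
            ctx.location_area = msg.payload["area"]
            return "accepted"
        self.audit.append(f"UNKNOWN_KIND ue={msg.ue_id} kind={msg.kind}")
        return "rejected"


def run_scenario(core) -> List[str]:
    """Feed one constructed uplink sequence to a core and return its verdicts."""
    msgs = [
        # Arrives before any authentication for ue-1.
        Message("ue-1", "LOCATION_UPDATE", {"area": "AREA-42"}),
        Message("ue-1", "AUTH_OK"),
        # Legitimate update under the established context.
        Message("ue-1", "LOCATION_UPDATE", {"area": "AREA-7"}, integrity_protected=True),
        # ue-2 never authenticates at all.
        Message("ue-2", "LOCATION_UPDATE", {"area": "AREA-99"}),
    ]
    return [core.handle(m) for m in msgs]


if __name__ == "__main__":
    weak, hard = WeakCore(), HardenedCore()
    print("weak:", run_scenario(weak), weak.contexts["ue-2"].location_area)
    print("hard:", run_scenario(hard), hard.contexts["ue-2"].location_area)
    print("\n".join(hard.audit))
```

Running the same sequence through both cores shows the difference the paper draws: the weak core lets an unauthenticated subscriber write a location area into the network's state, while the hardened core keeps that state untouched and leaves an audit trail of the rejected attempts. The check is deliberately on the stored context, not on the message alone; a message that "bypasses authentication entirely" carries no authentication failure to detect, so only the context can reveal that it should not be acted on.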

According to TechXplore, to detect these vulnerabilities, the team developed CITesting, a new tool capable of running thousands of test cases, far exceeding previous tools like LTEFuzz. Using this system, they analysed four major LTE core network implementations and found CIV vulnerabilities across all of them:

  • Open5GS: 2,354 detections, 29 unique vulnerabilities
  • srsRAN: 2,604 detections, 22 unique vulnerabilities
  • Amarisoft: 672 detections, 16 unique vulnerabilities
  • Nokia: 2,523 detections, 59 unique vulnerabilities

Demonstrated attack scenarios included denial-of-service by corrupting network data, exposure of user identification numbers (IMSI) in plaintext, and location tracking. These attacks can be executed remotely through legitimate base stations, potentially affecting anyone within the same network coverage area.

Following disclosure, Amarisoft released patches and Open5GS incorporated fixes into its official repository, while Nokia declined to patch, citing compliance with existing standards.

The researchers emphasized that uplink security has historically received less attention, leaving core networks vulnerable. The team plans to expand testing to 5G and private 5G networks, where similar vulnerabilities could threaten industrial, corporate, and critical infrastructure systems.

The findings highlight the ongoing challenge of protecting mobile networks as they remain a central component of global communication infrastructure, and stress the need for updated security standards to address emerging threats.