Communication Technology

Security In Cellular Communication

In any information technology there has always been some risk of attack. Until recently (perhaps even until now), though, cellular communication was regarded as relatively hard to attack, and many people considered it practically impossible. I don't think that is the case any more, and it is time to start taking security in cellular communication seriously.

In short, I can think of several possible points of security vulnerability (i.e., points of attack). There are surely others that I have missed, and more will appear over time.

Possible Points of Attacks

For most people, point (A) (attack via a mobile phone app) is the most widely known type. Strictly speaking, though, this type of attack is not a security issue of cellular communication itself unless the app attacks the modem chipset or the mobile radio protocol. It is the conventional type of attack that we hear about for other platforms such as PCs.

Another relatively well-known type is point (D). A jammer can be used for a legitimate purpose (e.g., blocking cellular communication in a workshop hall), but it is a serious attack tool when it is used to block service, and in some cases it can even damage the hardware of the system directly.

When I talk about "Security in cellular communication", I focus mainly on points (B), (C) and (D). These are the main topics of this note.

Here’s a brief description of each attack point in cellular security as illustrated above

(A) Hacking App: This involves using software tools installed on a mobile device to exploit vulnerabilities in the cellular network. The app can intercept data, manipulate network behavior, or perform man-in-the-middle attacks.

(B) Fake Base Station: Also known as an IMSI catcher or Stingray, this device mimics a legitimate base station to trick nearby mobile phones into connecting to it. This allows the attacker to intercept calls, text messages, or gather device information.

(C) Sniffer: A sniffer captures cellular traffic between devices and base stations. This passive attack tool can be used to monitor and analyze communication, attempting to decode messages or track users without their knowledge.

(D) Jammer: A jammer emits radio signals to disrupt communication between mobile phones and legitimate base stations. This can cause a denial of service, preventing users from making calls, sending texts, or accessing data services.

(E) Fake Mobile Phone: An attacker may use a fake or modified mobile phone to exploit vulnerabilities in network protocols or services. This can be used for impersonating a legitimate user or testing network defenses.

(F) USIM Attack: This involves targeting the User SIM card (USIM) of a mobile phone, often through over-the-air (OTA) updates or malicious SIM cards. It aims to gain unauthorized access to SIM data or manipulate SIM-based authentication processes.

(G) Injector: This attack injects malicious or spoofed signals into the radio link (e.g., into a specific PHY subframe). By crafting signals that appear legitimate, the attacker can manipulate or disrupt normal network operations, trigger unauthorized actions on devices, or facilitate further exploits (e.g., man-in-the-middle attacks). The injected signals may impersonate valid network messages, overwhelm devices, or force them into vulnerable states, thereby enabling deeper compromise of the cellular ecosystem.

Why didn't we worry much about cellular security?

For some reason, cellular communication (at least from 3G onward) has been perceived as almost perfectly secure against any type of attack. I don't know exactly what the reasoning behind this perception is, but I personally can think of a few reasons:

  • The security mechanisms in cellular communication are robust by design. Several different protection mechanisms run at multiple layers by default (e.g., authentication, integrity protection and ciphering). I am not an expert who can technically verify that these mechanisms are stronger by design than those of other systems.
  • The security keys and parameters (e.g., K, OPc, AMF) are not managed by the individual user. Even the user does not know the values stored on their own device. They are stored in the USIM card and in the database on the carrier side, and they have a certain complexity by default (you cannot set something like 12345678, your birthday or your phone number as one of these keys :-)).
  • To develop any attack method, attackers need to research and experiment on the target system, but access to such R&D systems has been prohibitively expensive.
  • Relatively few people understand the details of the system well enough to find its weak points.

Why should we worry about this now?

I haven't seen many differences from 3G through 5G in terms of the fundamental security protection algorithms, so why should we now take this issue seriously? What I have seen are changes in the environment, i.e., in the accessibility of the technology. Some of the changes I can think of are as follows.

  • Development of software technology and reduced cost of hardware: there are now many purely software-based implementations of the protocols running on general-purpose hardware (PCs, even very low-cost ones like the Raspberry Pi). Of course, the original motivation of these software implementations on general-purpose equipment was not to attack anything, but history shows that most attacks simply reuse well-intentioned technology for ill purposes.
  • It is also getting harder to guarantee quality assurance in terms of security as more diverse implementations appear, especially implementations in software running on general-purpose hardware. This concern is also raised in Samsung's 6G whitepaper.
  • Number of people who are fluent in the technology: as mentioned above, I think security attacks are mostly an ethical issue rather than a technical one. In the early phase of a technology, when there is no large mass of experts, the ethics of its use are relatively well maintained, but as the technology becomes accessible to a wider range of people it gets harder and harder to keep to the ethics originally intended, and even the definition of those ethics varies with many factors.
  • There are now active discussions on the next-generation cellular system (6G). It is a good time to think about this, from innovating the security protection algorithms themselves to how to deal with the ethical issues using technology.

What to expect in security protection in the next-generation (6G) cellular system?

In this section, I will try to compile various ideas and visions proposed by different sources.

Source : Roadmap to 6G (NextG Alliance)

Following are some security-related suggestions from Samsung's 6G whitepaper.

  • Hardware-based secure environment that provides secure operation of software code and protection of credential
  • Secure-by-design approach to guarantee that any hardware/software can be trusted
  • Transparency to ensure that the system identifies how and when the AI system accesses any code, training data, etc. related to personal information as well as how securely the AI system operates against adversarial machine learning
  • Mechanisms to securely utilize an unprecedented amount of information concerning business and human users and to strictly maintain the privacy of such information

Evolution of Cellular Technology and Coevolution of Attacking Strategy

From the early days of 1G analog systems to the 5G networks of today, each generation of cellular technology has brought significant advances in speed, capacity, and reliability. However, as these technologies have evolved, so too have the strategies of those looking to exploit their vulnerabilities. The coevolution of attacking strategies alongside technological progress presents a dynamic landscape where innovation in security must keep pace with technological breakthroughs. Here, we explore the intertwined journey of cellular technology advancements and the corresponding evolution of attack methodologies, highlighting the challenges and solutions in this ever-changing field.

Here, Norbert Ludant has provided a comprehensive and perceptive review of the evolution of security procedures and counteracting methodologies.

Security Vulnerability and Attacking Strategies along with Generations of Cellular Technology

Initially, cellular communications were not very secure because they were designed with the attacker capabilities at that time in mind. For that reason, 2G did not even have mutual authentication, because they didn't think it would be doable for an attacker to actually create a rogue BS. However, with the proliferation of SDRs and low-cost hardware and software implementations, all this became possible. In fact to this day many attacks rely on downgrading a user to insecure 2G networks, and that is why Android for instance now allows the user to disable 2G. Moreover, if you look at the 5G standard, 5G-AKA now has an Anti-Bidding-down Between Architectures (ABBA) parameter to protect from downgrade attacks. Additionally, for instance in 38.331 Annex B.1, Protection of RRC Messages, I think there are indications that they are trying to protect from some of these downgrade attacks, e.g. "RRCRelease message sent before AS security activation cannot include deprioritisationReq, suspendConfig, redirectedCarrierInfo, cellReselectionPriorities information fields."

In 3G, 3GPP added mutual authentication, making rogue base stations less effective. However, user tracking is still a very important attack, which was possible both in 3G and 4G networks. In fact, law enforcement used this very often, basically by using IMSI catchers (Stingray). In essence, you can just start a rogue eNB with high power, and when users try to connect to your rogue BS, you would capture their IMSI, or if they send TMSI, you would send an Identity Request with type IMSI. There are various other ways of tracking users, researchers also showed that it is possible to localize users by linking TMSI to social media, phone number, etc, by listening to paging messages, for instance through silent SMS/phone calls.

However, in 5G, to fix the issue with user-tracking, the standard added the use of SUCI instead of sending the unprotected IMSI. In this way, it is not possible to implement an IMSI catcher in 5G (except in some corner cases). Additionally, it is now also mandatory to change the TMSI after every paging procedure, which makes paging-procedure user tracking attacks also hard to perform. Other protection mechanisms were also added in 5G such as protection of the initial NAS message, or integrity protection of the user plane. Due to all these changes, the 5G RAN is considered considerably more secure than its predecessor LTE.

Higher layer vs Lower Layer Attack

As mentioned above, there have been significant efforts devoted to enhancing security mechanisms in 5G, and it has become harder and harder to find vulnerabilities in the security protection mechanisms at higher layers (e.g., exploitation of security-related signaling procedures).

Due to this, I think some of the security research may be shifting to study vulnerabilities in devices with low-capabilities (IoT), or unprotected low layers. In general the impact of vulnerabilities scales as you go to higher layers, because there is more persistent or relevant UE-related information being exchanged (e.g. IMSI, encrypted data, etc), however it is also easier to protect with proper security measures. The lower layers are tricky to protect, because there is a strong trade-off between security/privacy/reliability and performance, both in throughput and latency. In general I would say that the lower layers are harder to attack or have a strong impact because everything is less “static”; RRC connections can last for some seconds, which leads to temporary identifiers, whereas higher-layer connections are more persistent. Another aspect of working on the low-layers is that it requires expertise in many tough subjects required for PHY attacks, such as RF knowledge, security, and in-depth understanding of the complicated 3GPP procedures.

As an example of security/performance trade-off, due to the requirements for lower-latency communications, many procedures are being pushed to the lower layers, for instance, the initial 4G release had ~7 MAC CE in the specification, whereas the latest 5G release has more than 50. The MAC headers are sent unprotected, because encryption/integrity protection happens at PDCP, so attackers can sniff/inject control elements at low layers nowadays, which is very important too.

In my research, the increased security at higher layers, and the push for control in the lower layers, motivated me to analyze the security and privacy of the low layers of the 5G protocol stack. Particularly, as the encryption and integrity protection happen at the PDCP layer, we look for information leakages in the layers below, such as PHY/MAC. Moreover, with new use-cases such as URLLC, the reliability of the system becomes a crucial aspect, thus the standards for protection are raised, and attacks such as DoS become more important.

In one of our projects, for instance, we wanted to understand if it is still possible to track users, similarly to IMSI-catching, but in 5G, where all the new security enhancements are in place. To answer that we look at the low layers, at the resource-scheduling happening in the PHY/MAC. We leverage the fact that the RNTI (Radio Network Temporary Identifier) is tied to one RRC Connection, and would remain the same while there is an active connection. Then, we inject a specific traffic pattern, and we look at the resources allocated to all users in a cell; if we are able to identify the pattern, then we would be able to tell if a user is in a certain area or not, and link it to the phone number/other high layer ID that we used to generate the traffic. Moreover, we create a modified Signal app that sends a message with a wrong Message Authentication Code (MAC). In this way, you can send constant data to a Signal app user, without the user receiving any notification, because the messages are discarded upon arrival due to wrong integrity checks. This makes the attack quite stealthy.

In general, I think attacks on the signaling level are more powerful, because they can contain long-term user-specific data (identifiers, location...), or modify the state of the UE. However, by looking at the PHY level, we showed that it is also possible to infer user information and violate the user-privacy and track users, finding alternatives for given attacks, and motivating the protection of low-layer information.

How to attack ?

Don't get me wrong. This is not meant to teach attack tricks so that you can become an attacker. It is meant to illustrate some cases of vulnerability and to motivate you to get interested in how to remove those vulnerabilities by design. I will also try to summarize what I have learned from the various techniques introduced in the sources I have read and from experts I have personal connections with.

Impersonation Attack

I think this is the most well-known type of attack. Basically, a man-in-the-middle sits between the victim UE and the network, relays the authentication, but manipulates the security parameters so that the network applies the lowest level of security (authentication only, with no integrity protection and no ciphering). The attacker can then use the victim UE's access information to occupy the traffic channel.

Source :  LTE security disabled: misconfiguration in commercial networks by Chlosta, Merlin et al.

The procedure is already described in a very readable way in the paper :-), so I am just copying the description from the original paper as it is:

    (1) The benign UE connects to the attacker and sends an Attach Request, containing the IMSI and Security Capabilities.

    (2) The attacker forwards the Attach Request but modifies the supported algorithms to EIA0 and EEA0 only.

    (3) The commercial network starts the AKA with an Authentication Request containing the challenge and network authentication (RAND and AUTN).

    (4) The attacker forwards the Authentication Request to the victim UE.

Note that in case the UE connects with Attach Request but identifies with TMSI, the attacker requests the IMSI with an Identity Request. If the UE connects with Service Request or Tracking Area Update, the attacker denies access with reason Implicitly Detached, forcing the UE to re-attach with Attach Request
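To make the bidding-down step concrete, here is an added example (my own code, not code from the Chlosta et al. paper) that models the algorithm negotiation of the flow above in Python. The EIA/EEA names are the 3GPP TS 33.401 algorithm identifiers; the network priority list, the UE capability set and the `allow_null_integrity` switch that models a misconfigured MME are assumptions of this example.

```python
from dataclasses import dataclass

# Assumed operator configuration: preferred algorithms first. A sane deployment
# never lists EIA0 (null integrity) here except for unauthenticated emergency calls.
NETWORK_PRIORITY = {
    "integrity": ["EIA2", "EIA1", "EIA3"],
    "ciphering": ["EEA2", "EEA1", "EEA3", "EEA0"],
}


@dataclass
class AttachRequest:
    imsi: str
    integrity_caps: list   # UE Security Capabilities as carried in the Attach Request
    ciphering_caps: list


def relay_and_downgrade(req: AttachRequest) -> AttachRequest:
    """Step (2) of the flow: the attacker forwards the Attach Request but rewrites
    the UE Security Capabilities so that only the null algorithms remain."""
    return AttachRequest(req.imsi, ["EIA0"], ["EEA0"])


def mme_select(req: AttachRequest, allow_null_integrity: bool = False,
               emergency: bool = False) -> tuple:
    """Pick the algorithms the MME would put in its NAS Security Mode Command.

    allow_null_integrity=True models the misconfiguration found in the paper:
    the MME accepts EIA0 for an ordinary (non-emergency) attach.
    """
    def pick(kind, caps, extra=()):
        for alg in NETWORK_PRIORITY[kind] + list(extra):
            if alg in caps:
                return alg
        return None

    null_ok = allow_null_integrity or emergency
    eia = pick("integrity", req.integrity_caps, extra=["EIA0"] if null_ok else ())
    eea = pick("ciphering", req.ciphering_caps)
    if eia is None or eea is None:
        raise ValueError("no acceptable algorithm; reject the attach")
    return eia, eea


def ue_accept_security_mode(eia: str, emergency: bool = False) -> bool:
    """UE-side check: with EIA0 the Security Mode Command carries no real MAC, so
    the only defence left to the UE is to refuse EIA0 outside emergency sessions."""
    return eia != "EIA0" or emergency


def run_flow(misconfigured_mme: bool, ue_accepts_null: bool = False) -> str:
    """Run steps (1)-(2) plus the algorithm selection and report the outcome."""
    ue_req = AttachRequest("001010123456789", ["EIA2", "EIA1"], ["EEA2", "EEA1"])
    forwarded = relay_and_downgrade(ue_req)
    try:
        eia, eea = mme_select(forwarded, allow_null_integrity=misconfigured_mme)
    except ValueError:
        return "rejected_by_mme"
    if not (ue_accepts_null or ue_accept_security_mode(eia)):
        return "rejected_by_ue"
    return f"downgraded:{eia}/{eea}"


if __name__ == "__main__":
    print(run_flow(misconfigured_mme=True, ue_accepts_null=True))   # downgraded:EIA0/EEA0
    print(run_flow(misconfigured_mme=True))                         # rejected_by_ue
    print(run_flow(misconfigured_mme=False))                        # rejected_by_mme
```

The point the model makes is that the attack needs two failures at once: an MME that selects EIA0 for a normal attach and a UE that accepts it. Either side refusing null integrity outside emergency sessions stops the downgrade; the replayed-capabilities check in the Security Mode Command does not help here because under EIA0 the attacker can rewrite that message too.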

Resource Depletion Attack

Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim et al

Following is a direct citation from the paper linked above:

The adversary repeatedly performs Random Access and generates RRC Connections in order to increase the number of active RRC Connections as depicted in the diagram shown above. In a normal situation, immediately after the RRC Connection is established, an initial NAS Connection procedure proceeds through either an NAS Attach request or NAS Service request piggybacked on an RRC Connection complete message. In our attack, the adversary sends the NAS Attach request with an arbitrary user IMSI. Unlike the normal procedure, once the adversary receives the NAS Authentication request, it restarts Random Access to establish a new RRC Connection. The reason the adversary does not reply to the NAS Authentication request from the MME is to sustain the established RRC Connection while the MME waits for a valid NAS Authentication response. If the adversary replies with an invalid NAS Authentication response, it causes immediate RRC Connection release. One consideration for the attack to succeed is that the number of newly established RRC Connections has to be greater than the number of existing RRC Connections that are released.
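From the defender's side, the signature of this attack is a growing pile of RRC connections that received an Authentication Request and never answered it. The following added example (my own code, not from the Kim et al. paper) runs that detection logic over a constructed MME event log in Python; the log line format, the T3460 value used as the hold-open window and the alert threshold are assumptions.

```python
import re

# Assumed timer: T3460 is the MME's NAS authentication timer, so a connection with an
# unanswered Authentication Request is held open for roughly this long.
T3460_SECONDS = 6.0
ALERT_THRESHOLD = 3          # half-open connections per cell before alerting (assumed)

# Constructed sample log (not a real trace). rrc=11 and rrc=15 authenticate normally;
# 12, 13 and 14 never answer, which is exactly what the attack above produces.
SAMPLE_LOG = """\
t=0.00 ev=attach_request rrc=11 imsi=001010000000001
t=0.01 ev=auth_request rrc=11
t=0.05 ev=auth_response rrc=11
t=0.10 ev=attach_request rrc=12 imsi=001010000000002
t=0.11 ev=auth_request rrc=12
t=0.20 ev=attach_request rrc=13 imsi=001010000000003
t=0.21 ev=auth_request rrc=13
t=0.30 ev=attach_request rrc=14 imsi=001010000000004
t=0.31 ev=auth_request rrc=14
t=0.40 ev=attach_request rrc=15 imsi=001010000000005
t=0.41 ev=auth_request rrc=15
t=0.90 ev=auth_response rrc=15
"""

LINE_RE = re.compile(
    r"t=(?P<t>[0-9.]+) ev=(?P<ev>\w+) rrc=(?P<rrc>\d+)(?: imsi=(?P<imsi>\d+))?")


def parse_log(text: str) -> list:
    """Parse the assumed line format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"t": float(m["t"]), "ev": m["ev"],
                           "rrc": int(m["rrc"]), "imsi": m["imsi"]})
    return events


def half_open_connections(events: list, now: float,
                          timeout: float = T3460_SECONDS) -> list:
    """RRC connection ids that got an Authentication Request, sent no Authentication
    Response, and are still inside the timer window at time `now`."""
    pending = {}
    for e in events:
        if e["ev"] == "auth_request":
            pending[e["rrc"]] = e["t"]
        elif e["ev"] == "auth_response":
            pending.pop(e["rrc"], None)
    return sorted(rrc for rrc, t in pending.items() if now - t <= timeout)


def depletion_alert(events: list, now: float,
                    threshold: int = ALERT_THRESHOLD) -> bool:
    """Alert when the number of half-open connections reaches the threshold. The
    paper's success condition is that new connections outpace released ones, so this
    count growing across successive windows is the thing to watch."""
    return len(half_open_connections(events, now)) >= threshold


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(half_open_connections(ev, now=1.0), depletion_alert(ev, now=1.0))
```

In a real deployment the same count is available per cell from MME/eNB counters; the useful addition over a plain counter is keying on the authentication timer, so that connections the MME will release anyway are not counted twice across windows.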

Blind DoS Attack

This attack prevents the network from paging the victim UE, or causes a Radio Link Failure, by continuously triggering RRC connections with the victim's S-TMSI.

Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim  et al

For this kind of attack, the attacker must first learn the victim's S-TMSI. How? The following is quoted from the paper linked above.

  • An adversary who has knowledge of the victim's phone number or accounts on social media (such as Facebook and Whatsapp) could obtain the victim's S-TMSI by performing a silent Paging attack.
  • An adversary located in the vicinity of the target user could operate a rogue eNB to obtain the NAS TAU request of the victim UE. This request contains the S-TMSI of the victim UE. As soon as this message is received, the adversary turns off the rogue eNB to enable the victim UE to recover the LTE service by connecting to a carrier network.
  • The adversary sniffs the RRC Connection procedure of the target UE to obtain the S-TMSI of the target UE as specified in the RRC Connection setup
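The third option in the list works because the RRC Connection Request is sent on the CCCH before any security context exists, so its contents are readable by anyone with a receiver. The following added example (my own code, not from the paper) decodes that message in Python. The bit layout follows the UNALIGNED PER encoding of the TS 36.331 ASN.1 for UL-CCCH-Message; the 6-byte sample PDUs and the victim identity are constructed, not captured.

```python
# Establishment causes in TS 36.331 order (3-bit enumerated).
ESTABLISHMENT_CAUSES = [
    "emergency", "highPriorityAccess", "mt-Access", "mo-Signalling",
    "mo-Data", "delayTolerantAccess-v1020", "mo-VoiceCall-v1280", "spare1",
]


class BitReader:
    """MSB-first bit reader, enough for the fixed-size fields of this message."""
    def __init__(self, data: bytes):
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def read(self, n: int) -> int:
        if self.pos + n > len(self.bits):
            raise ValueError("truncated PDU")
        value = int(self.bits[self.pos:self.pos + n], 2)
        self.pos += n
        return value


def decode_rrc_connection_request(pdu: bytes) -> dict:
    """Decode UL-CCCH-Message -> c1 -> rrcConnectionRequest -> r8 IEs.

    UNALIGNED PER layout (48 bits in total):
      1 bit  UL-CCCH-MessageType choice   (0 = c1)
      1 bit  c1 choice                    (1 = rrcConnectionRequest)
      1 bit  criticalExtensions choice    (0 = rrcConnectionRequest-r8)
      1 bit  InitialUE-Identity choice    (0 = s-TMSI, 1 = randomValue)
     40 bits s-TMSI (mmec 8 + m-TMSI 32) or randomValue
      3 bits establishmentCause
      1 bit  spare
    """
    r = BitReader(pdu)
    if r.read(1) != 0:
        raise ValueError("messageClassExtension, not c1")
    if r.read(1) != 1:
        raise ValueError("rrcConnectionReestablishmentRequest, not rrcConnectionRequest")
    if r.read(1) != 0:
        raise ValueError("criticalExtensionsFuture")
    if r.read(1) == 0:
        identity = {"type": "s-TMSI", "mmec": r.read(8), "m-TMSI": r.read(32)}
    else:
        identity = {"type": "randomValue", "value": r.read(40)}
    cause = ESTABLISHMENT_CAUSES[r.read(3)]
    r.read(1)  # spare bit
    return {"ue-Identity": identity, "establishmentCause": cause}


def s_tmsi_string(identity: dict) -> str:
    """Render an S-TMSI as MMEC:M-TMSI in hex, e.g. '01:c1234567'."""
    if identity["type"] != "s-TMSI":
        raise ValueError("UE used a random value; no S-TMSI in this request")
    return f"{identity['mmec']:02x}:{identity['m-TMSI']:08x}"


def matches_victim(pdu: bytes, victim_s_tmsi: str) -> bool:
    """Per-request check a sniffer (or a defender's monitor) would run."""
    identity = decode_rrc_connection_request(pdu)["ue-Identity"]
    return identity["type"] == "s-TMSI" and s_tmsi_string(identity) == victim_s_tmsi


# Constructed sample PDUs (not captures):
#   401C12345678 -> s-TMSI mmec=0x01, m-TMSI=0xC1234567, cause mo-Data
#   5AAAAAAAAAA8 -> randomValue 0xAAAAAAAAAA, cause mo-Data
SAMPLE_STMSI_PDU = bytes.fromhex("401C12345678")
SAMPLE_RANDOM_PDU = bytes.fromhex("5AAAAAAAAAA8")

if __name__ == "__main__":
    print(decode_rrc_connection_request(SAMPLE_STMSI_PDU))
    print(matches_victim(SAMPLE_STMSI_PDU, "01:c1234567"))
```

The same decoder is equally useful on the defensive side: a monitor that counts how many RRC Connection Requests carry one particular S-TMSI in a short window sees the Blind DoS attack described above directly, since a genuine UE does not re-request a connection many times per second.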

Remote de-registration attack

Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim  et al

User Identification Attack by PHY layer hacking

Most of the attacks described above were carried out by using or analysing higher-layer traffic (i.e., OTA signaling messages). However, an attack can also be done at a much more fundamental level (i.e., at the PHY layer). An example is illustrated below.

Source :  From 5G Sniffing to Harvesting Leakages from Privacy-Preserving Messengers  - Norbert Ludant et al

This is the overall procedure for this type of attack:

  • Adversary Sends Messages: The adversary sends Signal messages to the victim's phone number (+1 (555) 111111). These messages are sent at known intervals and with a predictable size, leveraging the victim’s online identity.
  • Victim Receives Messages: The victim's smartphone, which has Signal installed and mobile data enabled, receives these messages. The phone automatically handles these push notifications.
  • Passive Sniffing: The adversary passively sniffs the downlink resource allocations from the gNB (gNodeB) serving the victim. This is done using a 5G sniffer equipped with an SDR (Software-Defined Radio).
  • Correlating Patterns (Determination of the victim's RNTI): By correlating the timing and size of the messages sent with the observed downlink resource allocations, the adversary can determine the victim's RNTI. Since the downlink traffic pattern for these messages is recognizable, it can be matched with the traffic generated by the victim's device.

The key point of this type of attack is to decode the PDCCH and thereby obtain the resource-scheduling information (DCI) of every user in the cell, from which the victim's traffic pattern can be recognized. This is done as illustrated below. This is my own summary of the paper: From 5G Sniffing to Harvesting Leakages from Privacy-Preserving Messengers

Here is the verbal description of the above diagram by the author of the paper, Norbert Ludant:

In order to obtain resource-scheduling information from a 5G cell, an attacker would need to decode the Physical Downlink Control Channel (PDCCH), which carries the Downlink Control Information (DCI), which ultimately contains information about resource scheduling. The DCI tells a user, addressed by its RNTI, which resources are directed to the user (DL traffic), or which UL resources to use to transmit its data (UL grant). The DCI contains information such as frequency and time domain resources allocated, the MCS used for the data, etc. By obtaining these DCIs, it is possible to infer the traffic of users in a given cell. In fact, some researchers have used this DCI information to determine which apps or type of service users are performing just by looking at the resources allocated to them, by using machine learning techniques. LTE sniffers were developed in the past, such as OWL or FALCON, but due to the increased complexity of the 5G RAN, developing a 5G Sniffer became more complicated. Some of the main difficulties come from changes in the encoding of the DCI, for instance, now the scrambling sequence uses as input both the RNTI and some scramblingID that is conveyed through protected RRC messages. This and other changes complicate considerably blindly decoding the DCI.

In order to decode the PDCCH, the receiver obtains the IQ samples from the frequency band that the gNB is operating, and performs time and frequency synchronization, as a normal UE would do. Then, the receiver would need to know the Bandwidth Part and CORESET configuration. However, this is conveyed through RRC messages, such as RRC Reconfiguration/RRC Setup or in MIB/SIB. The best option is to obtain these values by connecting a COTS UE and obtaining these messages, as the connection remains static for long periods of time, and common to all users in a cell. Using this prior information, the CORESET and BWP can be configured. Alternatively, it would be possible to blindly scan for DCIs by using all possible combinations of values, until a DCI is found, and then use that configuration.

Once the configuration is known, the PDCCH symbols have to be decoded to obtain the DCI bits. However, the attacker does not know the aggregation level (AL), the RNTI or scramblingID, or other required parameters. In this case, we optimize finding possible DCIs by finding the correlation with pre-computed PDCCH-DMRS symbols, which accompany each DCI, and are generated by a pseudo-random sequence with the scramblingID used as seed value. Other optimizations come from exploiting redundancy in the rate-matching block, allowing to early determine if an RNTI is valid, or by prioritizing previously seen RNTIs, etc.

The decoded DCIs contain resource scheduling information that can be used for privacy-related attacks such as determining the presence of a user. In order to do so, an attacker would monitor a 5G cell, and decode all resource scheduling to all users. Then, it injects a specific traffic pattern that can be easily recognizable through the resource scheduling information. These patterns need to be robust against background traffic, delays in scheduling, and others. For instance, transmitting an ON-OFF signal which creates sharp peaks (e.g. transmitting 1 MB file periodically), leads to an easily recognizable pattern.  The attacker then, will determine if the user is present in a specific cell, if its able to find the injected traffic pattern, and link the higher layer identity, such as phone number, to the RNTI, and determine that a user is present in a specific area delimited by the cell.

In addition, the resource scheduling information can be used for other privacy-related attacks. For instance, researchers have shown that it is possible to analyze the traffic for a specific user and identify which apps/services are being used, or which Youtube video an user is watching. This can lead to fingerprinting of specific users based on their usage patterns
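The resource-scheduling step in both descriptions above (inject a recognizable traffic pattern, then look for it in the DCI stream of every RNTI) can be written down as a short correlation search. The following is an added example, my own code rather than the authors' 5G sniffer, and the DCI log it works on is synthetic: slot-level grants are generated from a seeded random source with one slot per millisecond and 100 ms bins, and the victim RNTI, the lag budget and the decision threshold are assumptions.

```python
import random
from collections import defaultdict

SLOT_MS = 1               # assumed numerology: one slot per millisecond
BIN_MS = 100              # aggregation window for the per-RNTI byte series
MAX_LAG_BINS = 5          # tolerated scheduling delay between injection and observation
PRESENCE_THRESHOLD = 0.6  # minimum correlation to claim the victim is in the cell


def injected_pattern(n_bins: int, period_bins: int, on_bins: int, start_bin: int) -> list:
    """ON-OFF template: 1.0 in bins where the attacker is pushing a large message."""
    return [1.0 if i >= start_bin and (i - start_bin) % period_bins < on_bins else 0.0
            for i in range(n_bins)]


def synth_dci_log(victim_rnti: int, template: list, seed: int = 7) -> list:
    """Constructed DCI observations as (slot, rnti, transport_block_bytes).

    Every RNTI gets random background grants; the victim additionally gets large
    downlink transport blocks in the template's ON bins, one bin late (scheduling lag).
    """
    rng = random.Random(seed)
    rntis = [0x4601, 0x4602, victim_rnti, 0x4604, 0x4605]
    n_slots = len(template) * BIN_MS // SLOT_MS
    log = []
    for slot in range(n_slots):
        b = slot * SLOT_MS // BIN_MS
        for rnti in rntis:
            if rng.random() < 0.15:                       # background traffic
                log.append((slot, rnti, rng.randint(200, 3000)))
        if b >= 1 and template[b - 1] == 1.0 and rng.random() < 0.8:
            log.append((slot, victim_rnti, rng.randint(8000, 20000)))
    return log


def per_rnti_series(log: list, n_bins: int) -> dict:
    """Bytes scheduled per RNTI per bin, straight from the decoded DCIs."""
    series = defaultdict(lambda: [0.0] * n_bins)
    for slot, rnti, tbs in log:
        series[rnti][slot * SLOT_MS // BIN_MS] += tbs
    return dict(series)


def pearson(x: list, y: list) -> float:
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def best_lagged_correlation(series: list, template: list, max_lag: int = MAX_LAG_BINS) -> float:
    """Highest correlation over lags 0..max_lag, with the observation trailing the template."""
    n = len(template)
    return max(pearson(series[lag:], template[:n - lag]) for lag in range(max_lag + 1))


def identify_victim_rnti(log: list, template: list) -> tuple:
    """Return (rnti, score) for the RNTI whose scheduling best matches the injected
    pattern, or (None, score) if nothing reaches the presence threshold."""
    scores = {rnti: best_lagged_correlation(s, template)
              for rnti, s in per_rnti_series(log, len(template)).items()}
    rnti, score = max(scores.items(), key=lambda kv: kv[1])
    return (rnti, score) if score >= PRESENCE_THRESHOLD else (None, score)


VICTIM_RNTI = 0x4603   # assumed C-RNTI of the victim in the synthetic cell
TEMPLATE = injected_pattern(n_bins=60, period_bins=10, on_bins=2, start_bin=3)

if __name__ == "__main__":
    print(identify_victim_rnti(synth_dci_log(VICTIM_RNTI, TEMPLATE), TEMPLATE))
```

Two design points carry over to a real sniffer: the lag search absorbs scheduling delay and jitter, and the normalized correlation makes the decision independent of how much background traffic each user has, which is why a sharp ON-OFF burst train is chosen over a subtler pattern.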

Signal Overshadowing Attack

In cellular network attacks, Fake Base Stations (FBS), also known as rogue base stations, are a common method. These exploit user equipment (UE) by luring devices with stronger signals, establishing connections to extract sensitive information like IMSI, temporary identifiers, or communication data. This connection becomes the vector for attacks such as denial-of-service (DoS), tracking, or eavesdropping.

The Signal Overshadowing Attack, however, introduces a new methodology. Unlike FBS, it requires no connection with the victim UE. Instead, it leverages the principle that receivers decode the strongest signal when multiple signals are transmitted at the same frequency. By transmitting a stronger signal, attackers can inject malicious messages directly into the victim UE.

A key challenge is achieving precise timing and frequency synchronization with the legitimate base station. Attackers use synchronization signals like Primary Synchronization Signal (PSS) and Secondary Synchronization Signal (SSS) to align transmissions. This ensures that their stronger malicious signal overshadows the legitimate one.

Once synchronization is achieved, the attacker passively collects information from unprotected broadcast signals like Master Information Block (MIB), System Information Blocks (SIBs), and Paging messages from legitimate base stations. These messages, inherently unprotected in LTE, provide critical parameters like network configuration and timing information.

With synchronization and the collected information, the attacker transmits the malicious message directly at the physical layer in a specific radio frame and subframe, so that it arrives at the UE at exactly the moment the legitimate message from the eNB would be processed. Because a receiver decodes the stronger of two overlapping signals, the UE has no way to distinguish the two; by simply transmitting with more power, the attacker "overshadows" the original signal and forces the UE to decode and process the malicious content instead. This manipulation of signal power and timing is the basis for the term "overshadowing."

Overall concept of Signal Overshadowing Attacking can be illustrated as follows.

Image Source : Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE  

NOTE : For the full details of this technique, I strongly recommend watching these well-presented videos: USENIX Security '19 - Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE and 36C3 - SigOver + alpha. You will get a lot of insight not only into security but also into general LTE PHY processing.

Where/When/How often to attack

In the context of LTE signaling flows, understanding where, when, and how often to target specific messages is critical for executing effective signal overshadowing attacks. These attacks leverage vulnerabilities in the timing and structure of LTE communications, particularly during key stages of connection establishment and message exchange. Broadcast messages, such as the Master Information Block (MIB) and System Information Block (SIB), are ideal targets because they are transmitted periodically and lack encryption or integrity protection. Similarly, unicast messages, like RRC Connection Release or Paging messages, present opportunities for manipulation, especially before the security context is fully activated. Attacks must be precisely timed to align with the broadcast intervals or specific signaling events, ensuring that malicious signals overshadow legitimate ones without disrupting overall decoding. The frequency of these attacks depends on the type of message being targeted, with broadcast message injections synchronized to periodic transmissions and unicast message injections strategically timed to exploit security gaps in real time.

  • Where in the signaling flow?
    • The attack is targeted at specific parts of the LTE signaling process, depending on the type of message and synchronization requirements. Key targets include:
      • Broadcast Messages: These include the Master Information Block (MIB) and System Information Block (SIB) messages, which are unprotected and critical during the initial synchronization and system information acquisition phase.
      • Unicast Messages: Such as RRC Connection Release messages or Paging messages that can redirect the UE to an attacker-controlled frequency or base station.
  • When in the signaling flow?
    • The attack's timing is crucial and depends on the synchronization between the attacker and the legitimate base station:
    • Broadcast Message Attacks (e.g., MIB/SIB):
      • These can be targeted right after the UE synchronizes with the PSS/SSS signals from the base station. At this point, the UE is decoding the broadcast messages to establish a connection.
      • Example: The attacker overshadows the legitimate SIB1 message to modify network parameters or inject malicious information.
    • Unicast Message Attacks (e.g., RRC Connection Release):
        • These are targeted after the UE has established an RRC connection but before the security activation phase, as this window allows unprotected message injection.
        • Example: The attacker injects an RRC Connection Release message with a redirection frequency field to move the UE to a fake base station.
  • How often to attack?
    • Too Frequent Attacks:
      • If the attack occurs too often,
        • the UE may fail to decode even the legitimate signals, so the attacking signal would act like simple jamming
        • the UE or network may detect abnormal behavior. Repeated interference can raise suspicion, prompting defensive measures such as flagging the activity or outright ignoring the injected messages.
    • Too Sparse Attacks: If the attack is too infrequent, the legitimate base station signals are more likely to dominate. This increases the chance of the UE successfully decoding the original messages instead of the attacker’s, reducing the attack’s effectiveness.
    • Optimal Frequency: The attack frequency must balance these extremes. It should be frequent enough to consistently overshadow the legitimate signal but sparse enough to avoid detection or triggering defensive mechanisms.
    • Key Consideration: Understanding the UE’s tolerance for timing and message anomalies is crucial to determining the ideal frequency. This ensures the attacker’s message is prioritized while minimizing the risk of detection.
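The "when" above is deterministic once the cell configuration is known: SIB1 and a given UE's paging occasions sit at fixed (SFN, subframe) positions. The following added example (my own code, not from the SigOver paper) computes those positions in Python from the rules in TS 36.331 section 5.2.1.2 (SIB1 scheduling) and TS 36.304 section 7.1 (paging frame and paging occasion, FDD subframe table). The IMSI, the DRX cycle T and the nB value are constructed inputs; the same functions tell a monitoring receiver where legitimate transmissions are expected, so that anything decoded at other positions, or decoded twice at one position, is suspect.

```python
# Paging-occasion subframes in FDD, indexed by Ns then i_s (TS 36.304 table 7.1-1).
PO_SUBFRAMES_FDD = {1: [9], 2: [4, 9], 4: [0, 4, 5, 9]}


def sib1_positions(sfn_range: range) -> list:
    """SIB1 is sent in subframe 5 of every radio frame with an even SFN: a new
    SIB1 every 80 ms (SFN mod 8 == 0), repeated in the even frames in between."""
    return [(sfn, 5) for sfn in sfn_range if sfn % 2 == 0]


def paging_occasion(imsi: str, T: int, nB: int) -> tuple:
    """Return (sfn_offset, subframe): the UE is paged in frames with
    SFN mod T == sfn_offset, in the returned subframe.

    T  = DRX cycle in radio frames (min of UE-specific and default cycle)
    nB = paging density from SIB2, one of 4T, 2T, T, T/2 ... T/32, in frames
    """
    ue_id = int(imsi) % 1024
    N = min(T, nB)
    Ns = max(1, nB // T)
    sfn_offset = (T // N) * (ue_id % N)
    i_s = (ue_id // N) % Ns
    return sfn_offset, PO_SUBFRAMES_FDD[Ns][i_s]


def paging_positions(imsi: str, T: int, nB: int, sfn_range: range) -> list:
    """Every (SFN, subframe) in the range at which this IMSI's paging occasion falls."""
    offset, subframe = paging_occasion(imsi, T, nB)
    return [(sfn, subframe) for sfn in sfn_range if sfn % T == offset]


def message_schedule(imsi: str, T: int, nB: int, sfn_range: range) -> dict:
    """Positions of the two message types discussed above within one SFN range."""
    return {"sib1": sib1_positions(sfn_range),
            "paging": paging_positions(imsi, T, nB, sfn_range)}


VICTIM_IMSI = "001010123456789"   # constructed test IMSI (MCC 001 / MNC 01)

if __name__ == "__main__":
    print(paging_occasion(VICTIM_IMSI, T=128, nB=128))          # (21, 9)
    print(message_schedule(VICTIM_IMSI, 128, 128, range(0, 256))["paging"])
```

For the constructed IMSI, UE_ID = IMSI mod 1024 = 277, so with T = nB = 128 the paging frames are those with SFN mod 128 == 21 and the occasion is subframe 9; changing nB to 2T moves it to subframe 4 because Ns becomes 2. This is exactly the window that must be hit for a paging-message injection, and it is also why the page says broadcast targets are easier: SIB1 comes round every 20 ms regardless of the victim.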

Use Cases of Signal Overshadowing Attacks

Signal overshadowing attacks in LTE networks open up a range of malicious use cases that exploit vulnerabilities in the system's broadcast and signaling protocols. From overwhelming the core network with a Signaling Storm, selectively disabling services through Selective DoS, bypassing security mechanisms with IMSI Paging, to manipulating public behavior via Fake Emergency Alerts, these attacks highlight the risks posed by unprotected and insecure channels. Each of these use cases demonstrates how an attacker can target specific elements of the LTE signaling flow to disrupt operations, compromise security, and exploit user trust, often with minimal resources and low chances of detection.

  • Signaling Storm
    • Description: This attack exploits broadcast messages such as System Information Block Type 1 (SIB1) to trigger Tracking Area Update (TAU) procedures that overload the core network.
    • Mechanism: By changing the Tracking Area Code (TAC) in broadcasted SIB1 messages, the attacker forces UEs in the coverage area to repeatedly perform Tracking Area Update (TAU) procedures.
    • Impact: Generates a massive amount of signaling messages, overwhelming the core network. For example, a normal UE sends about 600 signaling messages per hour, but during a signaling storm, this can rise to 400,000, representing a 640x increase.
    • Detection Avoidance: The attack does not disconnect UEs from their legitimate base station, making it harder for network operators to identify the cause.
  • Selective DoS (Denial of Service)
    • Description: Targets specific services, such as voice calls, video calls, or SMS, while allowing other services to function normally.
    • Mechanism: The attacker modifies fields in SIB2 or related signaling messages to prevent specific UEs from accessing certain services or to delay service access.
      • For example, barring only voice services during a disaster while allowing data services.
    • Impact: Can selectively disable critical services without completely disrupting the UE's overall connectivity.
    • Advantage Over Fake Base Stations: Unlike traditional attacks, which require disrupting the entire UE connection, Selective DoS only targets specific services, minimizing resource requirements and detection risks.
  • IMSI Paging
    • Description: Exploits the Paging Procedure by injecting malicious paging messages using the UE’s International Mobile Subscriber Identity (IMSI) or Temporary Identifier (TMSI).
    • Mechanism: The attacker sends a paging message with the UE's unique identifier, forcing the UE to disconnect and reattach, which resets the UE’s security context.
    • Impact: This process allows the attacker to bypass encryption and integrity protections temporarily, enabling the injection of unprotected signaling messages, such as RRC Connection Release.
    • Advantages for Attacker:
      • Bypasses the need for a persistent fake base station connection.
      • Exploits a legitimate LTE process to weaken the UE's security.
  • Fake Emergency Alert
    • Description: Leverages the Commercial Mobile Alert System (CMAS) protocol to inject false emergency alerts into the UE.
    • Mechanism:
      • The attacker overshadows legitimate base station signals for CMAS-related messages, such as SL1, SL2, and Paging, to broadcast fake alerts.
      • These alerts bypass encryption and are displayed as legitimate emergency notifications on the UE.
    • Impact: Causes widespread panic or manipulates public behavior based on the false information presented.
    • Advantages Over Traditional Attacks:
      • The alert appears legitimate to users due to its alignment with expected CMAS formats.
      • Requires less power and is stealthier than conventional methods like fake base stations.
  • Attack by Unicast Message: RRC Connection Release
    • Description: This attack exploits the RRC Connection Release procedure, which is a unicast message used by the base station to command the UE to release its radio connection.
    • Mechanism:
      • The attacker targets the UE's specific Radio Network Temporary Identifier (RNTI) and crafts a malicious RRC Connection Release message.
      • The injected message includes additional fields, such as:
        • Redirected Carrier Information Field: Directs the UE to a specific frequency (e.g., an attacker-controlled fake base station).
        • Idle Mode Mobility Control Information Field: Alters the UE’s frequency selection priorities to prioritize the attacker's fake base station.
      • Upon receiving the message, the UE disconnects from the legitimate base station and connects to the redirected frequency, which could be an LTE, 3G, or even a 2G base station.
    • Impact:
      • Forced UE Redirection: The attacker can move the UE to their fake base station, gaining control over the UE’s signaling and data communication.
      • Man-in-the-Middle (MitM) Potential: Once connected to the fake base station, the attacker can intercept and manipulate UE traffic for further exploits.
      • Service Disruption: The UE’s legitimate connection is terminated, leading to temporary service loss until the redirection completes.
    • Challenges for the Attacker:
      • The attacker must know the victim UE's RNTI or IMSI to target it specifically.
      • Timing is critical, as the attack must occur before the UE’s security context is fully activated to avoid integrity-check failures.
      • The message must be precisely crafted and injected in the UE-specific space, where unicast messages are decoded.
    • Advantages Over Broadcast Attacks:
      • Precision: Only the targeted UE is affected, reducing collateral impact and making the attack harder to detect.
      • Versatility: The attacker can redirect the UE to vulnerable networks (e.g., 2G or 3G) or manipulate its behavior with greater control.
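A core-side detector for the Signaling Storm use case above, added here as an example (it is not code from the SigOver paper or any MME product): it flags UEs whose TAU rate jumps far above the 600-messages-per-hour baseline quoted above, and cells whose UEs alternate between two TACs, which is what a repeatedly overshadowed SIB1 looks like from the core. The MME line format, UE labels and cell ids are assumed placeholders.

```python
"""Core-side detector for the TAU signaling storm described above.

Added example, not code from the SigOver paper or any MME product. It parses
constructed MME event lines and looks for the two things an overshadowed SIB1
produces: a per-UE TAU rate far above the ~600 signalling messages per hour
the text quotes for a normal UE, and a cell whose UEs keep updating between
the same two tracking area codes (the legitimate TAC and the injected one).
UE labels, cell ids and the line format are placeholders."""
import re
from collections import defaultdict, deque

# Assumed line format: t=<seconds> ev=TAU ue=<label> cell=<id> tac=<TAC now reported>
LINE_RE = re.compile(
    r"t=(?P<t>[\d.]+) ev=TAU ue=(?P<ue>\S+) cell=(?P<cell>\S+) tac=(?P<tac>\d+)")

# The text's figure for a normal UE's total signalling; TAUs are only a share
# of it, so using it as the TAU baseline keeps the threshold conservative.
NORMAL_PER_HOUR = 600


def analyse_tau_log(lines, window_s=60.0, factor=5.0):
    """Return (flagged_ues, suspect_cells).

    A UE is flagged when its TAU count inside any sliding window exceeds
    factor * NORMAL_PER_HOUR scaled to the window. A cell is suspect when its
    flagged UEs report exactly two TACs and strictly alternate between them.
    """
    limit = factor * NORMAL_PER_HOUR * window_s / 3600.0
    recent = defaultdict(deque)                          # ue -> TAU times in window
    cell_tacs = defaultdict(lambda: defaultdict(list))   # cell -> ue -> [tac, ...]
    flagged = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:                        # other event types are ignored
            continue
        t, ue, cell, tac = float(m["t"]), m["ue"], m["cell"], int(m["tac"])
        q = recent[ue]
        q.append(t)
        while t - q[0] > window_s:       # drop TAUs that fell out of the window
            q.popleft()
        cell_tacs[cell][ue].append(tac)
        if len(q) > limit and ue not in flagged:
            flagged[ue] = {"t": t, "tau_in_window": len(q), "cell": cell}

    suspect_cells = {}
    for cell, per_ue in cell_tacs.items():
        bad = sorted(ue for ue in per_ue if ue in flagged)
        if not bad:
            continue
        tacs, alternating = set(), True
        for ue in bad:
            seq = per_ue[ue]
            tacs.update(seq)
            alternating &= all(a != b for a, b in zip(seq, seq[1:]))
        if len(tacs) == 2 and alternating:
            suspect_cells[cell] = {"tacs": sorted(tacs), "ues": bad}
    return flagged, suspect_cells


def constructed_log():
    """Constructed MME event lines, not a real trace: U1 and U2 behave normally,
    V1..V3 in cell C7 bounce between the real TAC 4660 and an injected 4661."""
    lines = ["t=0 ev=TAU ue=U1 cell=C3 tac=4660", "t=5 ev=ATTACH ue=U2 cell=C3"]
    for i in range(60):                  # one forced TAU per second for a minute
        for v in ("V1", "V2", "V3"):
            lines.append(f"t={100 + i} ev=TAU ue={v} cell=C7 tac={4660 + i % 2}")
    lines.append("t=1800 ev=TAU ue=U1 cell=C9 tac=4662")   # ordinary mobility
    return lines


if __name__ == "__main__":
    flagged, cells = analyse_tau_log(constructed_log())
    for ue, info in flagged.items():
        print(f"UE {ue}: {info['tau_in_window']} TAUs within one window at t={info['t']}")
    for cell, info in cells.items():
        print(f"cell {cell}: UEs {info['ues']} alternating between TACs {info['tacs']}")
```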

Advantages of SigOver over Other Methods (e.g., Fake Base Station: FBS)

The SigOver attack offers several advantages over the Fake Base Station (FBS) method in LTE signal attacks:

  • No Connection Establishment Required:
    • SigOver does not require establishing a connection with the victim UE (User Equipment) to inject malicious messages. It works by physically overwriting the legitimate broadcast signal directly over the air.
    • FBS, on the other hand, must establish a connection with the victim UE, which requires disrupting the current connection between the victim UE and the legitimate base station.
  • Stealthiness:
    • SigOver is more difficult to detect because it simply modifies or overshadows parts of the legitimate broadcast signal without interrupting ongoing communication with the legitimate base station.
    • FBS is more noticeable as it actively disrupts and replaces the legitimate base station's connection, which can trigger denial-of-service (DoS) scenarios or alert monitoring systems.
  • UE Maintains Connection with the Legitimate Network:
    • During a SigOver attack, the victim UE continues communicating with the legitimate base station and core network. This ensures ongoing services and avoids detection through service interruptions.
    • In FBS attacks, the victim UE disconnects from the legitimate network, potentially causing denial-of-service issues and making the attack more conspicuous.
  • Attack Flexibility:
    • SigOver can inject malicious messages without the need for a full-blown fake base station setup. For example, it can alter broadcast messages like SIB1 (System Information Block Type 1) to trigger malicious procedures, such as frequent tracking area updates, causing a signaling storm.
    • FBS is limited to injecting messages after establishing a connection with the UE, reducing its flexibility.
  • Lower Power Requirements:
    • SigOver requires significantly less power since it only needs to overpower the legitimate broadcast signal by a small margin (e.g., 3 dB higher signal strength) to execute the overshadowing attack successfully.
    • FBS requires much higher power to entirely disrupt the legitimate base station's signal and establish itself as the dominant station, making it less efficient.

Uncooperative Multiangulation Attack (UMA)

The Uncooperative Multiangulation Attack (UMA) is a method for locating mobile devices that do not cooperate or actively share their location. It works by taking advantage of weaknesses in LTE networks: UMA forces the device to transmit continuously and raises the strength of those transmissions so they are easier to detect. From these signals it calculates the device's exact location, even in difficult situations such as a device transmitting at low power or under the signal interference that occurs in normal conditions. It does not require access to private parts of the network or permission from the device being tracked.

Finding the location of mobile devices is really important for things like helping police, ambulances, and the people who manage phone networks. But finding devices that don't want to be found is very tricky: such devices usually try to hide their location or do not send out signals frequently. UMA is a technique that resolves these issues and enables the positioning of specific UEs.

Why is it difficult to find the position of a UE in a real situation?

The answer to this question is well illustrated in the following diagram.

Image Source : Enabling Physical Localization of Uncooperative Cellular Devices

This illustration presents the challenges faced when localizing devices in realistic scenarios, which are far more complex due to real-world factors:

  • Practical Challenges:
    • (C1) Non-constant uplink signal: Devices do not always transmit data. For instance, when idle or in low-traffic states, uplink traffic is sparse, making it difficult to localize.
    • (C2) Reduced transmit power: Devices close to the base station transmit signals at lower power to save energy, which weakens the signal strength for localization.
    • (C3) Too many signal replicas: Cellular repeaters amplify and relay signals, introducing multiple replicas that confuse the localizer about the actual source.
  • Real-World Complexities:
    • Idle Mode: Devices enter low-power states when not actively transmitting, further complicating the task.
    • Close Proximity to Base Stations: Devices close to the base station transmit at low power (due to the Uplink Power Control mechanism), which makes positioning the device challenging.
    • Repeaters: Their presence distorts the localization process by introducing amplified copies of signals.

How does the UMA technique work around these problems?

The answer to this question is well illustrated by the following sequence diagram. It highlights the sequence of steps an attacker follows to physically locate a target device (victim) by exploiting LTE network vulnerabilities. The process includes both active operations (red arrows) and passive operations (eye symbols), detailing how the attacker interacts with the victim, the eNodeB (eNB, base station), and the network.

Image Source : Enabling Physical Localization of Uncooperative Cellular Devices

The following is a breakdown of the sequence:

  • Silent Voice Calls/SMSes (Active Operation):
    • The attacker sends silent SMS messages or voice calls to the victim. These do not alert the victim but generate a detectable traffic pattern in the network.
    • Purpose: To create identifiable downlink traffic associated with the victim, which is used to extract the victim’s temporary network identifier (RNTI).
  • Monitoring Downlink Traffic (Passive Operation):
    • The attacker passively monitors downlink traffic from the eNB to identify the traffic pattern triggered by the silent calls/SMSes.
    • Outcome: The attacker acquires the victim’s Radio Network Temporary Identifier (RNTI), which is essential for tracking the victim's uplink signals.
  • Scheduling Manipulation Attack (Active Operation):
    • The attacker impersonates the victim and sends fake scheduling requests and Buffer Status Reports (BSRs) to the eNB, exploiting vulnerabilities in the LTE protocol.
    • Purpose: To force the eNB to continuously allocate uplink resources to the victim, ensuring the victim's uplink traffic remains active, even when the device has no data to send.
  • Power Boosting Attack (Active Operation):
    • The attacker injects manipulated Transmit Power Control (TPC) commands into the victim’s downlink messages.
    • Purpose: To increase the victim's uplink signal strength to the maximum level, overcoming challenges like low-power transmission or interference from repeaters.
  • Monitoring Victim’s Uplink Scheduling (Passive Operation):
    • The attacker passively monitors the eNB’s uplink scheduling information to identify the victim's uplink transmissions.
    • Purpose: To locate and measure the victim’s uplink signal.
  • AoA Measurements (Passive Operation):
    • The attacker uses Angle of Arrival (AoA) measurements with directional antennas to determine the direction of the victim’s uplink signals.
    • Purpose: To physically localize the victim by combining AoA measurements from multiple locations.

    NOTE : Active vs. Passive Operations:

    • Active Operations: Direct interaction with the network or device (e.g., sending silent SMSes, fake scheduling requests, and TPC commands).
    • Passive Operations: Monitoring traffic and analyzing signals without modifying network behavior (e.g., observing downlink traffic and uplink scheduling).

What types of attack are possible with UMA?

There are many types of attack that can be carried out with this technique, as listed below. Some of the attack models are described in Enabling Physical Localization of Uncooperative Cellular Devices and others are from chatGPT.

    Physical Localization Attacks

    • Purpose: Determining the precise physical location of a target device.
    • How: UMA exploits vulnerabilities in LTE protocols, such as unprotected scheduling and power control messages, to track uncooperative devices.
    • Use Case: Law enforcement could use this to locate criminals, but malicious actors could misuse it to stalk individuals or spy on devices.

    Scheduling Manipulation Attack

    • Purpose: Forcing the victim's device to continuously transmit uplink traffic. With this continuous uplink transmission, the attacker can:
      • Keep the victim's device in an active state with continuous uplink traffic.
      • Facilitate localization by providing a consistent uplink signal for tracking.
      • Waste the victim’s battery and resources, potentially impacting its performance.
    • How: The attacker manipulates the scheduling process by impersonating the victim.
    • Implication: This attack can generate unnecessary uplink traffic, keeping the victim's radio connection active. It forces the victim's device to waste battery power and can enable precise localization by continuously monitoring the uplink signals. Additionally, it unfairly consumes network resources that could impact other users' performance.
    • This attack is described in detail as follows.

    Image Source : Enabling Physical Localization of Uncooperative Cellular Devices

    The following is a breakdown of the sequence diagram:

    • Step 1: RRC Connection Setup
      • The attacker monitors the RRC Connection Setup process between the victim's device and the eNodeB (base station).
      • During this process, the eNodeB assigns schedulingRequestConfig, which contains parameters for uplink scheduling.
      • The attacker captures this information, along with the victim's RNTI (Radio Network Temporary Identifier).
    • Step 2: Set SchedulingRequestConfig and RNTI
      • The attacker uses the captured schedulingRequestConfig and RNTI to impersonate the victim's device.
      • By doing this, the attacker establishes a forged uplink communication channel with the eNodeB, effectively hijacking the victim’s uplink resources.
    • Step 3: Fake Scheduling Request
      • The attacker sends a fake Scheduling Request to the eNodeB, claiming the victim's device needs uplink resources for data transmission.
      • Since the Scheduling Request message is not authenticated, the eNodeB believes it is coming from the victim.
    • Step 4: Buffer Status Report (BSR)
      • After receiving the Scheduling Request, the eNodeB allocates uplink resources for the victim’s RNTI.
      • The attacker then sends a fake Buffer Status Report (BSR), claiming there is data in the victim's buffer waiting to be sent.
      • This triggers the eNodeB to continuously allocate uplink resources for the victim’s device.
    • Step 5: Continuous Uplink Signal
      • The victim's device, unaware of the manipulation, uses the allocated resources to send dummy packets (padding data).
      • The attacker repeats Steps 3 and 4 to ensure that the victim’s device keeps transmitting uplink traffic continuously.
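An eNB-side check for Steps 3 to 5 just described, added here as an example rather than code from the UMA paper or any eNodeB stack: it looks for an RNTI whose grants keep coming back padding-only while a BSR still claims backlog, the mismatch that forged Scheduling Requests and BSRs leave behind. The per-grant record layout, RNTIs and byte counts are constructed.

```python
"""eNB-side heuristic for the scheduling manipulation attack described above.

Added example; not code from the UMA paper or any eNodeB stack. It works on
per-grant MAC records of the kind a scheduler already keeps: the backlog the
last BSR claimed for an RNTI and what the UE actually put into the granted
PDU. Forged SR/BSR messages keep the eNB granting, while the real UE, having
nothing to send, fills every grant with padding. That persistent mismatch is
the signal. The RNTIs and byte counts below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class UlGrant:
    tti: int             # transmission time interval index (1 ms in LTE)
    rnti: int            # C-RNTI the grant was addressed to
    bsr_bytes: int       # backlog claimed by the most recent BSR for this RNTI
    sdu_bytes: int       # MAC SDU payload actually received in the PDU
    padding_bytes: int   # padding actually received in the PDU


def detect_forged_bsr(grants, window=8, min_hits=6):
    """Return {rnti: detail} for UEs whose last `window` grants were padding-only
    at least `min_hits` times while a BSR still claimed backlog.

    A single padding-only grant is normal (the buffer can empty between BSR
    and grant); a run of them against a non-zero BSR is not.
    """
    recent = defaultdict(lambda: deque(maxlen=window))   # rnti -> mismatch flags
    wasted = defaultdict(int)                            # rnti -> padding bytes
    alerts = {}
    for g in grants:
        mismatch = g.bsr_bytes > 0 and g.sdu_bytes == 0 and g.padding_bytes > 0
        recent[g.rnti].append(mismatch)
        if mismatch:
            wasted[g.rnti] += g.padding_bytes
        hits = sum(recent[g.rnti])
        if len(recent[g.rnti]) == window and hits >= min_hits and g.rnti not in alerts:
            alerts[g.rnti] = {"alert_tti": g.tti, "padding_only_grants": hits}
    for rnti in alerts:                  # uplink resources burned over the trace
        alerts[rnti]["wasted_bytes"] = wasted[rnti]
    return alerts


def constructed_trace():
    """Constructed per-grant records (not a capture). RNTI 0x4601 drains a real
    backlog, with one harmless padding-only grant; RNTI 0x4602 is granted on
    forged BSRs claiming 500 bytes and only ever sends padding."""
    trace = []
    for i in range(10):
        tti = 100 + 4 * i
        backlog = max(0, 1200 - 300 * i)
        if backlog:                      # normal UE: payload present in each grant
            trace.append(UlGrant(tti, 0x4601, backlog, 280, 20))
        trace.append(UlGrant(tti + 1, 0x4602, 500, 0, 300))
    trace.append(UlGrant(200, 0x4601, 300, 0, 100))   # legitimate one-off empty grant
    return trace


if __name__ == "__main__":
    for rnti, info in detect_forged_bsr(constructed_trace()).items():
        print(f"RNTI 0x{rnti:04x}: suspected forged SR/BSR at TTI {info['alert_tti']}, "
              f"{info['padding_only_grants']}/8 padding-only grants, "
              f"{info['wasted_bytes']} bytes of padding received")
```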

    Privacy Violations and Location Tracking

    • Purpose: Identifying and tracking the movement of a device.
    • How: By repeatedly executing UMA, a malicious actor could monitor a target's location over time, even without the cooperation of the device or network operators.
    • Implication: Breaches user privacy and could lead to illegal surveillance or harassment.

    Battery Draining Attack

    • Purpose: Forcing the target device to consume more power, leading to battery exhaustion.
    • How: The scheduling manipulation attack generates continuous uplink traffic, significantly increasing the device's power consumption.
    • Implication: Renders the device non-functional over time, potentially during critical moments.

    Signal Overshadowing Attack

    • Purpose: Overriding legitimate LTE signals with manipulated ones.
    • How: UMA injects malicious signals using a signal overshadowing (SigOver) technique to manipulate transmission power control (TPC) or scheduling decisions.
    • Implication: Malicious actors could disrupt legitimate communications or force devices into specific states for further exploitation.

    Distortion of Location-Based Services

    • Purpose: Manipulating or interfering with location-based services (LBS).
    • How: By tampering with uplink signal properties or amplifying signals, UMA could introduce inaccuracies in localization systems.
    • Implication: Impacts navigation, emergency response, or location-dependent security systems.

    Amplification Attack Using Repeaters

    • Purpose: Misleading location efforts by exploiting repeaters.
    • How: UMA uses power boosting to differentiate between the actual device and repeater signals. However, repeaters themselves could be manipulated to relay deceptive signals.
    • Implication: Increases the difficulty of accurate localization and could deceive authorities.

    Covert Surveillance

    • Purpose: Conducting undetectable surveillance on target devices.
    • How: UMA does not require privileged access to networks, making it possible to track devices without alerting network operators or users.
    • Implication: Enables espionage, stalking, or other malicious surveillance activities.

    Denial of Service (DoS) Attacks

    • Purpose: Preventing legitimate use of the network.
    • How: UMA can lock the target device into a state of continuous uplink transmission or monopolize uplink resources, effectively blocking normal operations.
    • Implication: Disrupts service for both the target and other users within the network.

USIM Attack

The USIM (Universal Subscriber Identity Module) plays a critical role in mobile communication, serving as a secure element that stores user credentials and enables authentication with cellular networks. However, as the bridge between the user and the network, the USIM is also a potential target for various security threats. USIM attacks can range from attempts to intercept sensitive data to manipulating authentication protocols, exposing users to risks like unauthorized access, data theft, and identity spoofing. Understanding the vulnerabilities and implementing safeguards around USIM security is essential for maintaining the integrity of mobile communications.

Several typical ways an attacker could gain control of a SIM card are

  • Physical access to a device or SIM card
  • Remote SIM administration features
  • Supply chain attacks
  • Exploiting vulnerabilities in a SIM’s software

Recently I found a well-documented paper on this subject, SIMurai: Slicing Through the Complexity of SIM Card Security Research. The following are brief highlights from the paper.

Purpose : The main purpose of this paper is to highlight the security risks posed by malicious SIM cards and introduce a new software tool, SIMURAI, to facilitate research in this area. The authors emphasize that hostile SIM cards represent a realistic yet often overlooked attack vector in cellular security. They aim to bring attention to this issue and provide researchers with the means to further investigate and mitigate these threats.

Key arguments and findings : SIM cards' privileged access to a device's baseband, combined with often outdated security measures, makes them vulnerable to exploitation, which tools like SIMURAI can analyze by emulating SIM behavior for research purposes.

  • SIM cards have privileged access to a device's baseband. This access, coupled with the baseband's frequent lack of modern security features, makes it a prime target for exploitation.
  • Several realistic scenarios could enable an attacker to control a SIM card. These include physical access, remote administration features, supply chain attacks, and exploiting vulnerabilities in a SIM's software stack.
  • SIMURAI is a flexible software platform that enables a wide range of security-focused research on SIM cards. Unlike previous tools that relied on physical SIMs, SIMURAI allows researchers to emulate SIM card behavior and deliberately violate standards for testing purposes.

Exposed/Identified threat : The paper showcases SIMURAI's ability to replicate real-world SIM-based threats, conduct large-scale vulnerability research, and demonstrate practical attack scenarios, emphasizing the risks posed by malicious SIM cards.

  • Replication of SIM-based spyware: The authors easily re-implemented the core functionality of Simjacker, a known SIM-based spyware, using SIMURAI. This demonstrates the platform's ability to aid in analyzing and understanding real-world threats.
  • Fuzzing campaign against commercial baseband firmware: By integrating SIMURAI with the FirmWire emulation platform, the authors conducted a large-scale fuzzing campaign that uncovered two high-severity vulnerabilities in Google Pixel devices. This finding underscores the potential for malicious SIM cards to compromise device security.
  • Case studies demonstrating the feasibility of SIM-based attacks: The paper outlines two attack scenarios: using a SIM interposer to gain physical access and leveraging a rogue carrier's ability to remotely update a SIM. The authors successfully implemented proof-of-concept attacks for both scenarios using SIMURAI, highlighting the practical implications of hostile SIM cards.

Test Setup : The paper utilizes three distinct test setups to evaluate SIMURAI's capabilities and demonstrate the feasibility of SIM-based attacks, as illustrated below. These setups allow researchers to analyze SIM card interactions within different cellular network environments, ranging from physical devices to fully emulated systems.

The following are brief descriptions of each setup:

  • Setup 1: Physical UE in 2G/4G/5G Networks
    • This setup uses real smartphones in conjunction with physical 2G, 4G, and 5G networks. The key element here is the SIMtrace2 device, a specialized hardware tool that acts as a bridge between the smartphone and SIMURAI.
    • SIMtrace2 connects to the smartphone through its SIM card slot and communicates with SIMURAI running on a separate workstation via USB.
    • SIMtrace2 runs the cardem firmware, which allows it to intercept and forward messages between the phone and SIMURAI, providing the electrical and transmission-layer interface necessary for data exchange.
    • This setup allowed researchers to test SIMURAI's compatibility with various commercial smartphones and confirm its ability to establish network connections, access the SIM file system, and perform authentication procedures.
  • Setup 2: Emulated, SRS-based Network
    • This setup leverages the srsRAN framework, a software suite that provides a nearly complete end-to-end emulated cellular environment.
    • srsRAN includes implementations for a core network, an eNodeB, and a UE, facilitating research without relying on physical hardware for these components.
    • The authors connected SIMURAI to the UE component (srsUE) using two approaches:
      • Via SIMtrace2, similar to Setup 1. This demonstrated SIMURAI's flexibility and confirmed consistent behavior across different setups.
      • Directly to the SIM layer of srsUE using its PC/SC interface. This method bypassed the need for any hardware, enabling a fully virtualized connection between the emulated UE and SIMURAI.
      • This direct integration represents a step towards achieving a completely virtual, end-to-end cellular setup, which can offer advantages in terms of scalability and control.
  • Setup 3: Emulation Platform
    • This setup focuses on emulating the baseband firmware itself using the FirmWire platform.
    • FirmWire allows researchers to analyze the behavior of baseband firmware images from different devices in a controlled environment.
    • A key challenge was the lack of a built-in way to connect a SIM card in FirmWire.
    • To address this, the researchers reverse engineered the firmware for Samsung Exynos-based UEs and developed a custom USIM peripheral.
    • This peripheral acts as a virtual SIM card, utilizing SIMURAI's low-level interfaces to exchange data with the emulated baseband firmware in FirmWire.
    • This integration enables more realistic analysis of baseband behavior, especially for functionality that relies on SIM card interactions, such as SMS and USSD processing.

Possible Attacks : Based on the sources, hostile SIM cards, including USIMs, are considered a realistic but often overlooked attack vector in cellular security threat models. SIMs have a direct, privileged, and unfiltered interface to the baseband, making them a potent source of attacks.

Controlling a SIM card to launch attacks can be achieved through various methods as listed below.

  • Physical Access to a UE or SIM: An attacker gains physical access to the victim's phone or SIM, even for a short period.
    • Example: Installing an interposer, a thin device placed between the SIM and the phone. The interposer can intercept and manipulate communications. Attackers can load patched firmware onto commercially available interposers to trigger baseband vulnerabilities, as demonstrated by modifying firmware with only dozens of bytes. This can be done quickly by inserting the interposer with the original SIM into the tray.
  • Remote SIM Administration Features: Rogue or compromised carriers can leverage standardized features for remotely managing SIMs.
    • Example: Using Over-the-Air (OTA) updates, often delivered via binary SMS messages, to provision malicious additions, install malicious applets (cardlets), or modify the file system content on SIMs deployed in the field. These updates require pre-shared keys known to the carrier. Once installed, a malicious applet can send commands to the baseband.
  • Supply-Chain Attacks: Access to the SIM during manufacturing or distribution allows an attacker to implement backdoors.
    • Example: Implementing backdoors on SIM cards at any stage between their production and distribution. Real-world examples suggest attacks against SIM manufacturers have occurred.
  • Vulnerabilities in a SIM's Software Stack: Exploiting flaws in the SIM's own software to compromise it.
    • Example: The Simjacker malware leveraged vulnerabilities in a pre-installed SIM Application Toolkit (SAT) cardlet to compromise the SIM and distribute spyware.

Once a SIM is controlled through one of these methods, it can launch various attacks against the mobile device and its baseband. Some examples demonstrated or discussed include:

  • Triggering Baseband Vulnerabilities: Hostile SIMs can send malicious or malformed messages directly to the baseband to exploit implementation flaws. Research using SIMURAI enabled fuzzing baseband firmware with malicious proactive commands, leading to the discovery of high-severity vulnerabilities like a null-pointer dereference during SEND SMS and a heap buffer overflow during SEND SS command handling. These vulnerabilities could be triggered by a hostile SIM.
  • Implementing Spyware: Leveraging SIM capabilities, such as proactive commands, to exfiltrate sensitive user information.
    • Example: Using proactive commands like PROVIDE LOCAL INFORMATION (to get location, IMEI, battery status, etc.) and SEND SHORT MESSAGE (to exfiltrate collected data via SMS) to steal a victim's location, phonebook, SMS messages, and call logs. This technique was observed in attacks like Monkeycalendar, Gopherset, and Simjacker.
  • Exploiting Proactive Command Features as Attack Surface: Specific proactive commands offer functionalities that can be misused.
    • Example: The OPEN BROWSER command can attempt to open the terminal's browser to a SIM-specified URL. While user confirmation is often required, the notification text can be controlled by the SIM, potentially aiding social engineering. This could provide a 1-click exploit attack surface.
    • Example: The RUN AT command could directly execute SIM-specified AT commands on the UE. Previous research has shown AT commands can have severe consequences, such as lock screen bypass or flashing compromised firmware. Code paths for this command were found in baseband firmware even where terminals did not report support, introducing an unnecessary attack surface.
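A proactive-command policy filter covering the commands listed above, added as an example and not code from the SIMurai paper or any baseband: it parses the TS 102 223 BER-TLV framing a terminal receives from FETCH and returns a verdict per command, denying RUN AT COMMAND, forcing confirmation for LAUNCH BROWSER (the OPEN BROWSER case above) and flagging the PROVIDE LOCAL INFORMATION then SEND SHORT MESSAGE sequence from the Simjacker discussion. The sample FETCH responses are constructed, not captured from a card.

```python
"""Policy filter for SIM Toolkit proactive commands (ETSI TS 102 223 framing).

Added example for the hostile-SIM discussion above; not code from the SIMurai
paper or any baseband. It decodes the BER-TLV wrapper a terminal gets back
from FETCH and applies a defender-side policy to the command types the text
names. The sample commands at the bottom are constructed."""
from dataclasses import dataclass, field

PROACTIVE_TAG = 0xD0            # BER-TLV tag of "Proactive UICC command"
# Simple-TLV tags; bit 8 (comprehension required) is masked off when parsing
TAG_COMMAND_DETAILS, TAG_DEVICE_IDENTITIES = 0x01, 0x02
TAG_ALPHA_ID, TAG_SMS_TPDU, TAG_AT_COMMAND, TAG_URL = 0x05, 0x0B, 0x28, 0x31
# Type-of-command values (TS 102 223 clause 9.4); LAUNCH BROWSER is the
# command the text above calls OPEN BROWSER
CMD_SEND_SMS, CMD_LAUNCH_BROWSER = 0x13, 0x15
CMD_PROVIDE_LOCAL_INFO, CMD_RUN_AT = 0x26, 0x34
# PROVIDE LOCAL INFORMATION qualifiers that return identity or position
PLI_SENSITIVE = {0x00: "location", 0x01: "IMEI", 0x08: "IMEISV", 0x0A: "battery"}


@dataclass
class ProactiveCommand:
    number: int
    cmd_type: int
    qualifier: int
    destination: int                           # 0x82 terminal, 0x83 network
    tlvs: dict = field(default_factory=dict)   # tag -> value bytes


def _read_length(buf, pos):
    """TLV length: one byte below 0x80, else 0x81 followed by one byte."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    if first == 0x81:
        return buf[pos + 1], pos + 2
    raise ValueError("length form not used by TS 102 223 TLVs")


def parse_proactive(buf: bytes) -> ProactiveCommand:
    """Decode one proactive command; raise ValueError if it is malformed."""
    if not buf or buf[0] != PROACTIVE_TAG:
        raise ValueError("not a proactive UICC command")
    length, pos = _read_length(buf, 1)
    end = pos + length
    if end != len(buf):
        raise ValueError("outer length does not match buffer")
    tlvs = {}
    while pos < end:
        tag = buf[pos] & 0x7F
        vlen, pos = _read_length(buf, pos + 1)
        if pos + vlen > end:
            raise ValueError("inner TLV overruns the command")
        tlvs[tag] = bytes(buf[pos:pos + vlen])
        pos += vlen
    details = tlvs.get(TAG_COMMAND_DETAILS, b"")
    devices = tlvs.get(TAG_DEVICE_IDENTITIES, b"")
    if len(details) != 3 or len(devices) != 2:   # both TLVs are mandatory
        raise ValueError("command details or device identities missing")
    return ProactiveCommand(details[0], details[1], details[2], devices[1], tlvs)


def audit_session(raw_commands):
    """Apply policy to a sequence of FETCH responses; one verdict per command.
    Actions: deny, confirm (user consent; prompt text is card-chosen), log,
    alert (exfiltration pattern) or allow."""
    verdicts, saw_local_info = [], False
    for raw in raw_commands:
        cmd = parse_proactive(raw)
        v = {"type": cmd.cmd_type, "action": "allow", "reason": ""}
        if cmd.cmd_type == CMD_RUN_AT:
            v.update(action="deny", reason="RUN AT COMMAND issued by the SIM")
        elif cmd.cmd_type == CMD_LAUNCH_BROWSER:
            # alpha identifier is GSM 7-bit; plain ASCII letters decode the same
            title = cmd.tlvs.get(TAG_ALPHA_ID, b"").decode("latin-1")
            url = cmd.tlvs.get(TAG_URL, b"").decode("latin-1")
            v.update(action="confirm", reason=f"SIM-chosen prompt {title!r} opens {url}")
        elif cmd.cmd_type == CMD_PROVIDE_LOCAL_INFO and cmd.qualifier in PLI_SENSITIVE:
            saw_local_info = True
            v.update(action="log", reason=f"card requested {PLI_SENSITIVE[cmd.qualifier]}")
        elif cmd.cmd_type == CMD_SEND_SMS and saw_local_info:
            # Simjacker-style sequence: gather local info, then SMS it out
            v.update(action="alert", reason="SEND SHORT MESSAGE after PROVIDE LOCAL INFORMATION")
        verdicts.append(v)
    return verdicts


# Constructed FETCH responses (hex, spaces for readability), not from a real card.
SAMPLE_SESSION = [
    bytes.fromhex("D0 09 81 03 01 26 00 82 02 81 82 "),       # PROVIDE LOCAL INFO: location
    bytes.fromhex("D0 11 81 03 02 13 00 82 02 81 83 "
                  "8B 06 01 00 03 91 12 34 "),                # SEND SMS; dummy TPDU bytes
    bytes.fromhex("D0 0E 81 03 03 34 00 82 02 81 82 "
                  "A8 03 41 54 49 "),                         # RUN AT COMMAND "ATI"
    bytes.fromhex("D0 25 81 03 04 15 00 82 02 81 82 "
                  "85 06 55 70 64 61 74 65 "                  # alpha identifier "Update"
                  "B1 12 68 74 74 70 3A 2F 2F 65 78 61 6D 70 6C 65 2E 63 6F 6D "),  # URL
]

if __name__ == "__main__":
    for verdict in audit_session(SAMPLE_SESSION):
        print(f"cmd 0x{verdict['type']:02X}: {verdict['action']:7} {verdict['reason']}")
```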

SIMBox

A SIMbox is a piece of hardware that can hold anywhere from a handful to several hundred mobile-network SIM cards. It sits between the internet (often a VoIP soft-switch) and the radio access network. When an international call or A2P SMS reaches the VoIP side, the SIMbox selects one of its local SIMs, dials the called number over the air interface, and makes the traffic look like an ordinary on-net or domestic call. From the serving network’s point of view, the device behaves like a swarm of normal handsets that just happen to live in the same rack. This lets the fraudster pocket the difference between high-margin international termination rates and the low local retail tariff—or avoid paying altogether.

  • A SIMbox is not a vulnerability in cryptographic algorithms; it is an abuse of business logic and identity proof.
  • The security impact is two-fold: (i) economic (revenue, tax, QoS) and (ii) operational/law-enforcement (identity masking, spam, social engineering).
  • Because fraudsters continuously rotate SIMs, time-to-detect is the critical metric; ML-assisted analytics fed by rich, low-latency data streams outperform periodic batch reports.
  • Countermeasures work best when radio, core, billing and regulatory levers are pulled together—no single layer can defeat SIMbox fraud in isolation.

Image Source : Preventing SIM Box Fraud Using Device Model Fingerprinting

Why is it a security problem?

A SIM box may start out looking like an ordinary fraud toolkit for shaving off international-termination fees or pushing phishing calls, but the moment those hundreds of prepaid cards sit in one rack it becomes a genuine security problem for a mobile network. First, it destroys identity integrity. Because each SIM was activated with forged or throw-away credentials, every voice call and SMS that the core network logs appears to come from a legitimate domestic subscriber even though the real caller is overseas and completely untraceable. That breaks lawful-interception workflows: investigators who follow the IMSI or calling-line ID end up at a dead end.

The same device manipulates the caller-ID field so the target’s phone displays a familiar local number. That makes voice-phishing and smishing far more convincing, and when a victim sends back a one-time password the SIM box can receive it instantly through one of the other SIMs in its pool. Meanwhile, the radio side suffers. Hundreds of “virtual handsets” camp in a single cell, attaching and detaching in rapid rotation to avoid usage caps. The paging storms and signalling spikes this generates degrade quality of service for nearby customers and can mask other anomalous traffic.

Because all of that activity is concentrated in one physical spot, a motivated attacker can treat the farm as a low-cost measurement probe. By logging broadcast channels and system information blocks across many SIMs, they can map operator frequencies, power levels and mobility parameters with far greater detail than a normal handset could provide. Those measurements feed directly into the design of targeted jammers, IMSI catchers or RRC-layer exploits. In other words, a revenue-skimming appliance quietly widens the attack surface of the entire RAN.

Finally, the accounting distortion matters. All of the grey-route traffic is recorded as domestic, so the operator’s traffic forecasts, capacity planning and even security-appliance sizing rely on polluted data. Investment is steered toward the wrong cells, and firewalls or DPI platforms are scaled for an inaccurate threat picture. What begins as a commercial loss therefore evolves into a systemic weakness: reduced visibility, slower incident response and an environment in which more serious attacks can hide in plain sight.

Risk area – how SIMbox activity undermines cellular security:

  • Anonymity & KYC bypass – Bulk prepaid SIMs are usually bought with forged or incomplete identity documents, so the real user of the radio interface is hidden.
  • Lawful interception & threat-intelligence gaps – The CLI/IMSI you see on the CDR points to a random prepaid subscriber, not the true originator abroad, so LEAs cannot confidently trace calls in real time.
  • Spoofing & social-engineering attacks – Because the SIMbox can overwrite the CLI, a fraudster can present a familiar local number to the victim, making smishing or vishing campaigns far more convincing.
  • Network-layer abuse – Hundreds of radios camped in one spot generate abnormal paging and signalling bursts, degrade QoS for nearby legitimate users, and can even be used to probe radio parameters for later attacks.
  • Stepping-stone for other crimes – The same infrastructure is often reused to terminate grey-route A2P spam, deliver mule-controlled OTPs, or provide disposable voice channels for organised crime.

  • KYC : Know Your Customer – regulatory process of verifying a subscriber’s real-world identity when issuing SIMs.
  • CLI  : Calling Line Identification – the caller’s phone number presented in signalling (a.k.a. Caller ID).
  • CDR : Call Detail Record – metadata log of each call/SMS (time, duration, IMSI/IMEI, cell ID, etc.) used for billing and forensics.
  • LEA : Law Enforcement Agency – police, national security or other authority that performs lawful interception or investigations.
  • A2P : Application-to-Person – high-volume messaging where an app or platform sends SMS to end-users (e.g., 2-FA codes, alerts).
  • OTP : One-Time Password – single-use code (often delivered by SMS) for multi-factor authentication.

How to detect?

The techniques summarized below illustrate the layered approach operators use to detect and shut down SIM-box fraud. Each method focuses on a different observable “signature,” from deliberately seeded probe calls and historical CDR patterns to radio-frequency fingerprints, SIM-to-device binding anomalies, machine-learning–driven anomaly scoring, and cross-border location inconsistencies. While no single technique is fool-proof—probe routes can be whitelisted, analytics lag behind real-time abuse, and RF clustering may misclassify dense offices—their combined use allows a fraud-management system to surface suspicious traffic quickly, prioritize investigations, and bar offending SIMs before they can rotate out.

Technique, the signal(s) it looks for, and its typical pros / cons:

  • Test-Call Generation (TCG). Signal: sends probe calls with known CLIs; if the CLI is altered or the call is received locally, the route is flagged. Pros / cons: high precision, but expensive and easy for fraudsters to whitelist probe ranges.
  • CDR/UDR analytics. Signal: unnatural MO:MT ratio, many short-duration calls, night-time-only traffic, one IMEI ⇄ many IMSIs mapping. Pros / cons: relies on historic data, so there is a lag before blocking.
  • RF fingerprinting / Cell-ID clustering. Signal: hundreds of “subscribers” anchored to one Cell-ID or GPS coordinate. Pros / cons: needs RF probes or UE location in the core; may mis-label dense offices.
  • SIM-IMEI binding & velocity rules. Signal: the IMEI–IMSI pairing changes after every few calls. Pros / cons: simple to deploy in HLR/HSS/UDM but raises false positives for dual-SIM devices.
  • AI/ML anomaly detection. Signal: multi-dimensional pattern learning on CDRs, signalling, location, top-up behaviour. Pros / cons: vendors (e.g., Subex, NeuralTech ActivML) claim near-real-time classification.
  • Geofencing with roaming data. Signal: IMSI seen locally and abroad within an impossibly short interval. Pros / cons: helps spot SIMbox farms using multi-country SIM pools.
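As an added example (not from the original page or any vendor product), the toy rules below implement four of the signatures listed above, the one-IMEI-many-IMSIs check, Cell-ID clustering, the MO-heavy short-call pattern and impossible-travel geofencing, and run them over a constructed CDR sample; the field names, thresholds, cell identifiers and coordinates are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Cdr:
    ts: int         # seconds since epoch
    imsi: str
    imei: str
    cell_id: str
    direction: str  # "MO" (mobile-originated) or "MT" (mobile-terminated)
    duration: int   # seconds
    lat: float      # serving-cell location (constructed for the sample)
    lon: float

def group(cdrs, key):
    """Group records by an attribute name, e.g. group(cdrs, "imsi")."""
    out = defaultdict(list)
    for c in cdrs:
        out[getattr(c, key)].append(c)
    return out

def km_between(a, b):
    """Great-circle distance between two CDR cell locations (haversine)."""
    p1, p2 = radians(a.lat), radians(b.lat)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(b.lon - a.lon) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def flag_simbox(cdrs, max_imsi_per_imei=3, max_imsi_per_cell=4, max_kmh=1000):
    """Return {imsi: set(reasons)} for every IMSI that trips at least one rule."""
    reasons = defaultdict(set)
    # SIM-IMEI binding rule: one handset identity presenting many SIMs.
    for imei, recs in group(cdrs, "imei").items():
        if len({c.imsi for c in recs}) > max_imsi_per_imei:
            for c in recs:
                reasons[c.imsi].add(f"many IMSIs behind {imei}")
    # Cell-ID clustering rule: a crowd of "subscribers" anchored to one cell.
    for cell, recs in group(cdrs, "cell_id").items():
        if len({c.imsi for c in recs}) > max_imsi_per_cell:
            for c in recs:
                reasons[c.imsi].add(f"crowded cell {cell}")
    for imsi, recs in group(cdrs, "imsi").items():
        # CDR analytics rule: almost no MT traffic and very short MO calls.
        mt = sum(c.direction == "MT" for c in recs)
        avg = sum(c.duration for c in recs) / len(recs)
        if len(recs) >= 3 and mt / len(recs) <= 0.1 and avg <= 30:
            reasons[imsi].add("MO-only short calls")
        # Geofencing rule: the same IMSI moving faster than any traveller could.
        recs.sort(key=lambda c: c.ts)
        for a, b in zip(recs, recs[1:]):
            if km_between(a, b) / (max(b.ts - a.ts, 1) / 3600) > max_kmh:
                reasons[imsi].add("impossible travel")
    return dict(reasons)

# Constructed sample: a six-SIM box on CELL-42 making short outbound calls, one
# ordinary subscriber, and a SIM that "appears" in London and Dubai ten minutes apart.
SAMPLE = [Cdr(1000 + 600 * k + 30 * i, f"IMSI-BOX{i}", "IMEI-BOX", "CELL-42", "MO", 12, 51.50, -0.12)
          for i in range(6) for k in range(4)]
SAMPLE += [Cdr(1000 + 900 * k, "IMSI-ALICE", "IMEI-ALICE", "CELL-7", "MT" if k % 2 else "MO", 240, 51.51, -0.10)
           for k in range(4)]
SAMPLE += [Cdr(1000, "IMSI-ROAM", "IMEI-ROAM", "CELL-42", "MO", 12, 51.50, -0.12),
           Cdr(1600, "IMSI-ROAM", "IMEI-ROAM", "CELL-DXB", "MO", 15, 25.25, 55.36)]
```

Calling `flag_simbox(SAMPLE)` flags the six box SIMs on all three of the device, cell and call-pattern rules and the roaming SIM for impossible travel, while IMSI-ALICE is not flagged.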

Hardening the network against SIMbox abuse

For a cellular-security engineer, the lesson is that SIM-box fraud does not exploit weaknesses in air-interface ciphers but in the business-logic and identity layers of the network, producing a dual threat: direct economic loss through bypassed termination fees and degraded quality of service, and operational risk as spoofed identities frustrate lawful interception and enable large-scale social-engineering campaigns. Because fraudsters can swap SIMs in seconds, the effectiveness of a defence hinges on how fast anomalies are detected—real-time, machine-learning analytics fed by signalling, billing and location data dramatically outperform slow batch reports. Ultimately, success depends on orchestrating controls across radio access, core signalling, billing policy and regulatory enforcement; no single layer, acting alone, can shut down a well-run SIM-box operation.

  • Tighten SIM lifecycle controls – Enforce KYC rigorously, limit per-ID SIM counts, and bind IMSI to IMEI where regulations allow.
  • Dynamic tariffing & surcharge – Introduce “anti-bypass surcharges” or footprint-based rating so that genuine domestic traffic is cheap but VoIP-ingress behaviour becomes uneconomical.
  • Core-side analytics – Feed signalling (SS7/Diameter), CDRs, data-probe and RF probe outputs into a near-real-time ML engine; auto-bar or force SIMs into CAMEL hot-lists.
  • Device fingerprinting on the radio side – Use 3GPP RRC security capabilities (UE Capability Enquiry, 5G “SUCI check”) to detect generic GSM gateways that declare minimal feature sets.
  • Collaborate with ecosystem – Share hot-IMSI/IMEI lists via the GSMA Fraud Intelligence service; coordinate test-call campaigns with transit carriers to choke grey routes quickly.

Fuzzing

Fuzzing is an automated technique that bombards an implementation with massive numbers of deliberately malformed or semi-valid inputs and watches for crashes, hangs, memory-safety errors, or protocol violations. In the cellular world those inputs are air-interface frames, control-plane messages, core-network APIs, or even whole baseband-firmware packets, rather than ordinary files or HTTP requests.

Target layer – typical fuzz-input corpus:

  • UE baseband firmware – Encoded RRC/NAS frames, PHY descriptors, Wi-Fi coexistence packets
  • gNB/eNB ⇄ core interfaces – NGAP/S1AP, PFCP, GTP-U, HTTP / REST SBI calls
  • 5GC service-based APIs – JSON/HTTP or gRPC messages between NFs
  • Management planes – NETCONF/YANG, O-RAN E2/E1, O-RAN fronthaul messages

Fuzzing in cellular networks is both a double-edged sword and a necessity. Offensively, it lowers the barrier to high-impact baseband and core-network attacks; defensively, it is currently the most effective way to stress-test the sprawling, fast-evolving 4G/5G stack. The engineering frontier lies in state-aware, performance-efficient, spec-driven fuzzers that can keep pace with Rel-19/6G complexity without requiring a full RF lab for every campaign.

Fuzzing as a security attack

Attackers run fuzzers for exactly the same reason defenders do—but they keep the crashes for themselves. A rogue base-station or malicious SIM application can continuously spray tampered RRC, NAS or PFCP messages, hoping to:

  • Crash the victim (baseband or core-NF denial-of-service).
  • Gain code-execution inside the modem or the AMF/UPF and pivot toward the OS or other subscribers.
  • Bypass billing or policy by tricking state machines (e.g., fake bearer release).

Over-the-Air (OTA) Fuzzing as an Offensive Technique

In the attacker’s playbook, OTA fuzzing is the practice of broadcasting mutated radio-layer messages to nearby devices with the explicit goal of crashing baseband firmware or coercing it into executing injected code. Instead of validating a product in a lab, the adversary uses the same automation loop—generate, transmit, observe, refine—to turn protocol edge-cases into reliable exploits that travel invisibly over the air.

For threat actors, OTA fuzzing turns the air interface into an invisible attack surface that bypasses app-store vetting, phishing filters, and even OS-level hardening. A single unpatched baseband bug can yield silent RCE against every phone in range—illustrating why defensive teams now treat radio-layer fuzz results with the same urgency as critical CVEs in web browsers or VPN gateways.

    Generate a hostile corpus

    “Generate a hostile corpus” refers to the preparatory phase of an over-the-air (OTA) attack in which an adversary systematically produces thousands—or even millions—of carefully mutated cellular-protocol messages intended to stress or break a target device’s baseband stack. Rather than tossing random noise onto the airwaves, the attacker uses protocol-aware tools, coverage-guided fuzzers, and even AI-driven generators to craft inputs that are malformed just enough to probe deep parsing logic while still passing basic sanity checks. The resulting message set—the hostile corpus—becomes the ammunition that is later transmitted via a rogue cell or malicious user equipment to crash, confuse, or hijack nearby phones.

    • Spec-guided mutation: Tools that understand 3GPP ASN.1 trees flip length fields, reorder Information Elements (IEs), or set illegal enum values while keeping the overall frame “legit” enough to pass superficial checks.
    • Coverage-driven mining: By running the target firmware inside an emulator or re-hosted environment, attackers let feedback fuzzers discover byte patterns that reach deep parsing code and expose memory-safety bugs.
    • Adversarial AI synthesis: Some researchers train language-model agents to craft messages that look benign yet trigger edge-case logic—an emerging tactic for hitting state-machine flaws rather than just buffer overruns.

    Weaponize the payload over RF

    Once a crash-inducing frame is distilled, the attacker integrates it into a rogue cell or malicious UE built on open-source stacks (e.g. srsRAN, OpenAirInterface) and transmits via a software-defined radio (SDR). Because cellular devices automatically select the strongest or most attractive cell, nearby phones may camp on the attacker’s signal without any user interaction. Mutated control messages—now riding on legitimate timing, scrambling, and power—reach the modem exactly as if they came from a commercial network.

    Trigger, persist, and pivot

    This is about the post-delivery phase of an OTA baseband attack, where the attacker turns an initial crash or foothold into sustained control and broader impact. Once the malicious radio payload reaches the modem, the adversary may first induce repeated crashes and reboots that sap battery life or deny service, but a more sophisticated exploit leverages memory-corruption bugs to achieve remote code execution that hides entirely inside the baseband firmware. From that invisible stronghold, the attacker can pivot through high-speed inter-processor links into the application processor, escalating their privileges to exfiltrate data, scrape voicemail, or fully compromise the device.

    • Crash & reboot: Even a non-exploitable crash can force repeated re-attachments, draining batteries or causing denial of service in dense venues.
    • Remote code execution (RCE): When a memory-corruption bug is exploitable, attackers plant shellcode that lives entirely inside the baseband, invisible to the phone’s OS and security apps.
    • Lateral movement: Modern chipsets share memory and high-speed links between modem and application processor; a baseband foothold can escalate to full device compromise, voicemail scraping, or data exfiltration.

    Why OTA fuzzing is attractive to adversaries

    Over-the-air fuzzing offers attackers a uniquely potent blend of stealth, scale, and convenience. Because mutated signalling traffic looks indistinguishable from everyday radio chatter, adversaries can deliver exploits without links, prompts, or any user interaction. The global reliance on just a handful of baseband chipsets means that a single flaw discovered in one model can instantly imperil millions of devices. Crucially, many vulnerable parsers operate before cryptographic handshakes occur, giving attackers pre-authentication reach into even the most up-to-date 5G handsets. And since most fuzzing and exploit development can be performed quietly in emulators, the only on-air activity involves short, low-power transmissions—minimizing legal exposure while maximizing impact.

    Advantage – attacker benefit:

    • Covert delivery – Radio traffic looks like normal signalling; no phishing links or user prompts are required.
    • Hardware monoculture – One bug in a popular baseband (e.g. Shannon, MTK, Snapdragon X60) scales to millions of devices worldwide.
    • Pre-authentication reach – Many attack surfaces are exposed before mutual authentication or encryption, so even 5G SA does not save a handset if its early parsers are flawed.
    • Low legal risk in preparation – All fuzzing and exploit development can be done offline in emulators; on-air time is short and low-power, reducing the attacker’s exposure.

    Real-world echoes

    Various public disclosures show that OTA fuzzing is not hypothetical; coordinated vulnerability efforts have forced firmware updates across major Android vendors and pushed 3GPP to tighten message-length checks. The same research also demonstrates how quickly a crash found in emulation can be ported to an SDR and reproduced in the field.

    Barriers attackers still face

    Even the most sophisticated over-the-air attackers must contend with practical and technical hurdles that limit the scale and reliability of their campaigns. To begin with, a rogue cell has to overpower legitimate towers in the same area, so wide-area exploitation typically demands a physical presence in high-foot-traffic locations such as airports or stadiums. On the device side, new chipsets increasingly employ hardening features—memory-tagging, pointer authentication, and fine-grained control-flow integrity—that raise the bar for turning a crash into stable code execution, even though older LTE code paths may still lag behind. Finally, regulators and operators are sharpening their response: continuous spectrum monitoring and RF-fingerprinting can expose unauthorized SDR activity, pressuring attackers to rely on brief “hit-and-run” transmissions before they can be traced.

    • Locality: Rogue cells must out-signal legitimate towers, so mass exploitation generally requires a physical presence (airport lounge, stadium, conference hotel).
    • Modern mitigations: Memory-tagging, pointer authentication, and control-flow integrity in newer chipsets raise the exploit bar—but legacy LTE code paths often remain vulnerable.
    • Spectrum enforcement: Active monitoring and radio-fingerprinting can unmask illegal SDR activity; attackers favour short “hit-and-run” windows to avoid detection.

Fuzzing as a vulnerability-testing method

When defenders embrace fuzzing, it becomes a proactive quality-assurance step rather than an attack tool, threading directly into the CI/CD pipelines that build and deploy radio-access and core-network software. By continuously generating protocol-aware mutations, measuring code-coverage feedback, and running thousands of test cases per second on emulated baseband firmware, engineers can discover deep-seated parsing faults and logic errors long before a product ever hits the field. The approach is not theoretical: campaigns such as RANsacked have already uncovered well over a hundred implementation flaws and forced dozens of CVE assignments across both commercial and open-source cellular stacks, underscoring fuzzing’s value as a frontline defensive technique.

  • Structure-aware fuzzers (e.g., Ericsson’s Berserker or RANsacked’s ASNFuzzGen) derive their grammars directly from 38.331/29.244 ASN.1, so they stay in sync with every new 3GPP release.
  • Feedback-guided engines (AFL++, libFuzzer, honggfuzz) measure coverage inside gNB stacks or 5GC NFs and mutate only the fields that explore new code paths.
  • Emulation-based baseband fuzzers (BaseSAFE, FirmWire) re-host closed blobs under QEMU to reach thousands of executions per second without radio hardware.

The payoff is real: the RANsacked campaign uncovered 119 implementation flaws and triggered 93 assigned CVEs across seven commercial and open-source cores.

Challenges when fuzzing cellular systems

Fuzzing cellular systems is far more intricate than throwing random packets at a stateless protocol: every mutated message must navigate strict call-flow sequencing and tight timing windows, survive deeply nested ASN.1 grammars, and often pass through layers of encryption and integrity protection before it can reach the vulnerable code paths that matter. This complexity is compounded by practical hurdles—booting entire core networks or SDR stacks for each test dramatically reduces throughput, radio transmissions are restricted by spectrum regulations, and the message specifications themselves evolve with every new 3GPP release. As a result, successful fuzz campaigns demand state-aware harnesses, auto-generated parsers, clever snapshotting or re-hosting techniques, and relentless upkeep to stay in lockstep with an ever-shifting standard.

Challenge, why it matters, and recent mitigations:

  • Statefulness & timeouts. Why it matters: RRC/NAS/NGAP messages must follow strict call-flow order and timing; random mutations are rejected before hitting deep code. Mitigation: stateful or model-based fuzzers replay valid sessions, then mutate selected IE fields.
  • Huge, nested grammars. Why it matters: 1400+ PER types in NGAP alone overwhelm naïve fuzzers; 95 % of random inputs are silently discarded. Mitigation: tools like ASNFuzzGen auto-generate parsers and mutators from ASN.1.
  • Slow start-up & external dependencies. Why it matters: spinning up a full core network or SDR stack for each test case kills throughput. Mitigation: snapshotting, in-memory harnesses, and baseband re-hosting boost exec/s.
  • Encrypted and integrity-protected layers. Why it matters: post-RRC security prevents mutating ciphered payloads. Mitigation: fuzz pre-security layers, patch the test UE/gNB to expose plaintext, or emulate keys.
  • Hardware/regulatory constraints. Why it matters: OTA fuzzing may violate spectrum licenses; real UEs crash unpredictably. Mitigation: use cabled RF enclosures, virtual gNB/UE, or strict SDR power limits.
  • Version churn (Rel-15 → Rel-19 & 6G drafts). Why it matters: message layouts evolve frequently (e.g., a new 3GPP release every few months). Mitigation: spec-driven fuzzers (Berserker) regenerate grammars from each new TS automatically.
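To make the "Statefulness & timeouts" challenge and the structure-aware fuzzers described under "Fuzzing as a vulnerability-testing method" concrete, here is an added toy harness (not code from Berserker, ASNFuzzGen, RANsacked or any other named tool): it compares naive bit-flipping with no session state against replaying a valid session prefix and then mutating only an IE length or value field, and counts how often each campaign actually reaches the deep IE parser. The frame layout, the two-step state machine and the message values are constructed for illustration and are not 3GPP RRC/NAS encodings.

```python
import random

# Constructed frame layout (not a 3GPP encoding): [msg_type][ie_count] then IEs as [ie_id][len][value...]
MSG_SETUP_REQ, MSG_SETUP_COMPLETE = 1, 3
IE_UE_ID, IE_CAP = 0x10, 0x12
EXPECTED = {"IDLE": MSG_SETUP_REQ, "SETUP_SENT": MSG_SETUP_COMPLETE}  # message type each state accepts

class Target:
    """Toy network-side handler: a state/type gate sits in front of the deep IE parser."""
    def __init__(self):
        self.state = "IDLE"
        self.deep_parsed = 0  # instrumentation: how often the IE parser was reached
    def handle(self, msg: bytes) -> str:
        if len(msg) < 2 or msg[0] != EXPECTED.get(self.state):
            return "discarded"  # wrong state or type: the parser is never reached
        self._parse_ies(msg)  # the deep code a fuzz campaign wants to exercise
        self.state = "SETUP_SENT" if self.state == "IDLE" else "CONNECTED"
        return "accepted"
    def _parse_ies(self, msg: bytes) -> dict:
        self.deep_parsed += 1
        ies, pos = {}, 2
        for _ in range(msg[1]):
            if pos + 2 > len(msg): raise ValueError("truncated IE header")
            ie_id, ln = msg[pos], msg[pos + 1]
            val = msg[pos + 2:pos + 2 + ln]
            if len(val) != ln or ie_id in ies: raise ValueError("bad IE length or duplicate IE")
            ies[ie_id] = val
            pos += 2 + ln
        return ies

def encode(msg_type: int, ies) -> bytes:
    return bytes([msg_type, len(ies)]) + b"".join(bytes([i, len(v)]) + v for i, v in ies)

# A valid two-message session: setup request, then setup complete (the message we mutate).
VALID_SESSION = [encode(MSG_SETUP_REQ, [(IE_UE_ID, b"\x00\x2a")]),
                 encode(MSG_SETUP_COMPLETE, [(IE_CAP, b"\x0f\xf0")])]

def mutate_random(msg: bytes, rng: random.Random) -> bytes:
    """Naive baseline: flip a few random bits anywhere in the frame, type byte included."""
    b = bytearray(msg)
    for _ in range(rng.randint(1, 3)):
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    return bytes(b)

def mutate_ie(msg: bytes, rng: random.Random) -> bytes:
    """Structure-aware mutation: keep type and IE count, corrupt the first IE's length or value."""
    b = bytearray(msg)
    b[3 if rng.random() < 0.5 else 4] = rng.randrange(256)  # offset 3 = IE length, 4 = first value byte
    return bytes(b)

def campaign(mutator, prefix, n=500, seed=1):
    """Replay `prefix`, then send n mutated copies of the final message; return (reached, crashes)."""
    rng, reached, crashes = random.Random(seed), 0, 0
    for _ in range(n):
        t = Target()
        for m in prefix:  # state-aware harness: drive the target into the right state first
            t.handle(m)
        try:
            t.handle(mutator(VALID_SESSION[-1], rng))
        except ValueError: pass  # clean rejection by the parser: expected behaviour
        except Exception: crashes += 1  # anything else is a finding worth triaging
        reached += t.deep_parsed - len(prefix)  # the replayed prefix does not count
    return reached, crashes
```

Running `campaign(mutate_random, [])` reaches the parser only in the rare cases where a bit flip happens to turn the type byte into the one IDLE accepts, whereas `campaign(mutate_ie, [VALID_SESSION[0]])` reaches it on every test case; the gap is the throughput a state-aware, structure-aware harness buys.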
