research
<(From left) Professor Yongdae Kim, PhD candidate Tuan Dinh Hoang, PhD candidate Taekkyung Oh from KAIST, Professor CheolJun Park from Kyung Hee University; and Professor Insu Yun from KAIST>
Smartphones must stay connected to mobile networks at all times to function properly. The core component that enables this constant connectivity is the communication modem (Baseband) inside the device. KAIST researchers, using their self-developed testing framework called 'LLFuzz (Lower Layer Fuzz),' have discovered security vulnerabilities in the lower layers of smartphone communication modems and demonstrated the necessity of standardizing 'mobile communication modem security testing.'
*Standardization: In mobile communication, conformance testing, which verifies normal operation in normal situations, has been standardized. However, standards for handling abnormal packets have not yet been established, hence the need for standardized security testing.
Professor Yongdae Kim's team from the School of Electrical Engineering at KAIST, in a joint research effort with Professor CheolJun Park's team from Kyung Hee University, announced on the 25th of July that they have discovered critical security vulnerabilities in the lower layers of smartphone communication modems. These vulnerabilities can incapacitate smartphone communication with just a single manipulated wireless packet (a data transmission unit in a network). In particular, these vulnerabilities are extremely severe as they can potentially lead to remote code execution (RCE)
The research team utilized their self-developed 'LLFuzz' analysis framework to analyze the lower layer state transitions and error handling logic of the modem to detect security vulnerabilities. LLFuzz was able to precisely extract vulnerabilities caused by implementation errors by comparing and analyzing 3GPP* standard-based state machines with actual device responses.
*3GPP: An international collaborative organization that creates global mobile communication standards.
The research team conducted experiments on 15 commercial smartphones from global manufacturers, including Apple, Samsung Electronics, Google, and Xiaomi, and discovered a total of 11 vulnerabilities. Among these, seven were assigned official CVE (Common Vulnerabilities and Exposures) numbers, and manufacturers applied security patches for these vulnerabilities. However, the remaining four have not yet been publicly disclosed.
While previous security research primarily focused on higher layers of mobile communication, such as NAS (Network Access Stratum) and RRC (Radio Resource Control), the research team concentrated on analyzing the error handling logic of mobile communication's lower layers, which manufacturers have often neglected.
These vulnerabilities occurred in the lower layers of the communication modem (RLC, MAC, PDCP, PHY*), and due to their structural characteristics where encryption or authentication is not applied, operational errors could be induced simply by injecting external signals.
*RLC, MAC, PDCP, PHY: Lower layers of LTE/5G communication, responsible for wireless resource allocation, error control, encryption, and physical layer transmission.
The research team released a demo video showing that when they injected a manipulated wireless packet (malformed MAC packet) into commercial smartphones via a Software-Defined Radio (SDR) device using packets generated on an experimental laptop, the smartphone's communication modem (Baseband) immediately crashed
※ Experiment video: https://drive.google.com/file/d/1NOwZdu_Hf4ScG7LkwgEkHLa_nSV4FPb_/view?usp=drive_link
The video shows data being normally transmitted at 23MB per second on the fast.com page, but immediately after the manipulated packet is injected, the transmission stops and the mobile communication signal disappears. This intuitively demonstrates that a single wireless packet can cripple a commercial device's communication modem.
The vulnerabilities were found in the 'modem chip,' a core component of smartphones responsible for calls, texts, and data communication, making it a very important component.
- Qualcomm: Affects over 90 chipsets, including CVE-2025-21477, CVE-2024-23385.
- MediaTek: Affects over 80 chipsets, including CVE-2024-20076, CVE-2024-20077, CVE-2025-20659.
- Samsung: CVE-2025-26780 (targets the latest chipsets like Exynos 2400, 5400).
- Apple: CVE-2024-27870 (shares the same vulnerability as Qualcomm CVE).
The problematic modem chips (communication components) are not only in premium smartphones but also in low-end smartphones, tablets, smartwatches, and IoT devices, leading to the widespread potential for user harm due to their broad diffusion.
Furthermore, the research team experimentally tested 5G vulnerabilities in the lower layers and found two vulnerabilities in just two weeks. Considering that 5G vulnerability checks have not been generally conducted, it is possible that many more vulnerabilities exist in the mobile communication lower layers of baseband chips.
Professor Yongdae Kim explained, "The lower layers of smartphone communication modems are not subject to encryption or authentication, creating a structural risk where devices can accept arbitrary signals from external sources." He added, "This research demonstrates the necessity of standardizing mobile communication modem security testing for smartphones and other IoT devices."
The research team is continuing additional analysis of the 5G lower layers using LLFuzz and is also developing tools for testing LTE and 5G upper layers. They are also pursuing collaborations for future tool disclosure. The team's stance is that "as technological complexity increases, systemic security inspection systems must evolve in parallel."
First author Tuan Dinh Hoang, a Ph.D. student in the School of Electrical Engineering, will present the research results in August at USENIX Security 2025, one of the world's most prestigious conferences in cybersecurity.
※ Paper Title: LLFuzz: An Over-the-Air Dynamic Testing Framework for Cellular Baseband Lower Layers (Tuan Dinh Hoang and Taekkyung Oh, KAIST; CheolJun Park, Kyung Hee Univ.; Insu Yun and Yongdae Kim, KAIST)
※ Usenix paper site: https://www.usenix.org/conference/usenixsecurity25/presentation/hoang (Not yet public), Lab homepage paper: https://syssec.kaist.ac.kr/pub/2025/LLFuzz_Tuan.pdf
※ Open-source repository: https://github.com/SysSec-KAIST/LLFuzz (To be released)
This research was conducted with support from the Institute of Information & Communications Technology Planning & Evaluation (IITP) funded by the Ministry of Science and ICT.
-
research KAIST Confirms Reduction of Amyloid-β Using Red OLED-Restores Memory in Alzheimer’s Model
<Professor Kyung Cheol Choi, Dr. Byeongju Noh, Ph.D candidate Young-Hun Jung, Ph.D candidate Minwoo Park, Dr.Ja Wook Koo, Researcher Jiyun Lee, Researcher Ji-Eun Lee, Dr. Hyang Sook Hoe, Dr. Hyun-Ju Lee, Dr. Sora Kang, Researcher Seokjun Oh> A Korean research team, raising the question “Which OLED light color can actually improve memory and pathological markers in Alzheimer’s patients?”, has identified the most effective OLED color capable of enhancing cognitive fun
2025-11-24 -
event IEEE President Professor Kramer Holds Special Lecture on Artificial Intelligence in the Electrical Engineering Department
Kathleen A. Kramer, President of the IEEE (Institute of Electrical and Electronics Engineers), the world's largest technical professional organization dedicated to electrical and electronic technology, visited our university on the 30th and delivered a special lecture under the theme, 'Drawing the Future of Artificial Intelligence Together.' < IEEE Leadership and KAIST EE Meeting KITIS Director (Sung-Hyun Hong), KAIST EE Professors (Joonwoo Bae), (Ian Oakley), (Hye-Won Jeong), (Chang-Shik
2025-11-06 -
research KAIST Researchers Uncover Critical Security Flaws in Global Mobile Networks
Breakthrough Discovery Reveals How Attackers Can Remotely Manipulate User Data Without Physical Proximity DAEJEON, South Korea — In an era when recent cyberattacks on major telecommunications providers have highlighted the fragility of mobile security, researchers at the Korea Advanced Institute of Science and Technology have identified a class of previously unknown vulnerabilities that could allow remote attackers to compromise cellular networks serving billions of users worldwide. Th
2025-11-03 -
research Semiconductor Leadership Spotlighted in Nature Sister Journal
<(From Left) Prof. Shinhyun Choi, Prof. Young Gyu Yoon, Prof.Seunghyub Yoo from the School of Electrical Engineering, Prof. Kyung Min Kim from Materials Science and Engineering> KAIST (President Kwang Hyung Lee) announced on the 5th of September that its semiconductor research and education achievements were highlighted on August 18 in Nature Reviews Electrical Engineering, a sister journal of the world-renowned scientific journal Nature. Title: Semiconductor-related research and educa
2025-09-05 -
research KAIST develops world’s most sensitive light-powered photodetector—20 times more sensitive, operating without electricity
<(From left) Ph.D candidate Jaeha Hwang, Ph.D candidate Jungi Song ,Professor Kayoung Lee from Electrical Engineering> Silicon semiconductors used in existing photodetectors have low light responsivity, and the two-dimensional semiconductor MoS₂ (molybdenum disulfide) is so thin that doping processes to control its electrical properties are difficult, limiting the realization of high-performance photodetectors. The KAIST research team has overcome this technical limitation and developed
2025-08-16