KAIST Researchers Uncover Critical Security Flaws in Global Mobile Networks
Breakthrough Discovery Reveals How Attackers Can Remotely Manipulate User Data Without Physical Proximity
DAEJEON, South Korea — In an era when recent cyberattacks on major telecommunications providers have highlighted the fragility of mobile security, researchers at the Korea Advanced Institute of Science and Technology have identified a class of previously unknown vulnerabilities that could allow remote attackers to compromise cellular networks serving billions of users worldwide.
The research team, led by Professor Yongdae Kim of KAIST's School of Electrical Engineering, discovered that unauthorized attackers could remotely manipulate internal user information in LTE core networks — the central infrastructure that manages authentication, internet connectivity, and data transmission for mobile devices and IoT equipment.
The findings, presented at the 32nd ACM Conference on Computer and Communications Security in Taipei, Taiwan, earned the team a Distinguished Paper Award, one of only 30 such honors selected from approximately 2,400 submissions to one of the field's most prestigious venues.
A New Class of Vulnerability
The vulnerability class, which the researchers termed "Context Integrity Violation" (CIV), represents a fundamental breach of a basic security principle: unauthenticated messages should not alter internal system states. While previous security research has primarily focused on "downlink" attacks — where networks compromise devices — this study examined the less-scrutinized "uplink" security, where devices can attack core networks.
"The problem stems from gaps in the 3GPP standards," Professor Kim explained, referring to the international body that establishes operational rules for mobile networks. "While the standards prohibit processing messages that fail authentication, they lack clear guidance on handling messages that bypass authentication procedures entirely."
The team developed CITesting, the world's first systematic tool for detecting these vulnerabilities, capable of examining between 2,802 and 4,626 test cases — a vast expansion from the 31 cases covered by the only previous comparable research tool, LTEFuzz.
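The principle behind CIV, that an unauthenticated uplink message must not change the core's internal state, can be shown in a toy model. The example below is added here and is not code from the paper, CITesting, or any of the tested core networks; the context fields, message kinds and IMSI are constructed, and the model is deliberately reduced to three NAS message types so that the vulnerable and the context-integrity-preserving handlers can be compared side by side.

```python
from dataclasses import dataclass
from enum import Enum, auto

class State(Enum):
    DEREGISTERED = auto()
    AUTHENTICATING = auto()
    REGISTERED = auto()

@dataclass
class UeContext:                       # toy per-subscriber context held by the core (constructed)
    imsi: str
    state: State = State.DEREGISTERED
    security_active: bool = False      # NAS security context established after authentication
    tai: str = ""                      # last known tracking area identity

@dataclass
class NasMessage:                      # toy uplink NAS message (constructed; not a real codec)
    kind: str                          # "ATTACH_REQUEST", "TAU_REQUEST" or "DETACH_REQUEST"
    imsi: str
    integrity_protected: bool = False  # carries a NAS MAC at all?
    mac_verified: bool = False         # did that MAC verify under the context's current keys?
    tai: str = ""

INITIAL_MESSAGES = {"ATTACH_REQUEST"}  # the only kind that may legitimately arrive unprotected

def handle_vulnerable(ctx: UeContext, msg: NasMessage) -> UeContext:
    """CIV-prone handling: the transition table runs with no check on authentication."""
    if msg.kind == "ATTACH_REQUEST":
        ctx.state = State.AUTHENTICATING
    elif msg.kind == "TAU_REQUEST":
        ctx.tai = msg.tai
    elif msg.kind == "DETACH_REQUEST":
        ctx.state, ctx.security_active = State.DEREGISTERED, False
    return ctx

def handle_hardened(ctx: UeContext, msg: NasMessage) -> UeContext:
    """Context-integrity handling: established state changes only after authentication."""
    if msg.kind in INITIAL_MESSAGES and not ctx.security_active:
        return handle_vulnerable(ctx, msg)   # initial attach: no context exists to protect yet
    if not (ctx.security_active and msg.integrity_protected and msg.mac_verified):
        return ctx                           # bypassed authentication: drop, context untouched
    return handle_vulnerable(ctx, msg)       # verified: apply the same transition table

def demo() -> tuple:
    imsi = "001010000000001"                 # test-PLMN IMSI, constructed
    vuln = UeContext(imsi, State.REGISTERED, True, "TAI-1")
    hard = UeContext(imsi, State.REGISTERED, True, "TAI-1")
    # Constructed scenario: a registered subscriber's context sees an unprotected DETACH, then TAU
    for m in (NasMessage("DETACH_REQUEST", imsi), NasMessage("TAU_REQUEST", imsi, tai="TAI-9")):
        handle_vulnerable(vuln, m)
        handle_hardened(hard, m)
    return (vuln.state, vuln.tai), (hard.state, hard.tai)
```

In the vulnerable handler the unprotected messages deregister the subscriber and overwrite the tracking area, the kind of corrupted network information behind the reconnection-blocking scenario described later; the hardened handler leaves the context exactly as it was.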
Widespread Impact Confirmed
Testing four major LTE core network implementations — both open-source and commercial systems — revealed that all contained CIV vulnerabilities. The results showed:
Open5GS: 2,354 detections, 29 unique vulnerabilities
srsRAN: 2,604 detections, 22 unique vulnerabilities
Amarisoft: 672 detections, 16 unique vulnerabilities
Nokia: 2,523 detections, 59 unique vulnerabilities
The research team demonstrated three critical attack scenarios: denial of service by corrupting network information to block reconnection; IMSI exposure by forcing devices to retransmit user identification numbers in plaintext; and location tracking by capturing signals during reconnection attempts.
Unlike traditional attacks requiring fake base stations or signal interference near victims, these attacks work remotely through legitimate base stations, affecting anyone within the same MME (Mobility Management Entity) coverage area as the attacker — potentially spanning entire metropolitan regions.
Industry Response and Future Implications
Following responsible disclosure protocols, the research team notified affected vendors. Amarisoft deployed patches, and Open5GS integrated the team's fixes into its official repository. Nokia, however, stated it would not issue patches, asserting compliance with 3GPP standards and declining to comment on whether telecommunications companies currently use the affected equipment.
"Uplink security has been relatively neglected due to testing difficulties, implementation diversity, and regulatory constraints," Professor Kim noted. "Context integrity violations can pose serious security risks."
The research team, which included KAIST doctoral students Mincheol Son and Kwangmin Kim as co-first authors, along with Beomseok Oh and Professor CheolJun Park of Kyung Hee University, plans to extend their validation to 5G and private 5G environments. The tools could prove particularly critical for industrial and infrastructure networks, where breaches could have consequences ranging from communication disruption to exposure of sensitive military or corporate data.
The research was supported by the Ministry of Science and ICT through the Institute for Information & Communications Technology Planning & Evaluation, as part of a project developing security technologies for 5G private networks.
With mobile networks forming the backbone of modern digital infrastructure, the discovery underscores the ongoing challenge of securing systems designed in an era when such sophisticated attacks were barely conceivable — and the urgent need for updated standards to address them.
Vulnerability Found: One Packet Can Paralyze Smartphones
Photo: (from left) Professor Yongdae Kim, PhD candidate Tuan Dinh Hoang, and PhD candidate Taekkyung Oh from KAIST; Professor CheolJun Park from Kyung Hee University; and Professor Insu Yun from KAIST
Smartphones must stay connected to mobile networks at all times to function properly. The core component that enables this constant connectivity is the communication modem (Baseband) inside the device. KAIST researchers, using their self-developed testing framework called 'LLFuzz (Lower Layer Fuzz),' have discovered security vulnerabilities in the lower layers of smartphone communication modems and demonstrated the necessity of standardizing 'mobile communication modem security testing.'
*Standardization: In mobile communication, conformance testing, which verifies normal operation in normal situations, has been standardized. However, standards for handling abnormal packets have not yet been established, hence the need for standardized security testing.
Professor Yongdae Kim's team from the School of Electrical Engineering at KAIST, in a joint research effort with Professor CheolJun Park's team from Kyung Hee University, announced on the 25th of July that they have discovered critical security vulnerabilities in the lower layers of smartphone communication modems. These vulnerabilities can incapacitate smartphone communication with just a single manipulated wireless packet (a data transmission unit in a network). In particular, these vulnerabilities are extremely severe because they can potentially lead to remote code execution (RCE).
The research team utilized their self-developed 'LLFuzz' analysis framework to analyze the lower layer state transitions and error handling logic of the modem to detect security vulnerabilities. LLFuzz was able to precisely extract vulnerabilities caused by implementation errors by comparing and analyzing 3GPP* standard-based state machines with actual device responses.
*3GPP: An international collaborative organization that creates global mobile communication standards.
The research team conducted experiments on 15 commercial smartphones from global manufacturers, including Apple, Samsung Electronics, Google, and Xiaomi, and discovered a total of 11 vulnerabilities. Among these, seven were assigned official CVE (Common Vulnerabilities and Exposures) numbers, and manufacturers applied security patches for these vulnerabilities. However, the remaining four have not yet been publicly disclosed.
While previous security research primarily focused on higher layers of mobile communication, such as NAS (Non-Access Stratum) and RRC (Radio Resource Control), the research team concentrated on analyzing the error handling logic of mobile communication's lower layers, which manufacturers have often neglected.
These vulnerabilities occurred in the lower layers of the communication modem (RLC, MAC, PDCP, PHY*), and due to their structural characteristics where encryption or authentication is not applied, operational errors could be induced simply by injecting external signals.
*RLC, MAC, PDCP, PHY: Lower layers of LTE/5G communication, responsible for wireless resource allocation, error control, encryption, and physical layer transmission.
The research team released a demo video showing that when they injected a manipulated wireless packet (a malformed MAC packet), generated on an experimental laptop and transmitted via a Software-Defined Radio (SDR) device, into commercial smartphones, the smartphone's communication modem (Baseband) immediately crashed.
※ Experiment video: https://drive.google.com/file/d/1NOwZdu_Hf4ScG7LkwgEkHLa_nSV4FPb_/view?usp=drive_link
The video shows data being normally transmitted at 23MB per second on the fast.com page, but immediately after the manipulated packet is injected, the transmission stops and the mobile communication signal disappears. This intuitively demonstrates that a single wireless packet can cripple a commercial device's communication modem.
The vulnerabilities were found in the modem chip, the core smartphone component responsible for calls, texts, and data communication.
Qualcomm: Affects over 90 chipsets, including CVE-2025-21477, CVE-2024-23385.
MediaTek: Affects over 80 chipsets, including CVE-2024-20076, CVE-2024-20077, CVE-2025-20659.
Samsung: CVE-2025-26780 (targets the latest chipsets like Exynos 2400, 5400).
Apple: CVE-2024-27870 (shares the same vulnerability as Qualcomm CVE).
The affected modem chips (communication components) are used not only in premium smartphones but also in low-end smartphones, tablets, smartwatches, and IoT devices, so their broad diffusion gives the vulnerabilities a correspondingly wide potential for user harm.
Furthermore, the research team experimentally tested 5G vulnerabilities in the lower layers and found two vulnerabilities in just two weeks. Considering that 5G vulnerability checks have not been generally conducted, it is possible that many more vulnerabilities exist in the mobile communication lower layers of baseband chips.
Professor Yongdae Kim explained, "The lower layers of smartphone communication modems are not subject to encryption or authentication, creating a structural risk where devices can accept arbitrary signals from external sources." He added, "This research demonstrates the necessity of standardizing mobile communication modem security testing for smartphones and other IoT devices."
The research team is continuing additional analysis of the 5G lower layers using LLFuzz and is also developing tools for testing LTE and 5G upper layers. They are also pursuing collaborations for future tool disclosure. The team's stance is that "as technological complexity increases, systemic security inspection systems must evolve in parallel."
First author Tuan Dinh Hoang, a Ph.D. student in the School of Electrical Engineering, will present the research results in August at USENIX Security 2025, one of the world's most prestigious conferences in cybersecurity.
※ Paper Title: LLFuzz: An Over-the-Air Dynamic Testing Framework for Cellular Baseband Lower Layers (Tuan Dinh Hoang and Taekkyung Oh, KAIST; CheolJun Park, Kyung Hee Univ.; Insu Yun and Yongdae Kim, KAIST)
※ Usenix paper site: https://www.usenix.org/conference/usenixsecurity25/presentation/hoang (Not yet public), Lab homepage paper: https://syssec.kaist.ac.kr/pub/2025/LLFuzz_Tuan.pdf
※ Open-source repository: https://github.com/SysSec-KAIST/LLFuzz (To be released)
This research was conducted with support from the Institute of Information & Communications Technology Planning & Evaluation (IITP) funded by the Ministry of Science and ICT.
3rd KAIST Junghoon Cho Academic Award Ceremony
Academic award to Sehoon Kim; scholarships to Yongdae Kim, Daehyun Kim, and Suncheol Park
KAIST (President Nam Pyo Suh) held the 3rd KAIST Junghoon Cho Academic Award ceremony in the conference room of the main administration building on Friday, May 11, at 2 pm, with President Suh and the bereaved family in attendance.
Sehoon Kim, a doctoral researcher at the Agency for Defense Development (ADD) and a KAIST graduate, was named the 3rd recipient of the Junghoon Cho Academic Award in recognition of his achievement in establishing a design method for supersonic vacuum devices. Scholarships were granted to Yongdae Kim (doctoral student of Aerospace Engineering, KAIST), Daehyun Kim (master's student of Mechanical Engineering, Korea University), and Suncheol Park (a senior at the high school attached to the College of Education at Kongju National University). The prize money is 20 million won, and the scholarships amount to 3 million won and 2 million won for university and high school students, respectively.
The “Junghoon Cho Academic Award” is a meaningful award established through the donation of compensation money and personal property, amounting to about 470 billion won, by Donggil Cho, father of the late Dr. Junghoon Cho, who died in the explosion accident at the Wind Tunnel Laboratory in 2002.
Photo: Dr. Sehoon Kim