{"id":49382174,"url":"https://github.com/onehouwong/Cellular-Security-Papers","last_synced_at":"2026-05-31T06:00:35.415Z","repository":{"id":169586409,"uuid":"645587845","full_name":"onehouwong/Cellular-Security-Papers","owner":"onehouwong","description":"A collection of academic papers / Git repos / conference talks / frameworks / tools related to cellular security and privacy.","archived":false,"fork":false,"pushed_at":"2026-03-06T17:15:18.000Z","size":156,"stargazers_count":180,"open_issues_count":0,"forks_count":34,"subscribers_count":23,"default_branch":"main","last_synced_at":"2026-03-06T20:50:46.725Z","etag":null,"topics":["5g","cellular","lte","o-ran","paper","privacy","security"],"latest_commit_sha":null,"homepage":"https://www.5gsec.com/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/onehouwong.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-05-26T01:54:32.000Z","updated_at":"2026-03-06T17:15:22.000Z","dependencies_parsed_at":"2024-08-28T19:16:29.352Z","dependency_job_id":"3432b951-a4f0-43af-8eca-ae7ac0979cf3","html_url":"https://github.com/onehouwong/Cellular-Security-Papers","commit_stats":null,"previous_names":["onehouwong/cellular-security-papers"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/onehouwong/Cellular-Security-Papers","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onehouwong%2FCellular-Security-Papers","tags_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/onehouwong%2FCellular-Security-Papers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onehouwong%2FCellular-Security-Papers/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onehouwong%2FCellular-Security-Papers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/onehouwong","download_url":"https://codeload.github.com/onehouwong/Cellular-Security-Papers/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onehouwong%2FCellular-Security-Papers/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33720897,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["5g","cellular","lte","o-ran","paper","privacy","security"],"created_at":"2026-04-28T06:00:28.382Z","updated_at":"2026-05-31T06:00:35.406Z","avatar_url":"https://github.com/onehouwong.png","language":null,"funding_links":[],"categories":["Related Lists"],"sub_categories":["Notable GitHub Issues \u0026 Discussions"],"readme":"# Cellular-Security-Papers\n\nThis repo collects academic papers / open source projects / conference talks / frameworks / tools related to the research of cellular security and 
privacy.\n\n## Table of Contents\n\n- [Baseband Analysis](https://github.com/onehouwong/Cellular-Security-Papers#baseband-analysis)\n- [Vulnerability Discovery / Analysis](https://github.com/onehouwong/Cellular-Security-Papers#vulnerability-discovery--analysis)\n- [Defense](https://github.com/onehouwong/Cellular-Security-Papers#defense)\n- [O-RAN Related](https://github.com/onehouwong/Cellular-Security-Papers#o-ran-related)\n- [Core Network Security](https://github.com/onehouwong/Cellular-Security-Papers#core-network-security)\n- [Network Slicing Security](https://github.com/onehouwong/Cellular-Security-Papers#network-slicing-security)\n- [Survey \u0026 SoK](https://github.com/onehouwong/Cellular-Security-Papers/#survey--sok)\n- [Open Source Projects / Frameworks / Tools](https://github.com/onehouwong/Cellular-Security-Papers#open-source-projects--frameworks--tools)\n- [Testbeds](https://github.com/onehouwong/Cellular-Security-Papers#testbeds)\n- [Open Dataset](https://github.com/onehouwong/Cellular-Security-Papers#open-dataset)\n\n\n## Baseband Analysis \n### Baseband Reverse Engineering\n\n[awesome-baseband-research](https://github.com/lololosys/awesome-baseband-research) A nice summary of research work on baseband firmware RE. 
\n\n[Shannon (SAMSUNG) baseband reverse engineering](https://github.com/grant-h/ShannonBaseband)\n\n[MediaTec-baseband-LTE-RE](https://github.com/cyrozap/mediatek-lte-baseband-re)\n\n[Huawei baseband exploit](https://i.blackhat.com/us-18/Thu-August-9/us-18-Grassi-Exploitation-of-a-Modern-Smartphone-Baseband-wp.pdf) (BH 18) \n\n[How to design a baseband debugger (Samsung Shannon)](https://www.sstic.org/media/SSTIC2020/SSTIC-actes/how_to_design_a_baseband_debugger/SSTIC2020-Article-how_to_design_a_baseband_debugger-berard_fargues.pdf) \n\n[Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks](https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf) (USENIX WOOT 12) \n\n[BASESPEC: Comparative Analysis of Baseband Software and Cellular Specifications for L3 Protocols](https://www.ndss-symposium.org/wp-content/uploads/2021-365-paper.pdf) (NDSS 21)\n\n[BASECOMP: A Comparative Analysis for Integrity Protection in Cellular Baseband Software](https://www.usenix.org/system/files/usenixsecurity23-kim-eunsoo.pdf) (USENIX Security 23)\n\n[Semantic-Enhanced Static Vulnerability Detection in Baseband Firmware](https://dl.acm.org/doi/pdf/10.1145/3597503.3639158) (ICSE'24)\n\n[Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands](https://www.usenix.org/system/files/usenixsecurity24-tu.pdf) (USENIX Security 24)\n\n[BaseMirror: Automatic Reverse Engineering of Baseband Commands from Android's Radio Interface Layer](https://arxiv.org/pdf/2409.00475) (CCS 24)\n\n[Stateful Analysis and Fuzzing of Commercial Baseband Firmware](https://www.computer.org/csdl/proceedings-article/sp/2025/223600b082/26hiU6JdGYE) (IEEE S\u0026P 25)\n\n### Emulation and fuzzing \n[Emulating Samsung’s Baseband for Security Testing](https://i.blackhat.com/USA-20/Wednesday/us-20-Hernandez-Emulating-Samsungs-Baseband-For-Security-Testing.pdf)\n\n[BaseSAFE: Baseband SAnitized Fuzzing through 
Emulation](https://dl.acm.org/doi/pdf/10.1145/3395351.3399360) (WiSec 20)\n\n[ARIstoteles – Dissecting Apple’s Baseband Interface](https://link.springer.com/chapter/10.1007/978-3-030-88418-5_7) (ESORICS 21)\n\n[FIRMWIRE: Transparent Dynamic Analysis for Cellular Baseband Firmware](https://www.ndss-symposium.org/wp-content/uploads/2022-136-paper.pdf) (NDSS 22)\n\n[BaseBridge: Bridging the Gap between Emulation and Over-The-Air Testing for Cellular Baseband Firmware](https://www.computer.org/csdl/proceedings-article/sp/2025/223600b101/26EkFnSdkOY) (IEEE S\u0026P 25)\n\n[FirmState: Bringing Cellular Protocol States to Shannon Baseband Emulation](https://dl.acm.org/doi/pdf/10.1145/3734477.3734726) (WiSec 25)\n\n[LLFuzz: An Over-the-Air Dynamic Testing Framework for Cellular Baseband Lower Layers](https://www.usenix.org/conference/usenixsecurity25/presentation/hoang) (USENIX Sec 25)\n\n\n\n## Vulnerability Discovery / Analysis\n\n### Formal verification\n\n[Formal Analysis of Access Control Mechanism of 5G Core Network](https://syed-rafiul-hussain.github.io/wp-content/uploads/2023/10/5GCVerif-ccs23.pdf) (CCS 23)\n\n[Provable Non-Frameability for 5G Lawful Interception](https://www.ida.liu.se/labs/rtslab/publications/2023/Felipe_WiSec2023.pdf) (Wisec 23)\n\n[LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE](https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_02A-3_Hussain_paper.pdf) (NDSS 18)\n\n[Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_06B-1_Cremers_paper.pdf) (NDSS 19)\n\n[5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol](https://dl.acm.org/doi/pdf/10.1145/3319535.3354263) (CCS 19)\n\n[A Formal Analysis of 5G Authentication](https://dl.acm.org/doi/pdf/10.1145/3243734.3243846) (CCS 18)\n\n[A Systematic Analysis Method for 5G Non-Access Stratum Signalling 
Security](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957) (IEEE Access 19)\n\n[From Control to Chaos: A Comprehensive Formal Analysis of 5G's Access Control](https://www.computer.org/csdl/proceedings-article/sp/2025/223600b043/26hiU5s1BGE) (IEEE S\u0026P 25)\n\n\n### Fuzzing \u0026 Testing\n[Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8835363) (IEEE S\u0026P 19)\n\n[ProChecker: An Automated Security and Privacy Analysis Framework for 4G LTE Protocol Implementations](https://ieeexplore.ieee.org/document/9546434) (ICDCS21)\n\n[Noncompliance as Deviant Behavior: An Automated Black-box Noncompliance Checker for 4G LTE Cellular Devices](https://dl.acm.org/doi/pdf/10.1145/3460120.3485388) (CCS 21)\n\n[DoLTEst: In-depth Downlink Negative Testing Framework for LTE Devices](https://www.usenix.org/system/files/sec22-park-cheoljun.pdf) (USENIX Sec 22)\n\n[Putting LTE Security Functions to the Test: A Framework to Evaluate Implementation Correctness](https://www.usenix.org/system/files/conference/woot16/woot16-paper-rupprecht.pdf) (WOOT 16)\n\n[UE Security Reloaded: Developing a 5G Standalone User-Side Security Testing Framework](https://dl.acm.org/doi/pdf/10.1145/3558482.3590194) (Wisec 23)\n\n[SecChecker: Inspecting the security implementation of 5G Commercial Off-The-Shelf (COTS) mobile devices](https://www.sciencedirect.com/science/article/abs/pii/S0167404823002717)\n\n[Towards Automated Fuzzing of 4G/5G Protocol Implementations Over the Air](https://asset-group.github.io/papers/AutoFuzz4G5G.pdf)\n\n[An Experimental Testbed for 5G Network Security Assessment](https://inria.hal.science/hal-04364306/file/NOMS_2023.pdf)\n\n[VET5G: A Virtual End-to-End Testbed for 5G Network Security Experimentation](https://dl.acm.org/doi/pdf/10.1145/3546096.3546111) (CSET 22)\n\n[An Automated Vulnerability Detection Method for the 5G RRC Protocol Based on 
Fuzzing](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9849690)\n\n[5Greplay: a 5G Network Traffic Fuzzer - Application to Attack Injection](https://dl.acm.org/doi/pdf/10.1145/3465481.3470079)\n\n[ASTRA-5G: Automated Over-the-Air Security Testing and Research Architecture for 5G SA Devices](https://dl.acm.org/doi/pdf/10.1145/3643833.3656141) (Wisec'24)\n\n[RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces](https://nathanielbennett.com/publications/ransacked.pdf) (CCS'24)\n\n[Feedback-Guided API Fuzzing of 5G Network](https://www.ndss-symposium.org/wp-content/uploads/futureg25-71.pdf) (NDSS FutureG Workshop'25)\n\n[MOBIDOJO: A Virtual Security Combat Platform for 5G Cellular Networks](https://www.ndss-symposium.org/wp-content/uploads/futureg25-35.pdf) (NDSS FutureG Workshop'25)\n\n[GLaDoS: Location-aware Denial-of-Service of Cellular Networks](https://www.usenix.org/conference/usenixsecurity25/presentation/erni) (USENIX Sec 25)\n\n### Specification analysis\n\n[Bookworm Game: Automatic Discovery of LTE Vulnerabilities Through Documentation Analysis](https://ieeexplore.ieee.org/document/9519388) (IEEE S\u0026P 21)\n\n[Seeing the Forest for the Trees: Understanding Security Hazards in the 3GPP Ecosystem through Intelligent Analysis on Change Requests](https://www.usenix.org/system/files/sec22-chen-yi.pdf) (USENIX Security 22)\n\n[Sherlock on Specs: Building LTE Conformance Tests through Automated Reasoning](https://www.usenix.org/system/files/sec23fall-prepub-518-chen-yi.pdf) (USENIX Security 23)\n\n[Instructions Unclear: Undefined Behaviour in Cellular Network Specifications](https://www.usenix.org/system/files/usenixsecurity23-klischies.pdf) (USENIX Security 23)\n\n[Hermes: Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications](https://arxiv.org/pdf/2310.04381.pdf) (USENIX Security 24)\n\n[CellularLint: A Systematic Approach to Identify Inconsistent 
Behavior in Cellular Network Specifications](https://www.usenix.org/system/files/sec24fall-prepub-400-rahman.pdf) (USENIX Security 24)\n\n\n### Lower Layer attacks\n\n[Breaking LTE on Layer Two](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8835335) (IEEE S\u0026P 19)\n\n[IMP4GT: IMPersonation Attacks in 4G NeTworks](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24283.pdf) (NDSS 20)\n\n[LTE PHY Layer Vulnerability Analysis and Testing Using Open-Source SDR Tools](https://ieeexplore.ieee.org/document/8170787) (MilCom17)\n\n[On the Criticality of Integrity Protection in 5G Fronthaul Networks](https://www.usenix.org/system/files/usenixsecurity24-xing-jiarong.pdf) (USENIX Security 24)\n\n[Low-Layer Attacks Against 4G/5G Networks](https://dl.acm.org/doi/pdf/10.1145/3734477.3734725) (WiSec 25)\n\n[Breaking 5G on The Lower Layer](https://www.ndss-symposium.org/ndss-paper/auto-draft-698/) (FutureG 26)\n\n\n### Overshadowing / Injection attacks\n\n[Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE](https://www.usenix.org/system/files/sec19-yang-hojoon.pdf) (USENIX Sec 19)\n\n[AdaptOver: Adaptive Overshadowing Attacks in Cellular Networks](https://dl.acm.org/doi/pdf/10.1145/3495243.3560525) (MobiCom 21)\n\n[LTRACK: Stealthy Tracking of Mobile Phones in LTE](https://www.usenix.org/system/files/sec22summer_kotuliak.pdf) (Usenix Sec 22)\n\n[SigUnder: a stealthy 5G low power attack and defenses](https://dl.acm.org/doi/pdf/10.1145/3448300.3467817) (Wisec 21)\n\n[SNI5GECT: A Practical Approach to Inject aNRchy into 5G NR](https://www.usenix.org/conference/usenixsecurity25/presentation/luo-shijie) (USENIX Sec 25)\n\n### Eavesdropping\n\n[Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE](https://www.usenix.org/system/files/sec20-rupprecht.pdf) (USENIX Sec 20)\n\n[From 5G Sniffing to Harvesting Leakages of Privacy-Preserving Messengers](https://www.khoury.northeastern.edu/home/noubir/publications-local/LRN2023.pdf) (IEEE S\u0026P 
23)\n\n[LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper](https://syssec.kaist.ac.kr/pub/2023/wisec2023_tuan.pdf) (Wisec 23)\n\n### SMS attacks\n\n[New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks](https://dl.acm.org/doi/pdf/10.1145/2976749.2978393) (CCS 16)\n\n[IMS is Not That Secure on Your 5G/4G Phones](https://dl.acm.org/doi/pdf/10.1145/3636534.3649377) (MobiCom 24)\n\n[Preventing Artificially Inflated SMS Attacks through Large-Scale Traffic Inspection](https://www.usenix.org/conference/usenixsecurity25/presentation/huh) (USENIX Sec 25)\n\n### Emergency Systems\n\n[You have been warned: Abusing 5G’s Warning and Emergency Systems](https://dl.acm.org/doi/pdf/10.1145/3564625.3568000) (ACSAC 22)\n\n[Uncovering Problematic Designs Hindering Ubiquitous Cellular Emergency Services Access](https://dl.acm.org/doi/pdf/10.1145/3636534.3690704) (MobiCom 24)\n\n### Spoofing\n\n[Ghost Telephonist Impersonates You: Vulnerability In 4G LTE CS Fallback](https://ieeexplore.ieee.org/document/8228629) (CNS17)\n\n[Ghost Calls from Operational 4G Call Systems: IMS Vulnerability, Call DoS Attack, and Countermeasure](https://dl.acm.org/doi/pdf/10.1145/3372224.3380885?) 
(MobiCom 20)\n\n[This is Your President Speaking: Spoofing Alerts in 4G LTE Networks](https://dl.acm.org/doi/pdf/10.1145/3307334.3326082) (MobiSys 19)\n\n[LTE Security Disabled—Misconfiguration in Commercial Networks](https://dl.acm.org/doi/pdf/10.1145/3317549.3324927) (Wisec 19)\n\n### Tracking\n\n[5G SUCI-Catchers: Still catching them all?](https://dl.acm.org/doi/pdf/10.1145/3448300.3467826) (Wisec 21)\n\n[GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier](https://syssec.kaist.ac.kr/pub/2018/hong_ndss_2018.pdf) (NDSS 18)\n\n[Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems](https://arxiv.org/pdf/1510.07563.pdf) (NDSS 16) \n\n[Enabling Physical Localization of Uncooperative Cellular Devices](https://arxiv.org/pdf/2403.14963) (MobiCom 24)\n\n[FlashCatch: Minimizing Disruption in IMSI Catcher Operations](https://dl.acm.org/doi/pdf/10.1145/3734477.3734719) (WiSec 25)\n\n[Passive Multi-Target GUTI Identification via Visual-RF Correlation in LTE Networks](https://www.ndss-symposium.org/ndss-paper/passive-multi-target-guti-identification-via-visual-rf-correlation-in-lte-networks/) (NDSS 26)\n\n### Handover attacks\n\n[Don’t hand it Over: Vulnerabilities in the Handover Procedure of Cellular Telecommunications](https://dl.acm.org/doi/pdf/10.1145/3485832.3485914) (ACSAC 21)\n\n### Side-channel attacks\n\n[Watching the Watchers: Practical Video Identification Attack in LTE Networks](https://www.usenix.org/system/files/sec22summer_bae.pdf) (USENIX Sec 22)\n\n[Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_05B-5_Hussain_paper.pdf) (NDSS19)\n\n### SIM Security\n\n[SecureSIM: Rethinking Authentication and Access Control for SIM/eSIM](https://dl.acm.org/doi/pdf/10.1145/3447993.3483254) (MobiCom 21)\n\n[SIMurai: Slicing Through the Complexity of SIM Card Security 
Research](https://www.usenix.org/system/files/usenixsecurity24-lisowski.pdf) (USENIX Security 24)\n\n[On the Performance and Consistency Trade-off of the eSIM M2M Remote Provisioning Protocol](https://dl.acm.org/doi/pdf/10.1145/3734477.3734712) (WiSec 25)\n\n[eSIMplicity or eSIMplification? Privacy and Security Risks in the eSIM Ecosystem](https://www.usenix.org/conference/usenixsecurity25/presentation/motallebighomi) (USENIX Sec 25)\n\n### Data-plane attack\n\n[Data-Plane Signaling in Cellular IoT: Attacks and Defense](https://dl.acm.org/doi/pdf/10.1145/3447993.3483255) (MobiCom 21)\n\n[Breaking Cellular IoT with Forged Data-plane Signaling: Attacks and Countermeasure](https://dl.acm.org/doi/pdf/10.1145/3534124) (MobiCom 21)\n\n[Invade the Walled Garden: Evaluating GTP Security in Cellular Networks](https://www.computer.org/csdl/proceedings-article/sp/2025/223600a028/21B7QiopxHq) (IEEE S\u0026P 25)\n\n[Uncovering hidden paths in 5G: Exploiting protocol tunneling and network boundary bridging]() (CCS 25)\n\n### Fingerprinting\n\n[Preventing SIM Box Fraud Using Device Model Fingerprinting](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f416_paper.pdf) (NDSS 23)\n\n[Targeted Privacy Attacks by Fingerprinting Mobile Apps in LTE Radio Layer](https://sefcom.asu.edu/publications/jaejong-dsn23.pdf) (DSN 23)\n\n[Show Me Your Attach Request and I’ll Tell You Who You Are: Practical Fingerprinting Attacks in 4G and 5G Mobile Networks](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9888899) (DSC 23)\n\n[New vulnerabilities in 4G and 5G cellular access network protocols: exposing device capabilities](https://dl.acm.org/doi/pdf/10.1145/3317549.3319728) (WiSec19)\n\n[AI-Assisted RF Fingerprinting for Identification of User Devices in 5G and FutureG](https://www.ndss-symposium.org/wp-content/uploads/futureg25-9.pdf) (NDSS FutureG Workshop'25)\n\n### Downgrade\n\n[Never Let Me Down Again: Bidding-Down Attacks and Mitigations in 5G and 
4G](https://radix-security.com/files/2021_downgrade.pdf) (WiSec 23)\n\n### Measurement\n\n[Modeling and Generating Control-Plane Traffic for Cellular Networks](https://dl.acm.org/doi/pdf/10.1145/3618257.3624808) (IMC 23)\n\n[Demystifying the Presence of Cellular Network Attacks and Misbehaviors](https://dl.acm.org/doi/pdf/10.1145/3517745.3563017) (IMC 23)\n\n[BigMac 🍔 Performance Overhead of User Plane Integrity Protection in 5G Networks](https://radix-security.com/files/bigmac.pdf) (Wisec 23)\n\n[European 5G Security in the Wild: Reality versus Expectations](https://arxiv.org/pdf/2305.08635.pdf) (Wisec 23)\n\n[MOBILEATLAS: Geographically Decoupled Measurements in Cellular Networks for Security and Privacy Research](https://www.usenix.org/system/files/sec23fall-prepub-390-gegenhuber.pdf) (USENIX Security 23)\n\n[Characterizing and Modeling Control-Plane Traffic for Mobile Core Network](https://arxiv.org/ftp/arxiv/papers/2212/2212.13248.pdf)\n\n[Measuring the Deployment of 5G Security Enhancement](https://dl.acm.org/doi/pdf/10.1145/3507657.3528559) (Wisec 22)\n\n[Uncovering Security Vulnerabilities in Real-world Implementation and Deployment of 5G Messaging Services](https://dl.acm.org/doi/pdf/10.1145/3643833.3656131) (Wisec'24)\n\n[Demystifying Privacy in 5G Stand Alone Networks](https://arxiv.org/pdf/2409.17700) (MobiCom 24)\n\n[Assessing the Latency of Network Layer Security in 5G Networks](https://dl.acm.org/doi/pdf/10.1145/3734477.3734722) (WiSec 25)\n\n[Small Cell, Big Risk: A Security Assessment of 4G LTE Femtocells in the Wild](https://www.ndss-symposium.org/ndss-paper/small-cell-big-risk-a-security-assessment-of-4g-lte-femtocells-in-the-wild/) (NDSS 26)\n\n### Satellite Networks\n\n[The Dark Side of Scale: Insecurity of Direct-to-Cell Satellite Mega-Constellations](https://ieeexplore.ieee.org/document/10646850) (IEEE S\u0026P 24)\n\n### Software Analysis\n\n[Towards LLM-Assisted Vulnerability Detection and Repair for Open-Source 5G UE 
Implementations](https://www.ndss-symposium.org/wp-content/uploads/futureg25-21.pdf) (NDSS FutureG Workshop'25)\n\n## Defense\n\n### Protocol Modification\n[Look Before You Leap: Secure Connection Bootstrapping for 5G Networks to Defend Against Fake Base-Stations](https://dl.acm.org/doi/pdf/10.1145/3433210.3453082) (ASIACCS 21)\n\n[A Vulnerability in 5G Authentication Protocols and Its Countermeasure](https://www.jstage.jst.go.jp/article/transinf/E103.D/8/E103.D_2019FOL0001/_pdf)\n\n[Privacy-Preserving and Standard-Compatible AKA Protocol for 5G](https://www.usenix.org/system/files/sec21-wang-yuchen.pdf) (USENIX Sec 21)\n\n[Insecure Connection Bootstrapping in Cellular Networks: The Root of All Evil](https://dl.acm.org/doi/pdf/10.1145/3317549.3323402) (Wisec 19)\n\n[BARON: Base-Station Authentication Through Core Network for Mobility Management in 5G Networks](https://dl.acm.org/doi/pdf/10.1145/3558482.3590187) (Wisec 23)\n\n[Fixing Insecure Cellular System Information Broadcasts For Good](https://dl.acm.org/doi/pdf/10.1145/3678890.3678924) (RAID 24)\n\n[AKMA+: Security and Privacy-Enhanced and Standard-Compatible AKMA for 5G Communication](https://www.usenix.org/conference/usenixsecurity25/presentation/yang-yang) (USENIX Sec 25)\n\n[Standing Firm in 5G: A Single-Round, Dropout-Resilient Secure Aggregation for Federated Learning](https://dl.acm.org/doi/pdf/10.1145/3734477.3734719) (WiSec 25)\n\n[5G-RNAKA: A Random Number-based Authentication and Key Agreement Protocol for 5G Systems]() (CCS 25)\n\n### Defense in UE\n\n[Thwarting Smartphone SMS Attacks at the Radio Interface Layer](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f432_paper.pdf) (NDSS 23)\n\n[PHOENIX: Device-Centric Cellular Network Protocol Monitoring using Runtime Verification](https://www.ndss-symposium.org/wp-content/uploads/ndss2021_4A-3_24390_paper.pdf) (NDSS 21)\n\n[CellDAM: User-Space, Rootless Detection and Mitigation for 5G Data 
Plane](https://www.usenix.org/system/files/nsdi23-tan.pdf) (NSDI 23)\n\n[M2HO: Mitigating the Adverse Effects of 5G Handovers on TCP](https://www.cs.ucr.edu/~zhiyunq/pub/mobicom24_5g_handover.pdf) (MobiCom 24)\n\n[Gotta Detect ’Em All: Fake Base Station and Multi-Step Attack Detection in Cellular Networks](https://www.usenix.org/conference/usenixsecurity25/presentation/mubasshir) (USENIX Sec 25)\n\n### Fake Base Station Detection\n\n[Murat: Multi-RAT False Base Station Detector](https://arxiv.org/pdf/2102.08780.pdf)\n\n[FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild](https://www.ccs.neu.edu/home/cbw/static/pdf/li-ndss17.pdf) (NDSS 17)\n\n[Lies in the Air: Characterizing Fake-base-station Spam Ecosystem in China](https://dl.acm.org/doi/pdf/10.1145/3372297.3417257) (CCS 20)\n\n[FBSleuth: Fake Base Station Forensics via Radio Frequency Fingerprinting](https://dl.acm.org/doi/pdf/10.1145/3196494.3196521) (AsiaCCS 18)\n\n[SeaGlass: Enabling City-Wide IMSI-Catcher Detection](https://techpolicylab.uw.edu/wp-content/uploads/2018/07/SeaGlass-Enabling-City-Wide-IMSI-Catcher-Detection.pdf)\n\n[IMSI-Catch Me If You Can: IMSI-Catcher-Catchers](https://dl.acm.org/doi/pdf/10.1145/2664243.2664272) (ACSAC 14)\n\n[Catch You Cause I Can: Busting Rogue Base Stations using CellGuard and the Apple Cell Location Database](https://dl.acm.org/doi/pdf/10.1145/3678890.3678898) (RAID 24)\n\n[Detecting IMSI-Catchers by Characterizing Identity Exposing Messages in Cellular Traffic](https://www.ndss-symposium.org/wp-content/uploads/2025-1115-paper.pdf) (NDSS 25)\n\n[Gotta Detect 'Em All: Fake Base Station and Multi-Step Attack Detection in Cellular Networks](https://arxiv.org/pdf/2401.04958) (USENIX Security 25)\n\n[Evaluating Time-Bounded Defense Against RRC Relay in 5G Broadcast Messages](https://dl.acm.org/doi/pdf/10.1145/3734477.3734718) (WiSec 25)\n\n### Defense on O-RAN\n\n[5G-Spector: An O-RAN Compliant Layer-3 Cellular Attack Detection 
Service](http://web.cse.ohio-state.edu/~wen.423/papers/5G-Spector-NDSS24.pdf) (NDSS 24)\n\n[Developing xApps for Rogue Base Station Detection in SDR-Enabled O-RAN](https://ieeexplore.ieee.org/document/10225868) (INFOCOM WKSHPS 23)\n\n[A Fine-Grained Telemetry Stream for Security Services in 5G Open Radio Access Networks](https://dl.acm.org/doi/pdf/10.1145/3565474.3569070) (EmergingWireless 22)\n\n[Det-RAN: Data-Driven Cross-Layer Real-Time Attack Detection in 5G Open RANs](https://ece.northeastern.edu/wineslab/papers/scalingi2024infocom.pdf) (INFOCOM 24)\n\n[6G-XSec: Explainable Edge Security for Emerging OpenRAN Architectures](https://dl.acm.org/doi/pdf/10.1145/3696348.3696881) (HotNets 24)\n\n[SpotLight: Accurate, Explainable and Efficient Anomaly Detection for Open RAN](https://dl.acm.org/doi/pdf/10.1145/3636534.3649380) (MobiCom 24)\n\n[MobiLLM: An Agentic AI Framework for Closed-Loop Threat Mitigation in 6G Open RANs](https://arxiv.org/pdf/2509.21634) (6GSECC 25)\n\n### Network Diagnosis\n\n[SEEN: ML Assisted Cellular Service Diagnosis](https://dl.acm.org/doi/pdf/10.1145/3636534.3690678) (MobiCom 24)\n\n## O-RAN related\n\n[AI Testing Framework for Next-G O-RAN Networks: Requirements, Design, and Research Opportunities](https://arxiv.org/pdf/2211.03979.pdf)\n\n[Taking 5G RAN Analytics and Control to a New Level](https://dl.acm.org/doi/pdf/10.1145/3570361.3592493) (MobiCom 23)\n\n[dApps: Distributed Applications for Real-time Inference and Control in O-RAN](https://arxiv.org/pdf/2203.02370.pdf)\n\n[DeepBeam: Deep Waveform Learning for Coordination-Free Beam Management in mmWave Networks](https://arxiv.org/pdf/2012.14350.pdf)\n\n[Intelligence and Learning in O-RAN for Data-Driven NextG Cellular Networks](https://ece.northeastern.edu/wineslab/papers/bonati2021intelligence.pdf)\n\n[ColO-RAN: Developing Machine Learning-based xApps for Open RAN Closed-loop Control on Programmable Experimental Platforms](https://arxiv.org/pdf/2112.09559.pdf)\n\n[Understanding O-RAN: 
Architecture, Interfaces, Algorithms, Security, and Research Challenges](https://arxiv.org/pdf/2202.01032.pdf)\n\n[Securing 5G OpenRAN with a Scalable Authorization Framework for xApps](https://arxiv.org/pdf/2212.11465.pdf)\n\n[Programmable and Customized Intelligence for Traffic Steering in 5G Networks Using Open RAN Architectures](https://arxiv.org/pdf/2209.14171.pdf)\n\n[FlexRAN: A Flexible and Programmable Platform for Software-Defined Radio Access Networks](https://dl.acm.org/doi/pdf/10.1145/2999572.2999599)\n\n[FlexRIC: An SDK for Next-Generation SD-RANs](https://dl.acm.org/doi/pdf/10.1145/3485983.3494870)\n\n[Security Testing The O-RAN Near-Real Time RIC \u0026 A1 Interface](https://dl.acm.org/doi/pdf/10.1145/3643833.3656118) (Wisec'24)\n\n[System-level Analysis of Adversarial Attacks and Defenses on Intelligence in O-RAN based Cellular Networks](https://dl.acm.org/doi/pdf/10.1145/3643833.3656119) (Wisec'24)\n\n[Implementing and Evaluating Security in O-RAN: Interfaces, Intelligence, and Platforms](https://arxiv.org/pdf/2304.11125) (IEEE Network Magazine)\n\n[ABElity: Attribute Based Encryption for Securing RIC Communication in Open RAN](https://www.ndss-symposium.org/wp-content/uploads/futureg25-99.pdf) (NDSS FutureG Workshop'25)\n\n[AI5GTest: AI-Driven Specification-Aware Automated Testing and Validation of 5G O-RAN Components](https://dl.acm.org/doi/pdf/10.1145/3734477.3734703) (WiSec 25)\n\n[Towards Bridging the Telemetry Gap for Security Applications in 6G OpenRANs via eBPF](https://www.ndss-symposium.org/ndss-paper/auto-draft-701/) (FutureG 26)\n\n[Assessing Supply Chain Risks in 5G O-RAN Components Using Static Analysis](https://www.ndss-symposium.org/ndss-paper/auto-draft-699/) (FutureG 26)\n\n## Core Network Security\n\n[Evaluating the Security Posture of 5G Networks by Combining State Auditing and Event Monitoring](https://cisr.encs.concordia.ca/papers/ESORICS_2023_paper_377_5GSPE.pdf) (ESORICS'23)\n\n[A Systematic Analysis of 5G Networks With a 
Focus on 5G Core Security](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9709835)\n\n[Device-centric detection and mitigation of diameter signaling attacks against mobile core](https://ieeexplore.ieee.org/document/9705031)\n\n[On the Challenges of Automata Reconstruction in LTE Networks](https://dl.acm.org/doi/pdf/10.1145/3448300.3469133)\n\n[5GAC-Analyzer: Identifying Over-Privilege Between 5G Core Network Functions](https://dl.acm.org/doi/pdf/10.1145/3643833.3656134) (Wisec'24)\n\n[PROV5GC: Hardening 5G Core Network Security with Attack Detection and Attribution Based on Provenance Graphs](https://dl.acm.org/doi/pdf/10.1145/3643833.3656129) (Wisec'24)\n\n[Performance Evaluation of Transport Layer Security in the 5G Core Control Plane](https://dl.acm.org/doi/pdf/10.1145/3643833.3656140) (Wisec'24)\n\n[Towards Shielding 5G Control Plane Functions](https://dsn2024uq.github.io/Proceedings/pdfs/DSN2024-6rvE3SSpzFYmysif75Dkid/410500a302/410500a302.pdf) (DSN'24)\n\n[Examining Cryptography and Randomness Failures in Open-Source Cellular Cores](https://www.enck.org/pubs/english-codaspy24.pdf) (CODASPY'24)\n\n[Towards Establishing a Systematic Security Framework for Next Generation Cellular Networks](https://www.ndss-symposium.org/wp-content/uploads/futureg25-84.pdf) (NDSS FutureG Workshop'25)\n\n[CoreCrisis: Threat-Guided and Context-Aware Iterative Learning and Fuzzing of 5G Core Networks](https://www.usenix.org/conference/usenixsecurity25/presentation/dong-yilu) (USENIX Sec 25)\n\n[CITesting: Systematic Testing of Context Integrity Violations in Cellular Core Networks]() (CCS 25)\n\n## Network Slicing Security\n\n[Slicure5G: Secure Slicing for 5G](https://www.cs.purdue.edu/homes/fahmy/posters/nsdi23poster5G.pdf)\n\n[SliceSecure: Impact and Detection of DoS/DDoS Attacks on 5G Network Slices](https://uregina.ca/~nss373/papers/slice-secure.pdf)\n\n[Secure5G: A Deep Learning Framework Towards a Secure Network Slicing in 5G and 
Beyond](https://ieeexplore.ieee.org/abstract/document/9031158)\n\n[DeepSecure: Detection of distributed denial of service attacks on 5G network slicing—Deep learning approach](https://ieeexplore.ieee.org/abstract/document/9638941)\n\n## Survey \u0026 SoK\n\n[5G core network security issues and attack classification from network protocol perspective](https://isyou.info/jisis/vol10/no2/jisis-2020-vol10-no2-01.pdf)\n\n[5G Security and Privacy – A Research Roadmap](https://arxiv.org/ftp/arxiv/papers/2003/2003.13604.pdf)\n\n[Improving 4G/5G air interface security: A survey of existing attacks on different LTE layers](https://www.sciencedirect.com/science/article/pii/S1389128621004576)\n\n[SoK: Evaluating 5G-Advanced Protocols Against Legacy and Emerging Privacy and Security Attacks](https://dl.acm.org/doi/pdf/10.1145/3734477.3734716) (WiSec 25)\n\n\n## Open Source Projects / Frameworks / Tools\n\n### RAN\n\n[srsRAN](https://github.com/srsran)\n\n[openairinterface5g](https://gitlab.eurecom.fr/oai/openairinterface5g)\n\n[UERANSIM](https://github.com/aligungr/UERANSIM)\n\n[YateBTS](https://yatebts.com/)\n\n### Core\n\n[Open5GS](https://github.com/open5gs/open5gs)\n\n[Free5gc](https://github.com/free5gc/free5gc)\n\n[OAI 5GC](https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-fed/)\n\n[QCore](https://github.com/nplrkn/qcore)\n\n### O-RAN RIC / xApps / rApps\n\n[O-RAN SC](https://wiki.o-ran-sc.org/display/ORAN)\n\n[SDRAN-in-a-Box (RiaB)](https://docs.sd-ran.org/master/sdran-in-a-box/README.html)\n\n[FlexRIC](https://gitlab.eurecom.fr/mosaic5g/flexric)\n\n[Open AI Cellular](https://www.openaicellular.org/)\n\n### Misc\n\n[Awesome-Cellular-Hacking](https://github.com/W00t3k/Awesome-Cellular-Hacking)\n\n[awesome-5g](https://github.com/calee0219/awesome-5g)\n\n[5Ghoul - 5G NR Attacks \u0026 5G OTA Fuzzing⚡](https://github.com/asset-group/5ghoul-5g-nr-attacks)\n\n## Testbeds\n\n[Colosseum](https://www.northeastern.edu/colosseum/) \n\n[Colosseum: Large-Scale Wireless Experimentation 
Through Hardware-in-the-Loop Network Emulation](https://arxiv.org/pdf/2110.10617.pdf)\n\n[Powder (the Platform for Open Wireless Data-driven Experimental Research)](https://powderwireless.net/)\n\n\n## Open Dataset\n\n[5G Traffic Datasets](https://ieee-dataport.org/documents/5g-traffic-datasets)\n\n[Beyond Throughput, The Next Generation: a 5G Dataset with Channel and Context Metrics](https://github.com/uccmisl/5Gdataset)\n\n[SPEC5G: A Dataset for 5G Cellular Network Protocol Analysis](https://arxiv.org/pdf/2301.09201.pdf)\n\n[OpenRAN Gym](https://openrangym.com/datasets)\n\n[5G-NIDD: A Comprehensive Network Intrusion Detection Dataset Generated over 5G Wireless Network](https://arxiv.org/pdf/2212.01298.pdf)\n\n[OpenCellid](https://www.opencellid.org/#zoom=16\u0026lat=37.77889\u0026lon=-122.41942)\n\n[MobileInsight](http://www.mobileinsight.net/data.html)\n\n[5GAD-2022 5G attack detection dataset](https://github.com/IdahoLabResearch/5GAD)\n\n[5G Traffic Generation for Practical Simulations Using Open Datasets](https://github.com/0913ktg/5G-Traffic-Generator)\n\n[5GC PFCP Intrusion Detection Dataset](https://ieee-dataport.org/documents/5gc-pfcp-intrusion-detection-dataset-0)\n\n[TSpec-LLM: An Open-source Dataset for LLM Understanding of 3GPP Specifications](https://huggingface.co/datasets/rasoul-nikbakht/TSpec-LLM)\n\n[ORAN-Bench-13K: An Open Source Benchmark for Assessing LLMs in Open Radio Access Networks](https://arxiv.org/pdf/2407.06245)\n\n[Gotta Detect ’Em All: Fake Base Station and Multi-Step Attack Detection in Cellular Networks](https://arxiv.org/pdf/2401.04958)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fonehouwong%2FCellular-Security-Papers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fonehouwong%2FCellular-Security-Papers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fonehouwong%2FCellular-Security-Papers/lists"}