Publications

Small Cell, Big Risk: A Security Assessment of 4G LTE Femtocells in the Wild

Femtocells are small, operator-deployed base stations designed to extend mobile network coverage, but their integration into operator mobile infrastructure introduces significant new attack surfaces. While 5G femtocell standards were only recently finalized, 4G LTE femtocells have already been standardized and widely implemented. In this work, we conducted the first systematic security evaluation of 4G LTE femtocells based on both real-world commercial devices and large-scale Internet measurements. We systematically analyzed both the software and hardware of 4 commercial femtocell devices and identified 5 critical and common vulnerabilities that can lead to local or remote compromise. Our Internet-wide measurement identified 86,108 suspected femtocell deployments, many of which are exposed to remote attack. Further, we experimentally validated in a real operator network that a single compromised femtocell can serve as a powerful entry point for attacks on both the mobile core network and its subscribers. Our findings highlight that femtocell security in operational 4G LTE networks remains an urgent concern. We reported our results to Global System for Mobile Communications Association (GSMA) and the 3rd Generation Partnership Project (3GPP) Service and System Aspects Working Group 3 (SA3). 3GPP SA3 has subsequently approved both a study item to further enhance the security of 5G femtocells and a work item to define the Security Assurance Specification (SCAS) for 5G femtocells.

SIPConfusion: Exploiting SIP Semantic Ambiguities for Caller ID and SMS Spoofing

Session Initiation Protocol (SIP) is a cornerstone of modern real-time communication systems, powering voice calls, text messaging, and multimedia sessions across services such as VoIP, VoLTE, and RCS. While SIP provides mechanisms for authentication and identity assertion, its inherent flexibility poses the risk of semantic ambiguity among implementations that can be exploited by attackers. In this paper, we present SIPChimera, a novel black-box fuzzing framework designed to systematically identify ambiguity-based identity spoofing vulnerabilities across SIP implementations. We evaluated SIPChimera against six widely used open-source SIP servers—including Asterisk and OpenSIPS—and nine popular user agents, uncovering that attackers could spoof their identity by manipulating identity headers and circumvent authentication. We demonstrate the real-world impact of these vulnerabilities by evaluating five VoIP devices, seven commercial SIP deployments, and three carrier-grade RCS-based SMS platforms. Our experiments show that attackers can exploit these vulnerabilities to perform caller ID spoofing in VoIP calls and send spoofed SMS messages over RCS, impersonating arbitrary users or services. We have responsibly disclosed our findings to affected vendors and received positive acknowledgments. We finally propose remedies to mitigate those issues.

Invade the Walled Garden: Evaluating GTP Security in Cellular Networks

Cellular backhaul and core networks have traditionally been considered a Walled Garden, with their security ensured by physical isolation. Therefore, prior security studies primarily focused on radio access networks, with limited treatment of backhaul and core network interfaces. In this paper, we performed a security evaluation of real-world GPRS Tunnelling Protocol (GTP) deployments. GTP is the fundamental protocol for user traffic management between base stations and core networks (inside the Walled Garden) from 3G to 5G, and is thus often assumed to be inaccessible and non-exploitable from the Internet. However, our study reveals for the first time the troubling state of GTP access control in real-world deployments. Aided by a semi-automated tool, our measurements discovered around 749,000 valid GTP hosts accessible via the public Internet, spanning 1,176 service providers in 162 countries. Our results demonstrate potential exposure of mobile core network infrastructures to external threats. We then evaluated the attack surface of exposed GTP infrastructures and found that as many as 38 types of GTP messages can be misused to launch various attacks such as denial-of-service and session hijacking. Our experiments using open source 4G and 5G projects in isolated lab environments further confirm the feasibility of those GTP-based attacks, including remote hijacking of user traffic sent through cellular core networks. In addition to threats against cellular networks and their subscribers, exposed GTP devices could also be weaponized to launch large-scale reflective denial-of-service (RDoS) attacks. We hope our findings will increase awareness of GTP vulnerabilities among operators and the security community, highlighting the urgent need to further strengthen security in cellular core networks.

Uncovering Security Vulnerabilities in Real-world Implementation and Deployment of 5G Messaging Services

5G messaging services, based on Global System for Mobile Communications Association (GSMA) Rich Communication Service (RCS) and 3rd Generation Partnership Project (3GPP) IP Multimedia Subsystem (IMS), have been deployed globally by more than 90 mobile operators serving over 421 million monthly active users via 1.2 billion devices. Despite this widespread use, security research on 5G messaging remains sparse. In this paper, we present a comprehensive security analysis and measurement of 5G messaging services, assisted by a semi-automated testing tool we developed. We considered both carrier-side deployment and phone-side software implementations by testing against three large operators, each with hundreds of millions of subscribers, and six popular 5G messaging-enabled devices. We uncovered 4 categories of vulnerabilities, allowing for a wide range of attacks, including Man-In-The-Middle (MITM) attacks, zero-click remote information leakage, phone storage exhaustion and mobile data consumption, and Denial-of-Service (DoS) attacks. Our study underscores the need for further security enhancements in the security specifications, implementation, and deployment of 5G messaging services.

HDiff: A Semi-automatic Framework for Discovering Semantic Gap Attack in HTTP Implementations

The Internet has become a complex distributed network with numerous middle-boxes, where an end-to-end HTTP request is often processed by multiple intermediate servers before it reaches its destination. However, a general problem in this distributed network is the semantic gap attack, which is defined as inconsistent semantic interpretations in the processing chain. While some studies have found individual semantic gap attacks, most of them are based on ad-hoc manual analysis, which is inadequate for fundamentally enhancing the security assurance of a system as complex as the HTTP network. In this work, we propose HDiff, a novel semi-automatic detection framework that systematically explores semantic gap attacks in HTTP implementations. We designed a documentation analyzer that employs natural language processing techniques to extract rules from specifications, and utilized differential testing to discover semantic gap attacks. We implemented and evaluated it to find three kinds of semantic gap attacks in 10 popular HTTP implementations. In total, HDiff found 14 vulnerabilities and 29 affected server pairs covering all three types of attacks. In particular, HDiff also discovered three new types of attack vectors. We have already duly reported all identified vulnerabilities to the involved HTTP software vendors and obtained 7 new CVEs from well-known HTTP software, including Apache, Tomcat, Weblogic, and Microsoft IIS Server.