Over 100 Security Vulnerabilities Identified in LTE and 5G Network Implementations

A team of researchers has uncovered over 100 security vulnerabilities affecting LTE and 5G network implementations, which could potentially be exploited to disrupt services or gain unauthorized access to cellular core networks.

The study identified 119 vulnerabilities, with 97 assigned unique CVE identifiers, spanning seven LTE implementations—Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, and srsRAN—and three 5G implementations—Open5GS, Magma, and OpenAirInterface. These findings were reported by academics from the University of Florida and North Carolina State University.

The vulnerabilities are detailed in a study titled “RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces.”

“Every one of the >100 vulnerabilities discussed below can be used to persistently disrupt all cellular communications (phone calls, messaging, and data) at a city-wide level,” the researchers stated.

“An attacker can continuously crash the Mobility Management Entity (MME) or Access and Mobility Management Function (AMF) in an LTE/5G network simply by sending a single small data packet as an unauthenticated user, without requiring a SIM card.”

The vulnerabilities were discovered during a fuzzing exercise called RANsacked, which targeted Radio Access Network (RAN)-Core interfaces. These interfaces process input directly from mobile handsets and base stations, making them critical to network functionality.

Many of the vulnerabilities stem from issues such as buffer overflows and memory corruption, which could be exploited to breach the cellular core network. Once inside, an attacker could monitor cellphone locations and connection data for all subscribers within a city, launch targeted attacks on specific users, or execute other malicious actions against the network.
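The pre-authentication message parsers at these interfaces are where a length-prefixed field trusted from the handset turns into the buffer overflows described above. As an added illustration, not code from the paper or from any of the implementations named here, the following constructs a simplified TLV-style information-element format (type byte, length byte, value) and parses it the way a hardened MME/AMF should: every declared length is checked before any copy, and a small length-byte sweep in the spirit of the paper's fuzzing confirms no mutant gets accepted with an out-of-bounds length. The IE layout, sample messages and size limits are all assumptions, not 3GPP encodings.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified NAS-style IE stream: [type][len][len value bytes]... */
#define MAX_IE_VALUE 16
#define MAX_IES 8
typedef struct { uint8_t type, len, value[MAX_IE_VALUE]; } nas_ie_t;

/* Constructed sample messages, not taken from any real capture. */
static const uint8_t msg_ok[]  = {0x01, 0x03, 0xAA, 0xBB, 0xCC, 0x02, 0x01, 0xFF};
static const uint8_t msg_bad[] = {0x01, 0x20, 0xAA}; /* claims 32 value bytes, carries 1 */

/* Parse IEs. Each declared length is checked against the bytes actually left and
 * against the destination capacity before memcpy runs, so a hostile length byte
 * cannot push the copy past either buffer. Returns IE count, or -1 if malformed. */
int parse_nas_ies(const uint8_t *msg, size_t msg_len, nas_ie_t *out, size_t max_out)
{
    size_t off = 0;
    int count = 0;
    while (off < msg_len) {
        if (msg_len - off < 2) return -1;            /* header truncated */
        uint8_t type = msg[off], len = msg[off + 1];
        if (len > msg_len - (off + 2)) return -1;    /* length runs past message */
        if (len > MAX_IE_VALUE) return -1;           /* larger than destination */
        if ((size_t)count >= max_out) return -1;     /* more IEs than caller holds */
        out[count].type = type;
        out[count].len = len;
        memcpy(out[count].value, msg + off + 2, len);
        count++;
        off += 2 + (size_t)len;
    }
    return count;
}

/* Mutation check: try all 256 values of one length byte. Returns 1 if every
 * mutant is either rejected or accepted with a length that genuinely fits
 * inside msg_len, else 0. */
int length_byte_sweep(const uint8_t *msg, size_t msg_len, size_t len_off)
{
    uint8_t buf[64];
    nas_ie_t ies[MAX_IES];
    if (msg_len > sizeof buf || len_off >= msg_len) return 0;
    for (int v = 0; v < 256; v++) {
        memcpy(buf, msg, msg_len);
        buf[len_off] = (uint8_t)v;
        if (parse_nas_ies(buf, msg_len, ies, MAX_IES) < 0) continue;
        if ((size_t)v > msg_len - (len_off + 1)) return 0; /* accepted an over-read */
    }
    return 1;
}
```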

The flaws identified fall into two main categories: those exploitable by any unauthenticated mobile device and those that require an adversary to compromise a base station or femtocell.

Out of the 119 vulnerabilities, 79 were found in MME implementations, 36 in AMF implementations, and four in SGW implementations. Notably, 25 vulnerabilities enable Non-Access Stratum (NAS) pre-authentication attacks that can be executed by any mobile device.

“The introduction of home-use femtocells and more accessible gNodeB base stations in 5G deployments represents a shift in security dynamics. Previously secured RAN equipment is now more exposed to physical adversarial threats,” the study noted.

The research emphasizes the urgency of addressing these vulnerabilities by highlighting the increasing accessibility of RAN equipment and the growing potential for significant disruption. By leveraging performant fuzzing techniques, the researchers demonstrated the critical need to reassess the security assumptions of RAN-Core interfaces to prevent imminent threats.