With the recent SK Telecom hacking incident and the KT small payment fraud case following one after another, the importance of mobile network security is again in the spotlight. In the midst of this, a research team led by Kim Yong-dae at the Korea Advanced Institute of Science and Technology (KAIST) School of Electrical Engineering has identified, for the first time in the world, a new security vulnerability in the LTE Core Network—the core network for smartphones and Internet of Things (IoT) devices—that allows an unauthenticated attacker to remotely manipulate user information.
The LTE Core Network is the core part of the communications network that links mobile phones and base stations. It serves as the hub for all mobile services, including user authentication, data transmission, billing, and call connection. If this system comes under attack, not only phone and internet services but the services of entire base stations could be paralyzed.
The research team discovered a new type of vulnerability inside the LTE Core Network in which unauthenticated messages incorrectly alter internal information. In other words, if an attacker's tampered device sends erroneous data to the LTE core through a legitimate base station, that message can change a user's access information or connection status. The team named this a Context Integrity Violation (CIV).
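The core of the finding, a subscriber context in the core that an unprotected uplink message can alter, can be illustrated with a small Python model of an MME-side context store. This is an added example, not the KAIST team's CITesting tool or any vendor's code; its message types, context fields and HMAC-based integrity tag are simplified assumptions, and it does not model real NAS encoding or the EIA algorithms.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy model (assumption, not real LTE code) of the per-subscriber
# context an MME keeps and of the uplink messages that may change it.


@dataclass
class UEContext:
    imsi: str
    state: str = "REGISTERED"               # the field a bogus detach would flip
    tracking_area: str = "TA-1"
    integrity_key: Optional[bytes] = None   # present once authentication succeeded
    last_uplink_count: int = -1             # replay protection


@dataclass
class UplinkMessage:
    imsi: str
    msg_type: str                            # "DETACH_REQUEST" or "TAU_REQUEST" (illustrative)
    count: int = 0
    tracking_area: str = ""
    mac: Optional[bytes] = None              # absent on an unprotected message


def compute_mac(key: bytes, msg: UplinkMessage) -> bytes:
    """Toy integrity tag: HMAC-SHA256 over the fields (real LTE uses EIA1-3)."""
    payload = f"{msg.imsi}|{msg.msg_type}|{msg.count}|{msg.tracking_area}".encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


def _apply(ctx: UEContext, msg: UplinkMessage) -> None:
    """The context change a message requests, applied without further checks."""
    if msg.msg_type == "DETACH_REQUEST":
        ctx.state = "DEREGISTERED"
    elif msg.msg_type == "TAU_REQUEST":
        ctx.tracking_area = msg.tracking_area


class NaiveCore:
    """Applies context-changing messages whether or not they are protected:
    the behaviour behind a Context Integrity Violation."""

    def __init__(self, contexts):
        self.contexts = {c.imsi: c for c in contexts}

    def handle(self, msg: UplinkMessage) -> str:
        ctx = self.contexts.get(msg.imsi)
        if ctx is None:
            return "unknown UE"
        _apply(ctx, msg)
        return "applied"


class HardenedCore:
    """Changes a context only for a message that carries a valid, fresh
    integrity tag under that subscriber's established security context."""

    def __init__(self, contexts):
        self.contexts = {c.imsi: c for c in contexts}
        self.audit = []   # rejected messages, the signal a SOC would alert on

    def _reject(self, msg: UplinkMessage, reason: str) -> str:
        self.audit.append((msg.imsi, msg.msg_type, reason))
        return "rejected"

    def handle(self, msg: UplinkMessage) -> str:
        ctx = self.contexts.get(msg.imsi)
        if ctx is None:
            return "unknown UE"
        if ctx.integrity_key is None or msg.mac is None:
            return self._reject(msg, "unprotected message for a context that requires protection")
        if not hmac.compare_digest(msg.mac, compute_mac(ctx.integrity_key, msg)):
            return self._reject(msg, "integrity check failed")
        if msg.count <= ctx.last_uplink_count:
            return self._reject(msg, "replayed uplink count")
        ctx.last_uplink_count = msg.count
        _apply(ctx, msg)
        return "applied"


def demo() -> dict:
    """Feed one unprotected detach (the kind of input a CIV test generates)
    and one genuine protected TAU to both cores; return what each did."""
    imsi, key = "001010123456789", b"\x11" * 16          # constructed values
    def victim():
        return UEContext(imsi=imsi, integrity_key=key, last_uplink_count=4)

    unprotected_detach = UplinkMessage(imsi=imsi, msg_type="DETACH_REQUEST")  # no MAC
    naive, hard = NaiveCore([victim()]), HardenedCore([victim()])
    naive.handle(unprotected_detach)
    hard.handle(unprotected_detach)

    legit = UplinkMessage(imsi=imsi, msg_type="TAU_REQUEST", count=5, tracking_area="TA-2")
    legit.mac = compute_mac(key, legit)
    legit_verdict = hard.handle(legit)

    return {
        "naive_state": naive.contexts[imsi].state,        # "DEREGISTERED": service cut off
        "hardened_state": hard.contexts[imsi].state,      # "REGISTERED": unchanged
        "rejections": len(hard.audit),
        "legit_verdict": legit_verdict,
        "hardened_tracking_area": hard.contexts[imsi].tracking_area,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The naive core ends with the subscriber deregistered by a message nobody authenticated, which is the denial-of-service outcome the article describes; the hardened core leaves the context untouched, still accepts the genuine protected update, and records the rejection so that repeated unprotected context-changing messages become a detectable signal. A real MME must also handle the messages the specification legitimately allows before a security context exists, so the practical fix is a per-message-type policy rather than a blanket rejection; the article does not detail the vendors' patches, and this model shows only the general principle.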
For this study, the research team developed an automatic verification tool called "CITesting." The tool is designed to systematically detect vulnerabilities in the LTE core network. Whereas prior studies conducted only about 30 limited tests, CITesting can automatically check a wide range of scenarios numbering from 2,802 to 4,626.
Using this tool, the team analyzed four open-source and commercial LTE core systems (Open5GS, srsRAN, Amarisoft, Nokia) and confirmed that all of them had CIV vulnerabilities. The Nokia system in particular contained a total of 59 unique vulnerabilities.
The most notable feature of this vulnerability is that the attacker does not need to be near the victim. Whereas conventional fake base station attacks required physical proximity to the victim, this vulnerability uses a legitimate base station as a conduit to reach the LTE core directly. As long as the attacker's device is served by the same network area (MME) as the victim, communications can be disrupted remotely or user information can be stolen.
In particular, the team demonstrated through experiments that this vulnerability can lead to denial-of-service attacks that cut off a user's access, exposure of the user's International Mobile Subscriber Identity (IMSI) stored on the SIM, and location-tracking attacks.
Professor Kim Yong-dae said, "Uplink (device→core) security has rarely been addressed due to the complexity of test environments and regulatory constraints," adding, "Context Integrity Violations can pose serious security risks." He added, "Based on the CITesting tool we developed and our verification results, we plan to expand the verification scope to 5G and private 5G industrial networks."
The research team disclosed the vulnerability to equipment manufacturers, and Amarisoft has already distributed a security patch, while Open5GS has integrated the team's patch into its official repository. However, Nokia said it was "not a standards violation" and did not announce a separate patch plan.
The study was presented at ACM CCS 2025, an international security conference, held in Taipei, Taiwan, from Oct. 13 to 17, and received the Distinguished Paper Award. ACM CCS is one of the world's four major security conferences, and this year only 30 out of about 2,400 papers were selected for awards.