
Message flow of potential adversary inputs | Source: Florida Institute
A team of researchers from the Florida Institute for Cybersecurity Research has introduced “RANsacked,” a domain-informed fuzzing framework designed to test LTE and 5G core components for security flaws. Their study uncovered 119 vulnerabilities across widely used cellular systems, 93 of which received CVE identifiers. This discovery raises significant concerns about the security and reliability of cellular networks globally.
As the backbone of modern communication, cellular network infrastructure must withstand sophisticated cyber threats. However, the researchers note, “Compromised base station attacks against the core are a rising threat to cellular networks, while user device inputs have long been considered as an attack vector.” Many vulnerabilities arise from architectural choices and insufficient validation of inputs from the Radio Access Network (RAN).
The study highlights serious security issues in both open-source and proprietary LTE/5G core implementations, such as Open5GS, Magma, and OAI. These include:
- Denial of Service at Scale: Vulnerabilities allow attackers to crash Mobility Management Entities (MME) or other critical components with a single packet. The team emphasized that an attacker could “deny access to cellular services across a wide metropolitan area.”
- Unauthorized Access: Certain vulnerabilities lead to buffer overflows and memory corruption errors, enabling attackers to gain unauthorized access to the cellular core network. Researchers noted, “Attackers could monitor cellphone locations, perform targeted attacks on specific subscribers, and even disrupt nationwide cell service by targeting the Home Subscriber Service (HSS) or Unified Data Management (UDM).”
- Pre-Authentication Exploits: The study emphasized that some vulnerabilities can be exploited by any unauthenticated device, while others require compromised access to base stations. With the widespread deployment of Wi-Fi Calling, attackers can exploit these vulnerabilities from anywhere on the Internet, without needing SIM cards or specialized equipment.
The team followed best practices in vulnerability disclosure, notifying the maintainers of affected projects and granting a 90-day patching period before publicizing the findings. In some cases, where maintainers failed to respond, patches were provided directly via GitHub repositories.
RANsacked stands out by introducing ASNFuzzGen, a tool that translates ASN.1 protocol specifications into structure-aware fuzzing modules. This innovation enables the efficient testing of cellular protocols like S1AP and NGAP.