Researchers from University of Florida and NC State have published the RANsacked report, revealing a critical security landscape in telecommunications: 119 vulnerabilities (including 97 new CVEs) affecting the most commonly used LTE and 5G core network implementations. These flaws allow an attacker to collapse an entire city's cellular infrastructure by sending unauthenticated packets, posing an existential threat to mission-critical systems, connected vehicles, and IoT networks.
Incident Analysis: The Fragility of the 'Core' Cellular Network
The RANsacked study analyzed seven LTE implementations and three 5G ones, including high-profile open-source and commercial projects like Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, and srsRAN.
The most alarming findings include:
No-Subscription Attacks: Certain vulnerabilities allow the collapse of critical nodes such as MME (in LTE) or AMF (in 5G) without a valid SIM card. A single malformed and unauthenticated packet can cause massive Denial of Service (DoS).
Persistence and Reach: The flaws enable persistent disruptions that could leave entire metropolitan areas without cellular service, affecting not only mobile phones but also urban infrastructure connected to the network.
Rogue Base Stations: The ecosystem of available tools (cited in resources like Awesome Cellular Hacking) facilitates the creation of 'Evil Twins' for LTE. This allows attackers to intercept traffic, impersonate users, and capture sensitive metadata from devices within coverage areas.
The research, supported by findings from the KAIST institute, details how the mobile network signaling architecture remains vulnerable to injection attacks:
Exploitation of Signaling Protocols: The vulnerabilities reside in how the software processes signaling messages before the device is authenticated by the network.
Ease of Execution: With the rise of Software-Defined Radio (SDR) and detailed tutorials for creating false base stations, the entry barrier for both state and non-state actors has drastically decreased.
IoT Impact: Given that many industrial and transportation systems rely on continuous cellular network availability, such DoS can halt logistics operations and emergency systems.
These weaknesses undermine the assumption that cellular networks are inherently more secure than Wi-Fi or terrestrial networks. The ability to execute large-scale denial-of-service attacks and intercept communications through false base stations puts at risk:
The integrity of data transmitted by IoT and IIoT devices.
Business continuity in sectors that depend on mobile connectivity (logistics, autonomous vehicles, telemedicine).
The confidentiality of executive and operational communications.
To mitigate these risks, 5G private network operators must act immediately:
Software Updates: It is imperative to patch core network implementations (especially Open5GS, srsRAN, and similar) to the latest versions, which incorporate the fixes for the RANsacked findings.
Signaling Monitoring: Implement specific cellular network intrusion detection systems that can identify anomalous traffic patterns in control plane layers.
Rogue BTS Defense: Use spectrum monitoring tools to detect unauthorized base stations or 'IMSI Catchers' in sensitive areas.
Upper Layer Encryption: Do not rely solely on cellular network encryption; implement VPN tunnels or end-to-end encryption for all critical data.
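The signaling-monitoring recommendation above can be made concrete with a small detector for the pattern the report describes: malformed signaling messages arriving before any authentication, from a single source, at a rate no legitimate handset produces. This is an added example, not code from the RANsacked authors or any core project; the log format, the source identifiers and the procedure names used as a pre-authentication set are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque

# Constructed control-plane log sample (not from any real MME/AMF). One line per
# received NGAP/S1AP message: <epoch seconds> src=<base station> proc=<procedure> nas=<decode result>
SAMPLE_LOG = """\
1700000000 src=gnb-17 proc=InitialUEMessage nas=ok
1700000001 src=gnb-17 proc=UplinkNASTransport nas=ok
1700000002 src=gnb-99 proc=InitialUEMessage nas=malformed
1700000002 src=gnb-99 proc=InitialUEMessage nas=malformed
1700000003 src=gnb-99 proc=InitialUEMessage nas=malformed
1700000003 src=gnb-99 proc=InitialUEMessage nas=malformed
1700000004 src=gnb-99 proc=InitialUEMessage nas=malformed
1700000030 src=gnb-17 proc=InitialUEMessage nas=malformed
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) src=(?P<src>\S+) proc=(?P<proc>\S+) nas=(?P<nas>\S+)$")

# Procedures the core must accept before the UE has proven its identity (assumed set).
# These need no valid SIM to send, so they get a separate, stricter baseline than
# post-authentication traffic.
PRE_AUTH_PROCEDURES = {"InitialUEMessage"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = int(event["ts"])
    return event


def detect_pre_auth_floods(log_text, window_s=10, threshold=3):
    """Return (source, timestamp) alerts for sources that sent at least `threshold`
    malformed pre-authentication messages within `window_s` seconds. One alert per source."""
    recent = defaultdict(deque)   # source -> timestamps of its malformed pre-auth messages
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proc"] not in PRE_AUTH_PROCEDURES or ev["nas"] != "malformed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], ev["ts"]))
    return alerts
```

On the sample, only gnb-99 trips the rule; the single malformed message from gnb-17 stays below threshold, which is the behaviour you want so that ordinary decode errors do not page anyone.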
The discovery of nearly a hundred CVEs in one report suggests that the attack surface of 5G networks is still being explored. Threat actors can be expected to weaponize these vulnerabilities into more accessible exploitation kits, which compels organizations to treat their cellular infrastructure with the same level of security as their traditional corporate networks.