A comprehensive curated list of resources for 2G/3G/4G/5G cellular security research and analysis
This repository consolidates community knowledge in the cellular security space, including exploits, research papers, tools, and educational resources. The goal is to preserve and organize important security research that might otherwise become difficult to find.
- Rogue Base Stations
- Recent Updates (2024-2025)
- Software & Tools
- Hardware Setup
- Testing & Research Methodologies
- Attack Vectors
- Conference Talks
- Research Papers
- Equipment & Hardware
- Detection & Defense
- Cellular IoT & NB-IoT Security
- Satellite-Cellular Integration
- Private 5G Network Security
- Network Slicing & Edge Security
- Automotive & Industrial Cellular
- Forensics & Investigation
- Vulnerability Disclosure
- SIM Security
- SS7 & Telecom Infrastructure
- Surveillance Technology
- Recent CVEs & Updates
- International Research
- Training & Education
- Vendor-Specific Research
- Roaming & Interconnect Security
- Resources
- How To Build Your Own Rogue GSM BTS For Fun and Profit: Guide to creating a portable GSM BTS for private networks or security testing. Covers the technical setup using relatively inexpensive equipment.
- How to create an Evil LTE Twin/LTE Rogue BTS: Tutorial for setting up a 4G/LTE Evil Twin Base Station using srsRAN and USRP SDR devices.
- Practical attacks against GSM networks: Impersonation: Detailed analysis of GSM Base Station impersonation using Software Defined Radio (SDR) and open source tools.
- Tutorial: Analyzing GSM with Airprobe and Wireshark: Step-by-step guide for using RTL-SDR to analyze GSM signals with GR-GSM/Airprobe and Wireshark.
- GSM/GPRS Traffic Interception for Penetration Testing: NCC Group's research on GSM/GPRS interception capabilities for penetration testing engagements.
- OpenBTS 2024 Reloaded: Updated for modern UHD drivers and Ubuntu 22.04/24.04 support
- OpenAirInterface (OAI): Major 5G platform with complete 3GPP Release-15+ implementation
- LimeNET CrowdCell: Network-in-a-box solution with integrated LimeSDR for small cell deployments
- Amarisoft LTEENB/gNB: Professional-grade LTE/5G NR base station software
- DragonOS: Ubuntu-based SDR distribution with preinstalled cellular tools
- Magma Core Network: Meta's distributed packet core now under Linux Foundation
- 5GBaseChecker: New tool for automated 5G baseband vulnerability detection
| Software | Description | Link |
|---|---|---|
| OpenBTS (2024 Reloaded) | Linux application using SDR to present 3GPP air interface (updated for modern systems) | GitHub |
| OpenBTS (Original) | Original Range Networks implementation | SourceForge |
| YateBTS | GSM/GPRS radio access network implementation | Website |
| srsRAN Project | Open-source 5G O-RAN CU/DU software suite | GitHub |
| srsRAN 4G | Open-source 4G software radio suite | GitHub |
| OpenAirInterface | Complete 4G/5G protocol stack implementation | Website |
- LTE-Cell-Scanner - LTE cell detection and analysis
- gr-gsm - GSM analysis with GNU Radio
- IMSI-Catcher Detector - Android app for detecting IMSI catchers
- QCSuper - Capture 2G-4G traffic using Qualcomm phones
- 5GBaseChecker - Tool for detecting vulnerabilities in 5G baseband implementations (2024)
- FALCON LTE - Fast Analysis of LTE Control Channels for real-time analysis
- Kalibrate - GSM base station scanner and frequency calibration tool
- LTE Sniffer - Open-source LTE downlink/uplink eavesdropper
- OsmocomBB - Free firmware for mobile phone baseband processors
- Modmobmap - Mobile network mapping
- Modmobjam - Mobile jamming research
Installing the UHD driver stack for Ettus USRP devices on Ubuntu:

```bash
# Add the Ettus Research PPA
sudo add-apt-repository ppa:ettusresearch/uhd
sudo apt-get update

# Install UHD drivers, headers and host utilities
sudo apt-get install libuhd-dev libuhd003 uhd-host

# List USRP devices attached over USB or the network
uhd_find_devices

# Download the FPGA/firmware images matching the installed UHD version
cd /usr/lib/uhd/utils/
./uhd_images_downloader.py

# Probe the device to confirm the driver, firmware and USB link are working
sudo uhd_usrp_probe
```

Expected output from `uhd_usrp_probe` for a B200-series device:

```text
[INFO] [UHD] linux; GNU C++ version 7.4.0; Boost_106501; UHD_3.14.1.1-release
[INFO] [B200] Detected Device: B*****
[INFO] [B200] Operating over USB 3.
[INFO] [B200] Initialize CODEC control...
[INFO] [B200] Initialize Radio control...
[INFO] [B200] Performing register loopback test...
[INFO] [B200] Register loopback test passed
```
| Hardware | Frequency Range | Bandwidth | Price Range | Use Case | Link |
|---|---|---|---|---|---|
| **Ettus Research (USRP)** | | | | | |
| USRP B210 | 70 MHz - 6 GHz | 61.44 MHz | $2,100 | Professional development, 2x2 MIMO | Ettus |
| USRP B200mini | 70 MHz - 6 GHz | 61.44 MHz | $775 | Compact USRP B-series | Ettus |
| USRP N210 | DC - 6 GHz | 25 MHz | $1,700 | High-performance networked SDR | Ettus |
| USRP N320 | 1 MHz - 6 GHz | 200 MHz | $8,000 | High-end networked 2x2 MIMO | Ettus |
| USRP X310 | DC - 6 GHz | 160 MHz | $6,000 | High-performance desktop/rack | Ettus |
| USRP X410 | 1 MHz - 7.2 GHz | 400 MHz | $15,000 | Latest high-performance 4x4 MIMO | Ettus |
| USRP X440 | 30 MHz - 4 GHz | 1.6 GHz | $25,000+ | Latest 8x8 MIMO RFSoC platform | Ettus |
| USRP E320 | 70 MHz - 6 GHz | 56 MHz | $4,000 | Embedded 2x2 MIMO SDR | Ettus |
| **Nuand (BladeRF)** | | | | | |
| BladeRF 2.0 xA4 | 47 MHz - 6 GHz | 61.44 MHz | $420 | Budget 2x2 MIMO development | Nuand |
| BladeRF 2.0 xA9 | 47 MHz - 6 GHz | 61.44 MHz | $720 | High FPGA resources, 2x2 MIMO | Nuand |
| BladeRF x40 (Legacy) | 300 MHz - 3.8 GHz | 40 MHz | $400 | Entry-level legacy model | Nuand |
| **Great Scott Gadgets** | | | | | |
| HackRF One | 1 MHz - 6 GHz | 20 MHz | $350 | Budget TX/RX development | GSG |
| YARD Stick One | 300-348, 391-464, 782-928 MHz | 2.5 MHz | $110 | Sub-GHz IoT frequencies | GSG |
| **Lime Microsystems** | | | | | |
| LimeSDR USB | 100 kHz - 3.8 GHz | 61.44 MHz | $289 | Open-source 2x2 MIMO | Lime Micro |
| LimeSDR Mini | 10 MHz - 3.5 GHz | 30.72 MHz | $139 | Compact LimeSDR variant | Lime Micro |
| LimeSDR Mini 2.0 | 10 MHz - 3.5 GHz | 30.72 MHz | $169 | Updated with ECP5 FPGA | Lime Micro |
| LimeSDR X3 | Various bands | Up to 61.44 MHz | $3,000+ | Professional 3x transceiver PCIe | Lime Micro |
| **Analog Devices** | | | | | |
| PlutoSDR | 325 MHz - 3.8 GHz | 20 MHz | $150 | Education and learning platform | Analog Devices |
| **RTL-SDR Blog** | | | | | |
| RTL-SDR V3 | 500 kHz - 1.75 GHz | 3.2 MHz | $35 | Ultra-budget RX-only scanner | RTL-SDR |
| RTL-SDR V4 | 500 kHz - 1.75 GHz | 3.2 MHz | $40 | Latest RTL-SDR with R828D | RTL-SDR |
| **Airspy** | | | | | |
| Airspy R2 | 24 MHz - 1.8 GHz | 10 MHz | $200 | High-performance VHF/UHF scanner | Airspy |
| Airspy Mini | 24 MHz - 1.8 GHz | 6 MHz | $99 | Compact Airspy in dongle format | Airspy |
| Airspy HF+ Discovery | 9 kHz - 31 MHz, 60-260 MHz | 768 kHz | $169 | Dedicated HF reception | Airspy |
| **SDRplay** | | | | | |
| RSP1A | 1 kHz - 2 GHz | 10 MHz | $119 | Wideband general purpose | SDRplay |
| RSPdx | 1 kHz - 2 GHz | 10 MHz | $299 | Professional features, dual antenna | SDRplay |
| **Red Pitaya** | | | | | |
| STEMlab 125-14 | DC - 60 MHz | 50 MHz | $600 | HF transceiver, lab instrument | Red Pitaya |
| STEMlab 122-16 | DC - 50 MHz | Variable | $625 | High-resolution HF SDR/scope | Red Pitaya |
| Issue | Possible Causes |
|---|---|
| Device not detected | Wrong or missing firmware images, USB connection issues |
| Poor signal quality | Incorrect antennas, wrong frequency configuration |
| Connection failures | Wrong SIM, incorrect MCC/MNC codes |
| Performance issues | Virtualized platform limitations, wrong SDR firmware |
- Budget-Friendly Baseband Fuzzing Setup - DefCon 32 2024: Guidelines for building cost-effective baseband fuzzing rigs using Software Defined Radios (SDRs). Includes methods for:
- Firmware acquisition and reverse engineering
- Using Large Language Models to accelerate protocol parser development
- Testing automotive ECUs, payment terminals, and mobile devices
- Practical vulnerability assessment in ISP networks
- 5GBaseChecker - Automated 5G baseband vulnerability detection
- certmitm - TLS hacking tool for finding insecure implementations
From NIST SP 800-187:
- Smart Jamming: Targeted channel interference timed to avoid detection
- Dumb Jamming: Broadband noise transmission across frequency ranges
- UE Interface Jamming: Preventing UE signaling to eNodeB
- eNodeB Interface Jamming: Disrupting base station communications
- Privacy Attacks on 4G/5G Paging Protocols
- European 5G Security in the Wild
- 5G Threat Modeling Framework
- ENISA 5G Threat Landscape
- 5GReasoner Analysis Framework
- 5G NR Jamming, Spoofing, and Sniffing
- New Vulnerabilities in 5G Networks
- New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols
- Insecure Connection Bootstrapping in Cellular Networks
- Protecting 4G and 5G Cellular Paging Protocols
- LTRACK: Stealthy Mobile Phone Tracking
- Detecting Fake 4G Base Stations
- BaseSAFE: Baseband Fuzzing
- LTE Public Warning System Attacks
- Signal Overshadowing Attacks
- Breaking LTE on Layer Two
- LTE/LTE-A Jamming, Spoofing, and Sniffing
- LTE Protocol Exploits
- Practical Attacks Against Privacy and Availability
- LTE Security Assessment
- Hiding in Plain Signal: Physical Signal Overshadowing
- LTE Security Disabled—Misconfiguration in Commercial Network
- All The 4G Modules Could Be Hacked
- Paging Storm Attacks against 4G/LTE Networks
- Hacking Public Warning System in LTE
- Analysis of the LTE Control Plane
- Baseband Attacks: Remote Exploitation
- LTE Security and Protocol Exploits - ShmooCon 2016
- Military Communications Conference 2018 - Slides
- WiSec 2019 - Final Paper
- 5G Baseband Vulnerability Research by Penn State: Researchers from Pennsylvania State University presented findings about 12 vulnerabilities in 5G basebands made by Samsung, MediaTek, and Qualcomm, affecting phones by Google, OPPO, OnePlus, Motorola, and Samsung. They released the 5GBaseChecker tool on GitHub for vulnerability research.
- Economizing Mobile Network Warfare: Budget-Friendly Baseband Fuzzing by Janne Taponen: Explores the role of Software Defined Radios (SDRs) in making baseband fuzzing accessible and affordable. Covers building cost-effective baseband fuzzing rigs, using Large Language Models to accelerate protocol parser development, and discovering vulnerabilities in device radio access network (RAN) interfaces across automotive ECUs, payment terminals, cellular modems, and mobile phones.
- Dirty Use of USSD Codes in Cellular Networks by Ravi Borgaonkar: Analysis of Unstructured Supplementary Service Data (USSD) vulnerabilities in cellular networks and how they can be exploited for malicious purposes.
- NSA PLAYSET GSM
- VoLTE Phreaking - Ralph Moonen
- RF Exploitation: IoT/OT Hacking with SDR
- Bye-Bye-IMSI-Catchers
- Side Channel Analysis in 4G and 5G
- Starshields for iOS: Navigating the Security Cosmos in Satellite Communication: First comprehensive security analysis of Apple's satellite communication features for iPhones. Researchers reverse-engineered Apple's proprietary satellite protocol, analyzed its security and privacy properties, demonstrated restriction bypasses, and created a simulation testbed. Covers Emergency SOS, Find My, roadside assistance, and iMessage/SMS over satellite.
- 5GBaseChecker Tool Release - Penn State University: Open-source tool for detecting vulnerabilities in 5G baseband implementations. Used to discover 12 critical vulnerabilities in Samsung, MediaTek, and Qualcomm basebands.
| Component | Purpose | Link |
|---|---|---|
| Ettus USRP B210 | Software Defined Radio | Product Page |
| srsENB | 4G/5G Base Station Software | GitHub |
| Open5GS | 5G Core Network | GitHub |
| sysmo-usim-tool | SIM Programming | Project Page |
| pysim | SIM Analysis Tool | GitHub |
| CoIMS | VoLTE Testing | Play Store |
| Docker Open5GS | Containerized Core | Tutorial |
- CellGuard - NEW 2024 🔥: iOS app that detects rogue base stations and cellular attacks targeting iPhones. Analyzes baseband packets in real time to identify suspicious activity and IMSI catchers. Developed by the SEEMOO lab as part of its research into cellular surveillance detection.
- Real-time baseband packet analysis
- Suspicious activity detection algorithms
- Integration with Apple Cell Location Database
- TestFlight beta available for testing
- Website & Documentation
- TestFlight Beta
- SeaGlass: City-Wide IMSI-Catcher Detection
- SeaGlass Research Paper
- White-Stingray Detection App Evaluation
- IMSI-Catcher Detector (Android) - Android app for detecting IMSI catchers
- NB-IoT Security Analysis Framework - Narrowband IoT security research
- Cat-M1/LTE-M Attack Vectors - GSMA IoT security guidelines
- Cellular IoT Botnet Research - IoT cellular malware analysis
- Starlink Security Research - Satellite cellular convergence attacks
- 3GPP Non-Terrestrial Networks (NTN) Security - Official 5G satellite integration specs
- LEO Satellite Cellular Vulnerabilities - Low Earth Orbit security research
- O-RAN Security Research - Open RAN security specifications
- Private 5G Penetration Testing Guide - Enterprise private network testing
- Campus 5G Security Assessment - NIST private 5G security guidance
- 5G Network Slicing Attack Research - IEEE research papers
- Multi-Access Edge Computing (MEC) Vulnerabilities - ETSI MEC security specs
- Network Function Virtualization (NFV) Attacks - Virtual network function security
- V2X Security Research - Vehicle-to-everything communications
- Cellular-V2X Attack Vectors - Automotive cellular security
- Industrial IoT Cellular Security - IIoT cellular threat landscape
- XRY Mobile Forensics - Commercial cellular forensics platform
- Cellebrite UFED - Mobile device extraction tools
- MSAB Cellular Evidence Analysis - Network evidence collection
- NIST Mobile Forensics Guidelines - Mobile device forensics standards
- Android Security Bulletins - Regular Android/baseband patches
- Qualcomm Security Bulletins - Snapdragon security updates
- Samsung Mobile Security - Galaxy security research program
- Apple Security Research - iOS/baseband security program
- Rooting SIM Cards
- SIM Port Hack Case Study
- SIM Cloning with Oscilloscope
- Small Tweaks do Not Help: MILENAGE Analysis
- DHS Stingray Surveillance
- Stingray Cost Analysis
- NYCLU Stingray Information
- EFF Cell Site Simulators
- CVE Database Search - Search for cellular-related vulnerabilities
- Project Zero Cellular Security Research - Google's ongoing mobile security research
- Samsung Security Bulletins - Regular baseband security updates
- SIMjacker and Simswap Updates - Evolution of SIM-based attacks
- China Mobile Security Research - Chinese cellular security papers
- European Cybersecurity Agency (ENISA) 5G Reports - EU 5G security assessments
- Japanese 5G Security Guidelines - Japan cybersecurity strategy
- Korean KISA Mobile Security - Korean mobile security research
- SANS Mobile Security Training - Professional mobile security courses
- Offensive Security Mobile Testing - Advanced mobile penetration testing
- Cellular Security Lab Environments - Open-source 5G lab setup
- SDR University Courses - GNU Radio educational materials
- Ericsson Security Research - Network equipment security
- Nokia Bell Labs Security - Cellular infrastructure research
- Huawei Security Research - Equipment security analysis
- ZTE Security Bulletins - Network equipment vulnerabilities
- GRX/IPX Security Research - GSMA roaming security
- International Roaming Attacks - Cross-border cellular security
- Diameter Protocol Security - 4G/5G signaling security
- RTL-SDR Community - Software Defined Radio resources
- MCC-MNC Database - Mobile Country/Network Code reference
- RFSec-ToolKit - RF security testing tools
- FakeBTS - Base station attack resources
- RF Security Documentation
- Conference Proceedings Collections - IEEE research database
- ACM Digital Library - ACM research papers
- USENIX Security Papers - Security conference proceedings
- FCC Equipment Authorization Rules - US cellular equipment regulations
- CISA 5G Security Guidance - US critical infrastructure guidance
- European 5G Cybersecurity Certification - EU certification requirements
- Analyzing GSM Downlink with USRP
- AT&T Microcell Analysis
- Dynamic Security Analysis
- Touching the Untouchables
- LTE Recon - (DefCon 23)
- BMW Security Assessment using OpenBTS
- LTE Security Guide
- 4G Access Level Security Assessment
- Demystifying Mobile Networks
- LTE Pwnage: Core Network Elements
- WiFi IMSI Catcher
This is a community-driven project. To contribute:
- Fork the repository
- Add your resources with proper descriptions
- Ensure links are working and content is relevant
- Submit a pull request with a clear description
This repository is for educational and research purposes only. Users are responsible for complying with all applicable laws and regulations. The maintainers do not endorse or encourage any illegal activities.
Last Updated: June 2025
Maintainer: @W00t3k
If you find broken links or have resources to add, please open an issue or submit a pull request.