UNIVERSITY PARK, Pa. — As mobile networks expand globally and get more sophisticated, critical vulnerabilities often emerge that need to be addressed, according to a team of Penn State researchers led by Syed Rafiul Hussain, assistant professor of computer science and engineering (CSE) in the Penn State School of Electrical Engineering and Computer Science.  

The research team — which includes doctoral students in CSE Kai Tu, Abdullah Al Ishtiaq, Tianchang Yang, Yilu Dong, Ali Ranjbar, Syed Md Mukit Rashid, Tianwei Wu and Mujtahid Akon and graduate student in CSE Weixuan Wang — recently published papers to address a variety of these vulnerabilities, covering issues in hardware, coding and networking, that leave everyone, from the network providers to the end user of the phone, at risk. They discussed their work in a Q&A with Penn State News. 

Q: What is your team’s overall goal with this research? 

A: Syed Rafiul Hussain: Our research highlights 5G's complex infrastructure and how this complexity can introduce new security challenges that require proactive detection, patching and structured implementation standards across devices and network protocols. By addressing these vulnerabilities, we are aiming to make the 5G ecosystem safer and more resilient against both direct and indirect attacks. 

Q. In one of your papers, which received a best paper award at the 33rd USENIX Security Symposium, you discovered security gaps in 5G basebands — the modem layer of a 5G network that manages radio signals — that could enable attackers to create a false network and force a user to use this network without realizing. What specifically was the vulnerability? 

A: Kai Tu: Our team aimed to find logical vulnerabilities in 5G control plane protocols, particularly in commercial baseband implementations, which allow attackers to bypass security measures such as encryption and integrity protection. We found numerous vulnerabilities exist in many of the commercial products. We reported all of these vulnerabilities to corresponding vendors. They released their patch to mitigate those vulnerabilities, and those patches are now available to the end users. Users are advised to ensure their devices are updated to avoid being exposed to unauthorized monitoring and phishing attacks. 

Q: In a separate research paper, cellular network protocols, which are implemented through complex and lengthy documents, are examined. What errors or issues did your team find with the way these documents are structured, and how could these errors affect the end user?  

A: Abdullah Al Ishtiaq: Cellular network protocols are described and implemented using natural language specifications within documents that can be hundreds or even thousands of pages long. These documents are prone to design issues and implementation errors due to ambiguities and a lack of structure when composing. Our research — which is being conducted in collaboration with Rui Zhang, assistant professor of CSE, and doctoral student Sarkar Das — proposed a structured and machine-readable representation of these protocols to ensure accurate and secure implementations. Our research mainly benefits the developers composing these protocols, but, eventually, if we have more secure implementations in place, users will experience more secure phones and networks because potential errors would be mitigated.  

Q: In another paper, security risks of the Open Radio Access Network (RAN) are discussed. What is the Open RAN and why is it more vulnerable than traditional telecommunication networks?  

A: Tianchang Yang: The Open Radio Access Network (RAN) is an industry-driven initiative led by major telecom operators like AT&T, T-Mobile and various global operators to standardize a more flexible, interoperable framework for 5G network components. Traditional telecom networks rely on hardware from specific vendors for cell towers and radio access networks, resulting in high costs and vendor lock-in. The Open RAN allows telecom operators to mix and match hardware and software components from various vendors. 

There are many benefits to the Open RAN, including increased flexibility and reduced costs, integrating components from multiple vendors and allowing network optimization applications, which are often open source. However, interacting with these components opens the system to potential vulnerabilities. These diverse implementations must work together seamlessly, so one bug could crash the entire network. My research — which I am conducting with Gang “Gary” Tan, professor of CSE — revealed 19 bugs in two Open RAN implementations, leading to potential crashes or non-responsiveness of the controller, affecting both misbehaving and legitimate nodes on the network. 

Q: What is the importance of Open RAN going forward? 

A: Syed Rafiul Hussain: The U.S. Department of Defense (DoD) and National Telecommunications and Information Administration are investing heavily in the Open RAN, particularly for deployment in military operations abroad. The DoD’s interest stems from the potential to integrate third-party networks and share intelligence securely. I am scheduled to present our research on the Open RAN’s security challenges at the International Conference on Open RAN Symposium organized by the Institute for Telecommunication Sciences. This event is expected to gather telecom operators, vendors and researchers to discuss the feasibility and security implications of deploying Open RAN on a large scale.