Mincheol Son*, Kwangmin Kim*, Beomseok Oh*, CheolJun Park**, and Yongdae Kim*
* KAIST, ** Kyung Hee University
CITesting is the first systematic testing framework designed to uncover Context Integrity Violations (CIVs) in LTE core networks. Its primary goal is to evaluate whether unauthenticated or improperly authenticated UE messages can alter the internal state of legitimate subscribers.
It selects test cases through specification-guided selections. Based on these generated messages, CITesting then automatically explores procedures by producing all valid procedure-compliant responses to core network requests. CITesting adopts a dual-UE architecture, with a victim UE controlled across different states (CONN., IDLE, DEREGI.) and a tester UE that sends test messages to the core network. Detection is guided by a behavioral oracle: after each exploration sequence, the victim UE performs state-specific service attempts, and deviations from expected responses are flagged as context modifications.
Our evaluation across two open-source (Open5GS, srsRAN) and two commercial (Nokia, Amarisoft) LTE core network implementations revealed 29, 22, 16, and 59 distinct CIVs, respectively. We further demonstrate that these CIVs can lead to critical security implications, including Denial-of-Service, IMSI exposure, and user presence detection.
Context Integrity Violation (CIV)
Any instance where the core network, in response to an unauthenticated or improperly authenticated interaction—including an entire procedure chain—modifies the internal state associated with a subscriber identity that is unrelated to and not authorized to be controlled by the originating UE.
CITesting introduces a dual-UE testing framework to reveal vulnerabilities that depend on subscriber state. Two UEs are coordinated:
Victim UE — a legitimate subscriber whose context is monitored.
Tester UE — a malicious device that sends crafted messages to the core network.
By precisely controlling the victim UE’s connection state and observing its behavior after each test, CITesting detects when the network improperly modifies subscriber context.
Victim UE Initialization
Before each test, the victim UE is placed into a specific connection state:
Connected (CONN.) — registered and active signaling.
Idle (IDLE) — registered but without active signaling.
Deregistered (DEREGI.) — not registered.
This controlled setup ensures that CIVs can be evaluated consistently across states.
Test Execution
The tester UE initiates a procedure by sending a crafted NAS message (e.g., Attach Request, Service Request, TAU Request). As the core network responds, the tester continues with procedure-compliant replies, exploring possible multi-step chains.
Oracle (Victim UE Behavior Validation)
After each test, the victim UE attempts a state-specific action to validate context integrity:
CONN.: Send a ping to confirm connectivity.
IDLE: Issue a Service Request to resume communication.
DEREGI.: Perform an Attach Request with stored identifiers (GUTI).
Any deviation from the expected baseline behavior signals a context integrity violation (CIV).
Evaluation
We evaluated CITesting across four LTE core network implementations:
Open-source: Open5GS, srsRAN
Commercial: Amarisoft, Nokia
Using our dual-UE framework, CITesting systematically explored 2,800–4,600 procedure chains per core, covering diverse message sequences, identifier values, and victim UE states.
Open5GS: 29 distinct CIVs after analysis
srsRAN: 22 distinct CIVs
Amarisoft: 16 distinct CIVs
Nokia: 59 distinct CIVs
In total, thousands of raw test cases were reduced to these distinct vulnerabilities through post-analysis.
CIVs Detected across Core Networks by UE State
Source-level analysis of open-source LTE core implementations (Open5GS and srsRAN) revealed that many of the distinct CIVs detected through black-box testing originate from a small number of flawed routines, such as improper context deletion and incorrect state transitions. These results demonstrate that subtle implementation errors can propagate across multiple procedures, underscoring the need for systematic testing.
Open5GS
1. Context deletion triggered by reject message transmission
In Open5GS, UE context is deleted upon transmission of any reject message, regardless of type. This includes removal of critical IMSI–GUTI mappings. Consequently, an adversary can spoof messages using the victim's identifier, inducing the network to send a reject and delete the associated context. Subsequent GUTI-based attach attempts by the victim lead to IMSI exposure, as the network, no longer recognizing the GUTI, initiates an identification procedure.
2. Security context deletion during incomplete authentication
We discovered a vulnerability in the network where the UE's security context is deleted during authentication and is not restored even if the procedure fails. When authentication begins, the network clears the existing security context associated with the UE. If authentication is interrupted or fails, the network fails to restore the original context, leaving the UE without valid security parameters in the network. This enables an attack where a malicious UE can use a victim's identifier (i.e., GUTI or IMSI) to trigger authentication they intentionally fail to complete, causing the victim's security context to be removed. When the victim UE attempts to access services, it will need to undergo authentication again due to the missing security context.
srsRAN
1. Improper EMM state transition during authentication
In srsRAN, a spoofed Attach Request causes the network to transition the victim UE's EMM state to 'deregistered,' even before authentication completes. If authentication fails, the state is not restored, leading to a persistent mismatch between the network and the victim UE (still in CONN. or IDLE). This inconsistency results in connection failures or rejected Service Request.
2. Security context manipulation during GUTI attach
Our analysis identified a vulnerability where an attacker can use a victim's GUTI to send spoofed Attach Request messages, causing the victim's security context (including security keys) to be modified without proper validation. When the network receives a GUTI-based Attach Request, it processes the UE as previously attached and initiates authentication procedures. During this process, the security context is altered but is not properly restored if authentication fails. This results in a persistent key mismatch between the victim UE and the network, rendering the victim incapable of accessing network services due to key verification failures in subsequent communications.
3. NAS context deletion during IMSI attach
We discovered that when an attacker sends an Attach Request using a victim's IMSI, the network incorrectly deletes the victim's previous NAS context. Upon receiving an IMSI-based Attach Request for a known user, the network immediately deletes the existing context associated with that identity. When the legitimate victim UE later attempts to connect using a GUTI-based attach, integrity verification fails due to the deleted context, forcing a complete re-authentication.
4. No update of UE network capability during GUTI attach
A significant vulnerability exists in how UE network capabilities are handled during attach procedures. We found that the network fails to update the UE network capabilities when processing a GUTI-based Attach Request. When a legitimate victim UE performs a GUTI attach, the system does not read or process the network capabilities from the UE's attach message. Instead, it continues to use previously stored values. If an attacker had earlier used the victim's IMSI to send a spoofed Attach Request with modified network capabilities, the network maintains these attacker-supplied values rather than updating them from the legitimate UE's message. This leads the network to send Security Mode Command messages with incorrect capabilities, leading the victim UE to detect the mismatch and reject the security mode command. This implementation flaw allows an attacker to manipulate security algorithm negotiation, causing service disruption through security verification failures.
5. NAS context reset when processing Service Request with invalid MAC
We identified a vulnerability in the handling of Service Request messages with invalid short MAC values. When the network receives such a message, instead of simply rejecting it, the network resets the UE's NAS context, including critical state information such as the EMM state. When the legitimate victim UE later sends a Service Request, the network responds that the UE is not registered and sends a Service Reject with an "implicitly detach" cause. This allows an attacker to remotely deregister any UE from the network by simply sending a Service Request with the victim's identity and an invalid MAC, causing significant service disruption without any indication to the legitimate user.
Context Integrity Violations (CIVs) create inconsistencies between the subscriber’s local state and the network’s internal context. These inconsistencies manifest as three broad categories of security implications
Description.
CIVs can corrupt registration or session state, causing the network to reject valid requests or prematurely drop active connections. As a result, victim UEs are unable to attach, resume service, or maintain connectivity.
Security Impact.
Remote service disruption from within the same MME region.
Description.
When temporary identifiers (GUTI) are invalidated, the network falls back to the Identification procedure, forcing the UE to reveal its permanent identity (IMSI) over the air. CIVs thus indirectly trigger IMSI leakage even without fake base stations.
Security Impact.
Exposure of permanent subscriber identifiers.
Description.
CIVs can cause the core to initiate identity exchanges during reconnection. If the attacker already knows the victim’s IMSI, they can passively monitor whether this IMSI is transmitted in an Identity Response, thereby confirming the victim’s presence in the area.
Security Impact.
Stealthy detection of user presence near a sniffer.
Permanent DoS (Denial-of-Service)
CITesting_Permanent_DoS.mp4IMSI Exposure (w/ Identity Request)
CITesting_IMSI_Exposure_(ID_req).mp4IMSI Exposure (w/ IMSI Attach Request)
CITesting_IMSI_Exposure_(IMSI_Attach).mp4TBD