CCS2025

CITesting: Systematic Testing of Context Integrity Violations in LTE Core Networks

Mincheol Son, Kwangmin Kim, Beomseok Oh, CheolJun Park, Yongdae Kim

Abstract

Cellular networks increasingly support critical infrastructure, yet their security remains an ongoing concern. While prior research has focused mainly on downlink vulnerabilities, uplink security—how user equipment (UE) affects the core network—has received limited attention. We study a class of uplink vulnerabilities, which we define as context integrity violations (CIVs), where an unauthenticated or improperly authenticated UE modifies the internal state of other subscribers. Prior work identified a few instances of CIVs, but the broader attack surface remains unexplored. We present CITesting, the first framework for systematically detecting CIVs in LTE core networks. CITesting explores diverse procedure chains, tests a broad range of Information Elements (IEs), and validates behavior across UE connection states. It introduces stateful dual-UE control testing to manage victim UE state and employs a behavioral oracle to detect context modifications in black-box networks. We evaluated CITesting on two open-source (Open5GS, srsRAN) and two commercial (Amarisoft, Nokia) LTE core network implementations, identifying 29, 22, 16, and 59 distinct CIVs after post-analysis. These findings enable remote attacks including UE detachment, IMSI exposure, and presence detection attacks. Note that traditional attack models such as fake base station and active SigOver require the active attacker to be co-located in the same cell. In contrast, our attacks require the active attacker to be in the same MME region (significantly broader than a cell) as the victim UE. All findings were responsibly disclosed, and patches were contributed to Amarisoft and Open5GS.