{"id":201685,"date":"2025-07-30T17:11:05","date_gmt":"2025-07-30T08:11:05","guid":{"rendered":"http:\/\/ee.presscat.kr\/?post_type=research-achieve&p=201685"},"modified":"2026-04-13T03:07:05","modified_gmt":"2026-04-12T18:07:05","slug":"professor-yongdae-kims-team-vulnerability-found-a-single-packet-can-paralyze-smartphones","status":"publish","type":"research-achieve","link":"http:\/\/ee.presscat.kr\/en\/research-achieve\/professor-yongdae-kims-team-vulnerability-found-a-single-packet-can-paralyze-smartphones\/","title":{"rendered":"Professor Yongdae Kim’s Team Vulnerability Found: A Single Packet Can Paralyze Smartphones"},"content":{"rendered":"
\"\"
<(From left) Professor Yongdae Kim, PhD candidate Tuan Dinh Hoang, PhD candidate Taekkyung Oh from KAIST, Professor CheolJun Park from Kyung Hee University; and Professor Insu Yun from KAIST><\/span><\/figcaption><\/figure>\n

Smartphones must stay connected to mobile networks at all times to function properly.\u00a0The corecomponent that enables this constant connectivity is the communication modem (Baseband) inside the device. KAIST researchers, using their self-developed testing framework called ‘LLFuzz (Lower Layer Fuzz),’ have discovered security vulnerabilities in the lower layers of smartphone communication modems and demonstrated the necessity of standardizing ‘mobile communication modem security testing.’\u00a0*Standardization: In mobile communication, conformance testing, which verifies normal operation in normal situations, has been standardized.<\/span> However, standards for handling abnormal packets have not yet been established, hence the need for standardized security testing.<\/span><\/p>\n

 <\/p>\n

Professor Yongdae Kim’s team from the School of Electrical Engineering at KAIST, in collaboration with Professor CheolJun Park’s team from Kyung Hee University, has discovered critical security vulnerabilities in the lower layers of smartphone communication modems. These vulnerabilities can incapacitate smartphone communication with just a single manipulated wireless packet (a data transmission unit in a network). In particular, they are extremely severe, as they can potentially lead to remote code execution (RCE).<\/span><\/div>\n
\u00a0<\/div>\n

The research team utilized their self-developed ‘LLFuzz’ analysis framework to analyze the lower layer state transitions and error handling logic of the modem to detect security vulnerabilities. LLFuzz was able to precisely extract vulnerabilities caused by implementation errors by comparing and analyzing 3GPP* standard-based state machines with actual device responses.\u00a0*3GPP: An international collaborative organization that creates global mobile communication standards.<\/span><\/span><\/p>\n

 <\/p>\n

The research team conducted experiments on 15 commercial smartphones from global manufacturers, including Apple, Samsung Electronics, Google, and Xiaomi, and discovered a total of 11 vulnerabilities. Among these, seven were assigned official CVE (Common Vulnerabilities and Exposures) numbers, and manufacturers applied security patches for these vulnerabilities. However, the remaining four have not yet been publicly disclosed.<\/span><\/p>\n

 <\/p>\n

While previous security research primarily focused on higher layers of mobile communication, such as NAS (Network Access Stratum) and RRC (Radio Resource Control), the research team concentrated on analyzing the error handling logic of mobile communication’s lower layers, which manufacturers have often neglected<\/span><\/p>\n

 <\/p>\n

\"\"
<LLFuzz Design><\/span><\/figcaption><\/figure>\n

 <\/p>\n

These vulnerabilities occurred in the lower layers of the communication modem (RLC, MAC, PDCP, PHY*), and due to their structural characteristics where encryption or authentication is not applied, operational errors could be induced simply by injecting external signals.\u00a0*RLC, MAC, PDCP, PHY: Lower layers of LTE\/5G communication, responsible for wireless resource allocation, error control, encryption, and physical layer transmission.<\/span><\/span><\/p>\n

 <\/p>\n

The research team released a demo video showing that when they injected a manipulated wireless packet (malformed MAC packet) into commercial smartphones via a Software-Defined Radio (SDR) device using packets generated on an experimental laptop, the smartphone’s communication modem (Baseband) immediately crashed<\/span><\/p>\n

 <\/p>\n

\u203b Experiment video:\u00a0https:\/\/drive.google.com\/file\/d\/1NOwZdu_Hf4ScG7LkwgEkHLa_nSV4FPb_\/view?usp=drive_link<\/a><\/span><\/p>\n

 <\/p>\n

The video shows data being normally transmitted at 23MB per second on the fast.com page, but immediately after the manipulated packet is injected, the transmission stops and the mobile communication signal disappears. This intuitively demonstrates that a single wireless packet can cripple a commercial device’s communication modem.<\/span><\/p>\n

 <\/p>\n

\"\"
<LTE Vulnerability Summary><\/span><\/figcaption><\/figure>\n

 <\/p>\n

The vulnerabilities were found in the ‘modem chip,’ a core component of smartphones responsible for calls, texts, and data communication, making it a very important component.<\/span><\/p>\n

 <\/p>\n