open5Gcube: A Modular and Usable Framework for Mobile Network Laboratories

In mobile network research, the integration of real-world components such as User Equipment (UE) with open-source network infrastructure is essential yet challenging. To address these issues, we introduce open5Gcube, a modular framework designed to integrate popular open-source mobile network projects into a unified management environment. Our publicly available framework allows researchers to flexibly combine different open-source implementations, including different versions, and simplifies experimental setups through containerization and lightweight orchestration. We demonstrate the practical usability of open5Gcube by evaluating its compatibility with various commercial off-the-shelf (COTS) smartphones and modems across multiple mobile generations (2G, 4G, and 5G). The results underline the versatility and reproducibility of our approach, significantly advancing the accessibility of rigorous experimentation in mobile network laboratories.

A5/1 is in the Air: Passive Detection of 2G (GSM) Ciphering Algorithms

This paper investigates the ongoing use of the A5/1 ciphering algorithm within 2G GSM networks. Despite its known vulnerabilities and the gradual phasing out of GSM technology by some operators, GSM security remains relevant due to potential downgrade attacks from 4G/5G networks and its use in IoT applications. We present a comprehensive overview of a historical weakness associated with the A5 family of cryptographic algorithms. Building on this, our main contribution is the design of a measurement approach using low-cost, off-the-shelf hardware to passively monitor Cipher Mode Command messages transmitted by base transceiver stations (BTS). We collected over 500,000 samples at 10 different locations, focusing on the three largest mobile network operators in Germany. Our findings reveal significant variations in algorithm usage among these providers. One operator favors A5/3, while another surprisingly retains a high reliance on the compromised A5/1. The third provider shows a marked preference for A5/3 and A5/4, indicating a shift towards more secure ciphering algorithms in GSM networks.

Adaptive Optimization of TLS Overhead for Wireless Communication in Critical Infrastructure

With critical infrastructure increasingly relying on wireless communication, using end-to-end security such as TLS becomes imperative. However, TLS introduces significant overhead for resource-constrained devices and networks prevalent in critical infrastructure. In this paper, we propose to leverage the degrees of freedom in configuring TLS to dynamically adapt algorithms, parameters, and other …

Open RAN: A Concise Overview

Open RAN has emerged as a transformative approach in the evolution of cellular networks, addressing challenges posed by modern applications and high network density. By leveraging disaggregated, virtualized, and software-based elements interconnected through open standardized interfaces, Open RAN introduces agility, cost-effectiveness, and enhanced competition in the Radio Access Network (RAN) domain. The Open RAN paradigm, driven by the O-RAN Alliance specifications, is set to transform the telecom ecosystem. Despite extensive technical literature, there is a lack of succinct summaries for industry professionals, researchers, and policymakers. This paper addresses this gap by providing a concise, yet comprehensive overview of Open RAN. Compared to previous work, our approach introduces Open RAN by gradually splitting up different components known from previous RAN architectures. We believe that this approach leads to a better understanding for people already familiar with the general concept of mobile communication networks. Building upon this general understanding of Open RAN, we introduce key architectural principles, interfaces, components and use-cases. Moreover, this work investigates potential security implications associated with adopting Open RAN architecture, emphasizing the necessity of robust network protection measures.

Dude, Where’s That Ship? Stealthy Radio Attacks Against AIS Broadcasts

This paper investigates stealthy radio attacks targeting Automatic Identification System (AIS) broadcasts in maritime environments. The authors demonstrate how adversarial manipulation of AIS signals can compromise ship tracking systems and navigation safety. The work includes practical evaluations of attack feasibility and proposes mitigation strategies for integrated bridge systems.

Implementation of OpenAPI Wireshark Dissectors to Validate SBI Messages of 5G Core Networks

This paper introduces a novel Wireshark dissector designed to facilitate the analysis of Service-Based Interface (SBI) communication in 5G Core Networks. Our approach involves parsing the OpenAPI schemes provided by the 5G specification to automatically generate the dissector code. Our tool enables the validation of 5G Core Network traces to ensure compliance with the specifications.

Measurements of Building Attenuation in 450 MHz LTE Networks

This work reports on a measurement study to estimate the attenuation of 450 MHz LTE networks. The LTE band 72 is currently deployed in Germany, in particular for smart grid applications. Due to this use-case, we assume that a significant number of future devices will be deployed stationary and indoors, which motivated our campaign. We designed a custom measurement device which uses commercial off-the-shelf hardware to assess the downlink RSRP of a public mobile network. In addition, software has been developed to give non-experts the possibility to conduct these measurements in the future. This software provides the possibility to determine the indoor position based on ground plans. We conducted measurements at three different buildings. Our results reveal that the building attenuation of 450 MHz LTE networks is highly heterogeneous and mainly depends on the type of the building, the indoor position and in particular the height of the floor where the device is located.

Security Vulnerabilities in 5G Non-Stand-Alone Networks: A Systematic Analysis and Attack Taxonomy

5G networks, pivotal for our digital mobile societies, are transitioning from 4G to 5G Stand-Alone (SA) networks. However, during this transition, 5G Non-Stand-Alone (NSA) networks are widely used. This paper examines potential security vulnerabilities in 5G NSA networks. Through an extensive literature review, we identify known 4G attacks that can theoretically be applied to 5G NSA. We organize these attacks into a structured taxonomy. Our findings reveal that 5G NSA networks may offer a false sense of security, as most security and privacy improvements are concentrated in 5G SA networks. To underscore this concern, we implement three attacks with severe consequences and successfully validate them on various commercially available smartphones. Notably, one of these attacks, the IMSI Leak, consistently exposes user information with no apparent security mitigation in 5G NSA networks. This highlights the ease of tracking individuals on current 5G networks.

Utilizing DNS and VirusTotal for Automated Ad-Malware Detection

Online advertising represents a main instrument for publishers to fund content on the World Wide Web. Unfortunately, a significant number of online advertisements often accommodate potentially malicious content, such as cryptojacking hidden in web banners – even on reputable websites. In order to protect Internet users from such online threats, the thorough detection of ad-malware campaigns plays a crucial role for a safe Web. Today, common Internet services like VirusTotal can label suspicious content based on feedback from contributors and from the entire Web community. However, it is open to what extent ad-malware is actually taken into account and whether the results of these services are consistent. In this pre-study, we evaluate who defines ad-malware on the Internet. In a first step, we crawl a vast set of websites and fetch all HTTP requests (particularly to online advertisements) within these websites. Then we query these requests both against popular filtered DNS providers and VirusTotal. The idea is to validate how much content is labeled as a potential threat. The results show that up to 0.47% of the domains found during crawling are labeled as suspicious by DNS providers and up to 8.8% by VirusTotal. Moreover, only about 0.7% to 3.2% of these domains are categorized as ad-malware. The overall responses from the used Internet services paint a divergent picture: All considered services have different understandings of the definition of suspicious content. Thus, we outline potential research efforts to the automated detection of ad-malware. We further bring up the open question of a common definition of ad-malware to the Web community.

Securing Wireless Communication in Critical Infrastructure: Challenges and Opportunities

Critical infrastructure increasingly relies on wireless communication, transitioning from dedicated private wired networks to heterogeneous wireless systems. This shift introduces unique security challenges due to the use of public/shared networks and resource-constrained devices. The paper systematically identifies key challenges in reliability, mobility, network/device limitations, and security requirements, while proposing a comprehensive set of solutions including lower-layer security mechanisms, end-to-end security optimizations, hardware-based device security, and context-aware network adaptation strategies.

A Modular Framework for Evaluating Smart Grid Communication Protocols over Mobile Networks

This paper introduces a modular framework to evaluate smart grid communication protocols (IEC 61850, IEC 60870-5-104, MQTT) over mobile networks like LTE-M. Our framework enables comparative analysis of protocol efficiency and cellular network impact through containerized substation emulators, SCADA applications, and network monitoring tools. Experimental results from 450 MHz LTE deployments reveal significant protocol-specific differences in uplink/downlink traffic patterns and radio resource utilization, providing actionable insights for smart grid operators.

Katti: An Extensive and Scalable Tool for Website Analyses

Katti is a comprehensive tool designed to address technical challenges in web crawling and analysis, particularly for security and privacy research. The tool enables large-scale website analyses by providing modular components for crawling, data processing, and visualization, while ensuring scalability and adaptability to diverse research needs. Its architecture supports extensibility through custom plugins and parallelized execution for efficient processing of complex website structures.

Bounds for the Scalability of TLS over LoRaWAN

Reliable and secure communication is needed to further digitize public infrastructure. LPWANs operating in license-exempt bands are a promising candidate. This work addresses the concept of a secure LPWAN by evaluating TLS over LoRaWAN. The overhead induced by TLS in combination with the duty cycle restrictions makes this combination challenging. In this work, upper bounds of the usage are compiled by estimating the number of full TLS handshakes under various conditions. An airtime model is verified and integrated into a tool to estimate possible bounds on the duty cycle. The results reveal that a bottleneck exists in the downlink which depends on the Spreading Factor of LoRa and the selected cipher suite.

EPF: An Evolutionary, Protocol-Aware, and Coverage-Guided Network Fuzzing Framework

This paper presents EPF, a network protocol fuzzing framework combining evolutionary algorithms, protocol state modeling, and coverage-guided feedback. The tool integrates Scapy-based protocol definitions with state transition graphs to systematically explore protocol implementations. By employing a simulated annealing-driven mutation strategy and AFL++-style instrumentation, EPF achieves deeper protocol state penetration compared to traditional fuzzers, as demonstrated through case studies on IEC 60870-5-104 implementations in critical infrastructure systems.

Path Loss in Urban LoRa Networks: A Large-Scale Measurement Study

Urban LoRa networks promise to provide a cost-efficient and scalable communication backbone for smart cities. One core challenge in rolling out and operating these networks is radio network planning, i.e., precise predictions about possible new locations and their impact on network coverage. Path loss models aid in this task, but evaluating and comparing different models requires a sufficiently …

Customized Software Environment for Remote Learning: Providing Students a Specialized Learning Experience

The Covid-19 pandemic has challenged educators across the world to move their teaching and mentoring to remote. During semesters at their institutes, educators can directly provide students the software environment needed to support their learning - either in specialized computer labs or shared computer spaces. But how does one provide a specialized software environment for remote teaching?