Workshop on Security and Privacy of Next-Generation Networks (FutureG) 2025 Program
Monday, 24 February
-
Moderator:
Arupjyoti (Arup) Bhuyan, Ph.D. Director, Wireless Security Institute, Idaho National Laboratory
Panelists:
Ted K. Woodward, Ph.D. Technical Director for FutureG, OUSD (R&E)
Phillip Porras, Program Director, Internet Security Research, SRI
Donald McBride, Senior Security Researcher, Bell Laboratories, Nokia
This panel aims to bring together various participants and stakeholders from government, industry, and academia to present and discuss recent innovations and explore options to enable recent 5G and anticipated key capabilities of interest to DoD in 6G securely. An expert panel will present its views and engage the attendees in discussions about the security and privacy of these future capabilities.
The workshop topics will include the following:
- 5G Device to device (D2D) aka “Sidelink” communication security
- Secure 5G Cellular Satellite Communication with Non Terrestrial Network (NTN)
- 6G Integrated Sensing and Communication (ISAC) security
- Additional advanced cellular communication capabilities of interest to DoD
-
Aishwarya Jawne (Center for Connected Autonomy & AI, Florida Atlantic University), Georgios Sklivanitis (Center for Connected Autonomy & AI, Florida Atlantic University), Dimitris A. Pados (Center for Connected Autonomy & AI, Florida Atlantic University), Elizabeth Serena Bentley (Air Force Research Laboratory)
As 5G networks expand to support increasingly complex and diverse applications, ensuring robust identification and authentication of user devices has become a critical requirement for physical layer security. This paper investigates the potential of machine learning techniques for radio frequency (RF) fingerprinting as a scalable solution for identifying and authorizing access to trusted user devices as well as detecting rogue user devices in 5G networks. Specifically, we evaluate the performance of three prominent deep learning architectures — ResNet, Transformer, and LSTM — across various configurations, including spectrogram and raw IQ slice inputs made from varying packet sizes. The results demonstrate that ResNet models, when paired with spectrogram inputs, achieve the highest classification accuracy and scalability, while effectively addressing challenges such as the Next-Day Effect. Contrary to existing works, which focus on training deep neural networks (DNNs) for device classification, we highlight the critical role of spectrograms in capturing distinct hardware impairments when used to train DNNs for RF fingerprint extraction. These RF fingerprints are then used to distinguish between trusted and rogue 5G devices, as well as for device classification and identification. By identifying the optimal configurations for these tasks and exploring their applicability to real-world datasets collected from an outdoor software-defined radio testbed, this paper provides a pathway for integrating AI-driven radio frequency fingerprinting for authentication of user devices in 5G and FutureG networks as a cornerstone for enhanced physical layer security.
-
Rupam Patir (University at Buffalo), Qiqing Huang (University at Buffalo), Keyan Guo (University at Buffalo), Wanda Guo (Texas A&M University), Guofei Gu (Texas A&M University), Haipeng Cai (University at Buffalo), Hongxin Hu (University at Buffalo)
The rapid evolution of software systems in 5G networks has heightened the need for robust security measures. Traditional code analysis methods often fail to detect vulnerabilities specific to 5G, particularly vulnerabilities stemming from complex protocol interactions. In this work, we explore the potential of LLM-assisted techniques in vulnerability detection and repair in open-source 5G implementations. We introduce a novel framework leveraging Chain-of-Thought (CoT) prompting in two phases: first, vulnerability detection based on 5G Vulnerability Properties (VPs); second, vulnerability repair guided by 5G Secure Coding Practices (SCPs). We conducted a case study on an open-source 5G User Equipment (UE) implementation that illustrates how our framework leverages vulnerability properties and SCPs to identify and remediate vulnerabilities. Our testing results indicate successful detection and repair, demonstrating the practicality and effectiveness of our approach. While challenges persist, including the identification of 5G-specific security properties and SCPs and the complexity of their integration, this study provides a foundation for advancing automated LLM-assisted solutions to strengthen the security of open-source 5G systems.
-
Dr. Yongdae Kim, Director, KAIST Chair Professor, Electrical Engineering and GSIS, KAIST
Despite known vulnerabilities in cellular networks, standardization bodies like GSMA and 3GPP have been reluctant to implement comprehensive security fixes, often claiming 'no one exploits these vulnerabilities'. To demonstrate real-world exploitability of these vulnerabilities, we present Cellular Metasploit, a penetration testing framework for cellular networks. This framework systematically catalogs and implements known attacks, providing essential security insights for future 6G design, security-enhanced 5G implementations, and safety-critical private networks. In this talk, I will demonstrate its capabilities and discuss how it can drive transparent security discussions in cellular network design.
Speaker's Biography: Yongdae Kim (IEEE Fellow) is a Professor in the Department of Electrical Engineering and the Graduate School of Information Security at KAIST, where he heads the Police Science and Technology Research Center. He received his PhD in Computer Science from the University of Southern California in 2002. From 2002 to 2012, he was a professor at the University of Minnesota - Twin Cities. At KAIST, he served as Chair Professor (2013-2016) and directed the Cyber Security Research Center (2018-2020). He has served as steering committee chair for NDSS (2024), program chair for ACM WiSec (2022), general chair for ACM CCS (2021), and associate editor for ACM TOPS. His research focuses on discovering and analyzing security vulnerabilities in emerging technologies, particularly drones, autonomous vehicles, and cellular networks.
-
Hyunwoo Lee (Ohio State University), Haohuang Wen (Ohio State University), Phillip Porras (SRI), Vinod Yegneswaran (SRI), Ashish Gehani (SRI), Prakhar Sharma (SRI), Zhiqiang Lin (Ohio State University)
The fifth-generation (5G) cellular network has advanced significantly, becoming a crucial component of modern communication. However, there are still many inherent security vulnerabilities in the 5G network standard, which calls for continuous research and development efforts. To this end, there are various open-source 5G software and public testbeds for 5G network testing and research. While those tools are valuable, users with limited expertise often struggle to deploy a 5G network and conduct sophisticated security testing with these platforms. To fill this gap, we introduce MOBIDOJO, the first virtual 5G security testing platform that supports one-click 5G deployment and security testing with web-based graphical user interfaces. MOBIDOJO is built on entirely virtual (i.e., no radio hardware required) open-source software - the OpenAirInterface’s 5G stack deployed as Docker containers, making it compatible with any commodity servers. Another critical capability of MOBIDOJO is its attack simulation plugins that allow users to execute existing attacks or create custom Packet Capture (PCAP)-based 5G attack payloads and test them within an isolated 5G test network. We anticipate MOBIDOJO could drive many valuable applications, including education, Capture-the-Flag (CTF) competitions, 5G security research, defense evaluation, etc., ultimately helping to improve the transparency and security of 5G networks.
-
Tolga O. Atalay (A2 Labs LLC), Tianyuan Yu (UCLA), Lixia Zhang (UCLA), Angelos Stavrou (A2 Labs LLC)
Cellular core networks are deployed as a set of Virtual Network Functions (VNFs) to dynamically provide customized connectivity for specific use cases. These VNFs are software-based applications whose trust management and security rely on well-established network domain solutions and certificate-based trust mechanisms. As VNFs are frequently redeployed, migrated, and scaled across a diverse ecosystem, the reliance on static trust solutions introduces bottlenecks and operational complexities. This approach to trust undermines the ability to ensure seamless, secure, and efficient interactions in a rapidly evolving cellular ecosystem. Addressing these challenges necessitates a fundamental shift toward an architectural foundation that inherently embeds security and trust into the communication fabric. Named Data Networking (NDN) offers such a foundation by focusing on data-centric security, where trust is embedded within the data itself rather than being dependent on external entities or channels. Leveraging named entities, NDN makes it possible to construct fine-grained trust relationships across cellular domains, tenants, and network slices. This paradigm shift enables the cellular core to move beyond static security solutions, providing a cohesive and scalable framework for managing trust in next-generation cellular networks. In this paper, we propose the adoption of the NDN network model to address the limitations of traditional approaches and achieve seamless security that evolves with the dynamic demands of 5G and beyond networks.
-
Tianchang Yang (Pennsylvania State University), Sathiyajith K S (Pennsylvania State University), Ashwin Senthil Arumugam (Pennsylvania State University), Syed Rafiul Hussain (Pennsylvania State University)
We present our work-in-progress on designing and implementing a black-box evolutionary fuzzer for REST APIs, specifically targeting 5G core networks that utilize a service-based architecture (SBA). Unlike existing tools that rely on static generation-based approaches, our approach progressively refines test inputs to explore deeper code regions in the target system. We incorporate a thorough analysis of the limited response message feedback available in black-box settings and employ a carefully crafted mutation method to generate effective state-aware test inputs. Evaluation of our current implementation has uncovered two previously unknown vulnerabilities in open-source 5G core network implementations, resulting in the assignment of two CVEs. Additionally, our approach already demonstrates superior performance compared to existing black-box fuzzing methods.
-
Hetvi Shastri (University of Massachusetts Amherst), Akanksha Atrey (Nokia Bell Labs), Andre Beck (Nokia Bell Labs), Nirupama Ravi (Nokia Bell Labs)
The recent emergence of decentralized wireless networks empowers individual entities to own, operate, and offer subscriptionless connectivity services in exchange for monetary compensation. While traditional connectivity providers have built trust over decades through widespread adoption, established practices, and regulation, entities in a decentralized wireless network, lacking this foundation, may be incentivized to exploit the service for their own advantage. For example, a dishonest hotspot operator can intentionally violate the agreed upon connection terms in an attempt to increase their profits. In this paper, we examine and develop a taxonomy of adversarial behavior patterns in decentralized wireless networks. Our case study finds that provider-driven attacks can potentially more than triple provider earnings. We conclude the paper with a discussion on the critical need to develop novel techniques to detect and mitigate adversarial behavior in decentralized wireless networks.
-
Xingqi Wu (University of Michigan-Dearborn), Junaid Farooq (University of Michigan-Dearborn), Yuhui Wang (University of Michigan-Dearborn), Juntao Chen (Fordham University)
The decentralized and modular architecture of open radio access networks (O-RAN) enhances flexibility and interoperability but introduces significant challenges in efficiently managing resource allocation. The disaggregation of network functions across distributed unit, centralized unit, and RAN intelligent controller (RIC) creates complexities in coordinating resources across multiple network slices, each with distinct and dynamic quality of service (QoS) requirements. Traditional machine learning (ML) approaches for resource management often rely on extensive offline training, which is impractical in the highly variable and real-time environments of O-RAN systems. This paper presents LLM-xApp, a novel large language model (LLM)-powered xApp framework for adaptive radio resource management in O-RAN systems. The proposed framework is based on intelligently prompting LLM agents to dynamically optimize resource allocation to different network slices. Experimental evaluations are conducted on the OpenAI Cellular (OAIC) platform showcasing significant improvements in average data rates as well as the reliability of the slices, demonstrating the potential of LLMs to enhance real-time decision-making in next-generation wireless networks.
-
K Sowjanya (Indian Institute of Technology Delhi), Rahul Saini (Eindhoven University of Technology), Dhiman Saha (Indian Institute of Technology Bhilai), Kishor Joshi (Eindhoven University of Technology), Madhurima Das (Indian Institute of Technology Delhi)
The A1 and R1 interfaces in Open Radio Access Networks (O-RAN) play crucial roles in facilitating RAN Intelligent Controller (RIC) communication within the RAN ecosystem. The A1 interface enables high-level policy communication between the Non-Real-Time RIC (Non-RT RIC) and the Near-Real-Time RIC (Near-RT RIC), while the R1 interface connects rApps with the Non-RT RIC to support intelligent RAN operations. Current implementations of both interfaces primarily rely on Transport Layer Security (TLS) to ensure secure communication and Role Based Access Control (RBAC) for authorization. However, the evolving landscape of cyber threats and the movement towards Zero-Trust Architecture (ZTA) demands more advanced security mechanisms. This paper explores the integration of Attribute-Based Encryption (ABE) as a security enhancement for both A1 and R1 communications. ABE offers fine-grained access control by leveraging attributes, providing greater security and flexibility compared to traditional methods. We present a comprehensive threat model, justify the adoption of ABE, and evaluate its advantages over existing solutions. Additionally, we propose a novel ABE-based framework tailored to the A1 and R1 interfaces, emphasizing its scalability, efficiency, and suitability for dynamic and distributed O-RAN environments.