Research
We drive innovation in privacy and security for cellular technologies alongside leading research institutions.
- Research06.29.26 · Mijin Shin, Wooram Park, Sangwook Bae, CheolJun Park, Seongmin Kim
Accountable Cross-Operator 5G Charging via TEEs
Presented at Wisec 2026. The 5G core network's control plane operates under a trust-based model. While sufficient for single-operator deployments, the model breaks down in cross-operator settings. In this work, we revisit this trust assumption from a charging accountability perspective. We identify key attack surfaces in cross-operator charging workflows by analyzing charging-relevant operations across network functions, where visibility is inherently limited. We derive design goals for accountable charging, outline a Trusted Execution Environment (TEE)-based approach that enables verifiable execution of charging-critical functions, develop a roaming testbed using Open5GS integrated with an online charging system, and conduct a preliminary evaluation of the TEE-based approach by measuring its overhead on charging-critical operations.
- Research05.19.26 · Taekkyung Oh, Duckwoo Kim, Hansung Bae, Beomseok Oh, CheolJun Park, Tyler Tucker, Nathaniel Bennett, Sangwook Bae, Byeongdo Hong, Patrick Traynor, Yongdae Kim
Devilray: A Systematic Adversarial Model Revealing Blind Spots in Fake Base Station Detection
Barriers to accessing commercial fake base stations (C-FBS) have limited visibility into real-world operation and forced detection systems to be designed around self-built prototypes. In this paper, we present Devilray, a reconfigurable baseline designed to explore the realistic adversarial space and identify blind spots in current detection. Devilray enables the systematic exploration of 2,592 feasible and realistic FBS instances, capturing a wide range of operational possibilities. Using Devilray, we evaluate seven FBS detectors and uncover coverage gaps across all seven, revealing blind spots rooted in assumption-bound design and evaluation.
- Research06.30.25 · Maurice Zhang, Stephen Dowhy, John Doyle, David Dunn, Joel Cornett, Sangwook Bae
When Diameter Firewall Meets User Devices
A Diameter firewall is essential for mobile operators to protect their subscribers, as Diameter networks lack end-to-end authentication and heavily rely on trust among partner operators. This poster introduces a user-interactive Diameter firewall, which incorporates user engagement by allowing subscribers to confirm suspicious attach requests.
- Research02.03.25 · Sangwook Bae
Cell Site Simulators at the DNC: Collaborating with EFF to Improve Detection
Cape worked with The Electronic Frontier Foundation (EFF) on research and advancements in Cell Site Simulator (CSS) detection to develop the EFF's Rayhunter tool. By reanalyzing wireless signal data collected during the event, Rayhunter was able to detect irregular control plane data flow indicative of a CSS.
- Research12.04.24 · Taekkyung Oh, Sangwook Bae, Junho Ahn, Yonghwa Lee, Tuan Dinh Hoang, Min Suk Kang, Nils Ole Tippenhauer, Yongdae Kim
Enabling Physical Localization of Uncooperative Cellular Devices
Presented at Mobicom 2024. Authorities may need to physically locate user devices to track criminals or illegal equipment by monitoring uplink signals with cellular operator assistance. This research introduces the Uncooperative Multiangulation Attack (UMA), which overcomes key challenges in tracking uncooperative cellular devices by forcing continuous transmission, maximizing signal strength, and distinguishing target signals from repeaters.
- Research06.28.23 · Tuan Dinh Hoang, CheolJun Park, Mincheol Son, Taekkyung Oh, Sangwook Bae, Junho Ahn, BeomSeok Oh, Yongdae Kim
LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper
Presented at Wisec 2023. LTE sniffers are important for security and performance analysis because they can passively capture the wireless traffic of users. However, existing LTE sniffers are limited and cannot decode data traffic. This paper introduces LTESNIFFER, the first open-source LTE sniffer that can passively decode uplink and downlink data traffic. We evaluated the performance of LTESNIFFER on both testbed and commercial network environments, and compared LTESNIFFER with AirScope, a popular commercial LTE sniffer.
- Research04.27.23 · Beomseok Oh, Junho Ahn, Sangwook Bae, Mincheol Son, Yonghwa Lee, Minsuk Kang, Yongdae Kim
Preventing SIM Box Fraud Using Device Model Fingerprinting
Presented at NDSS 2023. SIM boxes play a critical role in international-scale frauds that steal billions of dollars from individuals and MNOs across the globe. In this paper, we propose an access control logic that detects when unauthorized SIM boxes use cellular networks for communication using precise fingerprinting to distinguish device models and types, without relying on IMEI, which can be spoofed easily.
RESEARCH COLLABORATORS

A leading nonprofit defending privacy, free expression, and digital rights in the digital world.
Breakerspace, led by Dave Levin, researches next-gen network and systems security—earning recognition like the Internet Defense Prize.

The Air Force's research arm advances cutting-edge technologies, including cybersecurity and national defense systems.