By Keith Page
Release Date: May 11, 2026
BUFFALO, N.Y. – New research led by the University at Buffalo has uncovered security flaws in more than 540 5G smartphone models worldwide that could allow attackers to disrupt service by exploiting a brief gap before devices confirm that a network connection is legitimate.
“Every time you make a call, send a text or stream video on a 5G smartphone, the device exchanges a rapid series of configuration messages with a nearby cell tower, some of which are processed prior to the phone verifying the tower’s authenticity,” said lead research investigator Hongxin Hu, PhD, professor and associate department chair in UB’s Department of Computer Science and Engineering. “Our team found that this process creates an opening for malicious interference, exposing vulnerabilities that affect smartphones from every major manufacturer.”
To address this risk, Hu and collaborators from UB and Texas A&M University developed an AI-driven testing framework called CONSET (Constraint-Guided Semantic Testing) that detects these hidden weaknesses and helps manufacturers fix them before they can be exploited.
The 5G standard that governs how phones talk to cell towers was developed by the 3rd Generation Partnership Project (3GPP) and spans thousands of pages of technical specifications. Within those documents are detailed rules describing how different parts of a phone’s configuration messages are supposed to work together. When those relationships aren’t implemented correctly in device software, subtle logic errors can slip through the traditional testing methods used by manufacturers.
“In the past, testing often focused on crashing or disrupting phones by sending garbled or malformed messages. That’s essentially the digital equivalent of shouting nonsense,” Hu said. “Our approach with CONSET is different. We send messages that look normal on the surface but contain carefully crafted contradictions that violate the specification’s own rules.”
CONSET relies on a large language model (LLM), the same class of AI technology behind tools like ChatGPT, to read and interpret the 3GPP standards. The model extracts requirements from the standards’ natural-language sections, converts them into machine-checkable rules and generates targeted test cases to reveal hidden vulnerabilities.
Using the AI framework, the researchers uncovered seven new vulnerabilities in commercial 5G smartphones, including three classified by industry as high severity. The confirmed flaws affect 64 modem chipsets – the components that handle cellular communication – used in 542 smartphone models. According to Hu, many of these flaws are buried in the gap between what the 5G standards require and how a device’s software interprets them.
The research team evaluated CONSET on eight commercial 5G smartphones across four major chipset families, delivering test messages wirelessly in a controlled laboratory setting. On devices with MediaTek and Qualcomm chipsets, the crafted messages triggered modem crashes and connection failures. In many cases, affected phones could not reconnect to the network without a manual reboot.
MediaTek assigned three high-severity Common Vulnerabilities and Exposures (CVEs) and released patches. Qualcomm confirmed several findings, with additional issues under review. For their efforts, the researchers received $16,000 in combined bug bounty awards, which are payments companies offer for responsibly reporting security flaws.
“An attacker using inexpensive radio equipment could set up a fake cell tower and crash nearby phones, cutting off calls, data and even emergency communications,” Hu said. “The good news is that, because we followed responsible disclosure practices, manufacturers were able to patch the vulnerabilities before they could be misused.”
The team also tested CONSET on an open-source 5G platform, where it identified 29 distinct crash points and produced detailed traces to guide developer fixes. Four of those issues have already been resolved, with additional remediation underway.
More recently, the team discovered additional baseband system vulnerabilities affecting Apple and Google devices and is working with both companies to address them.
The team’s study, “Semantics Over Syntax: Uncovering Pre-Authentication 5G Baseband Vulnerabilities,” was recently accepted to the 35th USENIX Security Symposium, one of the world’s leading academic conferences on computer and information security, which will be held later this summer in Baltimore.
The Global System for Mobile Communications Association has also formally acknowledged the team’s responsible disclosure and its contributions to strengthening the security of the global mobile ecosystem.
“5G is the backbone of our connected world, from consumer smartphones to critical infrastructure,” Hu said. “This work shows that AI can play an important role in making that backbone more secure.”
In addition to Hu, co-authors include UB PhD students Qiqing Huang and Xingyu Wang, as well as Wanda Guo and Guofei Gu of Texas A&M University. The work was supported in part by the National Science Foundation.