Semantics Over Syntax: Uncovering Pre-Authentication 5G Baseband Vulnerabilities
Qiqing Huang, Xingyu Wang, Wanda Guo, Guofei Gu, Hongxin Hu

TL;DR
This paper shows that 5G user equipment can be driven into invalid states by RRC messages that are syntactically valid yet semantically inconsistent, delivered before authentication and integrity protection are in place. It presents ConSeT, a constraint-guided framework that generates such messages from specification-level constraints and uses it to find crashes and assertion failures in commercial and open-source basebands.
Contribution
The paper introduces ConSeT (Constraint-Guided Semantic Testing), a framework that extracts specification-level field constraints and cross-field dependencies and uses them to systematically generate 5G RRC messages that pass syntactic decoding but violate those constraints, in order to find vulnerabilities in UE baseband implementations.
Findings
Discovered 7 previously unknown vulnerabilities in commercial smartphones, including 3 high-severity CVEs.
Triggered 29 distinct crash sites in an open-source 5G UE implementation.
The affected basebands ship in over 542 smartphone models and 64 chipset variants.
Abstract
Modern 5G user equipment (UE) processes Radio Resource Control (RRC) configuration messages during early control-plane exchanges, before authentication and integrity protection are established. Prior work on testing 5G UEs has largely focused on constructing syntactically invalid inputs. In contrast, we show that syntactically valid but semantically inconsistent messages, which violate specification-level field constraints or cross-field dependencies, can drive baseband implementations into invalid states, triggering assertion failures or modem crashes. These findings reveal semantic inconsistencies in pre-authentication signaling as a critical yet underexplored attack surface in 5G UE implementations. To address this gap, we present Constraint-Guided Semantic Testing (ConSeT), a framework that systematically extracts specification-level constraints and leverages them to generate…
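The distinction the abstract draws, between a message that decodes cleanly and a message that is consistent with the specification, is easy to lose in prose. The following Python is an added illustration written for this page, not code from the paper or from ConSeT. It models a toy configuration message with per-field ranges (what a schema decoder enforces) and separate cross-field constraints (what the specification requires), then derives, for each constraint, a mutant that stays in range for every field yet violates exactly that constraint. The field names, ranges and constraints are constructed for the example and are not taken from the 3GPP RRC specification.

```python
"""Constraint-guided semantic mutation of a toy configuration message.

Added example, not ConSeT code. The schema and constraints below are
hypothetical and are NOT taken from 3GPP TS 38.331 or any real UE.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple

# Per-field syntactic ranges: what an ASN.1-style decoder checks.
# (Hypothetical fields; chosen only to make the example concrete.)
FIELD_RANGES: Dict[str, Tuple[int, int]] = {
    "period": (1, 160),     # periodicity, in slots
    "offset": (0, 159),     # offset within one period
    "num_entries": (0, 8),  # declared length of entry_ids
    "max_id": (0, 31),      # highest identifier the peer may use
}


@dataclass(frozen=True)
class ConfigMessage:
    period: int
    offset: int
    num_entries: int
    max_id: int
    entry_ids: Tuple[int, ...]


def syntactically_valid(msg: ConfigMessage) -> bool:
    """Field-by-field range check only.

    Each scalar must lie inside its declared range and each list element
    inside the id domain. This says nothing about how fields relate to
    one another, which is exactly the gap semantic testing targets.
    """
    for name, (lo, hi) in FIELD_RANGES.items():
        if not lo <= getattr(msg, name) <= hi:
            return False
    id_hi = FIELD_RANGES["max_id"][1]
    return all(0 <= e <= id_hi for e in msg.entry_ids)


# Cross-field constraints, i.e. the "specification-level" semantics.
# Each predicate returns True when the message satisfies the constraint.
CONSTRAINTS: Dict[str, Callable[[ConfigMessage], bool]] = {
    "offset_lt_period": lambda m: m.offset < m.period,
    "len_matches_count": lambda m: len(m.entry_ids) == m.num_entries,
    "ids_within_max": lambda m: all(e <= m.max_id for e in m.entry_ids),
}


def semantic_violations(msg: ConfigMessage) -> List[str]:
    """Names of the cross-field constraints the message violates."""
    return [name for name, pred in CONSTRAINTS.items() if not pred(msg)]


def generate_semantic_mutants(seed: ConfigMessage) -> Dict[str, ConfigMessage]:
    """For each constraint, find a single-field mutation of the seed that
    (a) still passes the syntactic range check and (b) violates exactly
    that one constraint. Fields are swept over their full declared range,
    so every candidate is, by construction, something a decoder accepts.
    """
    found: Dict[str, ConfigMessage] = {}
    for cname in CONSTRAINTS:
        for field, (lo, hi) in FIELD_RANGES.items():
            for value in range(lo, hi + 1):
                cand = replace(seed, **{field: value})
                if syntactically_valid(cand) and semantic_violations(cand) == [cname]:
                    found[cname] = cand
                    break
            if cname in found:
                break
    return found


# Constructed seed: a message that is both syntactically and semantically valid.
SEED = ConfigMessage(period=40, offset=8, num_entries=2, max_id=15, entry_ids=(3, 7))


def classify(msg: ConfigMessage) -> str:
    """Bucket a message the way a tester would triage decoder behaviour."""
    if not syntactically_valid(msg):
        return "syntax_invalid"
    return "semantic_invalid" if semantic_violations(msg) else "valid"


if __name__ == "__main__":
    for name, mutant in generate_semantic_mutants(SEED).items():
        print(f"{name:18s} -> {classify(mutant):16s} {mutant}")
```

The point of sweeping a field over its declared range rather than picking an out-of-range value is that every mutant survives the decoder and reaches the handler logic, which is where the paper locates the crashes. A real harness would pull the ranges and the constraints from the specification rather than from hand-written tables.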
