A comprehensive curated list of resources for 2G/3G/4G/5G cellular security research and analysis
This repository consolidates community knowledge in the cellular security space, including exploits, research papers, tools, and educational resources. The goal is to preserve and organize important security research that might otherwise become difficult to find.
Disclaimer: This information is intended for educational and defensive security research purposes only. Use responsibly and in compliance with applicable laws and regulations.
- Getting Started
- Rogue Base Stations
- Recent Updates (2024-2025)
- Software and Tools
- Hardware Setup
- Testing and Research Methodologies
- Attack Vectors
- Conference Talks
- Research Papers
- Equipment and Hardware
- Detection and Defense
- Cellular IoT and NB-IoT Security
- Satellite-Cellular Integration
- Private 5G Network Security
- Network Slicing and Edge Security
- Automotive and Industrial Cellular
- Forensics and Investigation
- Vulnerability Disclosure
- SIM Security
- SS7 and Telecom Infrastructure
- Surveillance Technology
- Recent CVEs and Updates
- International Research
- Training and Education
- Vendor-Specific Research
- Roaming and Interconnect Security
- Community
- Resources
New to cellular security research? This section outlines the recommended path for building foundational skills.
Beginner (passive listening only)
- Hardware: RTL-SDR V3 or V4 ($35-$40), a laptop running Linux
- Software: GNU Radio, GQRX, gr-gsm
- First project: Scan and decode GSM frames passively using gr-gsm and Wireshark
- Reading: NIST SP 800-187 LTE Security Guide
Intermediate (active research lab)
- Hardware: HackRF One or LimeSDR Mini ($139-$350), programmable SIM cards (sysmoUSIM), a spare Android device
- Software: srsRAN 4G, Open5GS or Free5GC, OsmocomBB
- First project: Build a private LTE network in a Faraday cage and connect a test device
- Reading: srsRAN documentation, Open5GS tutorials
Advanced (protocol fuzzing and baseband research)
- Hardware: USRP B210 or BladeRF 2.0, multiple test devices
- Software: 5GBaseChecker, LTEFuzz, BaseBridge, SigPloit
- Focus areas: Baseband fuzzing, RAN-Core interface testing, SS7/Diameter signaling
- Linux host (Ubuntu 22.04 or 24.04 recommended)
- UHD drivers installed and device recognized (`uhd_find_devices`)
- Faraday cage or RF shielding for active transmissions
- Programmable SIM cards (sysmoUSIM-SJA2 or similar)
- Dedicated test devices (not your daily driver)
- Isolated network environment (no production network access)
- 3GPP Architecture Overview: how UE, eNodeB, MME, SGW, PGW fit together
- IMSI, IMEI, TMSI: subscriber identity fundamentals
- AKA Protocol: how authentication works in LTE
- How To Build Your Own Rogue GSM BTS For Fun and Profit
  Guide to creating a portable GSM BTS for private networks or security testing. Covers technical setup using relatively inexpensive hardware.
- How to Create an Evil LTE Twin / LTE Rogue BTS
  Tutorial for setting up a 4G/LTE Evil Twin base station using srsRAN and USRP SDR devices.
- Practical Attacks Against GSM Networks: Impersonation
  Detailed analysis of GSM base station impersonation using SDR and open source tools.
- Tutorial: Analyzing GSM with Airprobe and Wireshark
  Step-by-step guide for using RTL-SDR to analyze GSM signals with GR-GSM/Airprobe and Wireshark.
- GSM/GPRS Traffic Interception for Penetration Testing
  NCC Group research on GSM/GPRS interception capabilities for penetration testing engagements.
- RANsacked: 100+ Flaws in LTE and 5G Implementations — University of Florida / NC State, Jan 2025
  Researchers disclosed 119 vulnerabilities (97 CVEs) across seven LTE and three 5G implementations including Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, srsRAN. Every flaw can be used to persistently disrupt city-wide cellular communications. Some require no SIM card — a single unauthenticated packet can crash an MME or AMF.
- CITesting: Context Integrity Violations in LTE Core Networks — KAIST, ACM CCS 2025 (Distinguished Paper)
  KAIST researchers identified a new class of uplink attacks against LTE core networks. Unlike traditional downlink attacks, these work through legitimate base stations and can affect anyone in the same MME coverage area. All four tested implementations (Open5GS, srsRAN, Amarisoft, Nokia) were vulnerable.
- Uncovering Hidden Paths in 5G: Protocol Tunneling and Network Boundary Bridging — ACM CCS 2025
  New research on exploiting protocol tunneling in 5G networks to cross network boundaries and reach components that should be isolated.
- BaseBridge: Over-the-Air and Emulation Testing for Cellular Baseband Firmware — IEEE S&P 2025
  Bridges the gap between over-the-air and emulation-based testing for cellular baseband firmware analysis.
- 5G Network Slicing: Security Challenges, Attack Vectors, and Mitigation — PMC, July 2025
  Comprehensive classification of attacks across orchestration, virtualization, and inter-slice communication layers in 5G.
- Survey on 5G Physical Layer Security Threats and Countermeasures — MDPI Sensors, 2024
  In-depth review of PHY layer attack surface in 4G/5G: jamming, spoofing, eavesdropping, pilot contamination, and current SDR-based research tooling.
- OpenBTS 2024 Reloaded — Updated for modern UHD drivers and Ubuntu 22.04/24.04
- OpenAirInterface (OAI) — Complete 3GPP Release-15+ implementation with active 5G development
- LimeNET CrowdCell — Network-in-a-box with integrated LimeSDR for small cell deployments
- Amarisoft LTEENB/gNB — Professional-grade LTE/5G NR base station software
- DragonOS — Ubuntu-based SDR distro with cellular tools pre-installed
- Magma Core Network — Meta's distributed packet core, now under the Linux Foundation
- 5GBaseChecker — Automated 5G baseband vulnerability detection tool
| Software | Description | Link |
|---|---|---|
| OpenBTS (2024 Reloaded) | Updated Linux SDR-based GSM air interface for modern systems | GitHub |
| OpenBTS (Original) | Range Networks implementation | SourceForge |
| YateBTS | GSM/GPRS radio access network implementation | Website |
| srsRAN Project | Open-source 5G O-RAN CU/DU software suite | GitHub |
| srsRAN 4G | Open-source 4G software radio suite | GitHub |
| OpenAirInterface | Complete 4G/5G protocol stack | Website |
| Free5GC | Open-source 5G core network implementation | GitHub |
| Kamailio | Open-source SIP server used in IMS/VoLTE labs | Website |
- LTE-Cell-Scanner — LTE cell detection and analysis
- gr-gsm — GSM analysis with GNU Radio
- IMSI-Catcher Detector — Android app for detecting IMSI catchers
- QCSuper — Capture 2G-4G traffic using Qualcomm phones
- 5GBaseChecker — Automated 5G baseband vulnerability detection (Penn State, 2024)
- FALCON LTE — Fast analysis of LTE control channels in real-time
- Kalibrate — GSM base station scanner and frequency calibration
- LTE Sniffer — Open-source LTE downlink/uplink eavesdropper
- OsmocomBB — Free firmware for mobile phone baseband processors
- Modmobmap — Mobile network mapping
- Modmobjam — Mobile jamming research tool
- CITesting — Systematic testing of context integrity violations in LTE core networks (KAIST, 2025)
- SigPloit — SS7/Diameter/GTP/SIP signaling security testing framework
- LTEFuzz — LTE protocol fuzzer from KAIST, predecessor to CITesting; generates malformed NAS/RRC messages
- Crocodile Hunter — EFF open-source tool for detecting rogue cell towers by wardriving
- SCAT — Signaling Collection and Analysis Tool; captures diagnostic logs from Qualcomm and Samsung basebands
- ss7map — SS7 network exposure mapping by P1 Security
- Diameter EAP Tool (DET) — Diameter protocol fuzzing and testing
- Osmocom Suite — Complete open-source GSM/GPRS stack: osmo-nitb, osmo-bts, osmo-sgsn, osmo-msc and more
```bash
# Add Ettus Research repository
sudo add-apt-repository ppa:ettusresearch/uhd
sudo apt-get update
# Install UHD drivers and tools (libuhd-dev pulls in the matching runtime library)
sudo apt-get install libuhd-dev uhd-host
# Find connected devices
uhd_find_devices
# Download firmware images (needs root to write the system image directory)
sudo uhd_images_downloader
# Test device connection
sudo uhd_usrp_probe
```

| Hardware | Frequency Range | Bandwidth | Price Range | Use Case | Link |
|---|---|---|---|---|---|
| Ettus Research (USRP) | |||||
| USRP B210 | 70 MHz - 6 GHz | 61.44 MHz | $2,100 | Professional development, 2x2 MIMO | Ettus |
| USRP B200mini | 70 MHz - 6 GHz | 61.44 MHz | $775 | Compact USRP B-series | Ettus |
| USRP N210 | DC - 6 GHz | 25 MHz | $1,700 | High-performance networked SDR | Ettus |
| USRP N320 | 1 MHz - 6 GHz | 200 MHz | $8,000 | Networked 2x2 MIMO | Ettus |
| USRP X310 | DC - 6 GHz | 160 MHz | $6,000 | High-performance desktop/rack | Ettus |
| USRP X410 | 1 MHz - 7.2 GHz | 400 MHz | $15,000 | Latest high-performance 4x4 MIMO | Ettus |
| USRP X440 | 30 MHz - 4 GHz | 1.6 GHz | $25,000+ | Latest 8x8 MIMO RFSoC platform | Ettus |
| USRP E320 | 70 MHz - 6 GHz | 56 MHz | $4,000 | Embedded 2x2 MIMO SDR | Ettus |
| Nuand (BladeRF) | |||||
| BladeRF 2.0 xA4 | 47 MHz - 6 GHz | 61.44 MHz | $420 | Budget 2x2 MIMO development | Nuand |
| BladeRF 2.0 xA9 | 47 MHz - 6 GHz | 61.44 MHz | $720 | High FPGA resources, 2x2 MIMO | Nuand |
| BladeRF x40 (Legacy) | 300 MHz - 3.8 GHz | 40 MHz | $400 | Entry-level legacy model | Nuand |
| Great Scott Gadgets | |||||
| HackRF One | 1 MHz - 6 GHz | 20 MHz | $350 | Budget TX/RX development | GSG |
| YARD Stick One | 300-348, 391-464, 782-928 MHz | 2.5 MHz | $110 | Sub-GHz IoT frequencies | GSG |
| Lime Microsystems | |||||
| LimeSDR USB | 100 kHz - 3.8 GHz | 61.44 MHz | $289 | Open-source 2x2 MIMO | Lime Micro |
| LimeSDR Mini | 10 MHz - 3.5 GHz | 30.72 MHz | $139 | Compact LimeSDR variant | Lime Micro |
| LimeSDR Mini 2.0 | 10 MHz - 3.5 GHz | 30.72 MHz | $169 | Updated with ECP5 FPGA | Lime Micro |
| LimeSDR X3 | Various bands | Up to 61.44 MHz | $3,000+ | Professional 3x transceiver PCIe | Lime Micro |
| Analog Devices | |||||
| PlutoSDR | 325 MHz - 3.8 GHz | 20 MHz | $150 | Education and learning platform | Analog Devices |
| RTL-SDR Blog | |||||
| RTL-SDR V3 | 500 kHz - 1.75 GHz | 3.2 MHz | $35 | Ultra-budget RX-only scanner | RTL-SDR |
| RTL-SDR V4 | 500 kHz - 1.75 GHz | 3.2 MHz | $40 | Latest with R828D tuner | RTL-SDR |
| Airspy | |||||
| Airspy R2 | 24 MHz - 1.8 GHz | 10 MHz | $200 | High-performance VHF/UHF scanner | Airspy |
| Airspy Mini | 24 MHz - 1.8 GHz | 6 MHz | $99 | Compact Airspy in dongle format | Airspy |
| Airspy HF+ Discovery | 9 kHz - 31 MHz, 60-260 MHz | 768 kHz | $169 | Dedicated HF reception | Airspy |
| SDRplay | |||||
| RSP1A | 1 kHz - 2 GHz | 10 MHz | $119 | Wideband general purpose | SDRplay |
| RSPdx | 1 kHz - 2 GHz | 10 MHz | $299 | Professional features, dual antenna | SDRplay |
| Red Pitaya | |||||
| STEMlab 125-14 | DC - 60 MHz | 50 MHz | $600 | HF transceiver, lab instrument | Red Pitaya |
| STEMlab 122-16 | DC - 50 MHz | Variable | $625 | High-resolution HF SDR/scope | Red Pitaya |
| Issue | Possible Causes |
|---|---|
| Device not detected | Improper firmware, USB connection issues |
| Poor signal quality | Incorrect antennas, wrong frequency configuration |
| Connection failures | Wrong SIM, incorrect MCC/MNC codes |
| Performance issues | Virtualized platform limitations, wrong SDR firmware |
- Budget-Friendly Baseband Fuzzing Setup — DefCon 32, Janne Taponen
  Covers building cost-effective baseband fuzzing rigs using SDRs, using LLMs to accelerate protocol parser development, and testing automotive ECUs, payment terminals, and mobile devices.
- RANsacked Fuzzing Framework — University of Florida / NC State, ACM CCS 2024
  Domain-informed fuzzing approach targeting RAN-Core interfaces. Discovered 119 vulnerabilities across ten network implementations.
- BaseBridge — IEEE S&P 2025
  Framework that bridges over-the-air and emulation-based testing for cellular baseband firmware.
- 5GBaseChecker — Automated 5G baseband vulnerability detection
- CITesting — Context integrity violation testing for LTE core networks
- certmitm — TLS implementation testing tool
From NIST SP 800-187:
- Smart Jamming — Targeted channel interference timed to avoid detection
- Dumb Jamming — Broadband noise across frequency ranges
- UE Interface Jamming — Preventing UE signaling to eNodeB
- eNodeB Interface Jamming — Disrupting base station communications
- Privacy Attacks on 4G/5G Paging Protocols — NDSS 2019
- European 5G Security in the Wild — 2023
- 5G Threat Modeling Framework
- ENISA 5G Threat Landscape
- 5GReasoner Analysis Framework
- 5G NR Jamming, Spoofing, and Sniffing
- New Privacy Threat on 3G, 4G, and 5G AKA Protocols
- Insecure Connection Bootstrapping in Cellular Networks
- Protecting 4G and 5G Cellular Paging Protocols
- Uncovering Hidden Paths in 5G: Protocol Tunneling — ACM CCS 2025
- 5G Network Slicing Attack Classification — MDPI, July 2025
- LTRACK: Stealthy Mobile Phone Tracking — USENIX Security 2022
- Detecting Fake 4G Base Stations in Real Time — Black Hat 2020
- BaseSAFE: Baseband Fuzzing
- LTE Public Warning System Attacks
- Signal Overshadowing Attacks — USENIX Security 2019
- Breaking LTE on Layer Two
- LTE/LTE-A Jamming, Spoofing, and Sniffing
- LTE Protocol Exploits
- Practical Attacks Against Privacy and Availability
- LTE Security Assessment
- LTE Security Disabled: Misconfiguration in Commercial Networks
- All The 4G Modules Could Be Hacked — Black Hat 2019
- Paging Storm Attacks Against 4G/LTE Networks
- Analysis of the LTE Control Plane — IEEE S&P 2019
- Baseband Attacks: Remote Exploitation of Memory Corruptions — WOOT 2012
- CITesting: Context Integrity Violations in LTE Core Networks — ACM CCS 2025 (Distinguished Paper)
- New Vulnerabilities in 4G and 5G Cellular Access Network Protocols — WiSec 2019
- CITesting: Systematic Testing of Context Integrity Violations in LTE Core Networks — KAIST (Distinguished Paper)
  New class of uplink attacks against LTE core networks that work through legitimate base stations — no rogue BTS required. All four tested implementations were vulnerable, including commercial systems from Nokia and Amarisoft.
- Uncovering Hidden Paths in 5G: Exploiting Protocol Tunneling and Network Boundary Bridging
  Demonstrates how attackers can use protocol tunneling to traverse network boundaries and reach isolated 5G components.
- BaseBridge: Bridging Over-the-Air and Emulation Testing for Cellular Baseband Firmware
  New framework for cellular baseband firmware security testing that combines emulation and OTA testing approaches.
- 5G Baseband Vulnerabilities — Penn State University
  Researchers disclosed 12 vulnerabilities in 5G basebands from Samsung, MediaTek, and Qualcomm, affecting devices from Google, OPPO, OnePlus, Motorola, and Samsung. Accompanied by the release of the 5GBaseChecker tool.
- Economizing Mobile Network Warfare: Budget-Friendly Baseband Fuzzing — Janne Taponen
  Making baseband fuzzing accessible with affordable SDR hardware. Covers LLM-assisted protocol parser development and vulnerability discovery across automotive ECUs, payment terminals, and cellular modems.
- NSA PLAYSET GSM — DEF CON 22
- VoLTE Phreaking — Ralph Moonen
- RF Exploitation: IoT/OT Hacking with SDR — HITB 2019
- Bye-Bye IMSI Catchers: Security Enhancements in 5G — HITB 2018
- Side Channel Attacks in 4G and 5G — Black Hat Europe 2019
- Dirty Use of USSD Codes in Cellular Networks — TROOPERS 2013, Ravi Borgaonkar
- Hacking LTE Public Warning Systems — HITB 2019
- CITesting: Systematic Testing of Context Integrity Violations in LTE Core Networks — ACM CCS 2025 (Distinguished Paper Award)
  KAIST's CITesting tool runs thousands of test cases against LTE core implementations, dwarfing the 31-case coverage of prior tooling (LTEFuzz). All four tested implementations contained CIV vulnerabilities.
- Uncovering Hidden Paths in 5G: Protocol Tunneling and Network Boundary Bridging — ACM CCS 2025
- 5G Network Slicing: Security Challenges, Attack Vectors, and Mitigation Approaches — MDPI, July 2025
- Starshields for iOS: Navigating the Security Cosmos in Satellite Communication — NDSS 2025
  First comprehensive security analysis of Apple's satellite communication features. Researchers reverse-engineered the proprietary protocol, demonstrated restriction bypasses, and built a simulation testbed covering Emergency SOS, Find My, roadside assistance, and iMessage over satellite.
- RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces — ACM CCS 2024
  119 vulnerabilities, 97 CVEs, across ten implementations. Any one of them enables city-wide disruption of cellular communications.
- Survey on 5G Physical Layer Security Threats and Countermeasures — MDPI Sensors 2024
  Comprehensive review of PHY-layer attack surface covering eavesdropping, jamming, spoofing, pilot contamination, and SDR-based research frameworks.
- 5GBaseChecker Tool Release — Penn State University
  Open-source tool for detecting vulnerabilities in 5G baseband implementations. Used to find 12 critical bugs in Samsung, MediaTek, and Qualcomm chipsets.
- Privacy Attacks on 4G/5G Paging Protocols — NDSS 2019
- New Vulnerabilities in 4G and 5G Cellular Access Network Protocols — WiSec 2019
  Three new attack classes exploiting unprotected device capability information: identification, bidding-down, and battery drain.
| Component | Purpose | Link |
|---|---|---|
| Ettus USRP B210 | Software Defined Radio | Product Page |
| srsENB | 4G/5G Base Station Software | GitHub |
| Open5GS | 5G Core Network | GitHub |
| sysmo-usim-tool | SIM Programming | Project Page |
| pysim | SIM Analysis Tool | GitHub |
| CoIMS | VoLTE Testing | Play Store |
| Docker Open5GS | Containerized Core | Tutorial |
- CellGuard — SEEMOO Lab, 2024
  iOS app that detects rogue base stations by analyzing baseband packets in real-time. Integrates with the Apple Cell Location Database for anomaly detection. Website — TestFlight Beta
- SeaGlass: City-Wide IMSI-Catcher Detection — UW
- SeaGlass Research Paper — PETS 2017
- Evaluating IMSI Catcher Detectors — Oxford
- IMSI-Catcher Detector (Android)
- NB-IoT Security Analysis Framework — Narrowband IoT security research
- Cat-M1/LTE-M Attack Vectors — GSMA IoT security guidelines
- Monitoring 5G Core Networks Vulnerabilities With eBPF — IEEE Networking Letters 2025
- Starshields for iOS: Satellite Communication Security — NDSS 2025
- 3GPP Non-Terrestrial Networks (NTN) Security — Official 5G satellite integration specs
- LEO Satellite Cellular Vulnerabilities — Low Earth Orbit security research
- O-RAN Security Research — Open RAN security specifications
- Private 5G Penetration Testing Guide — Enterprise private network testing
- Campus 5G Security Assessment — NIST private 5G security guidance
- 5G Network Slicing Attack Research — MDPI, July 2025
- Multi-Access Edge Computing (MEC) Vulnerabilities — ETSI MEC security specs
- Network Function Virtualization (NFV) Attacks — Virtual network function security
- V2X Security Research — Vehicle-to-everything communications
- Cellular-V2X Attack Vectors — Automotive cellular security
- BMW Security Assessment using OpenBTS — Keen Lab / Tencent
- XRY Mobile Forensics — Commercial cellular forensics platform
- Cellebrite UFED — Mobile device extraction tools
- NIST Mobile Forensics Guidelines — NIST SP 800-101r1
- Android Security Bulletins — Regular Android/baseband patches
- Qualcomm Security Bulletins — Snapdragon security updates
- Samsung Mobile Security — Galaxy security research program
- Apple Security Research — iOS/baseband security program
- Rooting SIM Cards — Black Hat 2013, Karsten Nohl
- SIM Port Hack Case Study
- Cloning 3G/4G SIM Cards With a PC and an Oscilloscope — Black Hat 2015
- Bypassing GSMA SS7 Recommendations — Kirill Puzankov
- Attacking SS7 Networks — HES 2010
- SS7: Locate. Track. Manipulate. — 31C3 2014, Tobias Engel; live demonstration of cross-network subscriber tracking
- SS7 Map — P1 Security; map of SS7 exposure across global carriers
- Diameter Vulnerabilities Exposure — GSMA FS.07; official Diameter security guidance for 4G roaming
- GSMA FS.11 SS7 Security — GSMA baseline SS7 network security requirements
- SigPloit — Modular testing framework for SS7, Diameter, GTP, and SIP; covers location tracking, call/SMS interception, and DoS scenarios
- ss7map — Automated SS7 network topology and exposure mapper
- SCTP scanner — Discovers SCTP-based SS7 endpoints on IP networks
- DHS Stingray Surveillance — Wired
- Stingray Cost Analysis — Vice
- NYCLU Stingray Information
- EFF: Cell Site Simulators / IMSI Catchers
- WiFi IMSI Catcher — Black Hat Europe 2016
- NVD CVE Search — Search for cellular-related CVEs
- Google Project Zero — Ongoing mobile security research
- Samsung Security Bulletins — Regular baseband updates
- SIMjacker Research — SIM-based attack evolution
- ENISA 5G Reports — EU 5G security assessments
- KAIST SysSec Lab — Leading cellular security research group (CITesting, LTEFuzz, LTESniffer)
- Japanese 5G Security Guidelines — Japan national cybersecurity strategy
- SANS Mobile Security — Professional mobile security courses
- Offensive Security Mobile Testing — Advanced mobile penetration testing
- OpenAirInterface Lab Setup — Open-source 5G lab environment
- GNU Radio / SDR University Courses — SDR educational materials
- Ericsson Security Research
- Nokia Bell Labs Security
- Qualcomm Security Bulletins
- MediaTek Product Security
- GRX/IPX Security Research — GSMA roaming security
- Diameter Protocol Security — 4G/5G signaling security
- GSMA FS.19 IPX Security — Security requirements for IPX providers handling roaming traffic
- Roaming Attacks via Diameter — P1 Security analysis of Diameter-based roaming attack surface
- GTP Vulnerabilities in 4G/5G Roaming — GTP-C and GTP-U attack surface at the roaming interface
- AdaptiveMobile SS7 Firewall Research — Carrier-grade SS7/Diameter firewall bypass techniques
- RTL-SDR Community — SDR resources and tutorials
- MCC-MNC Database — Mobile Country/Network Code reference
- RFSec-ToolKit — RF security testing tools
- cellularsecurity.org — Community resource for cellular security research
- RF Security Documentation
- USENIX Security Papers — Security conference proceedings
- ACM Digital Library — ACM research papers
- IEEE Xplore — IEEE research database
- FCC Equipment Authorization Rules — US cellular equipment regulations
- CISA 5G Security Guidance — US critical infrastructure guidance
- NIST 5G Cybersecurity — NIST cellular security frameworks
- Analyzing GSM Downlink with USRP
- AT&T Microcell Analysis
- LTE Recon — DefCon 23
- LTE Security Guide — NIST SP 800-187
- LTE Pwnage: Core Network Elements — HITB 2013
- Osmocom Mailing Lists — Active developer and user lists for OpenBTS, OsmocomBB, srsRAN topics
- srsRAN Discussions — GitHub Discussions for the srsRAN Project
- OpenAirInterface Forum — OAI issue tracker and community support
- Reddit r/RTLSDR — Active SDR community covering cellular scanning and analysis
- Reddit r/cellmapper — Cell tower mapping and analysis community
- Osmocom IRC — #osmocom on libera.chat; real-time support for Osmocom tools
- DEF CON RF Village — Annual RF hacking community track at DEF CON
- DEF CON — RF Village, Wireless Village, and main track cellular talks
- Black Hat USA/Europe — Regular cellular/baseband research presentations
- WiSec — ACM Conference on Security and Privacy in Wireless and Mobile Networks
- IEEE S&P / CCS / USENIX Security — Top-tier academic venues for cellular security papers
- HITB — Regular telecom security talks
Fork the repo, add resources with descriptions, verify links are active, and submit a pull request with context on what was added.
This repository is for educational and research purposes only. Users are responsible for complying with all applicable laws and regulations. The maintainers do not endorse or encourage illegal activities.
Last Updated: March 2026
Maintainer: @W00t3k
Broken links or new resources? Open an issue or submit a PR.