A general approach which can efficiently monitor a device's cellular network traffic and identify the presence of attacks

Download Paper


With the ever-increasing demand of cellular devices, the vulnerabilities pertaining to network traffic are increasing as well. Dealing with such vulnerabilities required a system that would thwart the network attack attempts and mitigate these vulnerabilites, hence proposed Phoenix. Following are the salient features of Phoenix:


Following are the two ways Phoenix can be deployed:

Phoenix in Modem
Figure 1: Phoenix deployed in the modem chip
Phoenix in Modem
Figure 2: Phoenix deployed in a mobile application

Following are the key components that constitute Phoenix (deployed as an android app)

Message Extractor

Firstly the message extractor reads events from the baseband processor. We used MobileInsight's dissector to efficiently capture traffic of NAS and RRC Layers. We then apply required propositions and forward the message to the monitor.

Monitor Component

We implemented our own monitors using Python For Android since MobileInsight is written in Python. Now let's discuss implementation of each monitor against attack signatures.


Now lets see how well Phoenix performed in a real world scenario and also have a look at it's energy consumption.

Energy Consumption

To measure energy consumed when Pheonix is used as an android app we connected the Nexus 6 phone to a Monsoon Power Meter. The results can be seen as follows:

Power consumption chart for Phoenix
Figure 3: Power Consumption with different monitors running on Phoenix

Real World Evaluation

We deployed pheonix on two Pixel 3 devices running on 4 major US Cellular networks. The experiment included running Pheonix for approximately 12 hours using Pixel as our daily devices. Following are the results showing warnings using different monitors in Phoenix:

Real World Evaluation running Phoenix on daily use devices
Figure 4: Warnings triggered when Phoenix ran on Pixel 3

As evident from the figure above we can see that DFA proves to be inadequate and produces a large amount of false warnings. Mealy machine on other hand produced no false warnings and thus won't disturb the user with false alarms. Whereas, PLTL produced some warnings which upon inspection turned out to be actual misconfigurations on part of the cellular providers. For example, we found that EMM information is sent in plaintext which is actual misconfiguration by the said cellular providers.


Vulnerability signatures synthesized using vulnerable and non-vulnerable traces and later pushed to the device. The device analyzes cellular traffic against these signatures to give corresponding warning.

Download Signatures

Attack Variants

Attack Variants generated during experiment when phoenix ran on phones.

Download NAS PCAP

Download RRC PCAP