Interact with mobile devices & networks using Software-Defined Radio

Assess the security of devices, hunt for vulnerabilities, learn about core network attacks, and more!
Why choose this course?

Learn to interact with mobile devices and networks using Software-Defined Radio, and assess their security

During this class, we will demonstrate in practice several attacks that can be performed on User Equipment in particular, and will also cover attacks on the core network.

This course will mostly use Software-Defined Radio to cover as many attacks as possible that could be applied to: mobile phones, IoT modules, connected cars, and other infrastructures.


About the training

With this class, students will learn how to hunt for vulnerabilities in mobile radio-communications and core networks:

  • Learn the difference between 2G, 3G, 4G, and 5G technologies
  • Understand the different security mechanisms
  • Downgrading security mechanisms
  • Protocol attacks
  • Setup of a 2G, 3G, 4G, 5G network
  • Vulnerability hunting in basebands
  • Get primary reflexes to attack embedded and IoT systems
  • Attacking the different core networks from the outside and the inside

Day 1

Day 1 will introduce the mobile network and its evolution, and will compare the security features of 2G, 3G, 4G, and 5G. During this day, attendees will see how to build testbeds with Software-Defined Radio for the different cellular technologies and how to analyze communications. We will learn how to observe the signaling and the data exchanged between devices and the mobile network, and how to perform tests on connected/IoT devices, for example.


  • Introduction to mobile networks and protocols (2G/3G/4G/5G)
  • Evolution
  • Security
  • Attack surface on user equipment and core network
  • Setup 2G, 3G and 4G for specific needs with Software-Defined Radio
  • Alternative to Software-Defined Radio
  • Configuring SIM/USIM/ISIM cards

Assignment 1

  • Setting up a GSM base station with OpenBTS, OsmoBTS and YateBTS depending on SDR devices
  • Isolating the base station with a custom Faraday cage and some SDR setup
  • Testing the setup by sending text messages and voice

Assignment 2

  • Installing a GPRS base station
  • Capturing data packets of User Equipment

Assignment 3

  • Using a software SIM stack
  • Configuring a real SIM/USIM card
  • Using programmed secrets on the GSM station

Assignment 4

  • Installing an LTE eNodeB station
  • Testing the LTE eNodeB
  • Monitoring the setup

Additionally, participants will get advice and see the limitations to circumvent when using an SDR device as a mobile station.

Day 2 and 3

Days 2 and 3 will focus on attacking mobile devices in a black-box context, without physical access to devices. This will lead to basic and smart-jamming attacks to downgrade communications and be able to intercept a device. We will also see ways to perform fuzzing tests on mobile protocol stacks to find vulnerabilities over-the-air, as well as other ways to optimize bug hunting.


  • Attacking cell phones and IoT devices using the mobile network
  • Using endpoints as primary targets
  • Find bugs in protocol stacks
  • Pentest 2G, 3G, 4G and 5G core networks

Assignment 5

  • Intercepting devices
  • Impersonating messages and calls

Assignment 6

  • Capturing a call
  • Cracking the call with precomputed tables

Assignment 7

  • Downgrading a 3G device to 2G
  • Interacting with devices and capturing events
  • Attacking endpoints

Assignment 8

  • Fuzzing GSM and LTE protocol stacks
  • Using emulation on firmware to find bugs efficiently

Assignment 9

  • Attacking the core with M2M mobile network

Going further on 5G-NR radio & NewCore

  • Feedback from our past missions and security challenges
  • Introduction to 5G-NR device assessments
  • Our tools

Note that a new training dedicated to 5G-NR and 5GNC will be released in March 2022 at Advanced Security Training first. Nevertheless, you can also order a private training focusing only on 5G by contacting us.

Content of private trainings can be arranged depending on your needs. We also provide additional content as follows:

  • Practical 5G security radio communication testing
  • Practical 5G core network assessment and use of our tools
  • Fuzzing the core network protocol stacks
  • etc.

Requirements

  • Knowledge of Linux and a programming language such as C, C++, C# or Python is necessary
  • Understanding of pentesting (network and applications) or Red teaming
  • All attendees will need to bring a laptop running Linux, with at least 8 GB of RAM
  • Basic knowledge of radio is not mandatory but is a plus

Pricing (prices exclude 20% VAT in France)

Remote Single person
2 850€ for one person

3-day remote live training, including a Full-duplex TX/RX SDR kit (bladeRF 2.0 micro xA4), slides, Docker container, scripts/tools and captures. The content can be customized depending on the means and required days for the training.

Remote Private group
2 450€ /attendee
+ possible discount

3-day remote live training, including a Full-duplex TX/RX SDR kit (bladeRF 2.0 micro xA4), slides, Docker container, scripts/tools and captures. The content can be customized depending on the means and required days for the training.

An extra discount can be negotiated depending on the number of attendees.

Tailored content

Content can be fully tailored depending on your needs.

Contact us for more information!