From first principles to hands-on exploitation. No prior telecom experience needed — just bring the curiosity.
Mission Briefing
Welcome to the Telecom Village Security Lab. In this lab you'll go from zero to exploiting real cellular network vulnerabilities — the same classes of issues that have been used to track, intercept, and surveil people across the globe.
Cellular networks underpin modern society. Yet most security practitioners treat them as a black box. This lab tears the box open. You'll learn how your phone identifies itself to a network, how authentication works (and precisely where it doesn't), and how an attacker with the right tools can subvert both.
This intro section gives you the foundational knowledge you need before the scenarios start. The Cheat Sheet printed at your table is your quick-reference companion throughout — keep it face-up. When you're ready, move on to Section 1.
1
How Cellular Networks Work
Starting from what you already know — Wi-Fi
You've connected to Wi-Fi. Your phone talks wirelessly to a router, the router connects to the internet. Cellular works the same basic way — your phone talks wirelessly to a tower, the tower connects to the carrier's core network, which reaches the internet. But everything underneath is different: the scale, who controls it, and most importantly, how your phone identifies itself. That identity system is exactly what this lab is about.
Here are a few helpful definitions to start. We'll add more as we go — and the cheat sheet on the table has the full list.
Term
Full Name
What It Does
UE
User Equipment
Your phone or any device that connects to the cellular network. Contains a SIM card that holds your identity.
SIM
Subscriber Identity Module
Tamper-resistant chip inside the UE. Stores the IMSI and secret key Ki. Authentication math runs inside it — Ki never leaves the chip.
IMSI
International Mobile Subscriber Identity
15-digit permanent identity burned into your SIM at manufacture. The number the network uses to identify who you are. This is the target of IMSI catcher attacks.
MSISDN
Mobile Station International Subscriber Directory Number
Your phone number. Stored in the HLR alongside your IMSI — attackers who capture an IMSI can reverse-lookup your phone number via SS7.
MSC
Mobile Switching Center
The core switch that routes calls and SMS. Queries the HLR to authenticate subscribers and determine call routing. What the network's "brain" looked like in 2G/3G.
VLR
Visitor Location Register
A temporary database co-located with the MSC. Caches subscriber profile data for devices currently in its coverage area, so the MSC doesn't have to query the HLR on every call.
HLR
Home Location Register
The master subscriber database. Maps every IMSI to a phone number (MSISDN), stores subscription details, and tracks which MSC is currently serving a subscriber. SS7 attacks often target this.
AuC
Authentication Center
Always paired with the HLR. Stores each subscriber's secret key Ki and generates authentication vectors (RAND, SRES, Kc) that the MSC uses to verify a device is who it claims to be.
IMEI
International Mobile Equipment Identity
15-digit serial number that identifies the physical handset, not the SIM. Survives a SIM swap — the IMEI stays with the device. Carriers can block stolen devices by blacklisting their IMEI.
SS7
Signaling System No. 7
The signaling protocol that 2G and 3G networks use to route calls, SMS, and queries between carriers. Designed in the 1970s with no authentication between carriers — any node on the SS7 network can query subscriber location, forward calls, or intercept SMS. The backbone of the attacks in this lab.
Diameter
Diameter Protocol
The signaling protocol 4G LTE uses — SS7's modern replacement for core network functions. More structured than SS7 but still vulnerable to similar subscriber-tracking and routing attacks when carriers expose Diameter interfaces externally or via interconnects.
Wi-Fi — familiar
local · user-controlled
Short range (~30 m). You own and control the router. No permanent identity needed — the internet only sees an IP address. Connecting doesn't require proving who you are.
Cellular — same idea, very different scale
nationwide · carrier-controlled
Nationwide (~35 km per tower). The carrier controls every component. Before connecting, your phone must identify itself with a permanent SIM identity (the IMSI), which the carrier verifies against its subscriber database (HLR/AuC). That mandatory identity — and how each generation of network protects it — is the central thread of this lab.
Why identity changes everything: When you join Wi-Fi, the router just needs a password — it doesn't care who you are. When your phone registers on a cellular network, the carrier needs to know exactly who you are to bill you, route your calls, and track your location. That requirement is baked into the architecture. The IMSI — 15 digits permanently burned into your SIM — is the identity the carrier uses. Capturing, abusing, or concealing that identifier is the story of every attack in this lab.
Try It Yourself — Look Up Your Own IMSI / IMEI
Android
*#*#4636#*#*
Dial this in your Phone app (no need to press call — it launches automatically). Go to Phone information → scroll to find your IMSI. Works on most stock Android and Samsung devices; some OEMs disable it.
Also: Settings → About Phone → SIM Status → IMSI
iOS
*#06#
This shows your IMEI (hardware ID), not your IMSI. Apple doesn't expose the IMSI to users — it's locked inside the SIM. To see the ICCID (SIM card serial, also not the IMSI): Settings → General → About → ICCID.
⚠ Full IMSI not directly accessible on iOS
What you're looking at: Your IMSI starts with a 3-digit MCC (Mobile Country Code — 310 or 311 for the US), followed by a 2–3 digit MNC (Mobile Network Code — 260 for T-Mobile), then your unique subscriber number. The IMSI your SIM broadcasts when you power on is exactly what a rogue cell tower captures (more on this later!).
Want more codes to explore? — secret menus, field test modes & network diagnostics(Click to expand)▸
Your phone exposes more about itself than most people realize. These codes unlock diagnostic screens built into every handset — originally for carrier technicians. The diagnostic and SAR codes are read-only. The band-locking codes actively change your radio configuration — they're reversible, but set them back when you're done. Exit any screen by pressing Home or the Back button.
iOSfield test mode
*3001#12345#*
iPhone Field Test Mode
Opens a full radio diagnostic screen. Tap LTE → Serving Cell Info to see the actual tower you're connected to: Cell ID (tower identifier), Physical Cell ID, TAC (Tracking Area Code), MCC/MNC, and your real signal strength in dBm instead of bars. This is exactly the data an IMSI catcher uses to impersonate your real tower.
iOSregulatory
*#07#
SAR & Regulatory Info
Shows your phone's SAR value (Specific Absorption Rate) — how much RF energy your body absorbs from the device's radio. Regulated by the FCC in the US. Also shows the RF Exposure PDF filed with regulators. Mostly trivia, but a reminder that your phone is constantly radiating energy that networks can triangulate.
Android (Samsung)service mode
*#0011#
Samsung Service Mode
On Samsung devices, opens a detailed network service screen showing Cell ID, LAC/TAC, signal levels, network state, and which band you're on. Useful for confirming exactly which tower you're attached to — and whether something has moved you to a weaker or older network unexpectedly.
iOS & Androidcall forwarding
*#21#
Check Call Forwarding Status
Queries your carrier for active unconditional call forwarding rules on your line. If an attacker has set up call forwarding (via SS7 manipulation or SIM swap), this will surface it. A clean line returns "Not Active." One of the simplest things you can check right now to verify your account hasn't been tampered with.
Android (Samsung)band locking
*#2263#
Samsung RF Band Selection
Opens a band picker for Samsung devices. You can lock your radio to specific LTE bands (B2, B4, B12, B66, etc.) or 5G NR bands — or force the device to 2G/3G/LTE only. Security relevance: locking to LTE-only prevents 2G downgrade attacks. This is one of the practical defenses we cover later in the lab. To reset, select Automatic before you leave.
Android (MediaTek)engineering mode
*#*#3646633#*#*
MediaTek Engineering Mode
For phones with MediaTek chipsets — common in OnePlus, Motorola, and many mid-range Android devices. Opens a deep engineering menu with full band selection, network type forcing, and TX power controls. Similar capability to Samsung's `*#2263#` but for the MTK radio stack. If this code doesn't open anything, your phone is Qualcomm-based — OEM codes vary too much to list reliably.
iOSnetwork mode
Settings path (no code)
iOS Voice & Data Mode
Apple doesn't expose band locking via USSD. Instead: Settings → Cellular → Cellular Data Options → Voice & Data. Options vary by carrier but typically include 5G Auto, 5G On, LTE, and (on older devices) 3G. Selecting LTE forces the radio off 5G and prevents 2G/3G downgrade — the same defensive move the Samsung and MTK codes enable, just buried in settings instead of a dial code.
2
Network Generations
2G → 3G → LTE → 5G: 40 years of protocol evolution
Network History: Each generation introduced real security improvements — but older generations are still live. An attacker who can force your device onto 2G inherits all of 2G's weaknesses, even today in 2026. Click through the different versions below.
2G
GSM — Global System for Mobile Communications
Deployed ~1991. Still live today across much of the world.
Auth direction
One-way only
Air identity
IMSI in cleartext
Encryption
A5/1 (broken) or A5/0 (none)
Auth algorithm
A3/A8 (COMP128)
Core protocol
MAP over SS7
IMSI catcher risk
Trivially high
GSM brought mobile to the masses. Its authentication is simple: the network sends the SIM a random number (RAND), the SIM computes a response using its secret key Ki via algorithm A3. If it matches the network's expected value, you're in.
The fundamental flaw: the phone never verifies the network. If a fake tower broadcasts the right network codes, every nearby 2G device will attach to it — sending their permanent IMSI identity in cleartext, no authentication required. This is the IMSI catcher (commercially known as a "Stingray"), and it is a direct consequence of the one-sided authentication model built into GSM.
2G encryption (A5/1) has been fully broken since 2009. A5/0 — no encryption at all — is still negotiated in many real-world deployments today.
3G
UMTS — Universal Mobile Telecommunications System
Deployed ~2001. Introduced the USIM and mutual authentication.
Auth direction
Mutual (network + UE)
Air identity
IMSI on first attach
Encryption
KASUMI / SNOW 3G
Auth algorithm
MILENAGE / USIM
Core protocol
MAP over SS7
IMSI catcher risk
Lower, but downgrade possible
UMTS fixed 2G's one-way authentication problem. Now both sides prove themselves: the SIM proves it knows Ki (Ki is the secret key burned into your SIM at manufacture — it never leaves the chip), and the network proves it holds a valid Authentication Token (AUTN) derived from the home network's keys. A rogue tower without access to the home network can no longer successfully authenticate.
But the IMSI is still sent in cleartext on the very first attach, before any authentication runs — a privacy leak that persists through 4G. And the core network (SS7) remained wide open to global routing abuse, which Section 2 explores.
4G
LTE — Long-Term Evolution
Deployed ~2009. All-IP architecture. Same IMSI privacy weakness as 3G.
Auth direction
Mutual (EPS-AKA)
Air identity
IMSI cleartext first attach
Encryption
AES-128 (mandatory)
Auth algorithm
EPS-AKA (MILENAGE)
Core protocol
Diameter (+ SS7 interop)
IMSI catcher risk
Via 2G/3G downgrade
LTE moved the core network to Diameter, replacing SS7 for 4G signaling. Stronger crypto (AES-128 mandatory), all-IP architecture, mutual authentication inherited from UMTS. But the IMSI-in-cleartext problem persisted, and because LTE must interoperate with SS7 networks, old attack routes remained open.
LTE's Diameter interfaces introduced a new class of routing-based attacks. Meanwhile, downgrade attacks could force an LTE device onto 2G, instantly restoring all of 2G's weaknesses.
5G
5G NR — New Radio
Deployed ~2019–present. First generation to address identity privacy.
Auth direction
Mutual (5G-AKA)
Air identity
SUCI (encrypted SUPI)
Encryption
128/256-bit, mandatory
Auth algorithm
5G-AKA / EAP-AKA'
Core protocol
HTTP/2 + TLS (SBA)
IMSI catcher risk
Designed to prevent
5G's headline privacy feature: SUCI (Subscription Concealment Identifier). Instead of transmitting the IMSI (now called SUPI) over the air, the device encrypts it using the home network's public key via elliptic-curve cryptography (ECIES). An IMSI catcher captures only an encrypted, rotating blob it cannot decrypt without the home network's private key.
The core network moved to a Service-Based Architecture (SBA) using HTTP/2 and TLS — replacing SS7 and Diameter for new functions. Combined with mandatory mutual authentication (5G-AKA), 5G closes the foundational holes present in every prior generation.
However: 5G networks must interoperate with 4G, 3G, and 2G. That legacy interop remains a meaningful part of the security surface — the older signaling protocols and their authentication gaps don't disappear just because 5G is present.
↓
Live Protocol Flows
Watch a phone attach and authenticate — auto-playing, loops continuously
What you're watching: The same basic event — a phone registering on a network — shown across two protocol eras. Pay attention to who proves what to whom. In SS7 (2G/3G), only the phone proves itself. In Diameter (4G), both sides prove themselves. That single difference is the dividing line between IMSI catchers working and not working.
SS7 · 2G / 3G Attach
↺ Replay
Starting…
Diameter · 4G LTE Attach
↺ Replay
Starting…
3
How It Works
The key components of a cellular network
Why this matters: The lab scenarios involve specific components — UE, BTS, MSC, HLR/AuC. Knowing what each one does tells you where each attack lands and what it actually achieves.
Network Architecture — Simplified
Hover a component to highlight it
UE / MS + SIM
Your handset plus the SIM card. The SIM is a tamper-resistant chip that stores your permanent identity (IMSI) and secret key (Ki). Authentication and encryption keys are derived inside the SIM — Ki never leaves it.
BTS / gNB (Radio Tower)
The base station. Manages the air interface between your device and the network. Multiple base stations connect to a controller (BSC/RNC), which aggregates them into the core. The BTS is what an IMSI catcher impersonates.
HLR / AuC (Home Database)
Home Location Register + Authentication Center. The authoritative database for your subscription: maps IMSI to phone number, stores Ki, generates authentication vectors. SS7 queries to HLR/AuC are what make subscriber tracking attacks possible.
What happens when you power on your phone: Your device scans for the strongest cell signal, sends its IMSI (or TMSI) to the base station, and the network runs an authentication challenge using your SIM's Ki via the HLR/AuC. If it passes, the network issues a Temporary Mobile Subscriber Identity (TMSI) to use instead of your permanent IMSI — at least for 2G/3G. In 5G, that cleartext IMSI never goes out at all.
→
Your Lab Roadmap
Four sections. Work through them in order — each builds on the last.