CheolJun Park

CheolJun Park is an Assistant Professor in the School of Computing and the Graduate School of Convergence Security at Kyung Hee University (Yongin, South Korea). He received his Bachelor’s, Master’s, and Ph.D. degrees in Electrical Engineering from KAIST (Daejeon, South Korea) in 2017, 2019, and 2024, respectively. His research focuses on the security of cellular and wireless systems, including over-the-air testing of commercial basebands, protocol analysis, and intrusion prevention in 4G/5G networks. At Kyung Hee University, he leads the System Security (SysSec) Lab and collaborates with industry and government on cellular and 5G security projects. Previously, he worked as an engineering intern at Qualcomm Product Security Initiative (QPSI) in San Diego, where he contributed to the over-the-air security testing of Qualcomm basebands, and as a visiting researcher at CISPA Helmholtz Center for Information Security in Germany, where he investigated grammar-guided protocol testing. His research has uncovered numerous previously unknown implementation vulnerabilities in Qualcomm, Samsung, MediaTek, Google and Apple products, which have been assigned CVEs and patched by vendors.

Identifying Implementation Vulnerabilities in Cellular Basebands via Over-the-Air Testing

Mobile communication has become a foundational wireless technology supporting smartphones, unmanned systems, and critical infrastructure. At the heart of this ecosystem lies the baseband (modem chip), which integrates the essential functions required for cellular operation, from radio signal processing to protocol handling. Operating over the wireless medium and providing services with profound privacy implications, the baseband represents a highly security-sensitive yet exposed component. Recent advances in open-source protocol implementations and software-defined radio hardware have further facilitated sophisticated exploitation techniques, enabling critical attacks such as denial-of-service, eavesdropping, data spoofing, location tracking, and remote code execution. This talk presents dynamic methodologies for identifying two major classes of baseband vulnerabilities: logical bugs resulting from standards non-compliance and memory corruption bugs. It outlines the design of a security testing framework that leverages cellular standards and open-source protocol stacks to operate over the wireless interface, discusses key considerations for detecting the two vulnerability classes in practice, and addresses challenges inherent in testing the stateful operation of basebands. Furthermore, it describes strategies for systematically generating test messages in standards-based protocols. Using the logical-vulnerability testing framework, 43 commercial devices incorporating basebands from major vendors—including Qualcomm, Samsung, MediaTek, Huawei, and Intel—were evaluated, uncovering 26 vulnerabilities, 22 of which were previously unknown. Complementarily, two types of memory-vulnerability testing frameworks revealed 16 new memory corruption bugs, comprising 7 at Layer-3 and 9 at Layer-2. The talk concludes with insights from the design and implementation of these dynamic OTA testing frameworks and a discussion of the vulnerabilities discovered across commercial devices, highlighting implications for strengthening the robustness of cellular basebands.
