Cellular networks are not merely data access networks to the Internet. Their distinct services and ability to form large complex compounds for roaming purposes make them an attractive research target in their own right. Their promise of providing a consistent service with comparable privacy and security across roaming partners falls apart on close inspection. Thus, there is a need for controlled testbeds and measurement tools for cellular access networks that do justice to the technology's unique structure and global scope. In particular, such measurements suffer from a combinatorial explosion of operators, mobile plans, and services. To cope with these challenges, we built a framework that geographically decouples the SIM from the cellular modem by selectively connecting both remotely. This allows testing any subscriber with any operator at any modem location within minutes without moving parts. The resulting GSM/UMTS/LTE measurement and testbed platform offers a controlled experimentation environment, which is scalable and cost-effective. The platform is extensible and fully open-sourced, allowing other researchers to contribute locations, SIM cards, and measurement scripts. Using the above framework, our international experiments in commercial networks revealed exploitable inconsistencies in traffic metering, leading to multiple phreaking opportunities, i.e., fare-dodging. We also expose problematic IPv6 firewall configurations, hidden SIM card communication to the home network, and fingerprint dial progress tones to track victims across different roaming networks and countries with voice calls.