Overall
This document is for educational and defensive security research purposes only.
All techniques described herein are analyzed in a controlled lab environment using your own equipment and licensed test SIMs. Applying any of these techniques to real-world cellular infrastructure, third-party devices, or spectrum you do not own is illegal under US federal law, including:
- 47 U.S.C. § 333 — Prohibits interference with radio communications. RF jamming is illegal for all private parties and state/local law enforcement with no exceptions. The FCC has imposed fines exceeding $34 million for marketing jamming devices.
- 47 U.S.C. § 301 — Requires an FCC license to transmit on licensed spectrum. Operating a fake base station (eNodeB/gNB) on live cellular frequencies without authorization violates this statute.
- 47 U.S.C. § 605 — Prohibits unauthorized interception of radio communications not intended for the recipient.
- 18 U.S.C. § 2511 (Wiretap Act) — Prohibits intentional interception of electronic communications, including voice (VoLTE/RTP) and data.
- 18 U.S.C. § 1029 — Prohibits fraud involving access devices. SIM cards are federally defined access devices; cloning, unauthorized key extraction, and related acts are federal crimes.
- 18 U.S.C. § 1030 (CFAA) — Prohibits unauthorized access to computer systems, including telecom signaling infrastructure (Diameter, GTP, SBI APIs).
Lab use requirements: All radio experiments must be conducted in an RF-shielded environment (Faraday cage) using test SIMs provisioned in your own Open5GS/srsRAN lab. No transmission on live cellular bands is permitted without an FCC experimental license.
This document does not constitute legal advice. Consult a licensed attorney before conducting any security research involving radio spectrum or telecommunications infrastructure.
Understood — thanks for the clarification. We'll set aside the mobile app penetration testing resources (Frida, APK reversing, eMAPT, CMPen, TCM Security, HTB Mobile Intro, etc.) and focus purely on the telecom / mobile networks security learning path you originally asked about.
Here's the revised self-study plan, now centered entirely on telecom foundations → 3G/4G/5G architecture & security → fiber backhaul → satellite / undersea cables → cross-cutting telecom security & resilience. No mobile app pen-testing content.
Updated Resource Table (Telecom-Focused Only)
| Resource Name | URL | Price / Access | Duration / Format | Priority |
|---|---|---|---|---|
| Mpirical – Introduction to Telecommunications Networks | https://www.mpirical.com/courses/multi-technology/introduction-to-telecommunications-networks | £395 for 6 months access | ~18 hours, self-paced online | High |
| Telefocal – An Overview of 3G / 4G / 5G Mobile Networks | https://www.telefocal.com/courses/3g-4g-5g-mobile-networks | Contact for quote | 2–5 days (classroom/virtual) | High |
| Coursera – 5G Network Fundamentals | https://www.coursera.org/learn/5g-network-fundamentals | Free to audit (certificate ~$49) | ~15–20 hours, self-paced | High |
| Blackbird Training – LTE 4G and 5G Mobile Networks Course | https://blackbird-training.com/course-LTE-4G-and-5G-Mobile-Networks-Course.htm | £2,700–£6,100 (varies by format) | Multi-day instructor-led | Medium |
| ENO Institute – 5G Wireless Security Training | https://www.enoinstitute.com/training-tutorials-courses/5g-wireless-security-training | Contact for quote | 4 days (online/onsite) | High |
| P1 Security Blog – 4G LTE Architecture and Security Explained | https://www.p1sec.com/blog/4g-architecture-and-security | Free | Article (~30–60 min read) | High |
| Versitron – Learn Why Fiber Optics is Used in 5G Networks | https://www.versitron.com/blogs/post/learn-why-fiber-optics-is-used-in-5g-networks | Free | Short article (~10–15 min) | Medium |
| Tonex – SATCOM Training | https://www.tonex.com/training-courses/satcom-training | $1,799 | Multi-day instructor-led | Medium |
| Upskill Development – Satellite, Space and Undersea Cable Communications Training | https://upskilldevelopment.com/satellite-space-and-undersea-cable-communications-training-course | $1,740 (online) / $2,900 (classroom) | Multi-day instructor-led | Medium |
| ITU Academy – Securing next-gen telecom: building resilience and trust | https://academy.itu.int/training-courses/full-catalogue/securing-next-gen-telecom-building-resilience-and-trust | Free | Multi-module online course | High |
| LinkedIn Learning – 5G Security in Depth | https://www.linkedin.com/learning/5g-security-in-depth-a-hands-on-approach-to-securing-ran-core-and-telco-cloud | LinkedIn Premium (~$30/month) | ~4–6 hours, self-paced | Medium-High |
6–9 Month Self-Study Plan (Telecom & Mobile Network Security Focus)
Goal: Go from zero telecom knowledge to solid understanding of 3G–5G architectures, security models, backhaul technologies (fiber/satellite), and modern telecom threat landscapes — suitable for security engineering, red-teaming telco environments, or critical infrastructure protection.
Weekly commitment: 6–10 hours (adjustable).
Budget estimate: $500–$2,500 depending on how many paid courses you take (many strong free options exist).
Months 1–2: Telecom & Mobile Network Foundations
Build the mental model first — understand how networks are structured before diving into attacks.
-
Week 1–3
Mpirical – Introduction to Telecommunications Networks (£395, ~18 h)
→ Core concepts: OSI/TCP-IP in telecom, circuit vs packet, SS7/Diameter basics, access vs core, transport layers. -
Week 4–6
Coursera – 5G Network Fundamentals (free audit)
Telefocal Overview of 3G/4G/5G (if budget allows; otherwise read their free blog/articles)
→ 5G architecture (RAN: gNB, Core: AMF/SMF/UPF), NR, service-based architecture, interworking with LTE. -
Week 7–8
P1 Security Blog – 4G LTE Architecture and Security Explained (free, deep read + note-taking)
→ Interfaces (S1/X2/SGi), protocols (GTPv2, Diameter), EPC roles, baseline security controls.
Milestone: Draw a simplified diagram of a 4G EPC and 5G SBA; explain key differences.
Months 3–5: Mobile Network Security Deep Dive
Shift to threats, authentication, privacy, and attack surfaces.
-
Week 9–12
ENO Institute – 5G Wireless Security Training (if budget allows; otherwise read their free whitepapers + 3GPP security specs summaries)
→ 2G–5G evolution, AKA / 5G-AKA, SUPI/SUCI privacy, NAS/AS security, key derivation, air-interface attacks. -
Week 13–16
Re-read P1 Security blog + ITU Academy – Securing next-gen telecom (free modules on threat landscape, zero trust, supply chain)
→ Fake base stations (IMSI catchers/Stingrays), signaling storms, core exposure (SS7/Diameter abuse), IoT mass exploitation. -
Week 17–20
LinkedIn Learning – 5G Security in Depth (if you have Premium)
→ Practical controls: RAN hardening, core segmentation, telco-cloud security (Kubernetes/OpenStack).
Milestone: Create a one-page threat model for a typical 5G subscriber session (air interface → core → internet breakout).
Months 6–8: Backhaul & Critical Infrastructure (Fiber, Satellite, Subsea)
Understand how towers/POPs/data centers are actually connected and secured.
-
Week 21–22
Versitron article (quick read) + research free resources on DWDM/OTN/fiber fronthaul/backhaul
→ Physical risks: tapping, splice-box compromise, metro vs long-haul differences. -
Week 23–26
Tonex SATCOM Training or Upskill Satellite/Undersea course (pick one based on budget)
ITU Academy resilience modules (free)
→ RF jamming/spoofing, ground station endpoint security, subsea cable cuts, geopolitical risks. -
Week 27–30
National/international standards context: read CISA/FCC telecom guidance (free PDFs), NIST IR 8323 (5G security), 3GPP TS 33.501 (5G security architecture – free spec).
Milestone: Write a short report on “Why fiber + satellite redundancy matters for 5G critical infrastructure resilience”.
Month 9: Integration, Review & Capstone
- Revisit weak areas (e.g., 5G AKA vs LTE AKA differences).
- Read recent telco breach reports / P1 Security / ENO blog posts (2024–2025).
- Capstone project (choose one):
- Build a personal “Telco Security Playbook” (controls across RAN/core/backhaul/satellite).
- Analyze a real-world incident (e.g., Salt Typhoon or a public telco vuln disclosure).
- Simulate a signaling attack scenario on paper/whiteboard.
Tips for Plano, TX
- Check local events: Dallas/Fort Worth has occasional cybersecurity meetups (BSidesDFW, DEF CON groups, InfraGard chapters) — good for networking with telco/security pros.
- Free resources like 3GPP specs, GSMA documents, and CISA alerts are excellent supplements.
Let me know which phase you're starting with, if you want to prioritize free-only, or if you'd like more granular weekly breakdowns / alternative free substitutes for any paid course. Happy studying!