Date of Award

Fall 10-2023

Document Type


Degree Name

Doctor of Philosophy in Cyber Operations (PhDCO)


Computer Science

First Advisor

Kyle Cronin

Second Advisor

Bassam Farroha

Third Advisor

Michael Ham

Fourth Advisor

Viki Johnson

Fifth Advisor

Gale Pomper


The purpose of this study is to support fifth generation (5G) wireless network security by identifying vulnerabilities in 5G femtocell firmware. It addresses the problem of whether 5G femtocells are shipped to customers with firmware that contains vulnerabilities. This is a subproblem of supply chain security. The problem is significant because exploitation of latent vulnerabilities in the firmware of 5G network access points (such as femtocells) could compromise the security of network communications.

This study employs a design science research methodology consisting of a quasi-experiment which applies static analysis tools to 5G femtocell firmware samples. It seeks to answer the research question “can security vulnerabilities in 5G femtocell firmware be detected

by static analysis tools?”. The presence of vulnerabilities would imply that the firmware is insecure. This question directly supports the purpose of this research.

The quasi-experiment applied four commercially available static analysis security tools to five 5G femtocell firmware samples harvested from used 5G equipment. The static analysis tools were able to identify several known CVEs in each firmware sample. To lessen the chances of reporting false positives, each CVE reported by the tools was assigned a “confidence rating” corresponding to the number of tools reporting the presence of that CVE. The study found several CVEs in each firmware sample with confidence ratings of 1.0 (i.e., every tool in the study had reported the presence of that CVE). Further, many of these CVEs were publicly documented prior to the deployment of the firmware into the field. Because of these findings, the study was able to answer the research question in the affirmative.