Q1. Is dynamic testing of a commercial network allowed to researchers?
Probably not. Researchers should comply with any special legal requirements in their jurisdictions. Fortunately, for the purpose of inspecting and validating the vulnerabilities, two MNOs gave us permission to conduct dynamic security testing on their testbed.
* Some of the DoS methods can open up further vulnerabilities and exploits.
* Some of the DoS methods are bugs that could be triggered by normal equipment.
* The source of some of the DoS methods is easier to detect (i.e. it's a lot easier to detect and pinpoint a frequency jammer than a mobile phone sending invalid protocol messages).
Agreed. Local DoS is a complicated way to get the same result as jamming.
The approach has merits and value, but the novelty here is building an LTE fuzzer and finding implementation bugs, IMHO. That is very useful, but the title may lead people to believe there are new weaknesses in the standard itself. There are some standard-level attacks, but they are local DoS and already known as far as I can see.