A team of academics has devised a novel attack that can be used to downgrade a 5G connection to a lower generation without relying on a rogue base station (gNB).
The attack, per the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD), relies on a new open-source software toolkit named Sni5Gect (short for “Sniffing 5G Inject”) that’s designed to sniff unencrypted messages sent between the base station and the user equipment (UE, i.e., a phone) and inject messages to the target UE over-the-air.
The framework can be used to carry out attacks such as crashing the UE modem, downgrading to earlier generations of networks, fingerprinting, or authentication bypass, according to Shijie Luo, Matheus Garbelini, Sudipta Chattopadhyay, and Jianying Zhou.
“As opposed to using a rogue base station, which limits the practicality of many 5G attacks, SNI5GECT acts as a third-party in the communication, silently sniffs messages, and tracks the protocol state by decoding the sniffed messages during the UE attach procedure,” the researchers said. “The state information is then used to inject a targeted attack payload in downlink communication.”
The findings build upon a prior study from ASSET in late 2023 that led to the discovery of 14 flaws in the firmware implementation of 5G mobile network modems from MediaTek and Qualcomm, collectively dubbed 5Ghoul, that could be exploited to launch attacks to drop connections, freeze the connection that involves manual reboot, or downgrade the 5G connectivity to 4G.
The Sni5Gect attacks are designed to passively sniff messages during the initial connection process, decode the message content in real-time, and then leverage the decoded message content to inject targeted attack payloads.
Specifically, the attacks are designed to take advantage of the phase before the authentication procedure, at which point the messages exchanged between the gNB and the UE are not encrypted. As a result, the threat model does not require knowledge of the UE’s credentials to sniff uplink/downlink traffic or inject messages.
“To the best of our knowledge, SNI5GECT is the first framework that empowers researchers with both over-the-air sniffing and stateful injection capabilities, without requiring a rogue gNB,” the researchers said.
“For example, an attacker can exploit the short UE communication window that spans from the RACH process until the NAS security context is established. Such an attacker actively listens for any RAR message from the gNB, which provides the RNTI to decode further UE messages.”
This enables the threat actor to crash the modem on the victim’s device, fingerprint the targeted device, and even downgrade the connection to 4G, which has known vulnerabilities that can be exploited by the attacker to track the UE location over time.
In tests against five smartphones, including OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro, the study achieved 80% accuracy in uplink and downlink sniffing, and managed to inject messages with a success rate of 70-90% from a distance of up to 20 meters (65 feet).
The Global System for Mobile Communications Association (GSMA), a non-profit trade association that represents mobile network operators worldwide and develops new technologies, has acknowledged the multi-stage, downgrade attack, and assigned it the identifier CVD-2024-0096.
“We argue that SNI5GECT is a fundamental tool in 5G security research that enables not only over-the-air 5G exploitation but advancing future research on packet-level 5G intrusion detection and mitigation, security enhancements to 5G physical layer security and beyond,” the researchers concluded.
