A crew of teachers has devised a novel assault that can be utilized to downgrade a 5G connection to a decrease era with out counting on a rogue base station (gNB).
The assault, per the ASSET (Automated Programs SEcuriTy) Analysis Group on the Singapore College of Expertise and Design (SUTD), depends on a brand new open-source software program toolkit named Sni5Gect (quick for “Sniffing 5G Inject”) that is designed to smell unencrypted messages despatched between the bottom station and the person tools (UE, i.e., a cellphone) and inject messages to the goal UE over-the-air.
The framework can be utilized to hold out assaults equivalent to crashing the UE modem, downgrading to earlier generations of networks, fingerprinting, or authentication bypass, in line with Shijie Luo, Matheus Garbelini, Sudipta Chattopadhyay, and Jianying Zhou.
“Versus utilizing a rogue base station, which limits the practicality of many 5G assaults, SNI5GECT acts as a third-party within the communication, silently sniffs messages, and tracks the protocol state by decoding the sniffed messages throughout the UE connect process,” the researchers mentioned. “The state data is then used to inject a focused assault payload in downlink communication.”
The findings construct upon a previous examine from ASSET in late 2023 that led to the invention of 14 flaws within the firmware implementation of 5G cell community modems from MediaTek and Qualcomm, collectively dubbed 5Ghoul, that could possibly be exploited to launch assaults to drop connections, freeze the connection that includes handbook reboot, or downgrade the 5G connectivity to 4G.
The Sni5Gect assaults are designed to passively sniff messages throughout the preliminary connection course of, decode the message content material in real-time, after which leverage the decoded message content material to inject focused assault payloads.
Particularly, the assaults are designed to make the most of the part earlier than the authentication process, at which level the messages exchanged between the gNB and the UE are usually not encrypted. Because of this, the risk mannequin doesn’t require information of the UE’s credentials to smell uplink/downlink site visitors or inject messages.
“To the perfect of our information, SNI5GECT is the primary framework that empowers researchers with each over-the-air sniffing and stateful injection capabilities, with out requiring a rogue gNB,” the researchers mentioned.
“For instance, an attacker can exploit the quick UE communication window that spans from the RACH course of till the NAS security context is established. Such an attacker actively listens for any RAR message from the gNB, which supplies the RNTI to decode additional UE messages.”
This permits the risk actor to crash the modem on the sufferer’s gadget, fingerprint the focused gadget, and even downgrade the connection to 4G, which has identified vulnerabilities that may be exploited by the attacker to trace the UE location over time.
In exams in opposition to 5 smartphones, together with OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Professional, the examine achieved 80% accuracy in uplink and downlink sniffing, and managed to inject messages with successful fee of 70-90% from a distance of as much as 20 meters (65 ft).
The International System for Cell Communications Affiliation (GSMA), a non-profit commerce affiliation that represents cell community operators worldwide and develops new applied sciences, has acknowledged the multi-stage, downgrade assault, and assigned it the identifier CVD-2024-0096.
“We argue that SNI5GECT is a elementary instrument in 5G security analysis that allows not solely over-the-air 5G exploitation however advancing future analysis on packet-level 5G intrusion detection and mitigation, security enhancements to 5G bodily layer security and past,” the researchers concluded.
