Aug 26, 2025Ravie LakshmananVulnerability / Cellular Safety
A staff of lecturers has devised a novel assault that can be utilized to downgrade a 5G connection to a decrease technology with out counting on a rogue base station (gNB).
The assault, per the ASSET (Automated Techniques SEcuriTy) Analysis Group on the Singapore College of Know-how and Design (SUTD), depends on a brand new open-source software program toolkit named Sni5Gect (brief for “Sniffing 5G Inject”) that is designed to smell unencrypted messages despatched between the bottom station and the person gear (UE, i.e., a telephone) and inject messages to the goal UE over-the-air.
The framework can be utilized to hold out assaults resembling crashing the UE modem, downgrading to earlier generations of networks, fingerprinting, or authentication bypass, in line with Shijie Luo, Matheus Garbelini, Sudipta Chattopadhyay, and Jianying Zhou.
“Versus utilizing a rogue base station, which limits the practicality of many 5G assaults, SNI5GECT acts as a third-party within the communication, silently sniffs messages, and tracks the protocol state by decoding the sniffed messages throughout the UE connect process,” the researchers mentioned. “The state data is then used to inject a focused assault payload in downlink communication.”
The findings construct upon a previous research from ASSET in late 2023 that led to the invention of 14 flaws within the firmware implementation of 5G cell community modems from MediaTek and Qualcomm, collectively dubbed 5Ghoul, that might be exploited to launch assaults to drop connections, freeze the connection that entails handbook reboot, or downgrade the 5G connectivity to 4G.
The Sni5Gect assaults are designed to passively sniff messages throughout the preliminary connection course of, decode the message content material in real-time, after which leverage the decoded message content material to inject focused assault payloads.
Particularly, the assaults are designed to make the most of the part earlier than the authentication process, at which level the messages exchanged between the gNB and the UE usually are not encrypted. Because of this, the menace mannequin doesn’t require data of the UE’s credentials to smell uplink/downlink site visitors or inject messages.
“To one of the best of our data, SNI5GECT is the primary framework that empowers researchers with each over-the-air sniffing and stateful injection capabilities, with out requiring a rogue gNB,” the researchers mentioned.
“For instance, an attacker can exploit the brief UE communication window that spans from the RACH course of till the NAS safety context is established. Such an attacker actively listens for any RAR message from the gNB, which gives the RNTI to decode additional UE messages.”
This permits the menace actor to crash the modem on the sufferer’s machine, fingerprint the focused machine, and even downgrade the connection to 4G, which has identified vulnerabilities that may be exploited by the attacker to trace the UE location over time.
In exams in opposition to 5 smartphones, together with OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Professional, the research achieved 80% accuracy in uplink and downlink sniffing, and managed to inject messages with successful fee of 70-90% from a distance of as much as 20 meters (65 ft).
The International System for Cellular Communications Affiliation (GSMA), a non-profit commerce affiliation that represents cell community operators worldwide and develops new applied sciences, has acknowledged the multi-stage, downgrade assault, and assigned it the identifier CVD-2024-0096.
“We argue that SNI5GECT is a basic device in 5G safety analysis that allows not solely over-the-air 5G exploitation however advancing future analysis on packet-level 5G intrusion detection and mitigation, safety enhancements to 5G bodily layer safety and past,” the researchers concluded.
