A crew of lecturers has devised a novel assault that can be utilized to downgrade a 5G connection to a decrease technology with out counting on a rogue base station (gNB).
The assault, per the ASSET (Automated Techniques SEcuriTy) Analysis Group on the Singapore College of Know-how and Design (SUTD), depends on a brand new open-source software program toolkit named Sni5Gect (brief for “Sniffing 5G Inject”) that is designed to smell unencrypted messages despatched between the bottom station and the person gear (UE, i.e., a cellphone) and inject messages to the goal UE over-the-air.
The framework can be utilized to hold out assaults comparable to crashing the UE modem, downgrading to earlier generations of networks, fingerprinting, or authentication bypass, in line with Shijie Luo, Matheus Garbelini, Sudipta Chattopadhyay, and Jianying Zhou.
“Versus utilizing a rogue base station, which limits the practicality of many 5G assaults, SNI5GECT acts as a third-party within the communication, silently sniffs messages, and tracks the protocol state by decoding the sniffed messages through the UE connect process,” the researchers mentioned. “The state data is then used to inject a focused assault payload in downlink communication.”
The findings construct upon a previous examine from ASSET in late 2023 that led to the invention of 14 flaws within the firmware implementation of 5G cell community modems from MediaTek and Qualcomm, collectively dubbed 5Ghoul, that could possibly be exploited to launch assaults to drop connections, freeze the connection that includes guide reboot, or downgrade the 5G connectivity to 4G.
The Sni5Gect assaults are designed to passively sniff messages through the preliminary connection course of, decode the message content material in real-time, after which leverage the decoded message content material to inject focused assault payloads.
Particularly, the assaults are designed to make the most of the section earlier than the authentication process, at which level the messages exchanged between the gNB and the UE usually are not encrypted. Consequently, the risk mannequin doesn’t require information of the UE’s credentials to smell uplink/downlink visitors or inject messages.
“To the very best of our information, SNI5GECT is the primary framework that empowers researchers with each over-the-air sniffing and stateful injection capabilities, with out requiring a rogue gNB,” the researchers mentioned.
“For instance, an attacker can exploit the brief UE communication window that spans from the RACH course of till the NAS safety context is established. Such an attacker actively listens for any RAR message from the gNB, which offers the RNTI to decode additional UE messages.”
This permits the risk actor to crash the modem on the sufferer’s system, fingerprint the focused system, and even downgrade the connection to 4G, which has identified vulnerabilities that may be exploited by the attacker to trace the UE location over time.
In checks in opposition to 5 smartphones, together with OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Professional, the examine achieved 80% accuracy in uplink and downlink sniffing, and managed to inject messages with a hit price of 70-90% from a distance of as much as 20 meters (65 toes).
The World System for Cell Communications Affiliation (GSMA), a non-profit commerce affiliation that represents cell community operators worldwide and develops new applied sciences, has acknowledged the multi-stage, downgrade assault, and assigned it the identifier CVD-2024-0096.
“We argue that SNI5GECT is a elementary software in 5G safety analysis that allows not solely over-the-air 5G exploitation however advancing future analysis on packet-level 5G intrusion detection and mitigation, safety enhancements to 5G bodily layer safety and past,” the researchers concluded.
