A team of scholars have devised a new attack that can be used to downgrade 5G connections to low-generations without relying on rogue base stations (GNBs).
According to the Assets (Automatic System Security) Research Group at the Singapore Institute of Technology Design (SUTD), the attack relies on a new open source software toolkit called SNI5GECT (short for “sniffing 5G Injec”).
According to Shijie Luo, Matheus Garbelini, Sudipta Chattopadhyay and Jianying Zhou, the framework can be used to carry out attacks such as UE modem crashes, previous generation networks, fingerprinting, authentication bypassing, and more.
“In contrast to the use of rogue base stations that limit the practicality of many 5G attacks, SNI5GECT acts as a third party in communications, quietly sniffing messages and tracks protocol state by decoding sniffing messages during the UE attachment procedure,” the researchers said. “The state information is then used to inject targeted attack payloads into downlink communications.”
The findings were built on previous research from assets in late 2023, and found 14 flaws in firmware implementations of 5G mobile network modems from MediaTek and Qualcomm. This will freeze connections with manual reboots or reduce connectivity to 4G to launch an attack, collectively called 5Ghoul.
The SNI5GECT attack is designed to passively sniff messages during the initial connection process, decoding message content in real time and leveraging the decoded message content to inject target attack payloads.
Specifically, the attack is designed to utilize a phase prior to the authentication procedure, at which point the messages exchanged between GNB and UE are not encrypted. As a result, the threat model does not require knowledge of UE credentials to insert UP-link/downlink traffic or messages.
“To our knowledge, SNI5GECT is the first framework to enhance both air olfactory and stateful injection capabilities for researchers without the need for fraudulent GNB,” the researchers said.
“For example, an attacker can exploit a short UE communication window in the range of the RACH process until the security context of the NAS is established. Such an attacker will actively hear RAR messages from GNB.
This causes threat actors to crash the modems on the victim’s devices, leading targeted devices to fingerprints, and even downgrade connections to 4G.
In tests on five smartphones, including the OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro, this study achieved 80% accuracy for uplink and downlink sniffing, and injected messages with a success rate of 70-90% (65 feet).
The Mobile Communications Association (GSMA), a nonprofit association that represents mobile network operators around the world and develops new technologies, has recognized multi-stage, downgrade attacks and assigned the identifier CVD-2024-0096.
“SNI5GECT is a fundamental tool for 5G security research, not only enables the use of 5G in 5G, but also allows future research into security enhancements such as packet-level 5G intrusion detection and mitigation, and security of the physical layer of 5G,” concluded.
Source link
