New Attack Framework Exposes Vulnerabilities in 5G Networks


By Tina Reynolds


A team of researchers has developed a new attack framework known as SNI5GECT, designed to downgrade 5G connections to lower generations without the need for rogue base stations. The approach builds on previous research by the same group, which found major security vulnerabilities in the firmware of mobile network modems produced by MediaTek and Qualcomm.

In a new study by Shijie Luo, Matheus Garbelini, Sudipta Chattopadhyay, and Jianying Zhou, the researchers uncovered a major hazard and showed how severely attackers could affect users through these vulnerabilities. The results reveal 14 serious vulnerabilities dubbed “5Ghoul.” These defects can cause disconnections, freeze devices so that a manual restart is required, or downgrade the 5G connection to 4G.

Technical Breakdown of SNI5GECT

SNI5GECT works by intercepting messages exchanged during session establishment. The framework lets an adversary sniff valid over-the-air messages and decode their content on the fly. With a measured sniffing accuracy of 80% in both the uplink and downlink directions, the researchers assessed five popular smartphones, including the OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro.

The study demonstrated that attackers could inject targeted payloads with a success rate of 70-90% from distances of up to 20 meters (65 feet). This capability enables some of the most sophisticated and damaging attacks against mobile devices. Injected payloads can crash the user equipment (UE) modem, which in turn can expose it to fingerprinting or to further exploitation in later stages of an attack.

“To the best of our knowledge, SNI5GECT is the first framework that empowers researchers with both over-the-air sniffing and stateful injection capabilities, without requiring a rogue gNB.” – Researchers

Implications for Security

The implications of this research are profound. Because no rogue base station is needed, simply downgrading a connection raises the success rate of attacks on 5G networks, which makes such attacks far more practical and accessible. Acting as a man-in-the-middle in the communication, SNI5GECT can passively sniff and decode messages exchanged during the UE attach procedure.

The researchers also cautioned that the brief communication window of the Random Access Channel (RACH) procedure is a ripe target for attackers. This window opens just before the NAS security context is established, so the messages exchanged in it are not yet protected. It lets an attacker capture the Random Access Response (RAR) messages sent by the gNB, which carry the RNTI needed to decode further UE messages.

“For example, an attacker can exploit the short UE communication window that spans from the RACH process until the NAS security context is established. Such an attacker actively listens for any RAR message from the gNB, which provides the RNTI to decode further UE messages.” – Researchers
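To make concrete what the researchers mean by the RAR "providing the RNTI", the following is an added example (not code from the SNI5GECT paper or its authors) that decodes a 5G NR MAC RAR PDU according to the field layout in 3GPP TS 38.321 (E/T/RAPID or E/T/R/R/BI subheaders, each RAPID subheader followed by a 7-octet MAC RAR holding the Timing Advance command, the UL grant and the Temporary C-RNTI). It also applies the RNTI range sanity check a packet-level monitor would want, since a RAR is sent before any security context exists and nothing but a format check can vouch for it. The sample PDU bytes are constructed for the example; the function and class names are the example's own.

```python
"""Decode 5G NR MAC Random Access Response (RAR) PDUs (TS 38.321 layout).

Added example, not part of the SNI5GECT project. Shows that the RAR,
which is transmitted before the NAS security context exists and is
therefore neither encrypted nor integrity protected, carries the
Temporary C-RNTI in the clear.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Reserved RNTI values from TS 38.321 Table 7.1-1: 0x0000 is unused,
# 0xFFF0-0xFFFD are reserved, 0xFFFE is SI-RNTI and 0xFFFF is P-RNTI.
# A Temporary C-RNTI must fall in 0x0001..0xFFEF.
TC_RNTI_MIN, TC_RNTI_MAX = 0x0001, 0xFFEF


@dataclass
class Rar:
    rapid: int            # Random Access Preamble ID this RAR answers (6 bits)
    timing_advance: int   # Timing Advance command (12 bits)
    ul_grant: int         # UL grant for Msg3 (27 bits)
    tc_rnti: int          # Temporary C-RNTI assigned to the UE (16 bits)


def tc_rnti_is_valid(rnti: int) -> bool:
    """Sanity check a monitor can apply: reserved values never appear in a RAR."""
    return TC_RNTI_MIN <= rnti <= TC_RNTI_MAX


def parse_rar_pdu(pdu: bytes) -> Tuple[Optional[int], List[Rar]]:
    """Return (backoff indicator or None, list of RARs) from one MAC PDU."""
    backoff: Optional[int] = None
    rars: List[Rar] = []
    i = 0
    while i < len(pdu):
        hdr = pdu[i]
        i += 1
        extension = (hdr >> 7) & 1     # E: 1 = another subheader follows
        rapid_type = (hdr >> 6) & 1    # T: 1 = RAPID subheader, 0 = BI subheader
        if rapid_type == 0:
            backoff = hdr & 0x0F       # E/T/R/R/BI: backoff indicator index
        else:
            rapid = hdr & 0x3F
            if i + 7 > len(pdu):
                raise ValueError("truncated MAC RAR after RAPID subheader")
            body = int.from_bytes(pdu[i:i + 7], "big")
            i += 7
            # 56 bits: R(1) | TA command(12) | UL grant(27) | Temporary C-RNTI(16)
            rar = Rar(
                rapid=rapid,
                timing_advance=(body >> 43) & 0xFFF,
                ul_grant=(body >> 16) & 0x7FFFFFF,
                tc_rnti=body & 0xFFFF,
            )
            if not tc_rnti_is_valid(rar.tc_rnti):
                raise ValueError(f"reserved RNTI 0x{rar.tc_rnti:04X} in RAR")
            rars.append(rar)
        if extension == 0:
            break
    return backoff, rars


def build_rar_pdu(entries: List[Tuple[int, int, int, int]],
                  backoff: Optional[int] = None) -> bytes:
    """Encode (rapid, ta, ul_grant, tc_rnti) tuples; used to construct samples."""
    out = bytearray()
    if backoff is not None:
        out.append(((1 if entries else 0) << 7) | (backoff & 0x0F))
    for idx, (rapid, ta, grant, tc_rnti) in enumerate(entries):
        more = 1 if idx < len(entries) - 1 else 0
        out.append((more << 7) | (1 << 6) | (rapid & 0x3F))
        body = ((ta & 0xFFF) << 43) | ((grant & 0x7FFFFFF) << 16) | (tc_rnti & 0xFFFF)
        out += body.to_bytes(7, "big")
    return bytes(out)


# Constructed sample: one RAR for RAPID 5, TA 31, UL grant 0x123456,
# Temporary C-RNTI 0x4E21 (E=0, T=1 -> subheader 0x45).
SAMPLE_PDU = bytes.fromhex("45 00 F8 12 34 56 4E 21")


if __name__ == "__main__":
    bi, rars = parse_rar_pdu(SAMPLE_PDU)
    for r in rars:
        print(f"RAPID {r.rapid}: TC-RNTI 0x{r.tc_rnti:04X}, TA {r.timing_advance}")
```

Once a monitor has the Temporary C-RNTI from the RAR it can follow the UE's subsequent messages, which is exactly why the pre-security window is worth watching: any message in that window that the gNB did not send looks just as legitimate as the real ones.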

Future of 5G Security Research

The development of the SNI5GECT framework is a major step forward for impactful 5G security research. It makes over-the-air exploitation far easier to reproduce in a controlled setting, and it lays the foundation for subsequent research into packet-level intrusion detection and mitigation techniques. The researchers say the framework is a necessary step toward better security measures at the physical layer of 5G networks.

“We argue that SNI5GECT is a fundamental tool in 5G security research that enables not only over-the-air 5G exploitation but advancing future research on packet-level 5G intrusion detection and mitigation, security enhancements to 5G physical layer security and beyond.” – Researchers