A team of researchers from the Singapore University of Technology and Design has disclosed the details of a new 5G attack that does not require the use of a malicious base station.
As part of the project, the researchers have released a framework named Sni5Gect that can be used to sniff messages and perform message injection in 5G communications. The attack targets the 5G New Radio (NR) radio access technology that powers 5G networks.
Previously demonstrated 5G attacks involved the use of a rogue base station that the victim needs to connect to, which can limit the practicality of an attack, the researchers said.
The Sni5Gect attack, on the other hand, involves an attacker within radio range of the victim intercepting the unencrypted messages exchanged between the base station and the targeted user’s phone.
The attack targets the connection in the window before authentication completes and before the traffic is protected, which means the attacker does not need the victim device’s credentials. This window can be reached by waiting for the targeted phone to lose its connection and reinitiate it.
The researchers pointed out that it’s not uncommon for devices to reconnect to the network, including when the user disables airplane mode after a flight, when passing through a tunnel or underground parking garage, or when riding an elevator.
If the attacker can initialize an attack prior to the connection being secured, they can intercept unencrypted messages and inject malicious payloads. This enables the hacker to crash the modem on the victim’s device, fingerprint and later track the targeted device, and downgrade the connection to 4G, which has known vulnerabilities that can be exploited by the attacker.
The Sni5Gect attack has been tested against five smartphones, including OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro.
During their tests, the researchers achieved 80% accuracy in uplink and downlink sniffing, and managed to inject messages with a success rate of 70-90% from a distance of up to 20 meters (65 feet).
“Compared to prior state-of-the-art works, the Sni5Gect framework does not require rogue gNodeB (gNB) stations when executing over-the-air sniffing and stateful injections. The absence of a rogue gNB is significant as it reduces setup complexities while increasing stealth,” explained Yee Ching Tok of the SANS Internet Storm Center.
GSMA, the organization that represents the interests of mobile network operators, has acknowledged the findings and assigned the attack the identifier CVD-2024-0096 (security issues affecting the mobile industry are assigned CVD identifiers rather than CVE identifiers).
The Sni5Gect framework has been made available as open source.
Source: securityweek.com