Boffins say tool can sniff 5G traffic, launch 'attacks' without using rogue base stations

UPdated Security boffins have released an open source tool for poking holes in 5G mobile networks, claiming it can do up- and downlink sniffing and a novel connection downgrade attack - plus "other serious exploits" they're keeping under wraps, for now.

"Sni5Gect [is] a framework that sniffs messages from pre-authentication 5G communication in real-time," the researchers from the Singapore University of Technology and Design explained of their work, presented this week at the 34th USENIX security bash, "and injects targeted attack payload in downlink communication towards the UE [User Equipment, i.e. a phone]."

Designed to take advantage of the period just after a device connects to a 5G network and is still in the process of handshaking and authentication - which, the team points out, can occur when entering or leaving a lift, disembarking a plane and turning aeroplane mode off, or even passing through a tunnel or parking garage - Sni5Gect takes advantage of unencrypted messaging between the base station and a target handset.

"Since messages exchanged between the gNB [Next-Generation Node B, the base station] and the UE are not encrypted before the security context is established (pre-authentication state)," the researchers wrote, "an attacker does not require knowledge of the UE's credentials to sniff uplink/downlink [traffic] nor to inject messages without integrity protection throughout the UE connection procedure."

That's a flaw, and one the framework is designed to exploit. The team's testing showed it capable of sniffing both uplink and downlink traffic with more than 80 percent accuracy, at ranges of up to 20 meters between an off-the-shelf software-defined radio and the target mobile. For packet injection, the success rate varied between 70-90 percent - and delivered, among other things, proof of a novel downgrade attack by which a ne'er-do-well equipped with Sni5Gect could downgrade a connection from 5G to 4G to reduce its security and carry out further surveillance and attacks.

As Sni5Gect works in real-time, its creators have claimed, and can inject attack payloads, including multi-stage attacks, based on protocol state, it's suited to fingerprinting, denial-of-service attacks, and downgrading.

"To the best of our knowledge," they wrote in their paper's introduction [PDF], "Sni5Gect is the first framework that empowers researchers with both over-the-air sniffing and stateful injection capabilities, without requiring a rogue gNB [base station]."

• The White House could end UK's decade-long fight to bust encryption
• Trump seeing green as he weighs deal to allow Nvidia Blackwell GPU sales to China
• The tiny tech tribe who could change the world tomorrow but won't
• Open source's superior security is a matter of eyeballs: Be kind to the brains behind them

The researchers communicated with the GSM Association (GSMA) prior to presenting their findings; the GSMA confirmed their discovery of the novel downgrade attack, which leans on the tool's ability to inject dynamically modified messages at different stages of the connection process, and assigned it CVD-2024-0096 under its common vulnerabilities and disclosures programme.

Some features limited to trusted pen testers

Not all of the capabilities claimed in the team's paper have been fully disclosed, however. The team has kept private "other serious exploits leveraging the framework," in order to "avoid abusing SNI5Gect to launch attacks against people's smartphones[s]." These exploits, it is claimed, will be made available only to "trusted institutions like universities and research institutions" upon application and verification of their legitimate interest.

The Sni5Gect framework itself is available in full, alongside the exploits discussed in the team's paper, on GitHub, under the GNU Affero General Public Licence 3, with the disclaimer that it's "for research and educational purposes only" and that use on live networks "may violate local laws and regulations."

More information, including a link to the open-access paper, is available on the project website. ®

Updated to add on August 22:

A GSMA spokesperson told The Reg they were "grateful for the responsible approach the researchers have taken in engaging with us through the GSMA's industry-wide Coordinated Vulnerability Disclosure (CVD) programme, ahead of publishing their findings.

"Following an assessment, the CVD panel has determined that devices adhering to the 3GPP's TS 24.501 and TS 38.304 standards are not susceptible to the extended loss of 5G connectivity described by the researchers. We have therefore advised our members to comply with these 3GPP standards." The spokesperson said the org welcomed "research that strengthens the security and reliability of mobile services and appreciate the efforts of the academic and security communities in contributing to this vital work. We encourage the research community to work with the mobile ecosystem, through the GSMA CVD programme, to remedy any new findings."