Security boffins have released an open source tool for poking holes in 5G mobile networks, claiming it can do up- and downlink sniffing and a novel connection downgrade attack – plus “other serious exploits” they’re keeping under wraps, for now.
“Sni5Gect [is] a framework that sniffs messages from pre-authentication 5G communication in real-time,” the researchers from the Singapore University of Technology and Design explained of their work, presented this week at the 34th USENIX security bash, “and injects targeted attack payload in downlink communication towards the UE [User Equipment, i.e. a phone].”
Designed to take advantage of the period just after a device connects to a 5G network and is still in the process of handshaking and authentication – which, the team points out, can occur when entering or leaving a lift, disembarking a plane and turning aeroplane mode off, or even passing through a tunnel or parking garage – Sni5Gect takes advantage of unencrypted messaging between the base station and a target handset.
“Since messages exchanged between the gNB [Next-Generation Node B, the base station] and the UE are not encrypted before the security context is established (pre-authentication state),” the researchers wrote, “an attacker does not require knowledge of the UE’s credentials to sniff uplink/downlink [traffic] nor to inject messages without integrity protection throughout the UE connection procedure.”
That’s a flaw, and one the framework is designed to exploit. The team’s testing showed it capable of sniffing both uplink and downlink traffic with more than 80 percent accuracy, at ranges of up to 20 meters between an off-the-shelf software-defined radio and the target mobile. For packet injection, the success rate varied between 70-90 percent – and delivered, among other things, proof of a novel downgrade attack by which a ne’er-do-well equipped with Sni5Gect could downgrade a connection from 5G to 4G to reduce its security and carry out further surveillance and attacks.
As Sni5Gect works in real-time, its creators have claimed, and can inject attack payloads, including multi-stage attacks, based on protocol state, it’s suited to fingerprinting, denial-of-service attacks, and downgrading.
“To the best of our knowledge,” they wrote in their paper’s introduction [PDF], “Sni5Gect is the first framework that empowers researchers with both over-the-air sniffing and stateful injection capabilities, without requiring a rogue gNB [base station].”
Given the scope of the tool, the researchers communicated with the GSM Association (GSMA), the organization responsible for the 5G standard, prior to presenting their findings; the GSMA confirmed their discovery of the novel downgrade attack, which leans on the tool’s ability to inject dynamically modified messages at different stages of the connection process, and assigned it CVD-2024-0096 under its common vulnerabilities and disclosures programme.
Some features limited to trusted pen testers
Not all of the capabilities claimed in the team’s paper have been fully disclosed, however. The team has kept private “other serious exploits leveraging the framework,” in order to “avoid abusing SNI5Gect to launch attacks against people’s smartphones[s].” These exploits, it is claimed, will be made available only to “trusted institutions like universities and research institutions” upon application and verification of their legitimate interest.
The Sni5Gect framework itself is available in full, alongside the exploits discussed in the team’s paper, on GitHub, under the GNU Affero General Public Licence 3, with the disclaimer that it’s “for research and educational purposes only” and that use on live networks “may violate local laws and regulations.”
More information, including a link to the open-access paper, is available on the project website. ®