- 5G phones can be silently downgraded to insecure 4G, leaving the device exposed
- Exploitation works without building expensive and complex fake towers
- Tested smartphones include flagship models from Samsung, Google, Huawei and OnePlus
At the end of 2023, researchers revealed a set of flaws in the 5G modem firmware of major chipmakers, including MediaTek and Qualcomm, collectively dubbed 5Ghoul.
A group of academics at the Singapore University of Technology and Design (SUTD) has now shown how 5G phones can be tricked into falling back to 4G networks with a method that avoids the need for a fake base station.
Instead, it targets a vulnerable stage of the communication between phone and tower, where critical messages are not yet encrypted.
The Sni5Gect toolkit, short for "Sniffing 5G Injection", exploits the small time window at the start of a connection attempt.
It targets the pre-authentication phase, during which the data passing between the tower and the phone is still unencrypted.
Because of this gap, attackers can intercept and inject messages without knowing the phone's private credentials.
During this step, the system can capture identifiers sent by the tower and use them to read and modify messages.
With such access, an attacker can force a modem crash, fingerprint the device, or trigger a switch from 5G to 4G.
Because 4G carries long-known weaknesses, the forced downgrade leaves the target open to older tracking or location attacks.
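The defensive point above is that the downgrade is triggered inside the pre-authentication window, so a device-side heuristic can treat a 5G-to-4G switch that happens shortly after a connection attempt, and before NAS authentication completes, as suspicious, while a downgrade after successful authentication is normal mobility. The following is an added example written for this article, not code from the Sni5Gect project; the event names (`NR_RRC_SETUP`, `NAS_AUTH_OK`, `RAT_CHANGE_NR_TO_LTE`) and the log format are constructed for illustration.

```python
"""Heuristic detector for 5G->4G downgrades inside the pre-authentication window.
Added example, not from the Sni5Gect research; event names and log format are
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Event:
    ts: datetime
    name: str  # hypothetical modem-event names, e.g. NR_RRC_SETUP, NAS_AUTH_OK


def parse_log(text: str) -> List[Event]:
    """Parse constructed 'ISO-timestamp EVENT' lines into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, name = line.split(maxsplit=1)
        events.append(Event(datetime.fromisoformat(ts), name.strip()))
    return events


def suspicious_downgrades(events: List[Event],
                          window: timedelta = timedelta(seconds=5)) -> List[Event]:
    """Return downgrade events that occurred after a 5G connection attempt but
    before NAS authentication completed, within `window` of the attempt.
    A downgrade after successful authentication is treated as benign, which is
    the case a naive "flag every downgrade" rule gets wrong."""
    flagged: List[Event] = []
    attempt_ts: Optional[datetime] = None
    authenticated = False
    for ev in events:
        if ev.name == "NR_RRC_SETUP":          # new 5G connection attempt
            attempt_ts, authenticated = ev.ts, False
        elif ev.name == "NAS_AUTH_OK":         # authentication finished
            authenticated = True
        elif ev.name == "RAT_CHANGE_NR_TO_LTE":
            if attempt_ts is not None and not authenticated and ev.ts - attempt_ts <= window:
                flagged.append(ev)
            attempt_ts = None                  # the NR session is over either way
    return flagged


# Constructed sample: one benign post-auth downgrade, one pre-auth downgrade.
SAMPLE_LOG = """\
2024-01-01T10:00:00 NR_RRC_SETUP
2024-01-01T10:00:01 NAS_AUTH_OK
2024-01-01T10:05:00 RAT_CHANGE_NR_TO_LTE
2024-01-01T10:06:00 NR_RRC_SETUP
2024-01-01T10:06:02 RAT_CHANGE_NR_TO_LTE
"""

if __name__ == "__main__":
    for ev in suspicious_downgrades(parse_log(SAMPLE_LOG)):
        print("suspicious pre-auth downgrade at", ev.ts.isoformat())
```

Running the block prints only the second downgrade, since the first happened after authentication succeeded.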
Tests showed a success rate between 70% and 90% when attempted from about twenty meters away, suggesting that the method works under realistic conditions.
The academics tested the framework on several smartphones, including popular models from Samsung, Google, Huawei and OnePlus.
In these cases, the researchers were able to intercept both uplink and downlink traffic with remarkable accuracy.
Importantly, the method avoids the complexity of setting up a rogue base station, something that has long limited practical attacks on mobile networks.
The GSM Association (GSMA) has since confirmed the problem and assigned it the identifier CVD-2024-0096, marking it as a downgrade risk.
The team says its toolkit is not intended for criminal use but for further research on wireless security.
They say it could help with developing packet-level detection and new forms of 5G protection.
Still, the ability to crash devices or silently downgrade them raises questions about the resilience of current networks.
Although there are no clear reports of real-world abuse so far, the method is public and the software is open source, so the risk remains that skilled actors could adapt it.
Unfortunately, users have few direct ways to block such low-level exploitation, although broader digital hygiene can help limit the downstream risks.
Running updated antivirus software, securing credentials with a password manager and enabling an authenticator app can reduce the impact of secondary attacks that may follow a network downgrade.
Via The Hacker News