New 5Ghoul Attack Impacts 5G Devices From Popular Brands


5G is the 5th generation mobile network, and this technology has significantly revolutionized communication by offering:-

  • Faster internet speeds
  • Reduced latency
  • Increased connectivity 

Besides this, 5G offers low-latency benefits in the following critical and essential domains:-


  • IoT
  • VR
  • Medical
  • Automation

However, cybersecurity researchers from the following organizations recently discovered the new 5Ghoul attack that impacts the 5G devices from popular brands:-

  • Singapore University of Technology and Design
  • I2R
  • A*STAR

New 5Ghoul Attack

5Ghoul exposes 5G vulnerabilities in Qualcomm and MediaTek modems, impacting smartphones, routers, and USB modems. 

Twelve new vulnerabilities were discovered, 10 of which affect these major modems and three of which are rated highly severe. Besides this, over 710 affected smartphone models were identified.

The exploited vulnerabilities lead to:-

  • Connection drops
  • Freezes
  • 5G-to-4G downgrades

5Ghoul uses a mimicked Dolev-Yao attacker model, exposing a controllable downlink channel to inject/modify 5G NR downlink packets without knowing the target UE’s secret information.

The adversarial gNB manipulates downlink messages, enabling attacks at any step of the 5G NR procedure, while the later procedures that depend on the SIM card’s secret credentials fail because the attacker does not know them.

By deploying a malicious gNB using Software Defined Radio (SDR) within the target 5G UE’s radio range, the 5Ghoul vulnerabilities can be exploited easily over the air.

However, while the USRP B210 used in the researchers’ setup is visually detectable, miniaturized SDR equipment, like a Raspberry Pi, allows for stealthy and sophisticated attacks.

5Ghoul attack process (Source – Asset Group)
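As an added illustration (not from the original article or the researchers’ tooling), the following defender-side check flags a cell whose RRC failures, modem resets and 5G-to-4G fallbacks cluster in time and all occur before the UE has completed NAS registration, which is the pre-authentication window the attacker model above operates in. The UE-side event log format, the cell identifiers and the `invalid_ie` reason are assumptions used for the constructed sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of UE-side modem events (assumed format, not real modem output).
# Cell 101 is a normal cell with one ordinary radio-link failure after registration; cell 377
# fails right after every RRC setup, before NAS registration ever succeeds, and forces a modem
# reset and a 5G-to-4G fallback: the symptoms described above.
SAMPLE_LOG = """\
2023-12-01T10:00:00 pci=101 event=rrc_setup result=ok
2023-12-01T10:00:05 pci=101 event=nas_registration result=ok
2023-12-01T10:01:00 pci=101 event=rrc_reconfig result=fail reason=radio_link_failure
2023-12-01T10:02:00 pci=377 event=rrc_setup result=ok
2023-12-01T10:02:01 pci=377 event=rrc_reconfig result=fail reason=invalid_ie
2023-12-01T10:02:02 pci=377 event=modem_reset
2023-12-01T10:02:20 pci=377 event=rrc_setup result=ok
2023-12-01T10:02:21 pci=377 event=rrc_reconfig result=fail reason=invalid_ie
2023-12-01T10:02:22 pci=377 event=rat_change from=NR to=LTE
2023-12-01T10:02:40 pci=377 event=rrc_setup result=ok
2023-12-01T10:02:41 pci=377 event=rrc_reconfig result=fail reason=invalid_ie
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")
BAD_EVENTS = {"modem_reset", "rat_change"}   # freezes/crashes and downgrades

def parse_line(line):
    """'<iso timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD_RE.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def score_cells(log_text, window_s=60):
    """Per cell (PCI): (peak number of bad events in any window_s-second window,
    True if all of them happened before the cell ever completed NAS registration)."""
    by_cell, registered = defaultdict(list), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] == "nas_registration" and rec.get("result") == "ok":
            registered.add(rec["pci"])
        if rec["event"] in BAD_EVENTS or rec.get("result") == "fail":
            by_cell[rec["pci"]].append((rec["ts"], rec["pci"] in registered))
    scores = {}
    for pci, events in by_cell.items():
        times = [t for t, _ in events]
        peak = max(sum(0 <= (u - t).total_seconds() <= window_s for u in times) for t in times)
        scores[pci] = (peak, not any(auth for _, auth in events))
    return scores

def suspicious_cells(log_text, window_s=60, threshold=3):
    """Cells whose failures cluster (>= threshold in a window) and all precede authentication."""
    return sorted(pci for pci, (peak, pre_auth) in score_cells(log_text, window_s).items()
                  if peak >= threshold and pre_auth)
```

A single post-registration failure on a legitimate cell is not flagged; only a cell that repeatedly breaks the UE before it can authenticate is.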

Exploitations

Here below, we have mentioned all the exploitations:-

  • Exploitation on Mobile Devices: Experts tested 5G vulnerabilities (V5 to V10) on Asus ROG Phone 5S (ARP5s, Qualcomm Modem) and OnePlus Nord CE 2 (OnePlus, MediaTek Modem). V5/V6 trigger temporary DoS on ARP5s, requiring continuous attacks for complete disruption. V7 downgrades to 4G, forcing manual reboot for 5G restoration; persistent impact observed. V8-V14 caused crashes on OnePlus with MediaTek Dimensity 900 5G Modem, necessitating modem reboots for 5G recovery. Continuous attacks disrupt 3G/4G/5G communications on OnePlus, echoing V5/V6 behavior.

  • Exploitation on Specialized 5G Products: Vulnerabilities V5-V14 impact 5G devices with Qualcomm and MediaTek modems, affecting smartphones, USB modems, and low-latency communication appliances. 

  • Downgrade Attacks: The vulnerability V7 (7.3) acts as a downgrade attack, blocking 5G connections while allowing access to older technologies like 4G. This exposes users to different design issues inherent to various network technologies (2G, 3G, 4G).

  • Estimating the reach of 5Ghoul: To gauge 5Ghoul’s impact on 5G smartphones, we use web scraping to find models with vulnerable Qualcomm and MediaTek modems. Mobile processors like Snapdragon 8XX (Qualcomm) or Dimensity XXXX (MediaTek) integrate CPU, 5G modem, GPU, and peripherals, simplifying chipset identification.
Smartphone models potentially affected by 5Ghoul (Source - Asset Group)

The complete list of the 5Ghoul-affected smartphones can be found here.

The Challenge of Delivering 5G Patches to the End-user

Keeping the modem SDK secure prevents vulnerabilities from persisting for long. Issues in the 5G modem implementation propagate to downstream vendors, delaying security updates because of the chain of software dependencies.

The chain involves carrier recertification, OS vendor integration, and product vendor manual patching, leading to a 6-month delay for end-users.

5G UE Software Supply Ecosystem (Source - Asset Group)

Vulnerabilities

Here below, we have mentioned all the vulnerabilities that were described:-

  • V5: Invalid MAC/RLC PDU (CVE-2023-33043)
  • V6: NAS Unknown PDU (CVE-2023-33044)
  • V7: Disabling 5G / Downgrade via Invalid RRC pdcch-Config (CVE-2023-33042)
  • V8: Invalid RRC Setup spCellConfig (CVE-2023-32842)
  • V9: Invalid RRC pucch CSIReportConfig (CVE-2023-32844)
  • V10: Invalid RLC Data Sequence (CVE-2023-20702)
  • V11: Truncated RRC physicalCellGroupConfig (CVE-2023-32846)
  • V12: Invalid RRC searchSpacesToAddModList (CVE-2023-32841)
  • V13: Invalid RRC Uplink Config Element (CVE-2023-32843)
  • V14: Null RRC Uplink Config Element (CVE-2023-32845)

The potential of 5G is vast, but deeper research is crucial for uncovering vulnerabilities in its software. 

The complex, multi-layered nature of 5G networks poses challenges, as seen in the discovery of the 5Ghoul vulnerabilities in the modems of major chipset vendors despite their comprehensive testing resources.
