A team of researchers from the Singapore University of Technology and Design have discovered vulnerabilities in many 5G-capable commercial products such as smartphones, customer-premises equipment (CPE) routers and USB modems using Qualcomm and MediaTek chips.
The 14 vulnerabilities, 10 of which have been publicly disclosed and four withheld for security reasons, have impacted over 700 5G smartphone models from 24 brands.
According to the research paper, the 5Ghoul vulnerabilities may be “exploited” to continuously launch attacks to drop the connections, freeze the connection or downgrade the 5G connectivity to 4G.
A notable feature of the vulnerabilities is that they can all be quite easy to exploit by an attacker over-the-air by impersonating a legitimate 5G base station using the known cell tower connection parameters (e.g., SSB ARFCN, tracking area code, physical cell ID, point A frequency), as no information about the victim’s SIM card is required.
“The attacker does not need to be aware of any secret information of the target UE e.g., UE’s SIM card details, to complete the NAS network registration,” the study explained.
This is achievable with apps like Cellular-Pro to determine the Relative Signal Strength Indicator (RSSI) readings and trick the user equipment to connect to the adversarial station – a setup that consists of a software-defined radio as well as an inexpensive mini PC, among others.
Among the list of vulnerabilities, researchers have noted that CVE-2023-33042 is particularly concerning as it can permit an attacker within radio range to trigger a 5G connectivity downgrade or denial of service within Qualcomm’s X55/X60 modem firmware by sending malformed Radio Resource Control (RRC) frame to the target 5G device from a nearby malicious gNB.
Successful exploitation of the flaws can cause the devices to lose all connectivity until the user manually reboots.
Both Qualcomm and MediaTek have released patches for the disclosed 5Ghoul vulnerabilities.
While finding issues in the implementation of the 5G modem vendor heavily impacts product vendors downstream, the researchers said it can often take six or more months for 5G security patches to finally reach the end-users.
“This is because the software dependency of product vendors on the Modem / Chipset Vendor adds complexity and hence delays to the process of producing and distributing patches to the end-user,” the paper explained.