5G vulnerabilities: More than 710 cell phone models vulnerable to 5Ghoul

IT security researchers at the Singapore University of Technology and Design (SUTD) have discovered 14 security holes in the firmware of 5G modems from MediaTek and Qualcomm, among others, that allow denial-of-service attacks. They named the vulnerability collection 5Ghoul; ten of the flaws have CVE entries. Updates are already available for some Android devices, while affected Apple iPhones are still waiting for security updates.


The researchers give details on a project page for 5Ghoul. They found 14 flaws, twelve of which were previously unknown. Ten of them concern 5G modems from MediaTek and Qualcomm, and the researchers classify three of those as high severity. During their search for vulnerable devices they identified more than 710 affected smartphone models. In descending order of the number of affected models, devices from Vivo, Xiaomi, Oppo, Samsung, Honor, Motorola, Realme, OnePlus, Nubia, Huawei and ZTE are vulnerable, but smartphones from Asus, Sony, Nokia and Apple also contain vulnerable 5G modems.

To attack vulnerable devices, the researchers need only a laptop and a software-defined radio (SDR). With these they build a malicious base station on top of open-source 5G stacks such as OpenAirInterface and Open5GS, which they use to generate and send manipulated network packets. An attacker can clone the identifying parameters of a legitimate base station; once the attacker is close enough to the victims that the fake cell is the stronger signal, the phones' 5G modems connect to it.

The researchers note that the SDR setup they used is conspicuous because of the size of the equipment, but a shrunken version built around a Raspberry Pi is also possible, so a concealed attack is feasible.



Attack scenario with fake base station

Using freely available hardware, the researchers cloned a base station and used the fake to attack vulnerable devices.

(Image: asset-group.github.io / 5Ghoul project)

The flaws are triggered before the device has authenticated to the network, so the attacker needs no secret material from the SIM card, in particular not the subscriber key. According to the researchers, the bugs lie in the "RRC Attach" and authentication procedures; they focused on how the modems process RRC Connection Setup messages. All of the vulnerabilities sit in the pre-authentication phase between the user equipment and the base station.

Triggering the vulnerabilities requires nothing more than malformed data fields in RRC Connection Setup messages and in NAS Authentication Request packets. Updates that patch the faulty modem firmware are already on their way, but the road to end users is long. For Android devices, the researchers expect the fixes to arrive with Android's December patch day.
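The article does not describe which fields the researchers malformed, and the following is not the 5Ghoul test case or any code from the project or the article. It is an added example of the defensive side of the same message class: a length-checked parser for a plain 5G NAS Authentication Request, the packet type named above. The field layout (extended protocol discriminator 0x7E, message type 0x56, mandatory ABBA as length-value, optional RAND with IEI 0x21 and AUTN with IEI 0x20) follows 3GPP TS 24.501 as the editor recalls it and should be treated as an assumption; the sample messages, including the two malformed variants, are constructed here, not captured from a network. The point it shows is that every length octet an unauthenticated peer supplies is checked against the remaining buffer before it is used.

```python
"""Length-checked parser for a plain 5G NAS Authentication Request.

Added example, not code from the 5Ghoul project or the article. Field layout
follows 3GPP TS 24.501 section 8.2.1 as understood by the editor (assumption);
the sample messages below are constructed, not real captures.
"""
import struct

EPD_5GMM = 0x7E            # Extended protocol discriminator: 5GS mobility management
MSG_AUTH_REQUEST = 0x56    # Authentication request message identity
IEI_AUTN = 0x20            # Authentication parameter AUTN (TLV, length must be 16)
IEI_RAND = 0x21            # Authentication parameter RAND (TV, 16 octets)
IEI_EAP = 0x78             # EAP message (TLV-E, 2-octet length)


class MalformedNas(ValueError):
    """Raised instead of reading past the buffer or trusting a bad length."""


def parse_authentication_request(msg: bytes) -> dict:
    # Header: EPD, security header type, message type, ngKSI: 4 octets minimum
    if len(msg) < 4:
        raise MalformedNas("truncated header")
    epd, sec_hdr, msg_type, ngksi = msg[0], msg[1], msg[2], msg[3]
    if epd != EPD_5GMM or msg_type != MSG_AUTH_REQUEST:
        raise MalformedNas("not a plain 5GMM Authentication Request")
    if sec_hdr != 0x00:
        raise MalformedNas("expected plain NAS message (security header type 0)")
    out = {"ngksi": ngksi & 0x0F}  # high nibble is spare
    pos = 4

    # ABBA: mandatory LV, one length octet followed by 2..n octets
    if pos >= len(msg):
        raise MalformedNas("missing ABBA")
    abba_len = msg[pos]
    pos += 1
    if abba_len < 2 or pos + abba_len > len(msg):
        raise MalformedNas(f"bad ABBA length {abba_len}")
    out["abba"] = msg[pos:pos + abba_len]
    pos += abba_len

    # Optional IEs, recognised by IEI; every length is bounds-checked first
    while pos < len(msg):
        iei = msg[pos]
        pos += 1
        if iei == IEI_RAND:
            if pos + 16 > len(msg):
                raise MalformedNas("truncated RAND")
            out["rand"] = msg[pos:pos + 16]
            pos += 16
        elif iei == IEI_AUTN:
            if pos >= len(msg):
                raise MalformedNas("truncated AUTN length")
            autn_len = msg[pos]
            pos += 1
            if autn_len != 16 or pos + autn_len > len(msg):
                raise MalformedNas(f"bad AUTN length {autn_len}")
            out["autn"] = msg[pos:pos + 16]
            pos += 16
        elif iei == IEI_EAP:
            if pos + 2 > len(msg):
                raise MalformedNas("truncated EAP length")
            (eap_len,) = struct.unpack_from(">H", msg, pos)
            pos += 2
            if eap_len == 0 or pos + eap_len > len(msg):
                raise MalformedNas(f"bad EAP length {eap_len}")
            out["eap"] = msg[pos:pos + eap_len]
            pos += eap_len
        else:
            raise MalformedNas(f"unknown IEI 0x{iei:02x}")
    return out


def build_authentication_request(ngksi: int, abba: bytes, rand: bytes, autn: bytes) -> bytes:
    """Encode a well-formed message; used only to construct sample input."""
    return (bytes([EPD_5GMM, 0x00, MSG_AUTH_REQUEST, ngksi & 0x0F])
            + bytes([len(abba)]) + abba
            + bytes([IEI_RAND]) + rand
            + bytes([IEI_AUTN, 16]) + autn)


# Constructed samples (not network captures, not the 5Ghoul test cases)
GOOD = build_authentication_request(1, b"\x00\x00", bytes(range(16)), bytes(16))
# ABBA length octet claims 255 bytes although far fewer follow
ABBA_OVERRUN = GOOD[:4] + bytes([0xFF]) + GOOD[5:]
# AUTN length octet says 4 instead of the required 16
SHORT_AUTN = GOOD[:-18] + bytes([IEI_AUTN, 4]) + bytes(4)


def classify(msg: bytes) -> str:
    """Return 'ok' or the reason the parser rejected the message."""
    try:
        parse_authentication_request(msg)
        return "ok"
    except MalformedNas as e:
        return str(e)


if __name__ == "__main__":
    for name, m in [("GOOD", GOOD), ("ABBA_OVERRUN", ABBA_OVERRUN), ("SHORT_AUTN", SHORT_AUTN)]:
        print(f"{name:13s} -> {classify(m)}")
```

A modem firmware parser that copies `abba_len` or `autn_len` bytes into a fixed buffer without the `pos + len > len(msg)` comparison is exactly the shape of bug that a rogue base station can hit before any authentication has taken place, because at this point the network side is still entirely unauthenticated.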

For Apple smartphones, the patch schedule does not coincide with the December updates. Qualcomm, however, confirmed that it supplied its customers, i.e. the smartphone manufacturers, with patches for the flaws in August 2023, and MediaTek says it supplied corrected software to its OEM partners two months before the December patch day. Smartphone users should therefore install security updates promptly as soon as their device manufacturer offers them.

Those interested can find extensive details on the vulnerabilities, and explanations of how they can be exploited, on the 5Ghoul project page.


(dmk)
