“Sni5Gect [is] a framework that sniffs messages from pre-authentication 5G communication in real-time,” the researchers from the Singapore University of Technology and Design explained of their work, presented this week at the 34th USENIX security bash, “and injects targeted attack payload in downlink communication towards the UE [User Equipment, i.e. a phone].”
Designed to take advantage of the period just after a device connects to a 5G network and is still in the process of handshaking and authentication – which, the team points out, can occur when entering or leaving a lift, disembarking a plane and turning aeroplane mode off, or even passing through a tunnel or parking garage – Sni5Gect takes advantage of unencrypted messaging between the base station and a target handset.
“Since messages exchanged between the gNB [Next-Generation Node B, the base station] and the UE are not encrypted before the security context is established (pre-authentication state),” the researchers wrote, “an attacker does not require knowledge of the UE’s credentials to sniff uplink/downlink [traffic] nor to inject messages without integrity protection throughout the UE connection procedure.”
That’s a flaw, and one the framework is designed to exploit. The team’s testing showed it capable of sniffing both uplink and downlink traffic with more than 80 percent accuracy, at ranges of up to 20 meters between an off-the-shelf software-defined radio and the target mobile. For packet injection, the success rate varied between 70-90 percent – and delivered, among other things, proof of a novel downgrade attack by which a ne’er-do-well equipped with Sni5Gect could downgrade a connection from 5G to 4G to reduce its security and carry out further surveillance and attacks.
As Sni5Gect works in real-time, its creators have claimed, and can inject attack payloads, including multi-stage attacks, based on protocol state, it’s suited to fingerprinting, denial-of-service attacks, and downgrading.
“To the best of our knowledge,” they wrote in their paper’s introduction [PDF], “Sni5Gect is the first framework that empowers researchers with both over-the-air sniffing and stateful injection capabilities, without requiring a rogue gNB [base station].”
[…]
Not all of the capabilities claimed in the team’s paper have been fully disclosed, however. The team has kept private “other serious exploits leveraging the framework,” in order to “avoid abusing SNI5Gect to launch attacks against people’s smartphones[s].” These exploits, it is claimed, will be made available only to “trusted institutions like universities and research institutions” upon application and verification of their legitimate interest.
[…]
More information, including a link to the open-access paper, is available on the project website.
Source: Boffins release 5G traffic sniffing tool • The Register
Find the git repository here
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft