- 5G phones can be silently downgraded to insecure 4G, leaving the device exposed
- The exploit works without setting up expensive and complex fake towers
- Tested smartphones include flagship models from Samsung, Google, Huawei, and OnePlus
In late 2023, researchers uncovered a set of flaws in 5G modem firmware from major chipmakers, including MediaTek and Qualcomm, collectively named 5Ghoul.
A group of academics at the Singapore University of Technology and Design (SUTD) has now shown how 5G phones can be tricked into falling back to 4G networks through a method that avoids the need for a fake base station.
Instead, it targets a vulnerable stage of communication between phone and tower, where critical messages remain unencrypted.
The SNI5GECT toolkit, short for “Sniffing 5G Inject,” makes use of the tiny time window at the start of a connection attempt.
It targets the pre-authentication phase, when the data passing between the tower and the phone remains unencrypted.
Because of this gap, attackers can intercept and inject messages without needing to know the phone’s private credentials.
During this stage, the system can capture identifiers sent from the tower and use them to read and modify messages.
With such access, the attacker can force a modem crash, map a device fingerprint, or trigger a switch from 5G to 4G.
Since 4G carries long-known flaws, the forced downgrade leaves the target open to older tracking or location attacks.
The tests revealed a success rate between 70% and 90% when attempted from around twenty meters away, suggesting the method works in realistic conditions.
The academics tested the framework on several smartphones, including popular models from Samsung, Google, Huawei, and OnePlus.
In these cases, the researchers were able to intercept both uplink and downlink traffic with notable accuracy.
Importantly, the method avoids the complexity of setting up a rogue base station, something that has long limited practical attacks on mobile networks.
The Global System for Mobile Communications Association (GSMA) has since confirmed the issue and assigned it the identifier CVD-2024-0096, marking it as a downgrade risk.
The claim from the team is that their toolkit is not meant for criminal use but for further research into wireless security.
They argue it could help with the development of packet-level detection and new forms of 5G protection.
Still, the ability to crash devices or silently downgrade them raises questions about the resilience of current networks.
While no clear reports exist of real-world abuse so far, the method is public and the software is open source, so the risk remains that skilled actors could adapt it.
Unfortunately, users have few direct options to block such low-level exploits, though broader digital hygiene may help limit downstream risks.
However, running updated antivirus software, securing credentials with a password manager, and enabling an authenticator app for accounts can reduce the impact of secondary attacks that might follow from a network downgrade.
Via The Hacker News
