Attacks on 5G networks: the arms race continues

How 5G smartphone connectivity can be compromised, and what it means for subscribers.

How the SNI5GECT attack on 5G connectivity works, and how it threatens subscribers

The flaws and vulnerabilities of cellular networks are regularly exploited to attack subscribers. Malicious actors use devices with catchy names like IMSI Catcher (Stingray) or SMS blaster to track people’s movements and send them spam and malware. These attacks were easiest to carry out on 2G networks, becoming more difficult on 3G and 4G networks through the introduction of security features. But even 4G networks had implementation flaws that made it possible to track subscriber movements and cause other information leaks. Can we breathe a sigh of relief when we upgrade to 5G? Unfortunately not…

An upgrade in reverse

Many practical attacks, such as the aforementioned SMS blaster, rely on a downgrade: forcing the victim’s smartphone to switch to an older communication standard. Legacy standards allow attackers more leeway — from discovering the subscriber’s unique identifier (IMSI), to sending fake text messages under the guise of real companies. A downgrade typically uses a device that jams the signal of the legitimate carrier’s base station, and broadcasts its own. However, this method can be detected by the carrier, and it will become less effective in the future as smartphones increasingly incorporate built-in protection against these attacks, which prevents the switch to 2G and sometimes even 3G networks.

Researchers at Singapore University of Technology and Design have demonstrated the SNI5GECT attack, which works on the latest 5G networks without requiring easy-to-detect actions like jamming legitimate base station signals. An attacker within a 20-meter radius of the victim can either crash and reboot the target device’s modem, or force-switch it to a 4G network, where the subscriber is easier to identify and track. So how does this attack work?

Before a device and a 5G base station connect to each other, they exchange some information — and the initial stages of this process aren’t encrypted. To establish a secure, encrypted connection, the base station and the smartphone exchange handshake messages, and the session parameters negotiated in those messages are sent in a plain, unencrypted format. The attacker’s device monitors this process and selects the precise moment to inject its own information block before the legitimate base station does. As a result, the victim’s modem processes the malicious data. Depending on the modem and the contents of the data packet, this either causes the modem to switch to a 4G network and refuse to reconnect to that 5G base station, or to crash and reboot. The latter is only good for temporarily disconnecting the victim, while the former brings all known 4G-based surveillance attacks into play.

The attack was demonstrated on the OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro smartphones. These devices use completely different cellular modems (MediaTek, Qualcomm, Samsung, Huawei, respectively), but the problem lies in the characteristics of the standard itself — not in the particular smartphones. The differences are subtle: some modems can be rebooted while others can’t; on some modems, inserting a malicious packet has a 50% success rate, while on others it’s 90%.
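The two outcomes described above (a modem reboot, or an NR-to-LTE downgrade right after registration while the 5G cell is still strong) are the observable symptoms a device-side monitor could look for. The heuristic below is an added example and not code from the researchers or the original post; it assumes a constructed modem event log in a simple "time KIND detail" format, and the window and signal-strength thresholds are assumed values, not figures from the paper.

```python
from dataclasses import dataclass

REG_WINDOW_S = 2.0       # assumed: injection must land during/just after registration
STRONG_RSRP_DBM = -100   # assumed: above this, a voluntary NR->LTE fallback is unlikely

@dataclass
class Event:
    t: float       # seconds since log start
    kind: str      # RRC_SETUP | RAT_CHANGE | MODEM_RESET
    detail: str    # e.g. "rsrp=-85" or "NR->LTE"

def parse_log(lines):
    """Parse constructed 't KIND detail' lines into Event objects, oldest first."""
    events = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue                      # skip blank or garbled lines
        detail = parts[2] if len(parts) == 3 else ""
        events.append(Event(float(parts[0]), parts[1], detail))
    return sorted(events, key=lambda e: e.t)

def rsrp_of(detail):
    """Extract the 'rsrp=<dBm>' value from a detail field, or None if absent."""
    for tok in detail.split(","):
        if tok.startswith("rsrp="):
            return int(tok[5:])
    return None

def find_suspicious(events):
    """Return (time, reason) pairs for events matching the post-injection symptoms."""
    alerts = []
    last_setup = None   # (time, rsrp) of the most recent registration attempt
    for e in events:
        if e.kind == "RRC_SETUP":
            last_setup = (e.t, rsrp_of(e.detail))
            continue
        if last_setup is None or e.t - last_setup[0] > REG_WINDOW_S:
            continue                      # outside the vulnerable registration window
        rsrp = last_setup[1]
        if e.kind == "MODEM_RESET":
            alerts.append((e.t, "modem reset right after registration"))
        elif e.kind == "RAT_CHANGE" and e.detail.startswith("NR->LTE"):
            if rsrp is not None and rsrp > STRONG_RSRP_DBM:
                alerts.append((e.t, "NR->LTE downgrade despite strong 5G cell"))
    return alerts

SAMPLE_LOG = [  # constructed sample, not a real modem trace
    "10.0 RRC_SETUP rsrp=-85",
    "10.6 RAT_CHANGE NR->LTE",   # strong cell, immediate downgrade: flagged
    "40.0 RRC_SETUP rsrp=-118",
    "40.9 RAT_CHANGE NR->LTE",   # weak cell: plausible coverage fallback, not flagged
    "70.0 RRC_SETUP rsrp=-80",
    "70.3 MODEM_RESET",          # crash during registration: flagged
    "90.0 RAT_CHANGE NR->LTE",   # long after the last setup: not flagged
]

if __name__ == "__main__":
    for t, why in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"t={t:.1f}s  {why}")
```

A real deployment would read these events from the platform's radio telemetry rather than a text list, and a single alert is only a prompt for investigation, since coverage gaps also cause fallbacks.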

The practicality of SNI5GECT

In its current form, the attack is unlikely to become widespread since it has two major limitations. First, the distance between the attacker and the victim can’t be over 20 meters under ideal conditions — even less in a real urban environment. Second, if the smartphone and the 5G base station have already established a connection, the attack cannot proceed. The attacker has to wait for a moment when the victim’s movement or changes in the radio environment require the smartphone to re-register with the base station. This happens regularly, but not every minute, so the attacker has to literally shadow the victim.

Still, such conditions may exist in certain situations, like when targeting people attending a specific meeting, or in an airport business lounge, or similar scenarios. The attacker would also need to combine SNI5GECT with legacy 4G/3G/2G attacks to achieve any practical results, which means making some radio noise.

SNI5GECT plays a significant role as a stepping stone toward more complex and dangerous future attacks. As 5G becomes more popular and older generations of connectivity are phased out, researchers will increasingly work with the new radio protocol, and apply their findings to the next stages of the mobile arms race.

Currently, there is no defense against this class of 5G attack. Disabling 5G for protection is pointless, as the smartphone just switches to a 4G network, which is exactly what hypothetical attackers want. Therefore, we have three pieces of advice:

  • Regularly patch and update your smartphone’s OS — this usually also updates the modem firmware to fix bugs and vulnerabilities.
  • Turn on airplane mode before confidential meetings; to be super-safe — leave your device at home.
  • Consider disabling legacy communication standards (2G/3G) on your smartphone — we discussed the pros and cons of this solution in our post on SMS blasters.