Scientists Say Tool Can Sniff 5G Traffic, Launch 'Attacks' Without Using Rogue Base Stations
An Anonymous Coward writes:
Sni5Gect research crew targets sweet spot during device / network handshake pause
https://www.theregister.com/2025/08/18/sni5gect/
https://archive.ph/buKXp
Security [scientists] have released an open source tool for poking holes in 5G mobile networks, claiming it can do up- and downlink sniffing and a novel connection downgrade attack - plus "other serious exploits" they're keeping under wraps, for now.
"Sni5Gect [is] a framework that sniffs messages from pre-authentication 5G communication in real-time," the researchers from the Singapore University of Technology and Design explained of their work, presented this week at the 34th USENIX security bash, "and injects targeted attack payload in downlink communication towards the UE [User Equipment, i.e. a phone]."
Designed to take advantage of the period just after a device connects to a 5G network and is still in the process of handshaking and authentication - which, the team points out, can occur when entering or leaving a lift, disembarking a plane and turning aeroplane mode off, or even passing through a tunnel or parking garage - Sni5Gect takes advantage of unencrypted messaging between the base station and a target handset.
"Since messages exchanged between the gNB [Next-Generation Node B, the base station] and the UE are not encrypted before the security context is established (pre-authentication state)," the researchers wrote, "an attacker does not require knowledge of the UE's credentials to sniff uplink/downlink [traffic] nor to inject messages without integrity protection throughout the UE connection procedure."
That's a flaw, and one the framework is designed to exploit. The team's testing showed it capable of sniffing both uplink and downlink traffic with more than 80 percent accuracy, at ranges of up to 20 meters between an off-the-shelf software-defined radio and the target mobile. For packet injection, the success rate varied between 70 and 90 percent - and delivered, among other things, proof of a novel downgrade attack by which a ne'er-do-well equipped with Sni5Gect could downgrade a connection from 5G to 4G to reduce its security and carry out further surveillance and attacks.
As Sni5Gect works in real time, its creators have claimed, and can inject attack payloads, including multi-stage attacks, based on protocol state, it's suited to fingerprinting, denial-of-service attacks, and downgrading.