5Ghoul is a new attack vector comprising 10 security defects that can be exploited to drop and freeze 5G connections on smartphones and routers, and to conduct downgrade attacks. The method affects a wide range of devices, from Android to iOS.
Enable Mobile Endpoint Protection
Monitor Logs for Out of Bounds Events
Overview of 5Ghoul Attack Process
Once the target is connected to the rogue base station (gNB), the attacker simply launches the exploit script, as shown in the command prompt, supplying the Mobile Country Code (MCC) and the Mobile Network Code (MNC).
As illustrated in Figure 1, 5Ghoul makes use of an attacker model that mimics a limited Dolev-Yao adversary. This is accomplished by exposing an Adversary-Controlled Downlink channel that can arbitrarily inject and/or modify 5G NR Downlink Packets generated from a real 5G stack implementation based on OpenAirInterface (gNB) and Open5GS (5G Core Network).
More importantly, the attacker does not need to know any secret information of the target UE (e.g., SIM card details) to reach the beginning of the NAS network registration. The attacker only needs to impersonate the legitimate gNB using the known Cell Tower connection parameters (e.g., SSB ARFCN, Tracking Area Code, Physical Cell ID, Point A Frequency). This can be easily accomplished using freely available applications like Cellular-Pro. Once the attacker is sufficiently close to the target UE and the Received Signal Strength Indicator (RSSI) of the adversarial gNB is higher than that of the legitimate gNB, the target UE will connect to the adversarial gNB. The UE then exchanges messages up to step 4 of Figure 1. Procedures that appear later are subject to failure, since key information from the UE’s SIM card is unknown. However, throughout the message exchanges, the adversarial gNB can freely manipulate downlink messages to the target UE, opening a window of opportunity to launch attacks at any step of the 5G NR procedures shown in Figure 1.
In practice, 5Ghoul vulnerabilities can be easily exploited over the air by starting a malicious gNB within radio range of the target 5G UE device. This is a practical setup that relies on a Software Defined Radio (SDR) acting as a cloned gNB. While the USRP B210 used in our setup could be recognized from afar, making the attack visually noticeable, such equipment has already been miniaturized to the size of a Raspberry Pi. This, in turn, enables the use of SDR for visually inconspicuous attacks.
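As an added illustration of the log-monitoring recommendation above (this is not code from the 5Ghoul researchers or from any vendor), the following Python detector runs over constructed UE radio-log lines in an assumed key=value format. It flags the two symptoms the text describes from the defender's side: a sudden RSSI jump for a cell identity (PCI/TAC/ARFCN) already seen at lower strength, which is the precondition for an impersonating gNB to win the cell selection, and an NR-to-LTE RAT change right after a NAS registration failure, which is the downgrade outcome. The log format, event names and the 20 dB threshold are assumptions.

```python
"""Heuristic detector for rogue-gNB symptoms in UE radio logs (constructed format)."""
import re

# Constructed sample log; the key=value format and event names are assumed,
# not taken from any real modem or from the 5Ghoul paper.
SAMPLE_LOG = """\
t=1 ue=A event=cell_seen pci=101 tac=1234 arfcn=632628 rssi=-95
t=2 ue=A event=cell_seen pci=101 tac=1234 arfcn=632628 rssi=-96
t=3 ue=A event=cell_seen pci=101 tac=1234 arfcn=632628 rssi=-60
t=4 ue=A event=rrc_connected pci=101
t=5 ue=A event=nas_registration_failure pci=101
t=6 ue=A event=rat_change from=NR to=LTE
t=7 ue=B event=cell_seen pci=202 tac=1234 arfcn=632628 rssi=-90
t=8 ue=B event=rrc_connected pci=202
t=9 ue=B event=nas_registration_accept pci=202
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one 'k=v k=v' log line into a dict."""
    return dict(KV_RE.findall(line))


def analyze(log_text, rssi_jump_db=20):
    """Return a list of (ue, reason) findings for the two symptoms."""
    findings = []
    last_rssi = {}            # (ue, pci, tac, arfcn) -> last RSSI seen for that cell
    failed_registration = set()  # UEs whose latest NAS registration failed
    for line in log_text.splitlines():
        rec = parse(line)
        ue, ev = rec["ue"], rec["event"]
        if ev == "cell_seen":
            key = (ue, rec["pci"], rec["tac"], rec["arfcn"])
            rssi = int(rec["rssi"])
            prev = last_rssi.get(key)
            # Same cell identity, but far stronger than before: a stronger transmitter
            # advertising the legitimate cell's parameters looks exactly like this.
            if prev is not None and rssi - prev >= rssi_jump_db:
                findings.append((ue, f"RSSI jump of {rssi - prev} dB for pci={rec['pci']}"))
            last_rssi[key] = rssi
        elif ev == "nas_registration_failure":
            failed_registration.add(ue)
        elif ev == "nas_registration_accept":
            failed_registration.discard(ue)
        elif ev == "rat_change" and rec.get("from") == "NR" and ue in failed_registration:
            # Registration failed (attacker lacks SIM secrets) and the UE fell back from NR.
            findings.append((ue, f"NR->{rec['to']} downgrade after NAS registration failure"))
            failed_registration.discard(ue)
    return findings
```

Running `analyze(SAMPLE_LOG)` reports two findings for UE A and none for UE B, whose registration succeeded normally.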