2 min read

What is 5Ghoul

What is 5Ghoul

5Ghoul is a new attack vector with 10 security defects that can be exploited to drop and freeze 5G connections on smartphones and routers and to conduct downgrading attacks. This new method impacts a large range of devices from Android to IOS devices. 

Mitigation Plans

  • Vendor Patching
  • Enable Mobile Endpoint Protection
  • Monitor Logs for Out of Bounds Events

Overview of 5Ghoul Attack Process

Once the target is connected to the rogue base station (gNB), the attacker simply launches the exploit script as shown in the command prompt with the Mobile Country Code (MCC) and the Mobile Network Code (MNC).


As illustrated in Figure 1, 5Ghoul  makes use of an attacker model which mimics a limited Dolev-Yao adversary. This is accomplished by exposing an Adversary-Controlled Downlink channel that can arbitrarily inject and/or modify 5G NR Downlink Packets generated from a real 5G stack implementation based on OpenAirInterface  (gNB) and Open5GS (5G Core Network).

More importantly, the attacker does not need to be aware of any secret information of the target UE e.g., SIM card details, to reach the beginning of the NAS network registration. The attacker only needs to impersonate the legitimate gNB using the known Cell Tower connection parameters (e.g., SSB ARFCN, Tracking Area Code, Physical Cell ID, Point A Frequency). This can be easily accomplished using freely available applications like Cellular-Pro. Once the attacker is sufficiently close to the target UE and the Received Signal Strength Indicator (RSSI) of the adversarial gNB is higher than the legitimate gNB, the target UE will connect to the adversarial gNB. Then, the UE starts exchanging messages up to step 4 of Figure 1. Procedures that appear later are subjected to failure since key information from UE’s SIM card is unknown. However, throughout the message exchanges, the adversarial gNB can freely manipulate downlink messages to the target UE, opening a window of opportunities to launch attacks at any step of the 5G NR procedures shown in Figure 1.

In practicality, 5Ghoul  vulnerabilities can be easily exploited over-the-air by starting a malicious gNB within radio range of the target 5G UE device. This is a practical setup which relies on using Software Defined Radio (SDR) to behave as a cloned gNB. While USRP B210 used in our setup could be recognized from afar, thus making the attack visually noticeable, such type of equipment has already been miniaturized to the size of a Raspberry Pi . This, in turn, enables the use of SDR for visibly stealthy attacks.

CVE References

Qualcomm - https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2023-bulletin.html

Research Source - https://asset-group.github.io/disclosures/5ghoul/  

Lab (Threat Testing) - https://github.com/asset-group/5ghoul-5g-nr-attacks

What is 5Ghoul

What is 5Ghoul

5Ghoul is a new attack vector with 10 security defects that can be exploited to drop and freeze 5G connections on smartphones and routers and to...

Read More
What is DNSSEC

What is DNSSEC

DNSby itself is not secure DNSwas designed in the 1980s when the Internet was much smaller, and security was not a primary consideration in its...

Read More
What is BIMI

What is BIMI

Brand Indicators for Message Identification (BIMI) is an email standard that lets you add a brand logo to authenticated messages sent from your...

Read More