5Ghoul is a new attack vector with 10 security defects that can be exploited to drop and freeze 5G connections on smartphones and routers and to conduct downgrading attacks. This new method impacts a large range of devices from Android to IOS devices.
Mitigation Plans
Overview of 5Ghoul Attack Process
Once the target is connected to the rogue base station (gNB), the attacker simply launches the exploit script as shown in the command prompt with the Mobile Country Code (MCC) and the Mobile Network Code (MNC).
As illustrated in Figure 1, 5Ghoul makes use of an attacker model which mimics a limited Dolev-Yao adversary. This is accomplished by exposing an Adversary-Controlled Downlink channel that can arbitrarily inject and/or modify 5G NR Downlink Packets generated from a real 5G stack implementation based on OpenAirInterface (gNB) and Open5GS (5G Core Network).
More importantly, the attacker does not need to be aware of any secret information of the target UE e.g., SIM card details, to reach the beginning of the NAS network registration. The attacker only needs to impersonate the legitimate gNB using the known Cell Tower connection parameters (e.g., SSB ARFCN, Tracking Area Code, Physical Cell ID, Point A Frequency). This can be easily accomplished using freely available applications like Cellular-Pro. Once the attacker is sufficiently close to the target UE and the Received Signal Strength Indicator (RSSI) of the adversarial gNB is higher than the legitimate gNB, the target UE will connect to the adversarial gNB. Then, the UE starts exchanging messages up to step 4 of Figure 1. Procedures that appear later are subjected to failure since key information from UE’s SIM card is unknown. However, throughout the message exchanges, the adversarial gNB can freely manipulate downlink messages to the target UE, opening a window of opportunities to launch attacks at any step of the 5G NR procedures shown in Figure 1.
In practicality, 5Ghoul vulnerabilities can be easily exploited over-the-air by starting a malicious gNB within radio range of the target 5G UE device. This is a practical setup which relies on using Software Defined Radio (SDR) to behave as a cloned gNB. While USRP B210 used in our setup could be recognized from afar, thus making the attack visually noticeable, such type of equipment has already been miniaturized to the size of a Raspberry Pi . This, in turn, enables the use of SDR for visibly stealthy attacks.
CVE References
CVE-2023-33043
CVE-2023-33044
CVE-2023-33042
CVE-2023-32842
CVE-2023-32844
CVE-2023-20702
CVE-2023-32846
CVE-2023-32841
CVE-2023-32843
CVE-2023-32845
Qualcomm - https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2023-bulletin.html
Research Source - https://asset-group.github.io/disclosures/5ghoul/
Lab (Threat Testing) - https://github.com/asset-group/5ghoul-5g-nr-attacks