Academic researchers from the ASSET Research Group at the Singapore University of Technology and Design are raising an alarm for more than a dozen vulnerabilities plaguing hundreds of smartphone models that employ specific 5G modems.
Collectively tagged as 5Ghoul, the 14 security defects can be exploited to drop and freeze 5G connections on smartphones and routers, and to conduct downgrading attacks, according to the research team. The majority of the flaws affect 5G modems from Qualcomm and MediaTek.
A typical exploit of the 5Ghoul vulnerabilities relies on a malicious base station (gNB) meant to ‘distract’ devices that employ vulnerable 5G modems into connecting to it. Once the connection is established, the flaws are exploited to target the devices’ connections, eventually forcing the users to manually reboot them.
“In practicality, 5Ghoul vulnerabilities can be easily exploited over-the-air by starting a malicious gNB within radio range of the target 5G UE device,” the researchers explained.
The attacker could use software defined radio (SDR) equipment, which may be the size of a Raspberry Pi, to behave like a cloned gNB, making the attack stealthy.
The targeted flaws, 12 of which are new, were identified in the 5G baseband modem firmware, meaning that all products using the affected modems are vulnerable. The impact, however, varies depending on the type of product.
Most of the security holes impact the radio resource control (RRC) attach procedure, which contains the RRC connection setup message. The authentication procedure is also affected, with all 5Ghoul issues “found during the pre-authentication stage of the communication between UE and gNB,” according to a paper documenting the issues.
The vulnerabilities can be triggered via malformed RRC connection setup messages or crafted NAS authentication requests.
Patches for the 5Ghoul bugs are expected to reach Android smartphones this month. Vulnerabilities impacting Apple devices, however, will be addressed at another time.
Three of the bugs – CVE-2023-33042, CVE-2023-33043, and CVE-2023-33044 – were identified in Qualcomm modems. The chip maker mentioned them in its December 2023 security bulletin, warning that more than 70 chipset models are affected.
Seven of the flaws – CVE-2023-32842, CVE-2023-32844, CVE-2023-20702, CVE-2023-32846, CVE-2023-32841, CVE-2023-32843, and CVE-2023-32845 – impact MediaTek modems. In its December 2023 security bulletin, the company warned that more than 30 chipset models are affected.
The researchers estimate that more than 700 smartphone models are affected, with devices from Vivo (13.4%), Xiaomi (10.5%), Oppo (9.5%), Samsung (7.5%), and Honor (6.8%) being impacted the most. Roughly 1.7% of the affected devices are iPhones.
The academics also warn that the 5Ghoul vulnerabilities impact other types of devices as well, due to their use of vulnerable 5G modems. Industrial IoT solutions are also affected, such as Qualcomm’s 315 5G IoT modem.