A set of security vulnerabilities has been identified in the firmware implementation of 5G mobile network modems produced by major chipset manufacturers such as MediaTek and Qualcomm. These vulnerabilities affect USB and IoT modems, as well as numerous smartphone models running on Android and iOS.

Dubbed “5Ghoul” (a fusion of “5G” and “Ghoul”), the collection comprises 14 flaws, with 10 impacting 5G modems from MediaTek and Qualcomm, including three classified as high-severity vulnerabilities. The vulnerabilities pose risks such as launching continuous attacks to disrupt connections, freezing connections that necessitate manual reboots, or downgrading 5G connectivity to 4G.

The findings, detailed in a study released by researchers from the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD), unveil the susceptibility of 714 smartphones from 24 different brands. Brands affected include Vivo, Xiaomi, OPPO, Samsung, Honor, Motorola, realme, OnePlus, Huawei, ZTE, Asus, Sony, Meizu, Nokia, Apple, and Google.

These vulnerabilities were disclosed by the same research team that uncovered BrakTooth in September 2021 and SweynTooth in February 2020.

In summary, the attacks aim to trick smartphones or 5G-enabled devices into connecting with a rogue base station (gNB), resulting in unintended consequences. The attacker doesn’t need knowledge of secret information about the target UE (User Equipment), such as SIM card details, and can accomplish the network registration by impersonating the legitimate gNB using known Cell Tower connection parameters.

A potential threat actor can use apps like Cellular-Pro to read Relative Signal Strength Indicator (RSSI) values and trick user equipment into connecting to the adversarial station, which can be a software-defined radio or an inexpensive mini PC.

Notable among the 14 flaws is CVE-2023-33042, which allows an attacker within radio range to trigger a 5G connectivity downgrade or a denial-of-service (DoS) within Qualcomm’s X55/X60 modem firmware. This is achieved by sending malformed Radio Resource Control (RRC) frames to the target 5G device from a nearby malicious gNB.
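The two effects the article describes, a 5G-to-4G downgrade while the 5G cell is still strong and repeated loss of attachment (a continuous denial-of-service), are visible from the device side. The following defender-side detector is an added example, not code from the researchers or the article; it assumes a constructed line-oriented radio-state log format and assumed thresholds (a strong signal at or above -85 dBm, three attach losses within 60 seconds).

```python
from dataclasses import dataclass

@dataclass
class RadioEvent:
    ts: float       # seconds since start of capture
    rat: str        # radio access technology: "NR" (5G) or "LTE" (4G)
    cell: str       # serving cell identifier
    rssi: int       # signal strength in dBm
    attached: bool  # True while the UE is registered on the cell

def parse_log(text):
    """Parse the constructed 'key=value' log format used below into RadioEvent objects."""
    events = []
    for line in text.strip().splitlines():
        kv = dict(field.split("=", 1) for field in line.split())
        events.append(RadioEvent(float(kv["t"]), kv["rat"], kv["cell"],
                                 int(kv["rssi"]), kv["attached"] == "1"))
    return events

def find_symptoms(events, strong_rssi=-85, drop_window=60.0, max_drops=3):
    """Return (timestamp, description) findings; threshold values are assumptions."""
    findings, drops, prev = [], [], None
    for ev in events:
        if prev is not None:
            # Downgrade while the 5G cell was still strong is not a normal coverage loss
            if prev.rat == "NR" and ev.rat == "LTE" and prev.rssi >= strong_rssi:
                findings.append((ev.ts, "5G->4G downgrade despite strong NR signal"))
            # Repeated attach loss inside a short window matches the continuous-DoS pattern
            if prev.attached and not ev.attached:
                drops = [t for t in drops if ev.ts - t <= drop_window] + [ev.ts]
                if len(drops) >= max_drops:
                    findings.append((ev.ts, f"{len(drops)} attach losses in {drop_window:.0f}s"))
        prev = ev
    return findings

# Constructed sample capture: one downgrade at t=30, then three attach losses within 60 s
SAMPLE_LOG = """\
t=0 rat=NR cell=gnb-A rssi=-72 attached=1
t=30 rat=LTE cell=enb-B rssi=-80 attached=1
t=35 rat=NR cell=gnb-A rssi=-71 attached=1
t=40 rat=NR cell=gnb-A rssi=-71 attached=0
t=45 rat=NR cell=gnb-A rssi=-71 attached=1
t=50 rat=NR cell=gnb-A rssi=-70 attached=0
t=55 rat=NR cell=gnb-A rssi=-70 attached=1
t=60 rat=NR cell=gnb-A rssi=-70 attached=0
"""
if __name__ == "__main__":
    for ts, msg in find_symptoms(parse_log(SAMPLE_LOG)):
        print(f"t={ts:.0f}s: {msg}")
```

A downgrade that follows a genuinely weak 5G signal is deliberately not flagged, so ordinary coverage handoffs do not produce findings.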

Both MediaTek and Qualcomm have released patches for 12 out of the 14 flaws. Details about the other two vulnerabilities are currently confidential and will be disclosed in the future.

The researchers emphasize the significant downstream impact on product vendors of flaws in the 5G modem implementation. They note that product vendors' dependence on the modem/chipset vendor adds complexity, leading to delays of six months or more before 5G security patches reach end-users through over-the-air (OTA) updates.
