Sni5Gect Attack Forces 5G Phones to Crash and Downgrade to 4G Without Rogue Base Station


A team of researchers has introduced a groundbreaking cyberattack technique capable of crashing 5G-enabled devices and downgrading their connectivity to 4G, all without the need for a rogue base station.

What is Sni5Gect?

The attack, developed by the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD), makes use of an open-source software toolkit named Sni5Gect (Sniffing 5G Inject). This tool can sniff unencrypted communication between a base station and a mobile device (User Equipment or UE) and then inject malicious messages directly into the target device over the air.

The researchers, Shijie Luo, Matheus Garbelini, Sudipta Chattopadhyay, and Jianying Zhou, explained that the toolkit can crash modems, force devices to fall back to earlier generations of networks, fingerprint devices, and even bypass authentication.

“Unlike rogue base stations that limit attack feasibility, Sni5Gect acts as a silent third party. It sniffs protocol messages during the UE attach process and injects targeted payloads into the downlink stream,” the researchers noted.

Building on Past Discoveries

This research builds on a 2023 ASSET study that uncovered 14 firmware vulnerabilities in Qualcomm and MediaTek 5G modems, collectively known as 5Ghoul. Those flaws allowed attackers to cut off connectivity, freeze devices until a manual reboot, or downgrade connectivity from 5G to 4G.

How the Attack Works

Sni5Gect exploits the initial communication phase between a base station (gNB) and a phone, a stage where messages remain unencrypted. Since authentication has not yet occurred, attackers can sniff uplink and downlink traffic without needing user credentials.


An attacker can listen to the Random Access Response (RAR) message, which carries the RNTI (Radio Network Temporary Identifier) needed to decode the device's subsequent traffic. This enables them to:

  • Crash the victim’s modem
  • Fingerprint the target device
  • Downgrade connectivity to vulnerable 4G networks, which can then be exploited for long-term location tracking
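A packet-level check of the kind this section implies, as an added example that is not part of the article or of the Sni5Gect toolkit: it assumes a constructed per-UE trace format and hypothetical event names (only RAR comes from the article), and flags downlink messages that arrive in the window between the RAR and security activation, where nothing the device receives has yet been authenticated.

```python
"""Flag suspicious downlink events in the unprotected 5G attach window.

Added example, not the researchers' toolkit. Log format is constructed:
"<t_ms> <rnti> <DL|UL> <event>". Event names other than RAR are assumptions;
SECURITY_MODE_COMPLETE marks the point after which RRC/NAS messages are
integrity-protected (standard 5G behaviour, not stated in the article).
"""

SAMPLE_LOG = """\
1000 0x4601 DL RAR
1010 0x4601 UL RRC_SETUP_REQUEST
1020 0x4601 DL RRC_SETUP
1031 0x4601 DL RRC_SETUP
1040 0x4601 DL RAT_CHANGE_TO_LTE
2000 0x5702 DL RAR
2010 0x5702 UL RRC_SETUP_REQUEST
2020 0x5702 DL RRC_SETUP
2050 0x5702 DL SECURITY_MODE_COMMAND
2060 0x5702 UL SECURITY_MODE_COMPLETE
2500 0x5702 DL RAT_CHANGE_TO_LTE
"""

# Outcomes the article attributes to injected payloads: downgrade or crash.
OUTCOME_EVENTS = {"RAT_CHANGE_TO_LTE", "MODEM_RESET"}


def detect(log_text: str) -> list[tuple[str, int, str]]:
    """Return (rnti, t_ms, reason) alerts, tracking one attach per RNTI."""
    states: dict[str, dict] = {}
    alerts = []
    for line in log_text.splitlines():
        t_ms, rnti, direction, event = line.split()
        st = states.setdefault(rnti, {"rar": False, "protected": False, "dl": []})
        if event == "RAR":
            st["rar"] = True          # RNTI is now known to any sniffer too
        elif event == "SECURITY_MODE_COMPLETE":
            st["protected"] = True    # later messages carry integrity checks
        if direction != "DL" or not st["rar"] or st["protected"]:
            continue
        # Rule 1: a downlink type repeated inside the unprotected window is
        # what an injected third-party copy would look like; legitimate
        # retransmissions can also trip this, so treat it as a heuristic.
        if event in st["dl"]:
            alerts.append((rnti, int(t_ms), f"duplicate unprotected DL {event}"))
        st["dl"].append(event)
        # Rule 2: a downgrade or reset before security activation cannot
        # have been authenticated and should never be accepted silently.
        if event in OUTCOME_EVENTS:
            alerts.append((rnti, int(t_ms), f"{event} before security activation"))
    return alerts
```

On the constructed trace, the first UE produces two alerts (a duplicated RRC_SETUP and a pre-authentication downgrade) while the second UE, whose downgrade happens after security activation, produces none.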

Real-World Testing

In controlled experiments across five smartphones, including OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro, the attack achieved:

  • 80% accuracy in sniffing uplink/downlink traffic
  • 70-90% injection success rate
  • Effective range of up to 20 meters (65 feet)

Industry Response

The Global System for Mobile Communications Association (GSMA) has acknowledged the severity of this downgrade technique, assigning it the identifier CVD-2024-0096.

Future Implications

The researchers argue that Sni5Gect is more than just an exploit, calling it a vital research tool for 5G security. They highlight its potential to advance work on:

  • Packet-level intrusion detection in 5G networks
  • Security enhancements at the physical layer
  • Development of improved mitigation measures for future wireless standards