A collection of security flaws in the firmware implementation of 5G mobile network modems from major chipset vendors such as MediaTek and Qualcomm impact USB and IoT modems as well as hundreds of smartphone models running Android and iOS.
Of the 14 flaws – collectively called 5Ghoul (a combination of "5G" and "Ghoul") – 10 affect 5G modems from the two companies, out of which three have been classified as high-severity vulnerabilities.
"5Ghoul vulnerabilities may be exploited to continuously launch attacks to drop the connections, freeze the connection that involve manual reboot or downgrade the 5G connectivity to 4G," the researchers said in a study published today.
As many as 714 smartphones from 24 brands are impacted, including those from Vivo, Xiaomi, OPPO, Samsung, Honor, Motorola, realme, OnePlus, Huawei, ZTE, Asus, Sony, Meizu, Nokia, Apple, and Google.
The vulnerabilities were disclosed by a team of researchers from the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD), who also previously uncovered BrakTooth in September 2021 and SweynTooth in February 2020.
The attacks, in a nutshell, attempt to deceive a smartphone or a 5G-enabled device to connect a rogue base station (gNB), resulting in unintended consequences.
"The attacker does not need to be aware of any secret information of the target UE e.g., UE's SIM card details, to complete the NAS network registration," the researchers explained. "The attacker only needs to impersonate the legitimate gNB using the known Cell Tower connection parameters."
A threat actor can accomplish this by using apps like Cellular-Pro to determine the Relative Signal Strength Indicator (RSSI) readings and trick the user equipment to connect to the adversarial station – a setup that consists of a software-defined radio as well as an inexpensive mini PC, among others.
Notable among the 14 flaws is CVE-2023-33042, which can permit an attacker within radio range to trigger a 5G connectivity downgrade or a denial-of-service (DoS) within Qualcomm's X55/X60 modem firmware by sending malformed Radio Resource Control (RRC) frame to the target 5G device from a nearby malicious gNB.
Successful exploitation of the other DoS vulnerabilities could require a manual reboot of the device to restore 5G connectivity.
Patches have been released by both MediaTek and Qualcomm for 12 of the 14 flaws. Details of the two other vulnerabilities have been withheld due to confidentiality reasons and are expected to be disclosed in the future.
"Finding issues in the implementation of the 5G modem vendor heavily impacts product vendors downstream," the researchers said, adding that "it can often take six or more months for 5G security patches to finally reach the end-user via an OTA update."
"This is because the software dependency of product vendors on the Modem / Chipset Vendor adds complexity and hence delays to the process of producing and distributing patches to the end-user."