The fifth generation mobile communications protocol (5G) is perhaps the most complicated wireless protocol ever made. Featuring wildly fast download speeds, beam forming base stations, and of course non-standard additions, it’s rather daunting prospect to analyze for the home hacker and researcher alike. But this didn’t stop the ASSET Research Group from developing a 5G sniffer and downlink injector.

The crux of the project is focused around real-time sniffing using one of two Universal Software Radio Peripheral (USRP) software-defined radios (SDRs), and a substantial quantity of compute power. This sniffed data can even be piped into Wireshark for filtering. The frequency is hard-coded into the sniffer for improved performance with the n78 and n41 bands having been tested as of writing. While we expect most of you don’t have the supported USRP hardware, they provided a sample capture file for anyone to analyze.

https://github.com/asset-group/Sni5Gect-5GNR-sniffing-and-exploitation

Vulnerabilities in LTE/5G core infrastructure, some remotely exploitable, could lead to persistent denial-of-service to entire cities.

https://www.securityweek.com/lte-5g-vulnerabilities-could-cut-entire-cities-from-cellular-connectivity/

A group of academics has disclosed details of over 100 security vulnerabilities impacting LTE and 5G implementations that could be exploited by an attacker to disrupt access to service and even gain a foothold into the cellular core network.

The [119 vulnerabilities](https://cellularsecurity.org/ransacked), assigned 97 unique CVE identifiers, span seven LTE implementations – [Open5GS](https://open5gs.org/), [Magma](https://magmacore.org/), [OpenAirInterface](https://openairinterface.org/), [Athonet](https://www.hpe.com/us/en/solutions/athonet.html), [SD-Core](https://opennetworking.org/sd-core/), [NextEPC](https://nextepc.org/), [srsRAN](https://www.srsran.com/) – and three 5G implementations – Open5GS, Magma, OpenAirInterface, according to researchers from the University of Florida and North Carolina State University.

The findings have been detailed in a study titled “RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces.”

“Every one of the >100 vulnerabilities discussed below can be used to persistently disrupt all cellular communications (phone calls, messaging and data) at a city-wide level,” the researchers said.

“An attacker can continuously crash the Mobility Management Entity (MME) or Access and Mobility Management Function (AMF) in an LTE/5G network, respectively, simply by sending a single small data packet over the network as an unauthenticated user (no SIM card required).”

The discovery is the result of a [fuzzing exercise](https://github.com/FICS/asnfuzzgen), dubbed RANsacked, undertaken by the researchers against Radio Access Network ([RAN](https://en.wikipedia.org/wiki/Radio_access_network))-Core interfaces that are capable of receiving input directly from mobile handsets and base stations.

The researchers said several of the identified vulnerabilities relate to buffer overflows and memory corruption errors that could be weaponized to breach the cellular core network, and leverage that access to monitor cellphone location and connection information for all subscribers at a city-wide level, carry out targeted attacks on specific subscribers, and perform further malicious actions on the network itself.

#2600net #irc #secnews #4g #5g #lte #vulnerabilities

Tieteilijät keksivät keinon vakoilla puhelinliikennettä huijaamalla puhelinta.

Pennsylvanian valtionylipiston tutkijat löysivät 5G-tekniikkaa käyttävistä älypuhelimista useita tietoturva-aukkoja. Haavoittuvuudet liittyvät lähinnä puhelimien käyttämiin baseband-piireihin, jotka vastaavat puheluiden, tekstiviestien ja tiedonsiirron hallinnasta.

Tieteilijät kehittivät tutkimustaan varten oman, GitHugista ladattavan analyysityökalunsa nimeltään 5GBaseChecker. Sen avulla he löysivät 12 haavoittuvuutta Samsungin, MediaTekin ja Qualcommin valmistamista piireistä liittyen baseband-haavoittuvuuksiin. Piirejä käytetään ainakin Googlen, Oppon, OnePlussan, Motorolan ja Samsungin puhelimissa.

Tutkijoiden onnistui huijata uhrien puhelimet liittymään väärennettyyn matkapuhelinmastoon, josta tieteilijät pystyivät tekemään hyökkäyksiä mastoon liittyneisiin puhelimiin. Yksi tutkimuksen toteuttamiseen osallistuneista henkilöistä kuvaili, että 5G-tietoturva rikkoutui täydellisesti, eikä puhelimen käyttäjä voinut havaita hyökkäystä.

Hyökkäyksen avulla voi esimerkiksi lähettää puhelimen omistajan nimissä tekstiviestejä. Puhelimen voi myös ohjata huijaussivustoille

5G-yhteyden pystyi tiputtamaan vanhempaan yhteystekniikkaan kuten 4G:hen tai vielä vanhempaan. Se helpotti entisestään ainakin salakuuntelua ja uhrin tekemisten seuraamista.

Tieteilijät ilmoittivat löytämistään haavoittuvuuksista teknologiayrityksille. Heidän löytämänsä 12 haavoittuvuutta on nyt korjattu, mutta verkko-operaattoreiden täytyy myös asentaa päivitykset.

Mobile devices are at risk of wanton data theft and denial of service, thanks to vulnerabilities in 5G technologies.

At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you. From there, spying, phishing, and plenty more are all on the table.

It’s a remarkably accessible form of attack, they say, involving commonly overlooked vulnerabilities and equipment you can buy online for a couple of hundred dollars.

With the growing spectrum for commercial use, usage and popularization of private 5G networks are on the rise. The manufacturing, defense, ports, energy, logistics, and mining industries are just some of the earliest adopters of these private networks, especially for companies rapidly leaning on the internet of things (IoT) for digitizing production systems and supply chains. Unlike public grids, the cellular infrastructure equipment in private 5G might be owned and operated by the user-enterprise themselves, system integrators, or by carriers. However, given the growing study and exploration of the use of 5G for the development of various technologies, cybercriminals are also looking into exploiting the threats and risks that can be used to intrude into the systems and networks of both users and organizations via this new communication standard. This entry explores how normal user devices can be abused in relation to 5G’s network infrastructure and use cases.

“IMP4GTallows an active radio attacker to establish arbitrary TCP/IP connections to and from the Internet through the victim’s UE. IMP4GTexploits the lack of integrity protection along with ICMP reflection mechanisms. As a result, the attacker can circumvent any authorization, accounting, or firewall mechanism of the provider,” the researchers conclude.

The researchers, who contacted the GSMA last year to report the discovery, say that all network vendors are equally vulnerable and that their attack works on some 5G networks as well. All devices that connect to an LTE network are affected, including phones, tablets, and appliances.

The vulnerability could be addressed in the now-rolling-out 5G networks by implementing mandatory user-plane integrity protection, but that would require higher costs for network operators — the additional protection would generate more data during transmission — and the replacing of current mobile phones. Base stations would also need to be expanded.

https://imp4gt-attacks.net/