24.2k unique visitors in the last 3 days

Researchers Discover ‘5Ghoul’ Vulnerability That Allows Remote Downgrade of Many 5G Devices

5G is more secure than antecedents but that is irrelevant if hackers trick devices into using earlier generations of connectivity.

Each generation of mobile network has been more secure than its predecessors, forcing hackers and snoops to use increasingly elaborate methods to intercept communications. One of the most effective techniques in their toolkit is the enforced downgrade of the connection used by a mobile device. Put simply, there is no need to deal with the security inherent to 4G or 3G if you can get a handset to connect to a 2G signal instead. Connection downgrades are used widely by government spies and organized crime. For example, Iran requires all mobile operators to implement an API which gives the regulator the ability to disable 4G and 3G connectivity for any specific phone. Meanwhile, a string of smishing attacks in Asia and Europe have involved false base stations that were driven around towns, tricking phones within range into receiving SMS messages that were sent over 2G and which contain links to unsafe websites. Google responded to the threat this year by giving enterprise users the option to disable 2G for their Android phones. Now security researchers in Singapore have found a vulnerability in 5G modems that would allow them to trigger a downgrade.

The method involves a base station (or an equivalent system controlled by the spies) sending a malformed instruction during the establishment of the connection between the base station and the target device. A change to one specific byte in the instruction is sufficient to render Qualcomm devices incapable of connecting to 5G until they have been rebooted. The researchers warn that the vulnerability is ‘fairly easy’ to exploit because no information about the victim’s SIM card is required. The attack is executed by the base station before the steps involved in authenticating a device to a network. The widespread use of Qualcomm 5G modems means this vulnerability afflicts hundreds of smartphone models from at least 24 different brands including Microsoft, HTC, Lenovo and Google.

This particular vulnerability is one of 14 identified by a joint team from the Singapore University of Technology and Design (SUTD) and Singapore’s Agency for Science, Technology and Research (A*STAR). The other vulnerabilities could be used for denial of service attacks on 5G devices, all of which would be prompted by a rogue base station sending instructions that would interrupt the normal functioning of the target modem. The vulnerabilities were found using modems from Qualcomm and MediaTek. The researchers collectively refer to these vulnerabilities as ‘5Ghoul’. Both Qualcomm and MediaTek have issued security updates to device vendors but it is inevitable that these will not reach every end user.

The technology required for a 5Ghoul-capable false base station can be purchased for a few thousand dollars and involves the use of open source software, a small computer and a software defined radio. The equipment used by the researchers is photographed above. It is easy to see how a 5Ghoul false base station could be turned into a portable unit.

The 5Ghoul vulnerability disclosure report is available as both a PDF and webpage. The 5Ghoul Github repository is here. A YouTube video demonstrating an attack that downgrades a phone from 5G to 4G can be watched below.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email