Article Details
Scrape Timestamp (UTC): 2023-12-08 15:25:08.807
Original Article Text
New 5Ghoul attack impacts 5G phones with Qualcomm, MediaTek chips

A new set of vulnerabilities in 5G modems by Qualcomm and MediaTek, collectively called "5Ghoul," impacts 710 5G smartphone models from Google partners (Android) and Apple, routers, and USB modems.

5Ghoul was discovered by university researchers from Singapore and consists of 14 vulnerabilities in mobile communication systems, 10 of which have been publicly disclosed and four withheld for security reasons.

The 5Ghoul attacks range from temporary service disruptions to network downgrades, which may be more severe from a security standpoint.

The researchers discovered the flaws while experimenting with 5G modem firmware analysis and report that the flaws are easy to exploit over-the-air by impersonating a legitimate 5G base station. This applies even when attackers lack information about the target's SIM card, as the attack occurs before the NAS authentication step.

"The attacker does not need to be aware of any secret information of the target UE e.g., UE's SIM card details, to complete the NAS network registration," explain the researchers on their website. "The attacker only needs to impersonate the legitimate gNB using the known Cell Tower connection parameters (e.g., SSB ARFCN, Tracking Area Code, Physical Cell ID, Point A Frequency)."

The above is achievable at the cost of a few thousand USD, using open-source software for network analysis and fuzzing, a mini PC, a software defined radio (SDR), and miscellaneous equipment like cables, antennas, power supplies, etc.

5Ghoul vulnerability details

The ten 5Ghoul vulnerabilities that have been publicly disclosed to Qualcomm and MediaTek as of December 7, 2023, are:

CVE-2023-33042 is particularly concerning because it can force a device to disconnect from a 5G network and fall back to 4G, exposing it to potential vulnerabilities in the 4G domain and thus to a broader range of attacks.
The DoS flaws in these vulnerabilities cause the devices to lose all connectivity until they are rebooted. This isn't as critical, although it can still have significant implications in mission-critical environments that rely on cellular service.

It is important to note that the disclosed flaws aren't limited to the devices mentioned in the above list. Identifying all impacted models is ongoing, but the researchers have already confirmed that 714 smartphones from 24 brands are impacted.

Vulnerable phones include models from POCO, Black, Lenovo, AGM, Google, TCL, Redmi, HTC, Microsoft, and Gigaset, with the complete list in the image below.

More about the 5Ghoul flaws, their exploitation potential and ramifications, and technical information can be found in the researchers' whitepaper. A proof-of-concept (PoC) exploit kit can also be found in their GitHub repository.

Vendor response and fixes

Both Qualcomm and MediaTek released security bulletins on Monday for the disclosed 5Ghoul vulnerabilities. The security updates were made available to device vendors two months ago. Still, given the complexity of the software supply chain, especially on Android, it will be a while before the fixes reach the end users via security updates.

Inevitably, some impacted smartphone models and other devices will never receive the fixes as they will likely reach end of support first.

If you're overly worried about 5Ghoul flaws, the only practical solution is to avoid using 5G entirely until fixes are available.

Signs of a 5Ghoul attack include loss of 5G connections, inability to re-connect until the device is rebooted, and consistent drop to 4G despite the availability of a 5G network in the area.
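
The signs of a 5Ghoul attack listed above can be checked against connectivity telemetry from managed devices. The following is an added example, not code from the article or the researchers; the log format, device names, the 5G-coverage flag and the three-sample threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample telemetry (assumed format): time, device, event, 5G coverage expected?
# event is the serving technology (NR = 5G, LTE = 4G, NONE = no service) or REBOOT.
SAMPLE_LOG = """\
10:00 dev-a NR yes
10:05 dev-a LTE yes
10:10 dev-a LTE yes
10:15 dev-a LTE yes
10:00 dev-b NONE yes
10:05 dev-b REBOOT yes
10:10 dev-b NR yes
10:00 dev-c LTE no
10:05 dev-c LTE no
10:10 dev-c LTE no
10:00 dev-d NONE yes
10:05 dev-d NR yes
"""

FALLBACK_RUN = 3  # assumed threshold: consecutive 4G samples despite 5G coverage


def find_5ghoul_signs(log_text, fallback_run=FALLBACK_RUN):
    """Return {device: [signs]} for devices showing the symptoms the article lists."""
    per_device = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, dev, event, covered = line.split()
            per_device[dev].append((ts, event, covered == "yes"))

    findings = defaultdict(set)
    for dev, rows in per_device.items():
        lte_run = 0       # consecutive LTE samples while 5G should be available
        outage = False    # device is currently without service
        rebooted = False  # a reboot happened during the current outage
        for _, event, covered in sorted(rows):
            if event == "REBOOT":
                rebooted = outage
                continue
            lte_run = lte_run + 1 if event == "LTE" and covered else 0
            if lte_run == fallback_run:
                findings[dev].add("persistent-4g-fallback")
            if event == "NONE":
                outage = True
                continue
            if outage and rebooted:  # service came back only after a reboot
                findings[dev].add("outage-cleared-by-reboot")
            outage = rebooted = False
    return {dev: sorted(signs) for dev, signs in findings.items()}
```

A match is a reason to investigate, since ordinary coverage gaps and modem faults can produce the same patterns.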
Daily Brief Summary
A new batch of vulnerabilities dubbed "5Ghoul" has been discovered in Qualcomm and MediaTek 5G modems.
5Ghoul impacts 710 models of smartphones, routers, and USB modems from various brands, including Android and Apple devices.
The vulnerabilities, arising from experiments with 5G modem firmware analysis, can be exploited over-the-air by mimicking a legitimate 5G base station.
Ten of the 5Ghoul vulnerabilities have been disclosed, highlighting one (CVE-2023-33042) that forces a downgrade from 5G to the less secure 4G network.
Devices experiencing loss of connectivity, inability to reconnect without a reboot, or unexplained fallback to 4G may indicate a 5Ghoul attack.
Qualcomm and MediaTek have released security updates for the vulnerabilities; however, patch deployment to end users may be delayed due to complex software supply chains.
Researchers note that some devices may never receive updates due to reaching the end of support before fixes are implemented.