
5Gone: Uplink Overshadowing Attacks in 5G-SA

Simon Erni, Martin Kotuliak, Marc Roeschlin, Richard Baker, Srdjan Capkun

TL;DR

This work identifies a practical threat to 5G-SA by introducing 5Gone, an SDR-based uplink overshadowing framework that can covertly override victim UE messages in 100 MHz cells with sub-500 μs latency. It demonstrates four attack classes—cell-wide DoS, registration downgrade, SUCI extraction, and SUCI replay—achieving end-to-end attack execution on real devices and networks, including 64-UE parallel operation and real-world tests with multiple handset families. The authors develop a symbol-based processing stack that processes each UE’s control and data channels at symbol times, enabling fast PDCCH/PUSCH handling without specialized hardware. They also provide extensive evaluation logs, discuss ethical considerations, and offer countermeasures such as anomaly detection and transcript verification to mitigate these risks. Overall, the paper highlights significant 5G-SA vulnerabilities to uplink-based disruption and privacy breaches, underscoring the need for robust defenses and more research into secure attachment procedures and SUCI protection.

Abstract

5G presents numerous advantages compared to previous generations: improved throughput, lower latency, and improved privacy protection for subscribers. Attacks against 5G standalone (SA) commonly use fake base stations (FBS), which need to operate at a very high output power level to lure victim phones to connect to them and are thus highly detectable. In this paper, we introduce 5Gone, a powerful software-defined radio (SDR)-based uplink overshadowing attack method against 5G-SA. 5Gone exploits deficiencies in the 3GPP standard to perform surgical, covert denial-of-service, privacy, and downgrade attacks. Uplink overshadowing means that an attacker is transmitting at exactly the same time and frequency as the victim UE, but with a slightly higher output power. 5Gone runs on a COTS x86 computer without any need for dedicated hardware acceleration and can overshadow commercial 100 MHz cells with an E2E latency of less than 500 μs, which up to now has not been possible with any software-based UE implementation. We demonstrate that 5Gone is highly scalable, even when many UEs are connecting in parallel, and finally evaluate the attacks end-to-end against 7 phone models and three different chipset vendors both in our lab and in the real world on public gNodeBs.

Paper Structure (32 sections, 10 figures, 5 tables)

Figures (10)

  • Figure 1: Illustration of an uplink overshadowing attack. An attacker transmits on the same uplink time and frequency resources as the victim UE, but with a slightly higher transmit power. The gNB will only decode the stronger signal, thus the attacker can change the data transmitted by the UE without the UE knowing anything about it.
  • Figure 2: Elements of the 5G protocol stack that are relevant to uplink overshadowing attacks presented in this paper.
  • Figure 3: Sequence diagram of a UE connecting to the network for the first time, e.g., after rebooting or toggling flight mode.
  • Figure 4: Attack on the Random-Access Procedure causing a Downgrade by preventing any connection establishment to a gNodeB.
  • Figure 5: Registration Reject Downgrade Attack. In the upper half, the UE has a pre-existing session with the AMF and would like to resume it, which is blocked with a Service Reject attack that clears the session in the UE. In the bottom half, the UE attempts to register to the network, but is immediately blocked with the cause value "N1 mode not allowed", prompting the UE to downgrade to 4G.
  • ...and 5 more figures