5Gone: Uplink Overshadowing Attacks in 5G-SA

TL;DR

This paper introduces 5Gone, a novel SDR-based uplink overshadowing attack on 5G-SA that can perform covert denial-of-service and privacy attacks with high scalability and low latency using standard hardware.

Contribution

The paper presents 5Gone, a new software-defined radio attack method exploiting 3GPP standard flaws to perform covert uplink overshadowing on 5G-SA networks.

Findings

5Gone can overshadow commercial 100 MHz cells with <500μs latency.

The attack is highly scalable with multiple UEs.

Effective against various phone models and chipsets in lab and real-world environments.

Abstract

5G presents numerous advantages compared to previous generations: improved throughput, lower latency, and improved privacy protection for subscribers. Attacks against 5G standalone (SA) commonly use fake base stations (FBS), which need to operate at a very high output power level to lure victim phones to connect to them and are thus highly detectable. In this paper, we introduce 5Gone, a powerful software-defined radio (SDR)-based uplink overshadowing attack method against 5G-SA. 5Gone exploits deficiencies in the 3GPP standard to perform surgical, covert denial-of-service, privacy, and downgrade attacks. Uplink overshadowing means that an attacker is transmitting at exactly the same time and frequency as the victim UE, but with a slightly higher output power. 5Gone runs on a COTS x86 computer without any need for dedicated hardware acceleration and can overshadow commercial 100 MHz cells with an E2E latency of less than 500$\mu$s, which up to now has not been possible with any software-based UE implementation. We demonstrate that 5Gone is highly scalable, even when many UEs are connecting in parallel, and finally evaluate the attacks end-to-end against 7 phone models and three different chipset vendors both in our lab and in the real-world on public gNodeBs.