Sni5Gect: a real-time 5G sniffing and attack framework that needs no rogue base station
Researchers in Singapore have developed the Sni5Gect framework, which intercepts and manipulates 5G communications in real time by exploiting the pre-authentication window, without needing a rogue base station. The tool has been tested successfully on five commercial devices and is publicly available for security research. 2025-8-19 09:48:40 Author: cybersecuritynews.com (view original)

Sni5Gect 5G Attack

Cybersecurity researchers from Singapore University of Technology and Design have developed a new framework called Sni5Gect that can intercept and manipulate 5G network communications in real-time, posing significant new security risks to commercial mobile devices worldwide.

The framework, presented at the 34th USENIX Security Symposium, represents a major advancement in 5G attack capabilities by eliminating the need for complex rogue base station setups.


Unlike previous 5G security testing approaches that relied on deploying fake base stations, which are expensive, easily detectable, and require forcing devices to connect to them, Sni5Gect operates as a passive third-party observer that silently monitors legitimate 5G traffic before striking with precisely timed message injections.


The framework exploits the critical pre-authentication window when devices first connect to 5G networks, a vulnerable period that occurs during common scenarios like exiting airplane mode, emerging from tunnels, or leaving elevators.

Singapore researchers unveil powerful open-source tool that bypasses 5G security without requiring rogue base stations.

During this brief window, control-plane messages between the base station (gNB) and user equipment (UE) remain unencrypted, allowing attackers to eavesdrop and manipulate protocol flows without requiring knowledge of device credentials.

The attack model mimics a partial Dolev-Yao adversary capable of eavesdropping, injecting, replaying, or modifying messages in downlink communications.

SNI5GECT attack model

The Sni5Gect framework demonstrates impressive technical performance across multiple attack vectors.

Testing on five commercial 5G devices (including the OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro) revealed over 80% accuracy in sniffing combined uplink and downlink traffic, with downlink-only monitoring achieving over 95% success rates.

The system successfully injects malicious payloads with 70-90% success rates at distances up to 20 meters using standard software-defined radio (SDR) equipment.

The framework consists of several sophisticated components working in concert: the Syncher aligns with target 5G cells and maintains synchronization; the Broadcast Worker extracts system information and monitors for new device connections; UETracker instances follow individual devices through dedicated sniffers; and the GNB DL Injector crafts and transmits spoofed messages that perfectly mimic legitimate base station communications.

Attack Categories and Real-World Impact

Researchers successfully demonstrated three primary attack categories using Sni5Gect. One-shot attacks involve injecting single malicious messages that immediately crash devices or downgrade connections from 5G to less secure 4G networks.

Response-based attacks inject messages and wait for specific device responses, enabling techniques like SUCI catching for device fingerprinting and tracking.

Most significantly, the team discovered a novel multi-stage downgrade attack that manipulates the T3520 timer within devices by injecting replayed Authentication Request messages containing invalid sequence numbers.

This forces devices to blacklist legitimate 5G base stations and permanently fall back to 4G connectivity, even after extended waiting periods. The GSM Association has acknowledged this vulnerability under coordinated disclosure identifier CVD-2024-0096.
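Added here as a defender-side illustration, not code from the article or the Sni5Gect project: a small monitor that scans a constructed trace of pre-authentication NAS messages for the patterns described above (a replayed Authentication Request and repeated synch failures that keep T3520 cycling). Message names and the synch-failure cause value follow 3GPP TS 24.501; the trace format and thresholds are assumptions made for this example.

```python
# Added example (not from the article or the Sni5Gect project): flag the
# pre-authentication anomalies the article describes in a trace of
# unprotected NAS messages for one UE connection. Trace format is assumed.
from collections import Counter

REPLAY_THRESHOLD = 2   # same RAND/AUTN seen this many times -> suspected replay
SYNCH_FAILURE = 21     # 5GMM cause "synch failure" (SQN out of range), TS 24.501


def analyse_preauth_trace(trace):
    """Return alerts for one registration attempt.

    trace: list of dicts with keys dir ('DL'/'UL') and msg, plus optional
    rand, autn (for Authentication Request) and cause (for Authentication
    Failure). Only messages before SECURITY_MODE_COMPLETE are inspected,
    because that is the window in which a third party can inject messages.
    """
    alerts = []
    auth_req_seen = Counter()
    synch_failures = 0
    for i, m in enumerate(trace):
        if m["msg"] == "SECURITY_MODE_COMPLETE":
            break  # NAS security active from here on; later messages are protected
        if m["dir"] == "DL" and m["msg"] == "AUTHENTICATION_REQUEST":
            key = (m["rand"], m["autn"])
            auth_req_seen[key] += 1
            if auth_req_seen[key] == REPLAY_THRESHOLD:
                alerts.append(f"msg {i}: replayed AUTHENTICATION_REQUEST (same RAND/AUTN)")
        elif m["dir"] == "UL" and m["msg"] == "AUTHENTICATION_FAILURE":
            if m.get("cause") == SYNCH_FAILURE:
                synch_failures += 1
                if synch_failures == 2:
                    alerts.append(f"msg {i}: repeated synch failures, T3520 cycling; possible downgrade attempt")
        elif m["dir"] == "DL" and m["msg"] == "REGISTRATION_REJECT":
            alerts.append(f"msg {i}: REGISTRATION_REJECT received before NAS security was activated")
    return alerts


# Constructed sample traces (not captured data).
CLEAN_TRACE = [
    {"dir": "UL", "msg": "REGISTRATION_REQUEST"},
    {"dir": "DL", "msg": "AUTHENTICATION_REQUEST", "rand": "r1", "autn": "a1"},
    {"dir": "UL", "msg": "AUTHENTICATION_RESPONSE"},
    {"dir": "DL", "msg": "SECURITY_MODE_COMMAND"},
    {"dir": "UL", "msg": "SECURITY_MODE_COMPLETE"},
]
REPLAY_TRACE = [  # legitimate auth, then the same request replayed twice
    {"dir": "UL", "msg": "REGISTRATION_REQUEST"},
    {"dir": "DL", "msg": "AUTHENTICATION_REQUEST", "rand": "r1", "autn": "a1"},
    {"dir": "UL", "msg": "AUTHENTICATION_RESPONSE"},
    {"dir": "DL", "msg": "AUTHENTICATION_REQUEST", "rand": "r1", "autn": "a1"},
    {"dir": "UL", "msg": "AUTHENTICATION_FAILURE", "cause": 21},
    {"dir": "DL", "msg": "AUTHENTICATION_REQUEST", "rand": "r1", "autn": "a1"},
    {"dir": "UL", "msg": "AUTHENTICATION_FAILURE", "cause": 21},
]
```

Run against a baseband or test-bed NAS log, the same check gives a defender a concrete signal for the downgrade pattern rather than relying on users noticing a silent fallback to 4G.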

The research builds upon previous 5G vulnerability discoveries, including the 5Ghoul attacks that affected over 700 smartphone models from 24 brands.

However, Sni5Gect’s ability to operate without rogue infrastructure makes it significantly more practical for real-world deployment. The attack hardware costs only a few thousand dollars and can be made portable, raising concerns about potential misuse.

The framework’s open-source availability through GitHub provides security researchers and network defenders with unprecedented capabilities for testing 5G infrastructure resilience.

However, the researchers have responsibly withheld “other serious exploits” from public release while making the core framework available for legitimate security research.

This development underscores the ongoing security challenges facing 5G networks as they become increasingly critical infrastructure. While manufacturers like Qualcomm and MediaTek have released patches for known vulnerabilities, the emergence of new attack vectors like those enabled by Sni5Gect highlights the need for continued vigilance in 5G security research and development.

The research team emphasizes that Sni5Gect serves as both an offensive security tool and a defensive testing framework, enabling organizations to evaluate the real-world security posture of their 5G deployments against sophisticated over-the-air attacks that bypass traditional security assumptions.



Source: https://cybersecuritynews.com/sni5gect-5g-attack/