SNI5GECT: A New Framework Exposes Major Vulnerabilities in 5G Networks
A team of researchers has unveiled a new framework, SNI5GECT, which exposes vulnerabilities in fifth-generation mobile networks at the very earliest stages of connection establishment. Unlike attacks that rely on counterfeit base stations—complex to implement and easily detected by monitoring systems—SNI5GECT operates as a “third party”: it intercepts unencrypted exchanges between a device and a base station before authentication occurs and is capable of injecting its own messages into the communication stream. This enables targeted attacks on a smartphone or modem without knowledge of its identifiers and without coercing the terminal into connecting to a fraudulent gNB.
During testing, the researchers deployed SNI5GECT on five different 5G devices, using both open-source base station implementations (srsRAN) and commercial solutions (Effnet). The experiments revealed that the system successfully intercepted more than 80% of uplink and downlink exchanges, with the success rate of forged message injection reaching 70–90%, even at distances of up to 20 meters. In one case, the attack triggered modem crashes on smartphones powered by MediaTek chips; in another, it enabled a novel downgrade technique whereby the terminal blacklisted the base station, permanently losing 5G connectivity and reverting to LTE. This scenario has already been acknowledged by the GSMA industry consortium and assigned the identifier CVD-2024-0096.
The practical danger lies in the fact that unencrypted communication windows regularly occur: when a signal is lost in an elevator, when switching to airplane mode, or when exiting a tunnel, the device initiates reconnection. It is precisely at such moments that an attacker can intercept and manipulate the exchange. Consequently, the vulnerability spans a wide range of real-world scenarios.
SNI5GECT also facilitates the modeling of complex attack chains involving sequential injection and analysis of device responses. For instance, an attacker could enforce a forged registration denial, pushing the terminal toward a less secure network, or induce repeated authentication failures that cause the smartphone to blacklist the base station and fall back to 4G. Such conditions pave the way for IMSI catchers, surveillance, and the harvesting of sensitive data.
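The symptom described above (repeated registration denials or authentication failures that arrive before any security context exists, followed by the cell being blacklisted and a fallback to LTE) is observable on the device side. The following is an added defender-side example, not code from the SNI5GECT project: a small heuristic over a constructed, hypothetical modem event log that flags cells whose rejections all occur before a Security Mode Command (i.e. in the unprotected window) and are bursty or followed by barring/RAT fallback. Event names, cell identifiers and the log format are assumptions for the example.

```python
"""Defensive heuristic: flag unprotected (pre-security) rejections that match the
downgrade pattern described for SNI5GECT. Log format is constructed for this example."""
import re
from collections import defaultdict

# Constructed sample log: "<seconds> cell=<id> <EVENT> [k=v ...]". Cell A shows the
# attack pattern; cell B shows a legitimate reject sent after security activation.
SAMPLE_LOG = """\
0.00 cell=A RAR
0.01 cell=A RRC_SETUP
0.05 cell=A REG_REJECT
0.30 cell=A RAR
0.35 cell=A AUTH_FAIL
0.60 cell=A RAR
0.65 cell=A AUTH_FAIL
0.70 cell=A CELL_BARRED
0.80 cell=A RAT_FALLBACK rat=LTE
5.00 cell=B RAR
5.10 cell=B SECURITY_MODE_CMD
5.20 cell=B REG_REJECT
"""

LINE_RE = re.compile(r"^(?P<ts>[\d.]+) cell=(?P<cell>\S+) (?P<ev>[A-Z_]+)(?P<kv>.*)$")
REJECTS = {"REG_REJECT", "AUTH_FAIL"}            # hypothetical event names
AFTERMATH = {"CELL_BARRED", "RAT_FALLBACK"}

def parse(log):
    """Parse log text into (timestamp, cell, event) tuples; skips malformed lines."""
    return [(float(m["ts"]), m["cell"], m["ev"])
            for m in (LINE_RE.match(l.strip()) for l in log.splitlines()) if m]

def find_suspicious_cells(log, threshold=2, window_s=2.0):
    """Return {cell: reason} for cells whose rejections precede any SECURITY_MODE_CMD
    and either repeat `threshold` times within `window_s` seconds or are followed by
    barring / RAT fallback. Rejections after security activation are integrity
    protected and are not counted."""
    secured, rejects, aftermath = set(), defaultdict(list), defaultdict(list)
    for ts, cell, ev in parse(log):
        if ev == "SECURITY_MODE_CMD":
            secured.add(cell)
        elif ev in REJECTS and cell not in secured:
            rejects[cell].append(ts)
        elif ev in AFTERMATH and rejects.get(cell):
            aftermath[cell].append(ev)
    findings = {}
    for cell, stamps in rejects.items():
        burst = any(stamps[i + threshold - 1] - stamps[i] <= window_s
                    for i in range(len(stamps) - threshold + 1))
        if burst or aftermath[cell]:
            tail = ", then " + "/".join(aftermath[cell]) if aftermath[cell] else ""
            findings[cell] = f"{len(stamps)} unprotected rejection(s){tail}"
    return findings
```

On a real device the same logic would run over baseband diagnostic output; the point is that a rejection is only trustworthy once it arrives inside an integrity-protected session.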
The authors emphasize that their tool is the first open framework of its kind to study weaknesses in 5G without the need to operate a fake base station. The project’s source code is openly available on GitHub, while the actual exploits will only be shared with vetted organizations to prevent misuse. The researchers underscore that their publication is made in the community’s interest, aiming to strengthen security rather than facilitate malicious exploitation.
At the core of SNI5GECT lies the Syncher, which synchronizes with a legitimate cell and extracts essential data from the Master Information Block (MIB). This synchronization must occur in real time with minimal latency, as even a single missed slot results in the loss of critical messages and failure of the attack. The Syncher runs in a dedicated high-priority thread that keeps it precisely aligned with the time slots, which in turn enables decoding of both the control channel (PDCCH) and the user data channels (PDSCH and PUSCH).
Next, the Broadcast Worker analyzes the System Information Block Type 1 (SIB1), which contains fundamental radio interface settings—access parameters, channel configurations, and random access algorithms. Once SIB1 is parsed, the component begins monitoring new devices attempting to connect. The first indicator of such an event is the Random Access Response (RAR), which provides a temporary RA-RNTI identifier. Upon receiving it, the system launches UETracker, a module that tracks the subscriber until a permanent C-RNTI is assigned.
UETracker is itself divided into three subcomponents. The UE DL Worker decodes downlink traffic by extracting Downlink Control Information from the PDCCH and reconstructing PDSCH messages to determine the protocol state of the connection. At this stage, it becomes possible to craft malicious payloads tailored to the procedure’s exact step. The gNB UL Worker processes the uplink channel, where timing discrepancies pose a challenge: uplink transmissions do not align with downlink ones, and packets are often shifted due to Timing Advance commands. SNI5GECT compensates for this offset, enabling successful decoding of PUSCH and access to critical UE requests before a secure context is established. Finally, the gNB DL Injector forges and inserts counterfeit packets, masquerading them as legitimate base station traffic. Crucially, it does not simply inject a message, but generates its own DCI and scheduling for the PDSCH, ensuring that the smartphone accepts the forged packet as genuine.
The principal challenge lies in timing precision. Even microsecond-level discrepancies lead to discarded packets due to CRC errors. The researchers overcame this by optimizing delay: first recording IQ samples at a given point, then calibrating delay values until the terminal successfully decoded a counterfeit frame. This optimized value could then be applied to attack other devices within the same 20-meter radius.
Architecturally, SNI5GECT is built upon the integration of srsRAN with the WDissector library. It employs an SDR USRP B210, which simultaneously handles both interception and injection processes. In experiments, the system successfully attacked not only open gNB implementations but also commercial Effnet solutions, proving the universality of the approach. Furthermore, while the framework is openly available on GitHub, the exploits themselves will only be distributed to trusted research institutions, minimizing the risk of abuse.