In late 2023, security researchers at the Singapore University of Technology and Design (SUTD) identified a set of vulnerabilities, collectively named 5Ghoul, in 5G modem firmware from major chipmakers including MediaTek and Qualcomm. The same team has since published follow-up research describing a new attack method that can silently force a modern smartphone down from 5G to 4G, exposing the device to long-documented weaknesses in the older technology.
Unlike most earlier mobile network attacks, this technique does not require a fake (rogue) base station, which has traditionally been the main practical barrier. Instead it targets the first moments of a connection between a phone and a cell tower, when control-plane messages are exchanged in the clear and, more importantly for injection, without integrity protection, so the phone has no way to tell a genuine message from a forged one. By acting in that phase, an attacker can alter how the connection proceeds and weaken the device's security.
Exploiting weaknesses with the SNI5GECT toolkit
The researchers built a proof-of-concept framework called SNI5GECT, short for Sniffing 5G Inject, which exploits a brief window at the start of a device's connection attempt. During this pre-authentication stage, before the security mode procedure has activated protection of the signalling, messages between the handset and the tower are neither encrypted nor integrity-protected, so a passive sniffer can decode them in real time and an attacker can inject crafted messages without knowing any subscriber or network keys. The window is short because the injected message has to reach the phone before the legitimate base station's own reply does.
Using this capability, the researchers demonstrated crashing the modem, fingerprinting the device, and forcing a fall-back from 5G to 4G. Because 4G has long-documented weaknesses, a downgraded phone is easier to track by location or to subject to interception of its communications.
In testing, the attack succeeded between 70% and 90% of the time from a distance of around 20 metres, which the team considers practical in real-world conditions. They tested a range of devices, including popular models from Samsung, Google, Huawei and OnePlus, and the sniffer decoded both uplink and downlink traffic with high accuracy.
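The mechanism above (a forged downlink message accepted because no security has been set up yet) is also what a packet-level detector has to look for. The following is an added example written for this page, not code from the SNI5GECT authors or their toolkit: a small heuristic that walks a 5G registration in capture order, infers from the sequence whether NAS security has been activated (SECURITY MODE COMMAND answered by SECURITY MODE COMPLETE), and flags downlink messages that either affect the handset's security before that point or arrive while the network was still waiting for the phone's reply to an earlier request. The record format, the field names, the set of "sensitive" message types and the constructed sample sessions are all assumptions of this example; the page does not say which message SNI5GECT injects, and the REGISTRATION REJECT with 5GMM cause #27 in the sample is simply a standard-defined message used as illustrative data.

```python
from dataclasses import dataclass

# Downlink messages that, if accepted while NAS security is not yet active,
# can steer, reject or fingerprint the handset. Illustrative set chosen for
# this example, not the set any particular tool injects.
SENSITIVE_UNPROTECTED_DL = {
    "REGISTRATION_REJECT",    # some 5GMM causes make the UE stop using 5G (N1 mode)
    "RRC_RELEASE_REDIRECT",   # release with redirectedCarrierInfo to another RAT/frequency
    "IDENTITY_REQUEST_IMEI",  # 3GPP only allows a PEI (IMEI) request after security activation
}

# Downlink messages after which a genuine network waits for the UE's reply.
EXPECTED_REPLY = {
    "RRC_SETUP": {"RRC_SETUP_COMPLETE"},
    "IDENTITY_REQUEST_SUCI": {"IDENTITY_RESPONSE"},
    "IDENTITY_REQUEST_IMEI": {"IDENTITY_RESPONSE"},
    "AUTHENTICATION_REQUEST": {"AUTHENTICATION_RESPONSE", "AUTHENTICATION_FAILURE"},
    "SECURITY_MODE_COMMAND": {"SECURITY_MODE_COMPLETE", "SECURITY_MODE_REJECT"},
}


@dataclass
class Finding:
    index: int        # position of the message within the session
    msg_type: str
    reasons: list


def audit_session(msgs):
    """Walk one UE<->network signalling session in capture order.

    A passive sniffer holds no keys, so it cannot verify integrity tags. It
    can only infer from the message sequence whether NAS security has been
    activated yet and whether a downlink message turned up where the
    procedure did not call for one. Each message is a dict with "dir"
    ("UL" or "DL") and "type" (assumed record format for this example).
    """
    nas_secured = False
    pending = None          # downlink message still waiting for the UE's reply
    findings = []
    for i, m in enumerate(msgs):
        t = m["type"]
        if m["dir"] == "UL":
            if pending and t in EXPECTED_REPLY[pending]:
                pending = None
            if t == "SECURITY_MODE_COMPLETE":
                nas_secured = True   # from here on NAS messages are integrity protected
            continue
        reasons = []
        if pending is not None:
            reasons.append(f"arrived while the UE still owed a reply to {pending}")
        if not nas_secured and t in SENSITIVE_UNPROTECTED_DL:
            reasons.append("security-affecting message before NAS security activation")
        if reasons:
            findings.append(Finding(i, t, reasons))
        if t in EXPECTED_REPLY:
            pending = t
    return findings


# Constructed sessions for the example (not real captures).
NORMAL_REGISTRATION = [
    {"dir": "UL", "type": "RRC_SETUP_REQUEST"},
    {"dir": "DL", "type": "RRC_SETUP"},
    {"dir": "UL", "type": "RRC_SETUP_COMPLETE"},       # carries the NAS REGISTRATION REQUEST
    {"dir": "DL", "type": "AUTHENTICATION_REQUEST"},
    {"dir": "UL", "type": "AUTHENTICATION_RESPONSE"},
    {"dir": "DL", "type": "SECURITY_MODE_COMMAND"},
    {"dir": "UL", "type": "SECURITY_MODE_COMPLETE"},
    {"dir": "DL", "type": "REGISTRATION_ACCEPT"},
]

# Same start, but a REGISTRATION REJECT shows up before the UE has answered the
# authentication challenge and before any security has been set up.
# 5GMM cause #27 is "N1 mode not allowed"; it is used here only as sample data.
SUSPECT_REGISTRATION = NORMAL_REGISTRATION[:4] + [
    {"dir": "DL", "type": "REGISTRATION_REJECT", "cause": 27},
]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_REGISTRATION), ("suspect", SUSPECT_REGISTRATION)):
        found = audit_session(session)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  msg #{f.index} {f.msg_type}: {'; '.join(f.reasons)}")
```

The normal session produces no findings; the suspect one flags message #4 on both counts. A genuine network is permitted by 3GPP to send a few of these messages without integrity protection (that is the root of the problem), so a single "before security activation" hit is a triage signal rather than proof of injection. The interleaving check is the stronger signal, because a real base station waits for the reply it asked for, whereas an injector has to slip its message into exactly that gap.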
The researchers emphasised that this approach reduces the complexity of mobile network attacks because it bypasses the need to set up a rogue base station, making it significantly easier to execute than previous downgrade exploits.
Industry response and security recommendations
The GSM Association (GSMA) has acknowledged the issue through its Coordinated Vulnerability Disclosure programme, assigning it the identifier CVD-2025-0096 and classifying it as a downgrade risk. The researchers have released the toolkit as open-source software, saying they want to encourage further study and the development of stronger 5G defences, including packet-level detection systems.
Despite their intentions, the ability to silently crash devices or downgrade connections raises concerns about the resilience of mobile networks. Although there have been no confirmed cases of real-world abuse so far, the public availability of the software means skilled attackers could adopt and refine the technique.
Mobile users currently have few ways to block a low-level exploit of this kind directly, because the decision to accept an unprotected message is made inside the modem firmware. The practical advice is therefore to limit what a downgraded link can yield: keep the operating system, firmware and any antivirus software up to date; rely on end-to-end encrypted services, so that intercepting the radio link does not expose message or call content; store credentials in a password manager; and use multi-factor authentication, so that a captured password alone is not enough to take over an account.