By Alfaiz Nova, Cybersecurity Expert

Home
5G attack

Sni5Gect 5G attack: real-time sniffing and malware injection risk 2025.

Sni5Gect can intercept pre‑auth 5G messages and inject payloads in real time, enabling device crashes, downgrades, and identity theft.

 

A close-up of a 5G cell tower with a glowing data stream being intercepted by an SDR device, with UI overlays showing "pre-auth sniff" and "payload inject


Your 5G connection may be more fragile than it looks. Singapore researchers have introduced Sni5Gect, a practical framework that passively sniffs 5G control‑plane messages during the pre‑authentication window and then injects targeted payloads—all in real time and without spinning up a rogue base station. The work, presented at USENIX Security 2025, demonstrates device crashes, forced downgrades to 4G, and other “stateful” exploits relying on protocol timing before encryption and integrity protections kick in.usenix+1

What is Sni5Gect?

Sni5Gect is a research framework that tracks the UE↔gNB protocol state and exploits the moment between Random Access Channel (RACH) and NAS security establishment when messages aren’t yet protected. By decoding those broadcasts on the fly, an attacker can inject downlink messages precisely when the UE accepts them—enabling denial‑of‑service, session manipulation, or downgrade to weaker radio stacks. Crucially, it does not require a fake (rogue) base station; an off‑the‑shelf SDR and proximity (tested up to ~20 meters) suffice.thehackernews+1

Why it works: the pre‑authentication window

  • Unencrypted control messages: Before the 5G security context is established, gNB↔UE messages lack encryption/integrity, allowing eavesdropping and carefully timed injection.cybersecuritynews+1

  • Stateful injection: By listening for the Random Access Response (RAR) and extracting RNTI, Sni5Gect maintains protocol state to craft valid‑looking downlink messages at the right moment.theregister+1

Demonstrated impacts

  • Device crashes and connection drops: Researchers showed targeted denial techniques that crash phones or freeze connections until a manual reboot.thehackernews

  • Forced downgrade (5G→4G): A novel downgrade sequence reduces security posture, enabling extended surveillance and lower‑barrier attacks; GSMA assigned CVD‑2024‑0096 to the finding.theregister

  • Identity exposure and traffic manipulation: Real‑time sniffing/injection can fingerprint devices, influence registration flows, or steer users toward malicious follow‑on vectors during reconnection scenarios (e.g., exiting airplane mode, tunnels, elevators).cybersecuritynews+1

Tested scope and accuracy

The team evaluated Sni5Gect against five 5G‑capable devices using both open‑source (srsRAN) and commercial (Effnet) base stations, reporting >80% sniffing accuracy for uplink/downlink and ~70–90% success rates for downlink injection at short range.gbhackers+1

How Sni5Gect differs from prior 5G attacks

Earlier work often relied on rogue gNBs to lure devices. Sni5Gect instead acts as a passive third‑party observer and only goes active at precise states, significantly lowering setup complexity and detectability while exploiting an inherent timing gap in the protocol.cybersecuritynews+1

Relation to prior modem flaws (5Ghoul)

Sni5Gect builds on a research trajectory that previously exposed chipset firmware weaknesses (5Ghoul) in 2023 across major 5G modems. While 5Ghoul targeted vendor‑specific stacks, Sni5Gect focuses on protocol‑level windows that can affect diverse devices, amplifying practical risk during connection transitions.thehackernews

Real‑world risk and threat model

  • Attacker proximity: Requires line‑of‑sight or near‑field access within tens of meters using SDR gear—feasible in crowded venues, transit hubs, or targeted operations.theregister

  • Time‑of‑use exploitation: Most effective when users reconnect (airplane mode off, elevator exit, leaving tunnels), when pre‑auth control exchanges are frequent and predictable.cybersecuritynews

Mitigations and defenses

  • Protocol hardening: Reduce or eliminate unprotected pre‑auth messaging where feasible; accelerate the establishment of NAS security; add integrity checks to sensitive early messages. GSMA has acknowledged the downgrade class and is coordinating disclosures.theregister

  • RAN‑side monitoring: Detect anomalous RF patterns and injection signatures, including timing anomalies and unexpected control message frequencies near cells.ncs

  • UE firmware updates: Vendors should patch state handling and tighten acceptance criteria for early‑stage control messages; prioritize robust fallback logic to avoid forced downgrades.orbit.dtu

  • Operational guidance: Encourage users to re‑associate in safer locales; carriers to deploy anomaly detection near high‑risk areas (e.g., airports, stadiums).ncs

Why this matters now

5G is the backbone for critical services, from industrial IoT to emergency communications. A practical, open research framework that enables over‑the‑air sniffing and stateful injection—without rogue gNBs—raises the bar for adversaries and red teams alike, and stresses the need for protocol‑level fixes, carrier monitoring, and handset vendor updates.usenix+1

FAQs

  • What is Sni5Gect?
    Sni5Gect is a research framework that passively sniffs pre‑authentication 5G control messages and injects targeted downlink payloads in real time without a rogue base station.usenix+1

  • Does it need device credentials?
    No. It exploits unencrypted, pre‑auth messages, so it doesn’t require UE credentials to sniff or inject during the early connection window.thehackernews

  • How close must an attacker be?
    Demonstrations showed effective sniffing and injection at up to roughly 20 meters with an SDR setup, depending on environment and equipment.gbhackers+1

  • What attacks were shown?
    Device crashes, connection freezes, and forced downgrades from 5G to 4G, plus fingerprinting and message manipulation opportunities.thehackernews+1

  • Has this been disclosed to industry?
    Yes. The GSMA confirmed the downgrade class and assigned CVD‑2024‑0096; the work was presented at USENIX Security 2025.usenix+1

  • How can networks defend?
    Harden pre‑auth exchanges, speed up establishing security contexts, deploy RAN‑side anomaly detection, and coordinate UE firmware updates.orbit.dtu+1

Sources

  • USENIX Security 2025: SNI5GECT paper/presentation on stateful sniffing and injection without rogue gNB.usenix

  • The Register coverage of Sni5Gect capabilities, ranges, success rates, and GSMA CVD.theregister

  • The Hacker News summary linking Sni5Gect to pre‑auth message interception and 5Ghoul lineage.thehackernews

  • CybersecurityNews and GBHackers overviews with testbed details (srsRAN/Effnet) and success metrics.gbhackers+1

  • NCS/CSA 5G security evaluation guidance and countermeasure framing; broader 5G attacks/countermeasures research.ncs+1

Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadgets comparision and latest information about the gadgets. Let’s explore tech together!"
NextGen Digital... Welcome to WhatsApp chat
Howdy! How can we help you today?
Type here...