SNI5GECT Exploit Bypasses 5G Security Without Needing Fake Towers

Keerthana S August 19, 2025 | 02:57 PM Technology

A new open-source framework called SNI5GECT enables attackers to sniff and inject messages into pre-authentication 5G NR traffic—without needing rogue base stations.

Developed by researchers at the Singapore University of Technology and presented at the 34th USENIX Security Symposium, the tool demonstrates practical exploits against commercial 5G devices, enabling denial-of-service attacks, forced downgrades, and identity leaks. Unlike traditional 5G attack models that depend on rogue gNBs, which are costly, detectable, and require tricking devices into connecting, SNI5GECT operates passively as a third-party observer. Using a software-defined radio (SDR) setup, it silently monitors 5G traffic and injects protocol-specific messages at key states. The full framework, including a 5G sniffer and downlink injector, is publicly available on GitHub, giving researchers a testbed for real-world 5G security analysis.

Figure 1. SNI5GECT.

How It Works

SNI5GECT exploits the pre-authentication window—the moment during initial 5G connections when control-plane messages are unencrypted. This window commonly appears when devices exit airplane mode or reconnect after leaving coverage areas like tunnels, giving attackers a chance to eavesdrop and alter traffic without needing user credentials. Figure 1 shows SNI5GECT.

Its main components include:

  • Syncher: Aligns with the target 5G cell and decodes synchronization signals.
  • Broadcast Worker: Extracts system information and monitors new UEs via random access responses.
  • NEXTracker: Tracks devices across states and manages injection payloads.
  • GNB DL Injector: Sends spoofed downlink messages that mimic legitimate gNB transmissions, carefully timed to bypass detection.

By decoding both uplink and downlink traffic, SNI5GECT allows precise, stateful injections during registration, RRC setup, and NAS procedures [1]. Timing adjustments enable message injection up to 20 meters away.

Attack Scenarios

Tested on five commercial 5G devices—including models from OnePlus, Huawei, Google, Samsung, and Fibocom—the framework achieved >95% downlink sniffing accuracy and 70–90% injection success. Demonstrated attacks include:

  • Device Crashes: Triggered via malformed protocol messages, reproducing known vulnerabilities (e.g., CVE-2023-20702).
  • Downgrade Attacks: Forcing devices onto 4G with a forged registration reject.
  • Identity Leaks: Capturing encrypted identifiers by injecting fake identity requests.
  • Replay-Based Downgrade (New): Forged authentication requests trick devices into blacklisting 5G cells, forcing permanent fallback to 4G. This method (CVD-2024-0096) was acknowledged by GSMA.

In one demo, researchers successfully downgraded a device to 4G, then captured its IMSI using a rogue 4G base station, defeating 5G privacy protections.
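The attacks above all rely on the same weakness described under How It Works: before security activation, a UE will accept plaintext downlink NAS messages (Authentication Request, Identity Request, Registration Reject) that it cannot verify came from the real gNB. The following is an added example from the defender's side; it is not code from the SNI5GECT project or the article. It assumes a hypothetical pair of logs in a constructed CSV format, one recorded by the network for each session and one collected from the UE, and reconciles them: a plaintext downlink message the UE received but the network never sent cannot be a legitimate gNB transmission and is reported as a candidate injection. A second, UE-only heuristic flags repeated pre-authentication requests within one registration attempt for the case where no network log is available. All identifiers, timings and log lines are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# NAS downlink message types a UE accepts in plaintext before security
# activation; these are the message types the article says are forged.
PRE_AUTH_DOWNLINK = {"AuthenticationRequest", "IdentityRequest", "RegistrationReject"}


@dataclass(frozen=True)
class NasEvent:
    ue_id: str      # hypothetical per-session identifier (assumption)
    direction: str  # "DL" = gNB -> UE, "UL" = UE -> gNB
    msg_type: str   # NAS message name as logged
    t_ms: int       # milliseconds since the UE's RRC setup (assumption)


def parse_log(text):
    """Parse the constructed CSV log format: ue_id,direction,msg_type,t_ms."""
    events = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        ue_id, direction, msg_type, t_ms = (f.strip() for f in line.split(","))
        events.append(NasEvent(ue_id, direction, msg_type, int(t_ms)))
    return events


def find_unsolicited_downlink(network_events, ue_events, tolerance_ms=50):
    """Reconcile what the UE received against what the network logged sending.

    A plaintext DL message the UE received but the network never sent for that
    session (within tolerance_ms) cannot be a gNB transmission and is reported
    as a candidate injection.
    """
    sent = defaultdict(list)
    for ev in network_events:
        if ev.direction == "DL":
            sent[(ev.ue_id, ev.msg_type)].append(ev.t_ms)
    suspicious = []
    for ev in ue_events:
        if ev.direction != "DL" or ev.msg_type not in PRE_AUTH_DOWNLINK:
            continue
        legit_times = sent.get((ev.ue_id, ev.msg_type), [])
        if not any(abs(t - ev.t_ms) <= tolerance_ms for t in legit_times):
            suspicious.append(ev)
    return suspicious


def find_repeated_downlink(ue_events):
    """UE-side-only heuristic for when no network log is available: a second
    plaintext AuthenticationRequest / IdentityRequest / RegistrationReject
    within one registration attempt is unexpected and worth a closer look."""
    counts = Counter((ev.ue_id, ev.msg_type) for ev in ue_events
                     if ev.direction == "DL" and ev.msg_type in PRE_AUTH_DOWNLINK)
    return sorted(key for key, n in counts.items() if n > 1)


# Constructed sample logs (not real captures). ue-42 receives two messages the
# network never sent; ue-7 receives a duplicate AuthenticationRequest.
NETWORK_LOG = """
ue-42,UL,RegistrationRequest,0
ue-42,DL,AuthenticationRequest,120
ue-42,UL,AuthenticationResponse,180
ue-42,DL,SecurityModeCommand,240
ue-7,UL,RegistrationRequest,0
ue-7,DL,AuthenticationRequest,100
"""

UE_LOG = """
ue-42,UL,RegistrationRequest,0
ue-42,DL,AuthenticationRequest,121
ue-42,DL,RegistrationReject,150      # not in the network log: forged reject
ue-42,UL,AuthenticationResponse,181
ue-42,DL,IdentityRequest,200         # not in the network log: fake identity request
ue-42,DL,SecurityModeCommand,241
ue-7,UL,RegistrationRequest,0
ue-7,DL,AuthenticationRequest,101
ue-7,DL,AuthenticationRequest,300    # second request: replay candidate
"""


def analyze(network_text=NETWORK_LOG, ue_text=UE_LOG):
    """Run both checks over the two logs and return plain tuples for reporting."""
    net, ue = parse_log(network_text), parse_log(ue_text)
    return {
        "unsolicited": [(e.ue_id, e.msg_type, e.t_ms)
                        for e in find_unsolicited_downlink(net, ue)],
        "repeated": find_repeated_downlink(ue),
    }


if __name__ == "__main__":
    for kind, items in analyze().items():
        print(kind, items)
```

The reconciliation check is the stronger of the two because it does not depend on knowing what an injected message looks like, only on the network being able to attest what it actually sent; the repeat heuristic is a fallback that will also fire on benign retransmissions, so it should be treated as a lead rather than a verdict. The tolerance window is an assumption and would need tuning against the scheduling latency of a real deployment.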

Real-World Impact

Unlike many academic attacks, SNI5GECT works against live commercial 5G networks with off-the-shelf SDRs like the USRP B210. It achieves precise message injection without GPSDO timing hardware by using iterative delay calibration.

Compared to existing tools such as NR-Scope and Falcon, SNI5GECT is unique in combining passive sniffing with state-aware, bidirectional injection. Built in C++ on top of srsRAN, it includes nearly 11,000 lines of code and integrates with the WDissector protocol analyzer.

For defenders, the framework provides a practical, open testbed for evaluating real-world 5G vulnerabilities. By making the entire stack publicly available, the researchers aim to encourage both further study of mobile network security and improved resilience against sophisticated pre-authentication attacks.

Reference:

  1. https://cyberinsider.com/new-sni5gect-attacks-bypass-5g-security-without-rogue-towers/

Cite this article:

Keerthana S (2025), SNI5GECT Exploit Bypasses 5G Security Without Needing Fake Towers, AnaTechMaz, pp.207
