Attackers could exploit flaws in 5G basebands to send fake messages to your contacts, or even trick you into handing over your credentials through a very real-looking website, experts have warned.
At the Black Hat cybersecurity conference, a research group from Pennsylvania State University unveiled its vulnerability-sniffing tool, 5GBaseChecker.
5G basebands are used to connect phones to mobile networks, but they can be exploited to connect them to fake network towers that are run by an attacker.
“Totally silent” attack
The research team, comprising Kai Tu, Yilu Dong, Abdullah Al Ishtiaq, Syed Md Mukit Rashid, Weixuan Wang, Tianwei Wu, and Syed Rafiul Hussain, made its tool available to search for vulnerable Samsung, MediaTek and Qualcomm basebands, which are used by a number of popular phone manufacturers, including the likes of Google, Motorola and Samsung.
Among the possible avenues of attack from the fake base station, Tu highlighted a circumstance in which an attacker could potentially send a very real-looking message from a friend to the victim's phone, opening up the potential for convincing phishing messages to be delivered from a supposedly credible source.
Tu states that once the phone connected to the fake base station, “the security of 5G was totally broken. The attack is totally silent.”
Another potential method of attack using a fake base station could be redirecting the target phone to a fake but very real-looking website, such as a social media site or email login, and then stealing the credentials used to log in. To add further sting to the attack, the base station could also be used to downgrade the target phone to 4G, making it easier to snoop on the device.
So far, most of the vulnerabilities discovered in the basebands have been patched by the manufacturers, with spokespeople for both Samsung and Google telling TechCrunch that the flaws in their devices were now patched.