5Ghoul Revisited: Three Months Later
About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary [1]. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability.
Patch updates have been made concerning the various products listed in Table 1 [1]. However, older models tend not to receive security updates due to the end of security patch support. Additionally, some vendors do not publicly make their firmware patch information available, which poses a challenge when ascertaining if affected products were patched. The updated Table 1 below shows the current patch status as of the publication of this diary entry:
| Vendor/Product |
5G Modem
|
Type
|
Firmware/Software Version |
CVE ID
|
Patch Status
|
|---|---|---|---|---|---|
|
Quectel RM500Q-GL
|
Qualcomm X55
|
USB Modem
|
Aug 03 2021
|
CVE-2023-33042 |
Unclear* |
|
Simcom SIM8202G
|
Qualcomm X55
|
USB Modem
|
SIM8202G-M2_V1.2
|
CVE-2023-33042 |
Unclear* |
|
Fibocom FM150-AE
|
Qualcomm X55
|
USB Modem
|
89602.1000.00.04.07.20
|
CVE-2023-33042 |
Unclear* |
|
Telit FT980m
|
Qualcomm X55
|
USB Modem
|
38.23.001-B001-P0H.000640 |
CVE-2023-33042 |
Unclear* |
|
OnePlus Nord CE 2 5G
|
MediaTek Dimensity 900 5G
|
Smartphone
|
M_V3_P10 |
CVE-2023-20702 |
CVE-2023-20702 fixed* |
|
Xiaomi Redmi K40
|
MediaTek Dimensity 1200 5G
|
Smartphone
|
MOLY.NR15.R3.TC8.PR2.SP.V2.1.P70
|
CVE-2023-20702 |
Unpatched* |
|
Asus ROG Phone 5s |
Qualcomm X60
|
Smartphone
|
M3.13.24.73-Anakin2
|
CVE-2023-33042 |
End of Support - no more patches available* |
For modem devices such as Telit FT980m, Simcom SIM8202G, Fibocom FM150-AE and Quectel RM500Q-GL, their patch status is unclear as firmware patch information is not publicly available. I had tried to find out more about the devices that were tested, but it appears that there were few discussions with respect to 5Ghoul from the tested device brands. Quectel did have a query in their forums (sighted previously and visible from Google search results), but unfortunately, their website was down. Interestingly, Sierra Wireless (a company that had used the affected Qualcomm chipset) released a Security Advisory on their website, although their products were not used to evaluate 5Ghoul vulnerabilities [4].
As highlighted in the previous diary, all 5Ghoul vulnerabilities have had their patches released by Qualcomm/MediaTek [1]. The Android project has also implemented the fixes for the CVEs in the following order:
November 2023: MediaTek fix for CVE-2023-20702 [5]
January 2024: Qualcomm fixes for CVE-2023-33043 and CVE-2023-33044 [6]
February 2024: MediaTek fixes CVE-2023-32842, CVE-2023-32841 and CVE-2023-32843 [7]
March 2024: Qualcomm fix for CVE-2023-33042 [8]
There is also interesting trivia about the CVEs being addressed. One might have noted that CVE-2023-32844, CVE-2023-32846 and CVE-2023-32845 were not listed. According to MediaTek and having sighted the correspondence between MediaTek and the 5Ghoul researchers, fixes for the three previously mentioned CVEs were addressed altogether in CVE-2023-32841.
Unfortunately, it appears that the most significant delay and uncertainties lie with the vendors who have yet to implement the fixes released by MediaTek and Qualcomm. Although the Android project has had all the patches nailed down (which means Google Pixel phones that are still being supported would get the fixes first), the fragmented ecosystem of various Android phone brand models could add time for patches to be implemented. Some older device models also no longer receive updates, so it is safe to presume they would be susceptible to 5Ghoul attacks. These attacks have yet to be widely prevalent, but they will surely be annoying if one gets targeted. If you are using a mobile device that will no longer have any security updates, consider whether one can accept the inconveniences of being affected by 5Ghoul attacks (note that proof-of-concept code is available [9]). In the context of organizations that depend heavily on 5G communications (such as the Industrial Internet of Things) and are using hardware listed in Table 1 or the vulnerable 5G modems that had been identified, it is highly recommended that the business owners evaluate the risks and impact of disruptions caused by 5Ghoul and the relevant mitigations that can be adopted.
References:
[1] https://isc.sans.edu/diary/30462
[2] https://community.oneplus.com/thread/1514600069267980292
[3] https://miuirom.org/phones/redmi-k40
[4] https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2024-001/
[5] https://source.android.com/docs/security/bulletin/2023-11-01
[6] https://source.android.com/docs/security/bulletin/2024-01-01
[7] https://source.android.com/docs/security/bulletin/2024-02-01
[8] https://source.android.com/docs/security/bulletin/2024-03-01
[9] https://github.com/asset-group/5ghoul-5g-nr-attacks
-----------
Yee Ching Tok, Ph.D., ISC Handler
Personal Site
Mastodon
Twitter
Comments