HackerTrans
TopNewTrendsCommentsPastAskShowJobs

5Ghoul: Unleashing Chaos on 5G Edge Devices(asset-group.github.io)

137 points·by rho138·3 lata temu·24 comments
asset-group.github.io
5Ghoul: Unleashing Chaos on 5G Edge Devices

https://asset-group.github.io/disclosures/5ghoul/

26 comments

neverrroot·3 lata temu
Happy to see these things getting more attention, they are a critical part of the modern mobile devices.
osy·3 lata temu
They are all denial of service bugs. I.e. crashes/hangs. No remote code execution or disclosure of sensitive data.

Glad they were able to figure out the branding though.
jdiff·3 lata temu
> Glad they were able to figure out the branding though.

That's pretty obviously something someone threw together in a few minutes after grabbing a few [0] random images from the internet. This isn't one of those exploit sites with more effort poured into marketing than the exploits themselves.

[0] https://www.flaticon.com/free-icon/ghost_1227567
coldpie·3 lata temu
The vulnerability branding trend is stupid, but I'm not sure it's worse for communicating what you're talking about than "CVE-2023-129038, 109239, and 120993" or "Those 5G vulnerabilities from uh I think 2022 or 2023? No not those, the other ones." Is there a better method?
fragmede·3 lata temu
I don't think it's stupid because I can't, off the top of my head, tell you the CVE number for Heartbleed, despite being very involved with it for a couple of weeks.

Heartbleed I remember, along with Spectre/Meltdown, but I couldn't name the weak exploits that turn out to be nothing burgers. Log4j could have used a brand though, imo.
andrewxdiamond·3 lata temu
How often do you need CVE numbers while simultaneously being unable to google for the CVE number?
genmud·3 lata temu
Because everyone called it heartbleed.

I still remember some of the big ones like MS03-026/031, MS08-067, CVE-2005-1042.
bryancoxwell·3 lata temu
> No [...] disclosure of sensitive data.

Not directly, but downgrading to LTE would almost certainly force a UE to expose its IMSI at least.
gafage·3 lata temu
You don't need a baseband exploit for that, just a jammer.
zapcto·3 lata temu
> At least two other vulnerabilities are not disclosed yet due to confidentiality.
fulafel·3 lata temu
They observed just crashes and they didn't try to research exploitability. Absent more details, and knowing the usual exploitability distribution of C crash bugs, this would seem in doubt still.
[deleted]·3 lata temu
snvzz·3 lata temu
Proprietary, audit-unfriendly blobs.

It should be no surprise the code is crap quality, like the fw in those Polish trains, although those had malware to boot.

And then, the protocols themselves are encumbered. GSM is a disaster in general.
cogman10·3 lata temu
I hate that this is status quo for mobile hardware. And almost certainly just to enforce artificial support boundaries to sell more hardware.
hedora·3 lata temu
It also enables a lot of surveillance and prevents innovation in cell phone business models. Imagine what things would be like if you could connect any compatible device to the phone network for the same price.

The land line network used to work like the cell network does today. Early home computer networks, and then later, home internet were enabled by the court ruling that said the phone company couldn't block you from plugging modems in (or charge more for the same copper wire if you did plug a modem in).

California network neutrality laws supposedly ban discrimination against devices as well as against web sites, but it's either unenforced, or there is a loophole.
cduzz·3 lata temu
So -- to a large degree you're right.

But also, with the history of actually open protocols such as SMTP, the opportunity for abuse is enormous. The mobile phone system is abused right now by manufacturers, vendors, and "the surveillance state", but being open may just end up with us in a state where all that is true and there's a limitless slurry of effluent from semi-anonymous bad faith actors.
hedora·3 lata temu
I think Signaling System 7 (what the phone networks use) might be the only widely-used communication protocol that's more open to abuse than SMTP.

With SS7, not only can you spoof any phone number, but you can cause the other end of the network connection to wire money without getting their prior authorization!

This is improved somewhat by STIR/SHAKEN, but, even with that, the state of the art is worse than SMTP.
JohnFen·3 lata temu
In a prior life, I did a lot of work with SS7. I was dumbfounded by how insecure it is.
mschuster91·3 lata temu
Like SMTP, BGP or most "ancient" network protocols, it was built on completely different assumptions about who was actually allowed to connect to the network, and therefore trustability.

Unfortunately, there is way too much old gear around, probably hundreds of billions of dollars worth, so instead of actually rebuilding communications systems we're forced to bolt on security (and features, like with IPv6) onto an extremely large pile of ossified bull dung.
cogman10·3 lata temu
SMTP has no authentication, authorization, or encryption built in. GSM and the verizon standard do. SMTP abuse is entirely down to you being able to fire and forget a message without any sort of acceptance criteria for downstream systems.

Anyone abusing the mobile network runs the risk of their provider pulling the plug and disabling their access.
gruez·3 lata temu
> Imagine what things would be like if you could connect any compatible device to the phone network for the same price.

Can't you already do that today? Just swap your sim card.
ksjskskskkk·3 lata temu
you are way out of date on how bad things are.

just moving sim card to another phone will completely block you any access until you "reactivate" in the majority of telcos around the world.
gruez·3 lata temu
>just moving sim card to another phone will completely block you any access until you "reactivate" in the majority of telcos around the world.

Mind listing those countries? One source[1] for the US says that statement is only true for 1 of the 3 major telecoms. One of the other two requires an approved device to activate the sim, but otherwise doesn't care, and the other doesn't care as long as the device supports VoLTE.

[1] https://prepaid-data-sim-card.fandom.com/wiki/United_States#...
genmud·3 lata temu
Its status quo for almost all hardware. Your computers firmware/boot stack has probably some of the buggiest and error prone software you have running near you, unless you happen to be sitting in your car.

It feels like a damn miracle anything actually works.
[deleted]·3 lata temu
jruohonen·3 lata temu
Seems bad enough, although most seem plain DoS. Even with that, the fun may start soon and continue for a long time because most of these are never patched. (That said, I didn't read close enough to deduce how realistic exploitation is.)