Hidden vulns in 5G basebands: Using AI and pre-auth messages to hack 64 modems π±β―πΌπ¨π€
A group of academic security researchers from the US shared the design of a framework that helped them find seven new vulnerabilities in the 5G baseband firmware of mobile phones - using deep AI analysis of Radio Resource Control configuration messages.
The idea is quite brilliant: RRC messages are not encrypted and may have valid syntax for the initial ASN.1 parser, yet still contain payloads or data that, deeper in the 3GPP specifications, can cause crashes or, in the worst case, even more serious damage.
Of course, to catch those, one needs to run an enormous amount of code fuzzing, remember the 3GPP specifications very well, or use AI that can analyze the collected RRC messages and see how they are processed throughout the entire 3GPP specification. :)
Quite a cool idea with a very practical results:
7 previously unknown flaws
3 high-severity CVEs
Confirmed impact across 64 chipset models
Impact on 542 commercially available smartphone models
Enjoy the read, and remember that a message does not need to be malformed to be dangerous. Somewhere down the processing line, it can take a wrong turn and crash the whole system. :)
More details:
Semantics Over Syntax: Uncovering Pre-Authentication 5G Baseband
Vulnerabilities [PDF]: https://www.usenix.org/system/files/conference/usenixsecurity26/sec26_prepub_huang-qiqing.pdf
Artifacts for the research [Zenodo]: https://zenodo.org/records/17984912


