
When a team of researchers from the Singapore University of Technology and Design (SUTD) presented Sni5Gect at the 34th USENIX Security Symposium, they did more than publish an academic paper. They exposed a practical window in 5G New Radio (NR) behaviour where an attacker can observe ongoing protocol exchanges and, in some cases, inject spoofed messages that the handset will accept, all without running a rogue base station. That last detail removes a major logistical barrier to over-the-air attacks, and it forces a rethink of how we model risk at the very moment a device is trying to get on the network.
Sni5Gect is a research framework: an engineered set of tools and techniques that can sniff control-plane messages in real time and craft downlink messages timed to the right protocol state so a User Equipment (UE) will accept them.
The team released a public codebase and evaluation artifacts so other researchers and operators can reproduce, test, and defend against the techniques. That openness matters: it lets defenders validate the threat, but it also raises the unavoidable trade-off between disclosure and potential misuse.
Key takeaways
- Sni5Gect is a publicly disclosed research framework that can sniff 5G NR control-plane messages and inject timed downlink messages without a rogue base station.
- The framework exposes a vulnerable “pre-authentication” window in real-world 5G connections; attacks demonstrated include device crashes, fingerprinting, and multi-stage downgrades to 4G.
- Researchers achieved high success rates in controlled tests (sniffing accuracy often >80–90%, injection success frequently 70–90% at short range), but practical reach and precision are limited by radio conditions and protocol constraints.
- SUTD released code, test data, and Docker images for reproducibility; the project is intended for research and defensive testing, and some dangerous exploit sequences were withheld from the public tree.
- Operators should treat this as a prompt to harden monitoring during the initial connection steps, accelerate relevant patching, and expand anomaly detection for unexpected downlink messages. GSMA has acknowledged the risk with a coordinated vulnerability disclosure identifier.
What is Sni5Gect?
Sni5Gect is a research toolkit that chains two capabilities: (1) capturing live 5G NR control-plane messages from the air and (2) sending crafted downlink control-plane messages that align with the timing and state expected by a target UE. The method relies on careful synchronization and state tracking so that an injected message looks legitimate when the handset receives it. That combination (passive observation followed by timely injection) is what makes the technique noteworthy.
Historically, many practical over-the-air 5G attacks required a rogue gNodeB (a malicious base station). Running a rogue station is noisy, expensive, and easier to detect. Sni5Gect demonstrates that an attacker can accomplish some of the same objectives without pretending to be the network. That lowers the operational bar for certain attacks, making them potentially stealthier and more scalable in specific settings (for example, dense urban areas or near critical infrastructure).
Importantly, Sni5Gect operates in the pre-authentication phase of the connection, before the Security Mode Command activates integrity protection, where some exchanges are still cleartext by design. Those unprotected exchanges are necessary for basic radio resource negotiation and service setup, but they also create a predictable surface that the framework exploits.
How Sni5Gect Framework Works (high level)
The Sni5Gect authors break the system into modular pieces that reflect the stages of a normal 5G exchange: synchronization, broadcast decoding, per-UE tracking, uplink/downlink message processing, and downlink injection. That modular approach lets the software maintain the right protocol state for each tracked device and time injected messages precisely. The public documentation and paper describe these components conceptually; the released artifacts include code and evaluation data for reproducibility.
The framework's novelty is not a single trick but the orchestration: it combines radio synchronization and control-plane parsing with a message injection engine that only speaks when the protocol state suggests the UE will accept a downlink message. Practically, that lets researchers demonstrate three categories of attacks: one-shot crashes or rejects, response-based fingerprinting where the tool elicits and observes a device response, and multi-stage downgrade sequences that push the UE to fall back to older, weaker technologies.
The team evaluated Sni5Gect against multiple commercial devices and base station implementations in lab settings. They report high detection and injection rates at short distances, results that validate the concept without implying universal success under all field conditions. Radio propagation, interference, and vendor-specific protocol quirks still constrain practical performance.
What the Researchers Demonstrated (Attacks and Real-World Results)
The published work and accompanying reports describe several concrete outcomes that are useful for threat modeling:
- Device crash and immediate downgrade: Injected messages timed to specific states triggered rejections or crashes on some handsets, which caused them to reconnect under weaker configurations. These are “one-shot” attacks that rely on precise timing.
- Fingerprinting and identity harvesting: By injecting messages that provoke predictable responses, the framework can help an observer correlate protocol behavior to specific device models or subscribers, useful for tracking or reconnaissance.
- Multi-stage downgrade (industry-acknowledged): The researchers disclosed a multi-stage downgrade attack that uses a crafted authentication sequence to induce handset behavior that prefers 4G. GSMA acknowledged the risk and assigned a coordinated vulnerability disclosure identifier. That underscores the industry relevance of the finding.
Across lab tests, the authors reported sniffing accuracy often above 80–90% for certain message types and injection success commonly in the 70–90% range at short range. Those figures validate the concept but should not be read as a universal metric for all environments: distance, building materials, and competing radio signals materially affect real-world performance.
What Sni5Gect Cannot Do and Practical Limitations
While the publicity around Sni5Gect has been dramatic, the framework has clear limits that matter for defenders and risk assessments:
- Not a universal remote control: The framework targets specific pre-authentication messages and timed windows. It cannot read or modify user traffic once security has been activated, so it is not a general-purpose man-in-the-middle for arbitrary subscriber data.
- Range and environment sensitive: Radio conditions matter. The reported success rates were measured in controlled setups and at modest distances. Urban clutter, managed spectrum, and base station power levels reduce the effective envelope for such techniques.
- RNTI and protocol limits: Device tracking in the framework keys on temporary radio identifiers (such as the RNTI) and protocol state, which limits the attacker's ability to uniquely identify a subscriber long term without additional correlation data.
- Responsible withholding: The research team deliberately withheld some exploit sequences from public release and framed the codebase for defensive testing and validation; that mitigates some, but not all, risk from public disclosure.
These limitations don't make the project irrelevant; they simply frame the conditions where Sni5Gect is most potent: relatively close proximity, careful timing, and scenarios where pre-authentication replies reveal useful state. For critical infrastructure or high-value targets in close quarters, those constraints are less comforting.
What Operators and Defenders Should Do
Sni5Gect is a concrete reminder that network security isn’t only a matter of cryptography: it’s also operational. Here are pragmatic steps teams can (and should) take.
- Harden the initial connection visibility and monitoring. Instruments that monitor anomalous downlink control-plane messages, especially during the registration and authentication windows, can detect injections or protocol anomalies early. Network operators should extend telemetry to those earlier stages and incorporate rules that flag odd timing patterns or messages from unexpected physical sectors.
- Validate and patch baseband and core stacks. Vendor firmware and core network components sometimes include protocol fallbacks or behavioural quirks that Sni5Gect exploits. Work with vendors to prioritize patches for any vulnerabilities tied to pre-authentication handling. Where GSMA or vendor advisories exist, apply mitigations promptly.
- Improve anomaly detection and correlation. Combine radio-layer anomalies with higher layer indicators (e.g., unexpected re-registrations, bursty authentication failures) so that localized sniff-and-inject attempts trigger operational responses. Correlating radio telemetry with subscriber behaviour reduces false positives and accelerates triage.
- Limit attack surface where possible. Design network acceptance policies to require integrity checks before key transitions; where refinements to protocol state handling are possible, prefer patterns that reduce exploitable pre-auth windows. Industry bodies already discuss bidding-down and downgrade mitigations; operators should track and adopt those recommendations.
- Use research releases defensively. The Sni5Gect codebase and dataset exist to help operators test real systems. Use those artifacts in controlled lab tests to validate local equipment behaviour and to tune IDS/IPS rules, but only in regulated, legal test environments with proper authorization.
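As an added example (not code from the Sni5Gect project or its authors), the following Python sketch shows both halves of the point made in the "How Sni5Gect Framework Works" section and in the monitoring steps above: a per-UE tracker of the cleartext registration states, which is exactly what tells an injector which downlink messages a handset will currently accept, and three operator-side checks run over a constructed trace. The message names follow the RRC/NAS registration flow, but the state machine is a deliberate simplification; the `origin` field is an assumed transmitter fingerprint attached by a radio probe, and the trace, RNTIs and thresholds are made up.

```python
"""Per-UE 5G control-plane state tracking with injection-oriented checks.

Illustrative only: a simplified sketch of the RRC/NAS registration sequence,
not a conformant decoder. The trace below is constructed by hand.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

UL, DL = "UL", "DL"
REJECTS = {"RegistrationReject", "AuthenticationReject"}

# Transitions a passive tracker can follow before security is activated.
NEXT_STATE = {
    ("IDLE", UL, "RRCSetupRequest"): "RRC_SETUP_PENDING",
    ("RRC_SETUP_PENDING", DL, "RRCSetup"): "RRC_CONNECTED",
    ("RRC_CONNECTED", UL, "RegistrationRequest"): "REGISTERING",
    ("REGISTERING", DL, "AuthenticationRequest"): "AUTH_PENDING",
    ("REGISTERING", DL, "RegistrationReject"): "IDLE",
    ("AUTH_PENDING", UL, "AuthenticationResponse"): "AUTHENTICATED",
    ("AUTHENTICATED", DL, "AuthenticationReject"): "IDLE",
    ("AUTHENTICATED", DL, "SecurityModeCommand"): "SECURED",
}
# Downlink messages a UE acts on in each state. Everything before SECURED is
# cleartext, which is the window a sniff-and-inject tool has to hit.
ACCEPTED_DL = {
    "RRC_SETUP_PENDING": {"RRCSetup"},
    "REGISTERING": {"AuthenticationRequest", "RegistrationReject"},
    "AUTHENTICATED": {"SecurityModeCommand", "AuthenticationReject"},
}


@dataclass(frozen=True)
class Alert:
    t_ms: int
    rnti: int
    rule: str
    detail: str


def injection_window(state):
    """Downlink messages a UE in `state` would accept without protection."""
    return set() if state == "SECURED" else ACCEPTED_DL.get(state, set())


def analyse(trace, burst_window_ms=1000, burst_threshold=2):
    """Replay (t_ms, rnti, direction, msg, origin) records and return alerts.

    `origin` is an assumed coarse transmitter fingerprint from a radio probe
    (e.g. physical cell ID plus timing bucket); the serving cell is the origin
    of the RRCSetup that answered the UE.
    """
    state = defaultdict(lambda: "IDLE")
    serving = {}               # rnti -> origin of its RRCSetup
    recent_rejects = deque()   # timestamps of rejects across all UEs
    alerts = []
    for t, rnti, direction, msg, origin in sorted(trace):
        cur = state[rnti]
        if direction == DL:
            # Rule 1: the UE would not act on this message in its current state.
            if msg not in injection_window(cur):
                alerts.append(Alert(t, rnti, "out_of_state_dl", f"{msg} while UE in {cur}"))
            # Rule 2: in-state message, but not from the transmitter that serves this UE.
            if msg == "RRCSetup":
                serving[rnti] = origin
            elif serving.get(rnti, origin) != origin:
                alerts.append(Alert(t, rnti, "origin_mismatch",
                                    f"{msg} from {origin}, serving cell {serving[rnti]}"))
            # Rule 3: higher-layer correlation, a burst of rejects in a short window.
            if msg in REJECTS:
                recent_rejects.append(t)
                while t - recent_rejects[0] > burst_window_ms:
                    recent_rejects.popleft()
                if len(recent_rejects) >= burst_threshold:
                    alerts.append(Alert(t, rnti, "reject_burst",
                                        f"{len(recent_rejects)} rejects in {burst_window_ms} ms"))
        nxt = NEXT_STATE.get((cur, direction, msg))
        if nxt is not None:
            state[rnti] = nxt
    return alerts


# Constructed trace: (t_ms, rnti, direction, message, origin). RNTIs are made up.
TRACE = [
    (0, 0x4601, UL, "RRCSetupRequest", "pci_100"),       # clean registration
    (4, 0x4601, DL, "RRCSetup", "pci_100"),
    (12, 0x4601, UL, "RegistrationRequest", "pci_100"),
    (40, 0x4601, DL, "AuthenticationRequest", "pci_100"),
    (58, 0x4601, UL, "AuthenticationResponse", "pci_100"),
    (80, 0x4601, DL, "SecurityModeCommand", "pci_100"),
    (100, 0x4602, UL, "RRCSetupRequest", "pci_100"),     # well-timed reject, wrong source
    (104, 0x4602, DL, "RRCSetup", "pci_100"),
    (112, 0x4602, UL, "RegistrationRequest", "pci_100"),
    (114, 0x4602, DL, "RegistrationReject", "unknown_tx"),
    (350, 0x4602, UL, "RRCSetupRequest", "pci_100"),     # UE comes back
    (200, 0x4603, UL, "RRCSetupRequest", "pci_100"),     # mistimed injection
    (204, 0x4603, DL, "RRCSetup", "pci_100"),
    (212, 0x4603, UL, "RegistrationRequest", "pci_100"),
    (213, 0x4603, DL, "SecurityModeCommand", "pci_100"),
    (400, 0x4604, UL, "RRCSetupRequest", "pci_100"),     # second reject -> burst
    (404, 0x4604, DL, "RRCSetup", "pci_100"),
    (412, 0x4604, UL, "RegistrationRequest", "pci_100"),
    (414, 0x4604, DL, "RegistrationReject", "unknown_tx"),
]

if __name__ == "__main__":
    for alert in analyse(TRACE):
        print(alert)
```

The second UE shows why the article insists on radio-layer telemetry: its RegistrationReject is in-state and cleartext, so a purely protocol-level check passes it, and only the origin mismatch (and later the burst of rejects) gives it away. The first rule, by contrast, catches an injector that guessed the state wrong, which is the failure mode behind the "precise timing" caveat in the results.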
Ethics, Disclosure, and the Balance of Openness
The Sni5Gect story is also a case study in responsible research disclosure. The team published a paper and released tools but withheld a subset of potentially damaging exploit sequences. They coordinated with industry groups and documented the risk so operators could respond. That approach, publishing enough to demonstrate a real threat and preserve the community's ability to defend while withholding the most dangerous, exactly repeatable recipes, is a defensible middle ground.
Still, public releases of capability always carry risk. The net effect depends on how quickly operators patch, how well detection improves, and whether opportunistic adversaries can adapt the techniques to field constraints. That uncertainty is why GSMA and national regulators will take a renewed interest in pre-authentication robustness and why vendor timelines for firmware updates should receive scrutiny.
Research and Policy Implications
Sni5Gect is unlikely to be the last research project that surfaces a subtle but material attack path in 5G. The architecture of cellular systems, where radios negotiate capabilities, bandwidth, and identity before a secure channel is fully established, creates recurring design choices that trade convenience for exposure. The immediate policy implication is not to rip out functionality but to invest in layered defenses: better telemetry, more secure protocol defaults, and vendor practices that minimize pre-auth surprises.
Sni5Gect is a useful, reproducible benchmark: it provides datasets, Docker images, and an open code base so that other teams can test mitigations, develop detection rules, or propose protocol improvements. It’s also a call to treat pre-authentication behaviour as part of the attack surface, not as a benign implementation detail.
Closing Reframing
Sni5Gect doesn't break the promise of 5G; it clarifies the engineering tradeoffs that underlie that promise. The vulnerability window it demonstrates is not some esoteric academic curiosity; it's an operational reality that can be exploited under certain conditions.
The right response is proportionate: take the research seriously, test networks where possible, prioritize vendor fixes that address pre-authentication fragility, and build monitoring that covers the earliest moments of every connection. That combination reduces risk without undermining the benefits of mobile broadband.
References For Further Reading
- Luo, S., Garbelini, M. E., Chattopadhyay, S., & Zhou, J. “Sni5Gect: A Practical Approach to Inject aNRchy into 5G NR.” USENIX Security 2025 (paper and PDF).
- Sni5Gect project repository and public site (ASSET Research Group / GitHub).
- Zenodo: Sni5Gect dataset and Docker artifacts for reproducibility.
- SecurityWeek coverage: “Novel 5G Attack Bypasses Need for Malicious Base Station.”
- The Register: “Boffins release 5G traffic sniffing tool” (analysis and commentary).