Cracking the 5G Fortress: Peering Into 5G's Vulnerability Abyss
This talk demonstrates an automated black-box testing framework, 5GBaseChecker, designed to identify security policy violations in 5G user equipment (UE) baseband implementations. By utilizing differential testing and finite state machine (FSM) synthesis, the researchers uncovered 13 vulnerabilities across five major baseband vendors and two open-source implementations. The presentation highlights critical flaws such as 5G AKA bypass, which allows attackers to perform unauthorized SMS injection and internet traffic eavesdropping. The tool is released as an open-source project to assist penetration testers in identifying similar protocol implementation flaws.
How 5G Baseband Flaws Allow Silent SMS Injection and Traffic Eavesdropping
TLDR: Researchers at Black Hat 2024 unveiled 5GBaseChecker, an automated black-box testing tool that identifies protocol implementation flaws in 5G basebands. By using differential testing and finite state machine synthesis, the team discovered 13 vulnerabilities across five major vendors, including critical authentication bypasses. These flaws allow attackers to perform silent SMS injection and intercept internet traffic without any user interaction or device notification.
Mobile security research often focuses on the application layer or the OS kernel, but the baseband remains a black box for most security professionals. This is a massive oversight. The baseband is essentially a separate computer running its own proprietary real-time operating system, handling the complex, stateful 5G protocol stack. When that stack is implemented incorrectly, the entire device security model collapses. The research presented at Black Hat 2024 proves that even with the rigorous standards set by 3GPP, commercial baseband vendors are shipping code riddled with logical flaws that bypass fundamental security controls.
The Mechanics of the 5G AKA Bypass
At the heart of this research is the 5G Authentication and Key Agreement (AKA) procedure. Under normal conditions, this process ensures mutual authentication between the user equipment and the network. If this handshake fails, the device should never receive service. However, the researchers found that by manipulating the state machine of the baseband, they could force the device into a state where it accepts service without completing the authentication handshake.
This is not a memory corruption bug that requires complex heap grooming. It is a logic flaw. By crafting specific, out-of-order, or malformed 5G control-plane messages, an attacker can trick the baseband into believing the authentication process was successful. Once the baseband is in this "authenticated" state, it opens the door for the attacker to inject arbitrary data.
The most severe impact demonstrated was the ability to perform silent SMS injection and internet traffic eavesdropping. Because the device believes it is connected to a legitimate network, it will process incoming SMS messages or route traffic through the attacker-controlled fake base station. The user sees no warning, no prompt, and no indication that their connection is compromised. This is the ultimate "silent" attack, and it affects devices carrying CVE-2023-50804 and related vulnerabilities in major chipsets from Samsung, MediaTek, and others.
Differential Testing as a Discovery Engine
Finding these bugs manually is a nightmare because the protocol specifications are thousands of pages long and often ambiguous. The researchers solved this by building 5GBaseChecker, a tool that treats the baseband as a black box. Instead of trying to read the vendor's proprietary code, the tool uses differential testing.
The logic is simple: if you send the same sequence of 5G control-plane messages to two different devices, they should theoretically respond in the same way. When they don't, you have found a deviation. The tool uses a component called StateSynth to construct a Finite State Machine (FSM) for each device based on its observed behavior. By comparing these FSMs, the tool identifies where one implementation deviates from the expected protocol behavior.
This approach is significantly more scalable than traditional fuzzing. While standard fuzzing might hit a crash, it often fails to trigger the subtle logic errors that lead to authentication bypasses. By mapping the state machine, the researchers could identify "illegal" transitions that the baseband should have rejected but instead accepted.
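The differential step described above, reduced to its core, as an added example (not code from 5GBaseChecker or the talk): two state machines are compared by walking their product automaton breadth-first and reporting the shortest message sequence on which their outputs diverge. Both machines are constructed toy models with abstract message labels rather than real NAS encodings; REFERENCE follows the expected order (authenticate, then security mode, then registration) and DEVIANT is a hypothetical implementation with a single illegal transition.

```python
"""Differential check of two synthesized baseband state machines.

Added example; not code from 5GBaseChecker or the Black Hat talk. REFERENCE
and DEVIANT are constructed toy models, and the message labels are abstract.
"""
from collections import deque
import copy

# FSM representation: state -> {input message: (next state, output message)}
REFERENCE = {
    "IDLE": {
        "AUTH_REQ":   ("AUTH_PENDING", "AUTH_RESP"),
        "SMC":        ("IDLE", "REJECT"),        # no authentication yet: refuse
        "REG_ACCEPT": ("IDLE", "IGNORE"),
    },
    "AUTH_PENDING": {
        "AUTH_REQ":   ("AUTH_PENDING", "AUTH_RESP"),
        "SMC":        ("SECURED", "SMC_COMPLETE"),
        "REG_ACCEPT": ("AUTH_PENDING", "IGNORE"),
    },
    "SECURED": {
        "AUTH_REQ":   ("SECURED", "AUTH_RESP"),
        "SMC":        ("SECURED", "SMC_COMPLETE"),
        "REG_ACCEPT": ("REGISTERED", "REG_COMPLETE"),
    },
    "REGISTERED": {
        "AUTH_REQ":   ("REGISTERED", "AUTH_RESP"),
        "SMC":        ("REGISTERED", "SMC_COMPLETE"),
        "REG_ACCEPT": ("REGISTERED", "REG_COMPLETE"),
    },
}

# Hypothetical deviant implementation: identical to REFERENCE except that it
# accepts a security mode command while still unauthenticated.
DEVIANT = copy.deepcopy(REFERENCE)
DEVIANT["IDLE"]["SMC"] = ("SECURED", "SMC_COMPLETE")


def run(fsm, inputs, start="IDLE"):
    """Replay a message sequence on one FSM and return the outputs it emits."""
    state, outputs = start, []
    for msg in inputs:
        state, out = fsm[state][msg]
        outputs.append(out)
    return outputs


def find_deviations(ref, impl, start="IDLE", max_depth=6):
    """Breadth-first search over the product of the two FSMs.

    Returns (sequence, reference_state, reference_output, impl_output) for
    every shortest input sequence on which the two machines answer differently.
    A divergence is not explored further: the implementations are already out
    of sync at that point.
    """
    alphabet = sorted({m for trans in ref.values() for m in trans})
    seen = {(start, start)}
    queue = deque([((start, start), ())])
    deviations = []
    while queue:
        (rs, ds), prefix = queue.popleft()
        if len(prefix) >= max_depth:
            continue
        for msg in alphabet:
            rn, ro = ref[rs][msg]
            dn, do = impl[ds][msg]
            seq = prefix + (msg,)
            if ro != do:
                deviations.append((seq, rs, ro, do))
                continue
            if (rn, dn) not in seen:
                seen.add((rn, dn))
                queue.append(((rn, dn), seq))
    return deviations


if __name__ == "__main__":
    for seq, state, ro, do in find_deviations(REFERENCE, DEVIANT):
        print(f"after {list(seq)} in state {state}: reference={ro} impl={do}")
```

The single finding the search reports is the transition a tester would flag as an illegal state change: the reference refuses the message in its initial state while the deviant model proceeds as if authentication had completed. Replaying the same two-message sequence on both models with `run` shows the consequence at the output level, which is the observable a black-box harness has to work from.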
Pentesting the Baseband
For a penetration tester, this research changes the game. If you are tasked with assessing the security of an IoT device or a mobile handset, you can no longer ignore the baseband. The OWASP Mobile Application Security Verification Standard (MASVS) has long emphasized the importance of secure communication, but these findings suggest that the transport layer itself is the primary attack surface.
During an engagement, you should look for devices that fail to properly validate the Security Header Type (SHT) in incoming NAS messages. If a device accepts an SHT that is inappropriate for its current connection state, it is likely vulnerable to the same class of logic flaws. You can use the researchers' tool to generate these state-violating sequences and observe if the device attempts to establish a PDU session or process the payload.
The impact of these vulnerabilities is high because they fall squarely under A07:2021, Identification and Authentication Failures, in the OWASP Top 10. If the authentication layer is bypassed, the entire chain of trust for the device is effectively nullified.
Defensive Considerations
Defending against these attacks is difficult because the vulnerability lies in the baseband firmware, which is usually a closed-source blob provided by the chipset vendor. Patching requires the vendor to acknowledge the flaw, fix the state machine logic, and push an Over-the-Air (OTA) update to the device.
For organizations, the best defense is to implement network-level monitoring that can detect anomalous baseband behavior. If a device attempts to establish a connection without a valid AKA handshake, the network should be configured to drop the connection immediately. Furthermore, developers building 5G-enabled hardware should prioritize vendors that provide transparent security disclosures and regular firmware updates.
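The two checks named on this page, a Security Header Type that does not fit the current security state and session setup without a completed AKA handshake, can be expressed as a small per-UE conformance monitor. The code below is an added example, not the talk's tooling or anything the researchers released. It assumes a constructed, simplified log format and a simplified policy: before a security context exists, only the security mode exchange may carry a "new context" SHT (3 for the command, 4 for the complete, following the 3GPP TS 24.501 header values) and everything else must be plain (0); once the context exists, a plain message is an anomaly; and a PDU session may only be set up after both the authentication and security mode exchanges have completed. The full TS 24.501 rules have more cases than this; the example keeps the ones the page discusses.

```python
"""Per-UE NAS conformance monitor over constructed log lines.

Added example, not code from the talk or 5GBaseChecker. The log format, UE ids
and message labels are constructed; the policy is a simplification of the
TS 24.501 rules, reduced to the two checks discussed on the page.
"""
import re
from dataclasses import dataclass

LOG_RE = re.compile(r"ue=(\S+)\s+dir=(ul|dl)\s+msg=(\S+)\s+sht=(\d)")

# Messages that legitimately carry a "new security context" header while the
# context is still being established (simplified assumption for this example).
NEW_CONTEXT_SHT = {"SMC": 3, "SMC_COMPLETE": 4}


@dataclass
class UeState:
    auth_pending: bool = False   # AUTH_REQ seen, AUTH_RESP not yet answered
    auth_done: bool = False      # AUTH_RESP answered an AUTH_REQ
    secured: bool = False        # SMC_COMPLETE followed an authenticated SMC


def check_message(st, direction, msg, sht):
    """Return alert strings for one message, then advance the per-UE state."""
    alerts = []
    if not st.secured:
        expected = NEW_CONTEXT_SHT.get(msg, 0)
        if sht != expected:
            alerts.append(f"sht={sht} (expected {expected}) before a security context exists")
        if msg == "SMC" and not st.auth_done:
            alerts.append("security mode command without a preceding authentication exchange")
    elif sht == 0:
        alerts.append("unprotected message after the security context was established")
    if msg == "PDU_SESSION_EST" and not (st.auth_done and st.secured):
        alerts.append("session setup without completed AKA and security mode exchange")

    # Only well-formed exchanges advance the state; a SMC_COMPLETE that was
    # never preceded by authentication does not count as a security context.
    if msg == "AUTH_REQ" and direction == "dl":
        st.auth_pending = True
    elif msg == "AUTH_RESP" and direction == "ul" and st.auth_pending:
        st.auth_pending, st.auth_done = False, True
    elif msg == "SMC_COMPLETE" and direction == "ul" and st.auth_done:
        st.secured = True
    return alerts


def monitor(lines):
    """Run every log line through the checks; return {ue: [alert, ...]}."""
    states, findings = {}, {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a NAS event line in the constructed format
        ue, direction, msg, sht = m.group(1), m.group(2), m.group(3), int(m.group(4))
        st = states.setdefault(ue, UeState())
        for alert in check_message(st, direction, msg, sht):
            findings.setdefault(ue, []).append(f"{msg}: {alert}")
    return {ue: findings.get(ue, []) for ue in states}


# Constructed sample log: UE A is a clean registration, UE B receives a
# security mode command with no authentication and then tries to set up a
# session, UE C is downgraded to a plain message after securing.
SAMPLE_LOG = [
    "ue=A dir=dl msg=AUTH_REQ sht=0",
    "ue=A dir=ul msg=AUTH_RESP sht=0",
    "ue=A dir=dl msg=SMC sht=3",
    "ue=A dir=ul msg=SMC_COMPLETE sht=4",
    "ue=A dir=dl msg=REG_ACCEPT sht=2",
    "ue=A dir=ul msg=PDU_SESSION_EST sht=2",
    "ue=B dir=dl msg=SMC sht=3",
    "ue=B dir=ul msg=SMC_COMPLETE sht=4",
    "ue=B dir=ul msg=PDU_SESSION_EST sht=2",
    "ue=C dir=dl msg=AUTH_REQ sht=0",
    "ue=C dir=ul msg=AUTH_RESP sht=0",
    "ue=C dir=dl msg=SMC sht=3",
    "ue=C dir=ul msg=SMC_COMPLETE sht=4",
    "ue=C dir=dl msg=REG_ACCEPT sht=0",
]

if __name__ == "__main__":
    for ue, alerts in monitor(SAMPLE_LOG).items():
        print(ue, alerts or "ok")
```

The monitor is deliberately stateful: the same message is legitimate or anomalous depending only on what the UE has already completed, which is exactly why stateless signature matching misses this bug class. A network-side deployment would feed it from the core's NAS trace rather than a constructed list, and the drop-on-alert policy the paragraph above describes would hang off the `PDU_SESSION_EST` finding.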
The research presented this year serves as a wake-up call. We have spent years securing the application layer while leaving the underlying radio protocols wide open. As 5G becomes the backbone for critical infrastructure, from autonomous vehicles to industrial control systems, these baseband logic flaws will become the primary target for anyone looking to gain persistent, silent access to a network. Start looking at the baseband now, before the attackers do.