5G presents numerous advantages compared to previous generations: higher throughput, lower latency, and improved privacy protection for subscribers. Attacks against 5G standalone (SA) commonly use fake base stations (FBS), which need to operate at a very high output power level to lure victim phones into connecting to them and are thus highly detectable. In this paper, we introduce 5Gone, a powerful software-defined radio (SDR)-based uplink overshadowing attack method against 5G-SA. 5Gone exploits deficiencies in the 3GPP standard to perform surgical, covert denial-of-service, privacy, and downgrade attacks. Uplink overshadowing means that an attacker transmits at exactly the same time and frequency as the victim UE, but with a slightly higher output power. 5Gone runs on a COTS x86 computer without any need for dedicated hardware acceleration and can overshadow commercial 100 MHz cells with an end-to-end (E2E) latency of less than 500 µs, which up to now has not been possible with any software-based UE implementation. We demonstrate that 5Gone is highly scalable, even when many UEs are connecting in parallel, and finally evaluate the attacks end-to-end against 7 phone models and three different chipset vendors, both in our lab and in the real world on public gNodeBs.