What is 5Ghoul

More importantly, the attacker does not need to be aware of any secret information of the target UE e.g., SIM card details, to reach the beginning of the NAS network registration. The attacker only needs to impersonate the legitimate gNB using the known Cell Tower connection parameters (e.g., SSB ARFCN, Tracking Area Code, Physical Cell ID, Point A Frequency). This can be easily accomplished using freely available applications like Cellular-Pro. Once the attacker is sufficiently close to the target UE and the Received Signal Strength Indicator (RSSI) of the adversarial gNB is higher than the legitimate gNB, the target UE will connect to the adversarial gNB. Then, the UE starts exchanging messages up to step 4 of Figure 1. Procedures that appear later are subjected to failure since key information from UE’s SIM card is unknown. However, throughout the message exchanges, the adversarial gNB can freely manipulate downlink messages to the target UE, opening a window of opportunities to launch attacks at any step of the 5G NR procedures shown in Figure 1.

In practicality, 5Ghoul  vulnerabilities can be easily exploited over-the-air by starting a malicious gNB within radio range of the target 5G UE device. This is a practical setup which relies on using Software Defined Radio (SDR) to behave as a cloned gNB. While USRP B210 used in our setup could be recognized from afar, thus making the attack visually noticeable, such type of equipment has already been miniaturized to the size of a Raspberry Pi . This, in turn, enables the use of SDR for visibly stealthy attacks.

CVE References
CVE-2023-33043
CVE-2023-33044
CVE-2023-33042
CVE-2023-32842
CVE-2023-32844
CVE-2023-20702
CVE-2023-32846
CVE-2023-32841
CVE-2023-32843
CVE-2023-32845

Qualcomm - https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2023-bulletin.html

Research Source - https://asset-group.github.io/disclosures/5ghoul/  

Lab (Threat Testing) - https://github.com/asset-group/5ghoul-5g-nr-attacks