Cyber Shadows: SLAM Strikes at CPU Cores, While 5Ghoul Haunts Mobile Networks


In a recent revelation, researchers from Vrije Universiteit Amsterdam have exposed a side-channel attack named SLAM, capable of compromising kernel memory on current and upcoming CPUs from major players like Intel, AMD, and Arm.

The Intricacies of SLAM Exploit

SLAM stands out as an end-to-end exploit for Spectre, leveraging a distinctive feature in Intel CPUs called Linear Address Masking (LAM), analogous to AMD’s Upper Address Ignore (UAI) and Arm’s Top Byte Ignore (TBI). 

While these features are ostensibly presented as security enhancements, the study reveals an ironic twist – they degrade security and significantly expand the Spectre attack surface.

Understanding the Threat Landscape

SLAM operates as a transient execution attack, a sophisticated method that capitalizes on the microarchitectural side effects of transient instructions. 

This allows malicious entities to access information typically shielded by architectural access control mechanisms.

CPU Vulnerabilities and Impacted Systems

SLAM affects existing AMD CPUs vulnerable to CVE-2020-12965, as well as upcoming CPUs from Intel, AMD, and Arm that support LAM, UAI, and TBI, respectively, with 5-level paging.

Industry Responses and Mitigations

AMD has directed attention to existing Spectre v2 mitigations as a defense against SLAM. On the other hand, Intel plans to offer software guidance before the release of processors with LAM support. 

In the interim, Linux maintainers have proactively developed patches to disable LAM by default.

Arm’s Stance on Mitigations

Arm, while already mitigating against Spectre v2 and BHB, emphasizes that the responsibility to safeguard against Spectre v1 lies with software. 

The techniques employed in SLAM augment existing vulnerabilities, increasing the potential for exploitation.
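
As a host-side check of the mitigations described above, the following added example (not from the original article or from the researchers) reports a Linux machine's Spectre v1/v2 status and whether the CPU exposes LAM and 5-level paging. It assumes the kernel lists these features as the `lam` and `la57` flags in /proc/cpuinfo; the function names and the sample input are constructed for illustration.

```python
"""Report the Linux host state relevant to the SLAM mitigations."""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKED = ("spectre_v1", "spectre_v2")
STATES = (("not affected", "not_affected"), ("mitigation", "mitigated"),
          ("vulnerable", "vulnerable"))

def cpu_flags(cpuinfo: str) -> set:
    """Collect feature names from 'flags' (x86) or 'Features' (arm64) lines."""
    flags = set()
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("flags", "Features"):
            flags.update(value.split())
    return flags

def classify(status: str) -> str:
    """Map a sysfs vulnerability string to a coarse state."""
    s = status.strip().lower()
    return next((state for prefix, state in STATES if s.startswith(prefix)), "unknown")

def audit(cpuinfo: str, vulns: dict) -> dict:
    """Combine CPU feature exposure with the kernel's reported Spectre status."""
    flags = cpu_flags(cpuinfo)
    report = {"lam_exposed": "lam" in flags, "five_level_paging": "la57" in flags}
    for name in CHECKED:
        report[name] = classify(vulns.get(name, ""))
    # Review hosts where LAM is exposed or Spectre v1/v2 is not reported as handled.
    report["needs_review"] = report["lam_exposed"] or any(
        report[n] in ("vulnerable", "unknown") for n in CHECKED)
    return report

def read_host() -> dict:
    """Audit the running machine; missing files yield 'unknown' states."""
    cpuinfo = Path("/proc/cpuinfo")
    text = cpuinfo.read_text() if cpuinfo.exists() else ""
    vulns = {n: (VULN_DIR / n).read_text() for n in CHECKED if (VULN_DIR / n).exists()}
    return audit(text, vulns)

# Constructed sample input (not captured from a real machine).
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse2 la57 lam\n"
SAMPLE_VULNS = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

if __name__ == "__main__":
    print(read_host())
```
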

5Ghoul: A Grave Concern in Mobile Network Security

Security researchers from the ASSET Research Group at the Singapore University of Technology and Design (SUTD) have uncovered a concerning collection of security flaws in the firmware of 5G mobile network modems. 

These vulnerabilities extend their reach to USB and IoT modems, impacting many smartphones running on Android and iOS platforms.

The Menace of 5Ghoul: Scope and Severity

Termed “5Ghoul,” this cluster of 14 flaws, affecting major chipset vendors like MediaTek and Qualcomm, has far-reaching consequences. 

Among the vulnerabilities, 10 target 5G modems, with three classified as high-severity issues. 

The implications are severe: threat actors could exploit these vulnerabilities to disrupt connections, freeze connections so that a manual reboot is required, or even force a downgrade from 5G to 4G connectivity.

The Extensive Impact on Smartphone Models

The ripple effect of 5Ghoul is substantial, affecting a staggering 714 smartphones from 24 prominent brands. 

Brands such as Vivo, Xiaomi, Samsung, Huawei, Apple, and Google find themselves within these vulnerabilities’ ambit, emphasizing the threat’s pervasive nature.

Deception at the Core

The 5Ghoul attacks revolve around deceiving smartphones and 5G-enabled devices into connecting with a rogue base station (gNB). 

The attacker doesn’t need privileged information, such as SIM card details, and instead relies on impersonating a legitimate gNB using known cell tower connection parameters.

Industry Response and Patching Efforts

MediaTek and Qualcomm have responded with patches for 12 of the 14 identified flaws. However, details on the remaining two vulnerabilities are shrouded in confidentiality and set to be disclosed in the future. 

The researchers highlighted the complexity of the patching process, indicating that it can take six months or more for 5G security patches to reach end-users due to dependencies on modem and chipset vendors.

What’s Your Next Strategy?

The SLAM exploit highlights the delicate balance between purported security enhancements and unintended consequences, necessitating a paradigm shift in how we approach CPU architecture. 

Similarly, 5Ghoul’s far-reaching impact on mobile networks emphasizes the urgency for streamlined collaboration among industry stakeholders to expedite the deployment of timely and effective security patches, mitigating potential disruptions.

Author: Marrium Akhtar

Date: December 11, 2023

Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
