5Gone: Uplink Overshadowing Attacks in 5G-SA

📅 2026-02-10
🤖 AI Summary
This work proposes 5Gone, a software-defined radio (SDR)-based uplink jamming attack that addresses the limitations of traditional IMSI-catcher attacks in 5G standalone (SA) networks, namely their high transmission power and ease of detection. Exploiting a vulnerability in the 3GPP standard, 5Gone overlays legitimate user signals with slightly higher-power transmissions on identical time-frequency resources, enabling stealthy denial-of-service, privacy leakage, and network downgrade attacks. Implemented entirely in software on a commercial x86 platform coupled with SDR hardware, 5Gone achieves precise time-frequency synchronization and real-time signal processing to perform low-latency (<500 μs) uplink jamming within a 100 MHz commercial 5G cell without requiring specialized hardware. Experimental validation in both lab and live public network environments demonstrates its effectiveness across seven smartphone models and devices from three major chipset vendors, highlighting its high stealth, scalability, and broad applicability.

📝 Abstract
5G presents numerous advantages compared to previous generations: improved throughput, lower latency, and improved privacy protection for subscribers. Attacks against 5G standalone (SA) commonly use fake base stations (FBS), which need to operate at a very high output power level to lure victim phones to connect to them and are thus highly detectable. In this paper, we introduce 5Gone, a powerful software-defined radio (SDR)-based uplink overshadowing attack method against 5G-SA. 5Gone exploits deficiencies in the 3GPP standard to perform surgical, covert denial-of-service, privacy, and downgrade attacks. Uplink overshadowing means that an attacker is transmitting at exactly the same time and frequency as the victim UE, but with a slightly higher output power. 5Gone runs on a COTS x86 computer without any need for dedicated hardware acceleration and can overshadow commercial 100 MHz cells with an E2E latency of less than 500 μs, which up to now has not been possible with any software-based UE implementation. We demonstrate that 5Gone is highly scalable, even when many UEs are connecting in parallel, and finally evaluate the attacks end-to-end against 7 phone models and three different chipset vendors, both in our lab and in the real world on public gNodeBs.
Problem

Research questions and friction points this paper is trying to address.

5G-SA
uplink overshadowing
denial-of-service
privacy attack
downgrade attack
Innovation

Methods, ideas, or system contributions that make the work stand out.

uplink overshadowing
5G-SA
software-defined radio (SDR)
covert attack
3GPP vulnerability
Simon Erni
ETH Zurich
Martin Kotuliak
PhD Student, ETH Zurich
wireless security
Marc Roeschlin
Unaffiliated
Richard Baker
University of Oxford
systems security, physical-layer, radio
Srdjan Capkun
ETH Zurich