Protecting 5G against IMSI catchers
IMSI catchers are devices used to intercept wireless traffic and trace subscribers by their long-term identifiers (IMSIs). While the phenomenon is often exaggerated, IMSI catchers do pose a threat to subscriber privacy. The ongoing 5G standardization in 3GPP is a golden opportunity to improve subscribers’ privacy by constructing a protocol architecture that protects against IMSI catchers.
Subscriber privacy matters
Before diving into the technology, let’s start by explaining why IMSI catchers and the tracing of subscribers represent such a serious privacy threat. In general, personal information about subscribers has become a valuable commodity, connected with a growing economy of aggressively targeted online advertisements and other industries.
Besides the private sector, the Edward Snowden revelations showed that national intelligence organizations also collect personal information on an unanticipated scale. Apart from the risk that this collection is misused for political purposes, it may also be misused for personal benefit. Thus, privacy has become a significant concern for subscribers when selecting and using digital services today, and justifiably so.
One of the most pressing privacy concerns in mobile networks relates to the subscriber’s long-term identifier, the International Mobile Subscriber Identifier (IMSI). The mobile network uses the IMSI to identify and locate subscribers, for example in order to connect incoming calls. Since the IMSI uniquely identifies a subscriber, it can be misused in today’s mobile networks by malicious third parties to effectively trace subscribers as they move in the physical world.
Benefits of subscriber privacy in 5G networks
Taking the opportunity to improve subscriber untraceability when standardizing 5G benefits subscribers, operators, equipment vendors and application service providers alike. Clearly, subscribers will enjoy increased privacy and be attracted to internet and voice services via mobile networks. In addition, improved subscriber untraceability enables digitization of more privacy sensitive services in society. This increases the market for application services and drives a need for efficient mobile networks providing pervasive connectivity. The latter increases the market for operators and equipment vendors.
While the word untraceable may sound absolute, we use it here in a looser sense, so that a user may be more or less untraceable. The biggest threat to subscriber untraceability in mobile networks is arguably the IMSI catcher.
“IMSI catcher” is the collective name given to devices used to eavesdrop on and track mobile network subscribers. Over the past years they have received much attention from Canada’s CBC News, Norway’s Aftenposten, and The Washington Free Beacon and Vice News in the US, as well as publicity at hacker conferences like DEF CON 24 and Black Hat EU 2015.
Some of these IMSI catchers are only capable of collecting subscribers’ long-term identifiers, hence their name. More advanced IMSI catchers can also eavesdrop on 2G communication. Combined with elaborate attacks against the operators’ interconnect networks they may also eavesdrop on 3G and 4G communication. Like most tools, they can be used for good, such as catching criminals, but also for surveillance of citizens, eavesdropping on business competitors or foreign diplomats and politicians.
While IMSI catchers are primarily used for surveillance, they can also be used to deliver spam SMS and for other activities – in 2G they can essentially mimic all functions of a complete network to which mobile devices can be lured to connect. Because 3G and 4G authenticate the network and integrity-protect the control signaling, IMSI catchers have much more limited capabilities in those radio technologies. They can also cause unintentional effects: unless rigorously implemented, they may leave mobile devices connected to the IMSI catcher even after the attack is completed. This effectively prevents the mobile device from receiving incoming calls or making outgoing ones. However, this post is focused on the privacy aspects of IMSI catchers, specifically on how subscribers can be made less traceable in 5G networks.
Evolution of subscriber privacy in 3GPP networks
In mobile networks standardized by 3GPP, subscribers’ temporary identifiers (often referred to as TMSIs) have been in use since 2G. Temporary identifiers work well to thwart subscriber tracing attacks where the attacker only passively eavesdrops on traffic. However, somewhat more complex and less stealthy attacks, in which the attacker actively interacts with the mobile device, remain possible, meaning that subscribers’ long-term identifiers are still vulnerable. To address that, much academic work has been done in the past to improve subscriber untraceability in mobile networks. Some of this work was brought to 3GPP as well, but for various reasons could not be incorporated in earlier generation networks. An important limiting factor for earlier generations was the computational power of mobile devices. Due to the rapid evolution of technology, this is less of a problem for many devices today.
Therefore, since 5G security standardization began in 3GPP with a study of 5G security (TR 33.899), Ericsson Security Research has been one of the main drivers advocating the analysis of key issues and providing solutions for subscriber untraceability in the presence of active attackers. Ericsson is also the rapporteur of TR 33.899. Even though there are several options for protection mechanisms, it is important to introduce them with care in order not to interfere with operational or regulatory requirements.
A few years ago, Ericsson Security Research therefore started research on how to adapt and improve previous ideas to make them suitable for 5G networks. Some of the results can be found in the papers Protecting IMSI and subscriber privacy in 5G networks, published at MobiMedia’16, and Subscription identifier privacy in 5G systems, published at MoWNet’17. Our findings and practical experiments were promising, and we brought them to the security group SA3 of 3GPP during the study phase of 5G to further evolve the technology together with other interested companies. We are now glad to see the concepts being agreed by 3GPP for use in the security specification TS 33.501 for 5G. We now go on to briefly explain the technical aspects of the main concepts.
Protecting the IMSI in 5G
The mobile device needs to transmit its long-term identifier, the IMSI, to the network at times. The concept we propose builds on an old idea: the mobile device encrypts its IMSI using the home network’s public key before it is transmitted over the air interface. By using a probabilistic asymmetric encryption scheme – one that uses randomness – the same IMSI encrypted multiple times results in different encrypted values. This makes it infeasible for an active or passive attacker on the air interface to identify the subscriber. Below is a simplified illustration of how a mobile device encrypts its IMSI.
Each mobile operator (called the ‘home network’ here) has a public/private pair of asymmetric keys. The home network’s private asymmetric key is kept secret by the home network, while the home network’s public asymmetric key is pre-provisioned in mobile devices along with subscriber-specific IMSIs (Step 0). Note that the home network’s public asymmetric key is not subscriber-specific.
For every encryption, the mobile device generates a fresh pair of its own public/private asymmetric keys (Step 1). This key pair is used only once, hence called ephemeral, and this is what gives the encryption scheme its probabilistic property. As shown in the figure, the mobile device then generates a new key (Step 2), e.g., using a Diffie–Hellman key exchange between its ephemeral private key and the home network’s public key. This new key is also ephemeral and is used only once, to encrypt the mobile device’s IMSI (Step 3) with a symmetric algorithm such as AES. The combination of asymmetric and symmetric crypto primitives described above is commonly known as an integrated (hybrid) encryption scheme. The Elliptic Curve Integrated Encryption Scheme (ECIES) is a popular scheme of this kind and is well suited to the IMSI encryption use case because of its low impact on radio bandwidth and on the mobile device’s battery.
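To make Steps 0 to 3 concrete, here is an added, self-contained Python illustration; it is not code from the page, the cited papers or 3GPP. It uses X25519 (RFC 7748) for the Diffie–Hellman step, a plain SHA-256 key derivation, and, since the standard library has no AES, SHA-256 in counter mode standing in for the symmetric cipher. The IMSI value, the 8-byte MAC truncation and the key-derivation details are constructed for this example only.

```python
import hashlib
import hmac
import os

P = 2**255 - 19
BASE = (9).to_bytes(32, "little")  # X25519 base point u = 9

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Plain-Python swaps, so not constant-time: for study only."""
    k = int.from_bytes(scalar, "little") & ((1 << 254) - 8) | (1 << 254)  # clamp the scalar
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3 = 1, 0, x1, 1
    for t in range(254, -1, -1):
        if (k >> t) & 1:
            x2, x3, z2, z3 = x3, x2, z3, z2
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb, aa, bb = d * a % P, c * b % P, a * a % P, b * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
        if (k >> t) & 1:
            x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode stands in for AES-CTR (no AES in the stdlib); the key is single-use."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def kdf(shared: bytes, eph_pub: bytes) -> tuple:
    """Derive an encryption key and a MAC key from the DH shared secret (simple SHA-256 KDF)."""
    k = hashlib.sha256(shared + eph_pub).digest()
    return k[:16], k[16:]

def encrypt_imsi(home_pub: bytes, imsi: str) -> bytes:
    """Device side. The output eph_pub || ciphertext || tag is different on every call."""
    eph_priv = os.urandom(32)                                    # Step 1: fresh ephemeral key pair
    eph_pub = x25519(eph_priv, BASE)
    enc_key, mac_key = kdf(x25519(eph_priv, home_pub), eph_pub)  # Step 2: one-time DH shared key
    ct = bytes(a ^ b for a, b in zip(imsi.encode(), keystream(enc_key, len(imsi))))  # Step 3
    return eph_pub + ct + hmac.new(mac_key, ct, "sha256").digest()[:8]

def decrypt_imsi(home_priv: bytes, msg: bytes) -> str:
    """Home network side: only the holder of the operator's private key recovers the IMSI."""
    eph_pub, ct, tag = msg[:32], msg[32:-8], msg[-8:]
    enc_key, mac_key = kdf(x25519(home_priv, eph_pub), eph_pub)
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()[:8]):
        raise ValueError("MAC check failed: message tampered or wrong operator key")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, len(ct)))).decode()
```

The operator's key pair (Step 0) is simply `home_priv = os.urandom(32)` and `home_pub = x25519(home_priv, BASE)`; an eavesdropper sees only the ephemeral public key and the ciphertext, which differ on every attach.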
The nicest thing about the described concept is that no public key infrastructure is necessary, which significantly reduces deployment complexity, meaning that mobile operators can start deploying IMSI encryption for their subscribers without having to rely on any external party or other mobile operators.
Practical aspects of 5G IMSI privacy
In our practical experiment on an Android-based device with a 2.2 GHz CPU, IMSI encryption took around 1.61 milliseconds, and the total size of the encrypted IMSI was around 320 bits. Therefore, we do not see any apparent technical impediments to 5G systems implementing the described concept of encrypting the IMSI and thus thwarting IMSI catching attacks, in both their active and passive versions.
Having said that, it is also important that subscribers’ IMSIs are not exposed over the air interface on any other occasion. If they were, it would partially defeat the purpose of adding these protection mechanisms. An example where IMSIs could be exposed is the paging procedure. Paging is a network-initiated procedure used to inform mobile devices of incoming services, new or updated system information, and public emergency warnings. Normally, a paging message includes the paged subscriber’s temporary identifier. However, in the mobile network generations up to 4G, the paging message includes the paged subscriber’s IMSI in the rare cases where the mobile network has lost the temporary identifier.
The good news is that 5G will inherently support features improving robustness, such as virtualized functions, pooling, redundancy, and persistent storage of data/contexts. So, losing subscribers’ contexts because of node failure is even less likely to happen in 5G. And ultimately, mobile devices would not remain locked out for long, because mobile-originated services will reconnect them to the network. This seems to lead to two reasonable options ahead for protecting the IMSI: either 5G supports paging only with subscribers’ temporary identifiers, or it adopts some privacy-preserving mechanism, such as using the encrypted IMSIs provided earlier by the mobile devices.
Moving forward with 5G privacy
It is a very exciting time, and 5G is gearing up with lots of promising security and privacy features, subscriber untraceability being one of the important ones. Ericsson Security Research will continue to be active in 3GPP, collaborating with other companies to ensure that the security specifications for 5G provide strong and appropriate security and privacy for the years to come.