Enhanced 5G subscriber privacy for variable-length identifiers
- 5G Standards allow permanent subscription identifiers to be of variable length.
- Encrypted permanent subscription identifiers hide the content of the identifiers, but they cannot hide the length.
- When permanent subscription identifiers are of variable length, leaking the length over the radio interface causes privacy threats.
- 3GPP provides recommendations for mobile operators on how to use variable-length permanent subscription identifiers.
3GPP has studied a well-known privacy issue where bad actors, also known as IMSI catchers, can identify the location of individual users. The attack is launched by determining the length of the subscription identifier that mobile devices transmit over the air in an encrypted code. In a 2021 paper, Ericsson researchers Prajwol Kumar Nakarmi and John Preuß Mattsson addressed the problem and proposed a solution to make it harder for these attacks to work by altering the length of subscription identifier before encrypting.
After the study, 3GPP created a recommendation for mobile operators to either use a fixed-length subscription identifier or make the variable-length codes the same length before sending them over the air. This would protect the privacy of users and make it harder for IMSI catchers to carry out their attacks.
Long-term subscription identifiers and IMSI catchers
A subscription identifier is used by the mobile network to uniquely identify, locate, and authenticate subscribers to connect incoming calls, bill the right subscription owner, and more. The subscription identifier is a long-lived string known as International Mobile Subscriber Identity (IMSI) in legacy networks and Subscriber Permanent Identifier (SUPI) in 5G networks.
Unlike some cryptographic keys, IMSI/SUPI are not secrets — they are shared with various entities of the network that are involved in providing services.
IMSI/SUPI and the associated subscribers are meant to be known by legitimate entities, but since there are multiple legitimate entities, there is a risk of being exposed by a malicious entity. Such knowledge can be exploited to breach the location privacy of a subscriber by an IMSI catcher.
A passive IMSI catcher is a malicious entity that eavesdrops on the ongoing radio communication within a cell of the mobile network. An active IMSI catcher, impersonating a legitimate radio network, “tricks” devices into connecting to it. Then, the IMSI catcher can send identity requests to those devices and receive the IMSI in return. By identifying the presence of the relevant IMSI/SUPI in the radio communication in a cell, the IMSI catcher can compromise the location privacy of a subscriber.
The threat of IMSI catchers is powerful
To breach the location privacy of its user, adversaries may also attack a notebook or tablet computer instead of a mobile phone. These attacks can exploit the presence of other identifiers, such as IP address, rather than IMSI/SUPI in the observable communication traffic. However, IMSI catchers’ attacks directed at a mobile phone, that are based on exploiting the presence of IMSI/SUPI, are relatively powerful for various reasons, as explained below.
Mobile phones are omnipresent in their user’s physical space
A mobile phone is always turned on and carried by its user almost everywhere. Therefore, an IMSI catcher can use the following as working assumptions about the presence and absence of the user and the mobile phone in a cell:
- If a user is present, then it is highly likely that the associated mobile phone is also present.
- If a mobile phone is present, then it is highly likely that the user is also present.
- If a user is absent, then it is highly likely that the associated mobile phone is also absent.
- If a mobile phone is absent, then it is highly likely that the user is also absent.
None of the above holds for attacks on other devices such as notebooks or tablet computers. This is because they are not always turned on and carried by their users — they could be turned on but not carried by the user or carried by the user but not turned on.
Cell sizes are not too large or sufficiently small to thwart privacy attacks
Cells in a mobile network do not cover a large geographical area — in many cases, it is as small as a neighborhood. Therefore, the location of the victim is damagingly fine-grained. On the other hand, cells are large enough so that an adversary can set up an IMSI catcher, a wireless device, in a hidden spot that is completely out of the victim’s sight making the attack stealthy. One cannot argue the same for adversaries that attack devices that are connected via network cables or short-range wireless networks such as Bluetooth. Adversaries would need to come quite close to the victim’s space — risking the attack being noticed. When it comes to Wi-Fi networks, the range is longer than Bluetooth but not very long (about 45 meters) from the access point. This may make the adversary less noticeable than the adversary in the Bluetooth scenario but significantly more noticeable than in the cellular network case.
IMSI/SUPIs are long-lived
For a subscriber, IMSI/SUPI remains the same as long as the subscriber does not replace the SIM card — which, in many cases, can be as long as a decade. IMSI catchers can attack the privacy of a subscriber throughout these years. One cannot argue the same for attacks that are based on other identifiers, such as IP addresses, which are not nearly as long-lived as the IMSI/SUPI. Unlike in an attack based on IMSI/SUPI, an adversary must leverage a much more dynamic mechanism to link an IP address to its user.
Existing protection against IMSI catchers
Since the early GSM time, various protective measures have been taken to provide better user privacy over the radio interface against the IMSI catchers. These measures mostly use temporary identifiers, instead of IMSI, to reduce the number of occasions of sending IMSI over the air — the less frequently IMSI is sent over the air, the less efficient IMSI catchers can be. Temporary identifiers such as Temporary Mobile Subscriber Identity (TMSI), Globally Unique Temporary User Equipment Identity (GUTI), and various radio identifiers have been designed to be short-lived, randomly chosen, and un-linkable. These temporary identifiers work well against passive attackers who only listen to radio communication. However, when the User Equipment (UE) roams to a new serving network or the current serving network loses the temporary identifiers, the UE must transmit the IMSI (in plaintext in 2G, 3G, and 4G) to the network. This provides an opportunity for the IMSI catchers to attack the location privacy. An active attacker, who sends messages to a UE, can exploit this opportunity.
The 5G standards took a big step towards adopting the ultimate solution against IMSI catchers by encrypting the username part of the SUPI into a what is called a Subscription Concealed Identifier (SUCI) before transferring to the network. It’s impossible for an IMSI catcher to recognize the username of the underlying SUPI by observing the transmitted SUCIs. Besides, in 5G, when Extensible Authentication Protocol (EAP) based authentication methods are used, SUPIs can be sent by the UE in a confidentiality-protected channel. As a side note: Mobile Country Code (MCC) and Mobile Network Code (MNC) are sent in plaintext in a SUCI, so a passive IMSI catcher can recognize which CSP the subscriber is using. This is however outside the scope of the Rel-18 3GPP study on identity privacy and for this blog post.
IMSI catchers exploiting variable-length NAI-format SUPIs
If SUPIs are of variable length and an IMSI catcher knows the length of the SUPI of a target subscriber, then the IMSI catcher can exploit the information in a privacy attack against the subscriber. The 5G standard allows a SUPI to take the form of a Network Access Identifier (NAI), i.e., username@realm. The username part of such SUPIs may vary in length. While SUCIs hide the content of the SUPIs, they do not conceal the length of the SUPIs; thus allowing adversaries to still use SUCIs for attacks.
When subscribers have SUPIs of varying lengths, and an adversary can deduce the length of the associated SUPI from a SUCI, then it becomes easier for the adversary to identify the hidden SUPI. For example, if two SUPIs have different lengths, the SUCIs computed from the SUPIs will also differ — see Figure 1.
SUCIs cannot hide the length of the SUPIs because encryption methods alone do not hide the length of plaintext. In the TLS-based EAP methods used for secondary authentication of subscribers, though the TLS messages that carry SUPIs are encrypted, they may reveal the length of the SUPIs. This is because the message that carries the SUPI may have other parameters that are the same for many other subscribers but differ only for the SUPIs of the subscribers.
Some networks may want to have the username part created from real-world names because earlier and current uses of such identifiers, for example in IP Multimedia Services Identity Module (ISIMs), have been based on real-world names. In their paper Nori: Concealing the Concealed Identifier in 5G, Prajwol Kumar Nakarmi and John Preuß Mattsson analyzed the name length data for Sweden (ten million people) and four regions (Sweden, China, India, and the US) of an internal company. They found that the length distributions have tails — see Figure 1. Therefore, in 5G, an operator that uses NAI-format SUPIs is highly likely to have subscribers with SUPIs of varying lengths.
The paper argues it is important to take appropriate measures so that confidentiality protection hides both the length and content of the SUPIs. An example of a method is to use padding to standardize variable-length SUPIs before encryption.
3GPP guidelines on using NAI-format SUPIs
The 3GPP security working group, SA3, as part of their Release-18 work, studied the privacy issue associated with the use of variable-length NAI-format SUPIs. The study investigated ten different solutions. All these solutions have one thing in common — they manipulate the length of the long-term identifier to a privacy-preserving length so that an adversary that observes the length of the long-term identifier over the radio interface cannot obtain any information about the length of the long-term identifier. From the point of view of the techniques used to manipulate the length, these solutions could be put into five categories:
- Operators choose the lengths of NAI-format SUPIs.
- UEs pad variable-length NAI-format SUPIs.
- UEs hash variable-length NAI-format SUPIs.
- UEs truncate variable-length NAI-format SUPIs.
- Operators choose pseudonyms mapped to the NAI-format SUPIs.
SA3 discussed and understood the effectiveness of these solutions on the basis of fulfilling the following two, including other, requirements: (1) the solution needs to provide the desired privacy in the context of all authentication algorithms, for example, 5G AKA, EAP-AKA, and other EAP-based methods such as EAP-TLS or EAP-TTLS (2) the solution needs to be backward compatible, with existing devices or already deployed NAI-format SUPIs. In the discussion at SA3, it was understood that solutions of the categories (1) and (2) both fulfill these two (including other) requirements.
SA3 also discussed the appropriate length of the long-term identifier to preserve privacy. Proposals included the use of fixed length, variable length carefully chosen by the operators, and random length chosen by the UE. Random or carefully chosen lengths of long-term identifiers can provide some privacy assurance only if all the subscribers of an operator were present in a single cell, and the IMSI catcher could attack all of them simultaneously — which is never the case. Only a small subset of the subscribers of an operator is usually present in the vicinity of the IMSI catcher’s cell. In such a local setup, it is difficult to analyze the impact of random or carefully chosen lengths on the desired privacy. However, it is easy to analyze the impact of fixed length on desired privacy — if all the NAI-format SUPIs of the operator have the same length, then the resulting SUCIs would not reveal information about the username of the SUPIs. Therefore, it was understood that using fixed-length would be the most secure and future-proof choice.
Combining the above two understandings, SA3 provided the following guidelines in the 5G specification in TS 33.501:
"Use of variable-length SUPIs in NAI format (e.g., unusually short, or long length for the username portion of the NAI) can result in leakage of length even if the username portion is confidentiality protected. Such a leakage can affect the privacy of the subscriber. To mitigate this risk, it is recommended that home networks configure the username portion of the SUPIs in the USIMs and the UDM to meet the desired anonymity. This can be ensured by the home network operator, for example, by choosing username(s) of a fixed length or by making variable-length usernames fixed-length using techniques such as padding in the USIM and home network. The actual method chosen is left to the decision of the home network operator.
The above risk is not applicable to SUPIs that are of fixed length such as SUPIs containing IMSI."
The confidentiality of SUPI over the radio interface is a serious concern and it is reassuring that 3GPP addresses this matter accordingly.
Acknowledgement: The authors thank Karl Norrman for his useful comments.
Learn more
More details about IMSI catchers can be found in Section 3.2.1 of the doctoral thesis by Mohsin Khan.
The 3GPP study on the security issues related to variable-length NAI-format SUPIs is recorded in the TR 33.870 — Key Issue #1.
RELATED CONTENT
Like what you’re reading? Please sign up for email updates on your favorite topics.
Subscribe nowAt the Ericsson Blog, we provide insight to make complex ideas on technology, innovation and business simple.