Catch Me if You Can: Protecting Mobile Subscriber Privacy in 5G
September 10, 2020
Stéphane Jacquelin, Chair of the Trusted Connectivity Alliance Mobile Privacy Working Group
In today’s connected world, mobile networks carry a virtual trace of our lives as they unfold minute-by-minute. Smartphones, smartwatches and fitness trackers, tablets and PCs, connected cars, and even smart home appliances, constantly collate our most personal and sensitive data.
This means any compromise can lead to hugely damaging breaches of user privacy. Blackmail, harassment, fraud, manipulative commercial profiling, to name just a few, are all credible threats.
The advent of 5G presents an opportunity to address key concerns for mobile networks and promote subscriber privacy. Protecting the most prominent personal data involved in mobile communications – the International Mobile Subscriber Identity (IMSI) – must therefore be a critical consideration.
What is an IMSI?
The IMSI – known as Subscription Permanent Identifier (SUPI) in 5G – is the unique subscriber identifier allocated by the mobile network operator (MNO) to each SIM card or in an eSIM. As it represents the relationship between subscribers and the MNO that issued the SIM, it can be used to confirm a subscriber’s identity and monitor location, calls and SMS messages.
Put simply, the IMSI should be considered as deeply private information. But in the current 2G, 3G and 4G network technologies, as defined in the 3GPP standards, the IMSI is sent in clear over-the-air without being encrypted.
This exposes it to a well-known and significant vulnerability known as IMSI catching attacks.
IMSI catchers and subscriber privacy
IMSI catchers work as follows. As mobile phones usually select the cell with the strongest signal, IMSI catchers simulate a cell with a better signal strength. The IMSI catcher launches the basic identification procedure by requesting the mobile phone’s IMSI to confirm that the subscriber is in the area. It then relays the traffic between the real cell site and the subscriber’s mobile phone, intercepting any data it wants.
Given the sensitivity and value of the data that can be obtained, you may think that IMSI catchers would require a high level of technical sophistication to build, or could only be bought at great expense from the deepest corners of the dark web. Unfortunately, this is not the case. Even though using or buying an IMSI catcher is strictly regulated, it is possible to easily build or obtain a device.
It is unsurprising that IMSI catchers may already be maliciously deployed. The Department of Homeland Security has reported the use of IMSI catchers by an unidentified entity ‘operating near the White House and other sensitive locations in Washington.’
Promoting subscriber privacy through standardisation
Given the threat posed by IMSI catchers, protecting the IMSI is crucial to promoting subscriber privacy. This is why the Trusted Connectivity Alliance Recommended 5G SIM supports IMSI encryption in the 5G SIM.
The 5G standards developed by 3GPP introduced the possibility for MNOs to encrypt the IMSI before it is sent over-the-air. But as the standards state that encryption can be performed either by the SIM or by the device, and even be deactivated, there is potential for significant variability in terms of implementation.
At the most straightforward level, there is the scenario where the IMSI encryption feature is not activated in the network. Another potential issue occurs when the encryption feature is activated in the network, but end-users have an older SIM not capable of supporting IMSI encryption.
In addition, the IMSI encryption feature is activated in the network and 5G end-users have a 5G SIM that does not support IMSI encryption. In this case, the device executes the cryptographic operations. This increases interoperability risks and can impact the overall protection level.
IMSI encryption within the 5G SIM
Given these scenarios, various factors mean that the recommended way to promote privacy is to manage IMSI encryption within the 5G SIM.
As the MNO owns the 5G SIM configuration, they can control the security and privacy of the IMSI end-to-end from the SIM to the network.
Tamper-resistant secure elements (SEs), the foundation of the 5G SIM, offer the highest level of security as certified by recognised schemes. The 5G SIM is also produced and provisioned in secure, regulated facilities.
And finally, the qualification and certification process is streamlined and simple, with well-established interoperability between different 5G SIM implementations.
What about lawful interception?
As with other security technologies, there is an important balance to be found between protecting a citizen’s right to privacy and enabling law enforcement agencies to track criminals when necessary.
So while encrypting the IMSI does prevent the unlawful and malicious usage of IMSI catchers, governments and other law enforcement agencies will still be able to monitor targets with the collaboration of MNOs.
Towards a secure connected future
Subscriber privacy is a critical consideration for MNOs. Given the known vulnerability to attacks from IMSI catchers, protecting the IMSI is imperative to a secure, connected future.
While industry standardisation efforts have undoubtedly made progress, different implementation options create various scenarios where the IMSI is not protected and consumer privacy is at risk.
Managing IMSI encryption within the 5G SIM, however, delivers control, best-in-class security and flexibility to prevent malicious and unlawful interception.
Protecting Subscriber Privacy in 5G is available for free download from the Trusted Connectivity Alliance website. A summary document and presentation are also available. The TCA is also hosting a free-to-attend webinar to further explore the topics covered in the white paper. The webinar will take place on Thursday 17 September at 10:00 CET and 17:00 CET. To register, click here.
 “5G SIM” refers to both the SIM or eSIM as defined as Recommended 5G SIM by TCA.
Categorised in: Blog