Ruhr-Uni-Bochum

5G SUCI-catchers: still catching them all?

2021

Conference / Journal

Research Hub

Research Hub C: Sichere Systeme

Research Challenges

RC 7: Building Secure Systems

Abstract

In mobile networks, IMSI-Catchers identify and track users simply by requesting all users' permanent identities (IMSI) in range. The 5G standard attempts to fix this issue by encrypting the permanent identifier (now SUPI) and transmitting the SUCI. Since the encrypted SUCI is re-generated with an ephemeral key for each use, an attacker can no longer derive the user's identity. However, this scheme does not prevent all tracking and linking: if the identity of a user is already known, an attacker can probe users for that identity.

We demonstrate a proof-of-concept 5G SUCI-Catcher attack in a 5G standalone network. Based on prior work on linkability through the Authentication and Key Agreement (AKA) procedure, we introduce an attack variant that enables practical, repeatable attacks. We capture encrypted SUCIs and use the AKA-procedure to link the encrypted identities between sessions. This answers Is user X present now? --- a typical scenario for IMSI-Catchers. We analyze the attack's scalability, discuss real-world applicability, and possible countermeasures by network operators.

Tags

Mobile Security
Network Security