Did 5G Kill the IMSI Catcher?
You're sitting on a moving train, attending a Zoom meeting. Your mobile device seamlessly switches towers as you go in and out of range. This concept, called mobility, remains a central requirement for mobile networks. However, it's also a central security vulnerability.
For years, the GSM (better known as 2G) protocol has had a security vulnerability that exposes a user's personal identifier (IMSI) in the clear, allowing for attribution and geolocation. This vulnerability is also present in the UMTS (a.k.a. 3G) spec and the LTE (4G) spec. While the vulnerability was finally addressed in NR (5G), it's imperfect and remains an exploitable 5G network vulnerability.
Every account on a cellular network has a unique identifier that connects a SIM card to a credit card, known as the International Mobile Subscriber Identity (IMSI). This number contains three pieces of information: the subscriber's identity, the user's location, and the equipment used. The IMSI is sent in the clear under specific conditions.
In 2G/3G networks, IMSIs are sent in the clear under three conditions: In these situations, an attacker can intercept the IMSI and use it to identify the subscriber, their location, and the device they're using. This makes mobility a significant security risk.
4G is more convenient for attackers because the initial attach procedure includes inter-RAT (Radio Access Technology) reselection. This means you can grab an IMSI in any LTE dead zone where a UE falls back to 2G or 3G. However, the initial attach is unreliable and can be overcome with computing power.
5G has finally addressed the cleartext IMSI network vulnerability. The IMSI is now called the Subscription Permanent Identifier (SUPI), and the unique identifier portion is encrypted using public key cryptography to create the Subscription Concealed Identifier (SUCI). Together, the 5G SUPI and SUCI sufficiently solve the 5G network vulnerability: the SUCI is transmitted in the clear, yet the SUCI isn't useful for identification or geolocation.
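As an added example (not code from this post or from Zetier), the following Python script models the SUPI-to-SUCI concealment described above. It follows the shape of Profile A in 3GPP TS 33.501: X25519 key agreement against the home network's public key, the ANSI X9.63 KDF with SHA-256, a symmetric keystream over the MSIN only, and an 8-byte HMAC-SHA-256 tag. One substitution is assumed so it runs on the standard library alone: a SHA-256 counter keystream stands in for AES-128-CTR. The SUPI value and the home network key pair are constructed for the demo. It shows what a passive listener sees on the air interface (clear MCC/MNC and routing indicator, an opaque scheme output that changes on every attach because of the fresh ephemeral key) and how only the home network, holding the private key, recovers the SUPI.

```python
"""Simplified 5G SUCI concealment (added example, not the post's own code).

Models Profile A from 3GPP TS 33.501: X25519 key agreement with the home network
public key, ANSI X9.63 KDF (SHA-256), a symmetric keystream over the MSIN only,
and an 8-byte HMAC-SHA-256 tag. AES-128-CTR is replaced by a SHA-256 counter
keystream so the script needs only the standard library (assumption, marked below).
"""
import hashlib
import hmac
import os

# ---- X25519 per RFC 7748 (pure Python Montgomery ladder) ----
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Return scalar * point on Curve25519 (u-coordinate only)."""
    k = _clamp(scalar)
    u = bytearray(point)
    u[31] &= 127                      # RFC 7748: ignore the unused top bit
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# ---- ECIES pieces shared by the UE (conceal) and the home network (deconceal) ----
def _kdf(shared: bytes, eph_pub: bytes):
    """ANSI X9.63 KDF with SHA-256: 16-byte enc key, 16-byte ICB, 32-byte MAC key."""
    out = b"".join(hashlib.sha256(shared + i.to_bytes(4, "big") + eph_pub).digest()
                   for i in (1, 2))
    return out[:16], out[16:32], out[32:64]


def _keystream_xor(key: bytes, icb: bytes, data: bytes) -> bytes:
    # ASSUMPTION: SHA-256 in counter mode stands in for AES-128-CTR (not in stdlib).
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + icb + (off // 32).to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[off:off + 32], block))
    return bytes(out)


def conceal_supi(supi: str, hn_pub: bytes, hn_key_id: int = 1,
                 routing_indicator: str = "0000", rng=os.urandom) -> dict:
    """UE side: build a SUCI. Only the MSIN is encrypted; MCC/MNC stay in clear."""
    mcc, mnc, msin = supi[:3], supi[3:5], supi[5:]   # constructed: 2-digit MNC
    eph_priv = rng(32)                                # fresh per attach -> unlinkable
    eph_pub = x25519(eph_priv, BASE_POINT)
    shared = x25519(eph_priv, hn_pub)
    enc_key, icb, mac_key = _kdf(shared, eph_pub)
    ct = _keystream_xor(enc_key, icb, msin.encode())
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]
    return {"supi_type": 0, "mcc": mcc, "mnc": mnc,
            "routing_indicator": routing_indicator,
            "scheme_id": 1, "hn_key_id": hn_key_id,
            "scheme_output": (eph_pub + ct + tag).hex()}


def deconceal_suci(suci: dict, hn_priv: bytes) -> str:
    """Home network side: recover the SUPI, rejecting bad points and bad tags."""
    so = bytes.fromhex(suci["scheme_output"])
    eph_pub, ct, tag = so[:32], so[32:-8], so[-8:]
    shared = x25519(hn_priv, eph_pub)
    if shared == bytes(32):                           # low-order point -> reject
        raise ValueError("invalid ephemeral public key")
    enc_key, icb, mac_key = _kdf(shared, eph_pub)
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("SUCI MAC check failed")
    return suci["mcc"] + suci["mnc"] + _keystream_xor(enc_key, icb, ct).decode()


if __name__ == "__main__":
    hn_priv = os.urandom(32)
    hn_pub = x25519(hn_priv, BASE_POINT)
    supi = "001010123456789"                          # constructed test-PLMN SUPI
    s1, s2 = conceal_supi(supi, hn_pub), conceal_supi(supi, hn_pub)
    print("on air:", s1["mcc"], s1["mnc"], s1["scheme_output"][:24], "...")
    print("two SUCIs differ:", s1["scheme_output"] != s2["scheme_output"])
    print("home network recovers:", deconceal_suci(s1, hn_priv))
```

Two details matter for the defensive side of this scheme. The home network must reject an ephemeral key that yields an all-zero shared secret (a low-order point) and must check the MAC before decrypting, otherwise a malformed SUCI can be used to probe the deconcealment function. And note what the scheme does not hide: the MCC/MNC and routing indicator are visible to anyone listening, which is exactly why the post says the remaining exposure is geographical rather than cryptographic.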
So, are IMSI catchers dead? From a purely academic stance, perhaps. However, such perfection remains extremely unlikely, and I expect to see several opportunities for attackers to exploit these vulnerabilities.
How to Block an IMSI Catcher
There's no way to block an IMSI catcher. The only simple thing you can do is set your network priority to 5G-SA – but most phones don't support this feature. If you're really paranoid, stay in airplane mode until you're in a very dense coverage area.
You can also keep your phone in a Faraday bag, which can provide up to 100 dB of signal attenuation. Cellular mobility will always have intrinsic vulnerabilities, and the problem has shifted from technical to geographical for attackers.
Opportunities Ahead
As for CNE developers: the 3GPP 5G-NR spec is a huge improvement against attribution attacks, but there are still opportunities for attackers to exploit the remaining vulnerabilities.
Active IMSI catchers and active jamming remain viable options, but they come with the same risks as always. On the bright side, it's very fun work! If you're interested in this space, feel free to reach out or explore our OSS in the cellular space: Bungeegum, our free Android testing tool for simulating real-world conditions, and Lariat, another open-source testing tool for wrangling the wide range of Android devices – both developed in-house at Zetier.