@inproceedings{09a769cc6110451995d507c2da599755,
title = "5G SUCI-catchers: Still catching them all?",
abstract = "In mobile networks, IMSI-Catchers identify and track users simply by requesting all users' permanent identities (IMSI) in range. The 5G standard attempts to fix this issue by encrypting the permanent identifier (now SUPI) and transmitting the SUCI. Since the encrypted SUCI is re-generated with an ephemeral key for each use, an attacker can no longer derive the user's identity. However, this scheme does not prevent all tracking and linking: if the identity of a user is already known, an attacker can probe users for that identity. We demonstrate a proof-of-concept 5G SUCI-Catcher attack in a 5G standalone network. Based on prior work on linkability through the Authentication and Key Agreement (AKA) procedure, we introduce an attack variant that enables practical, repeatable attacks. We capture encrypted SUCIs and use the AKA-procedure to link the encrypted identities between sessions. This answers Is user X present now? - - a typical scenario for IMSI-Catchers. We analyze the attack's scalability, discuss real-world applicability, and possible countermeasures by network operators.",
keywords = "5G security, AKA, IMSI, IMSI-catcher, SUCI, SUCI-catcher, SUPI, fake base station, subscription concealed identifier",
author = "Merlin Chlosta and David Rupprecht and Christina P{\"o}pper and Thorsten Holz",
note = "Publisher Copyright: {\textcopyright} 2021 ACM.; 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2021 ; Conference date: 28-06-2021 Through 02-07-2021",
year = "2021",
month = jun,
day = "21",
doi = "10.1145/3448300.3467826",
language = "English (US)",
series = "WiSec 2021 - Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks",
publisher = "Association for Computing Machinery, Inc",
pages = "359--364",
booktitle = "WiSec 2021 - Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks",
}