5G SUCI-catchers: Still catching them all?

Merlin Chlosta, David Rupprecht, Christina Pöpper, Thorsten Holz

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

In mobile networks, IMSI-Catchers identify and track users simply by requesting all users' permanent identities (IMSI) in range. The 5G standard attempts to fix this issue by encrypting the permanent identifier (now SUPI) and transmitting the SUCI. Since the encrypted SUCI is re-generated with an ephemeral key for each use, an attacker can no longer derive the user's identity. However, this scheme does not prevent all tracking and linking: if the identity of a user is already known, an attacker can probe users for that identity. We demonstrate a proof-of-concept 5G SUCI-Catcher attack in a 5G standalone network. Based on prior work on linkability through the Authentication and Key Agreement (AKA) procedure, we introduce an attack variant that enables practical, repeatable attacks. We capture encrypted SUCIs and use the AKA-procedure to link the encrypted identities between sessions. This answers Is user X present now? - - a typical scenario for IMSI-Catchers. We analyze the attack's scalability, discuss real-world applicability, and possible countermeasures by network operators.

Original languageEnglish (US)
Title of host publicationWiSec 2021 - Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks
PublisherAssociation for Computing Machinery, Inc
Pages359-364
Number of pages6
ISBN (Electronic)9781450383493
DOIs
StatePublished - Jun 21 2021
Event14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2021 - Virtual, Online, United Arab Emirates
Duration: Jun 28 2021Jul 2 2021

Publication series

NameWiSec 2021 - Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks

Conference

Conference14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2021
Country/TerritoryUnited Arab Emirates
CityVirtual, Online
Period6/28/217/2/21

Keywords

  • 5G security
  • AKA
  • fake base station
  • IMSI
  • IMSI-catcher
  • subscription concealed identifier
  • SUCI
  • SUCI-catcher
  • SUPI

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of '5G SUCI-catchers: Still catching them all?'. Together they form a unique fingerprint.

Cite this