Presentation Material
Abstract
IMSI catchers, aka Stingrays, aka fake base stations, are well-known privacy threats to almost every mobile phone with SIM card connectivity in the world, including iOS- and Android-based devices. The cellular network generations 2G, 3G and 4G are vulnerable to such almost undetectable and silent attacks. New security mechanisms have now been added to the next-generation 5G networks to address these types of issues.
In this talk, we carefully investigate the new security protection techniques in 5G and perform practical experiments using commercial 5G devices. We also explain our failed and successful attempts at building 5G IMSI catchers for our research. Finally, we conclude with results on the impact of 5G IMSI catchers against 5G users without any downgrade to legacy networks, guidelines for cellular device vendors, operators and end users, and directions towards fixing the problem in 6G networks.
AI Generated Summary
This research evaluates whether IMSI catcher (fake base station) threats have been mitigated in 5G networks by analyzing specification improvements and real-world deployments. The study contrasts 5G non-standalone (NSA) mode, which uses a 4G core, with standalone (SA) mode and its new 5G core.
Key 5G security specifications include protecting the subscriber permanent identifier (SUPI) by transmitting only a concealed identifier (SUCI) over the air, paging with temporary identifiers only (5G-TMSI), mandating reallocation of the temporary identifier (5G-GUTI) after registration and after paging-triggered service requests, and introducing an anti-bidding-down parameter (ABBA) and optional user-plane integrity protection. The specification also describes a fake base station detection framework based on measurement reports sent by the mobile device.
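To make concrete what the SUCI does and does not hide, here is an added example (not code from the talk or its authors) that parses the SUCI string form defined in TS 23.003 and reports the fields that remain readable to anyone listening on the radio interface. The field layout of the ECIES scheme output (ephemeral public key, ciphertext, 8-byte MAC tag) follows TS 33.501 Annex C; the MCC/MNC, routing indicator and key identifiers used in the comments and tests are constructed values, not real operator data.

```python
"""Parse a 5G SUCI in the string form of TS 23.003 and report which subscriber
fields an over-the-air observer can read without breaking the concealment.
Sample values in the tests are constructed and belong to no real operator."""
from dataclasses import dataclass
from typing import Optional

# Protection scheme identifiers defined in TS 33.501 Annex C.
SCHEMES = {
    0: "null scheme (MSIN sent in clear)",
    1: "ECIES Profile A (X25519 ephemeral key, 32 bytes)",
    2: "ECIES Profile B (P-256 compressed ephemeral key, 33 bytes)",
}
EPHEMERAL_KEY_LEN = {1: 32, 2: 33}
MAC_TAG_LEN = 8  # both ECIES profiles append a 64-bit MAC tag


@dataclass
class Suci:
    supi_type: int          # 0 = IMSI-based SUPI, 1 = NAI-based SUPI
    mcc: str                # home network identifier: always in clear
    mnc: str
    routing_indicator: str  # also in clear; assigned by the home operator
    scheme_id: int
    hn_key_id: int          # which home network public key was used
    scheme_output: str      # MSIN digits (null scheme) or hex (ECIES)


def parse_suci(text: str) -> Suci:
    """Split 'suci-<type>-<mcc>-<mnc>-<ri>-<scheme>-<keyid>-<output>'."""
    parts = text.split("-")
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError("not a SUCI string: %r" % text)
    return Suci(int(parts[1]), parts[2], parts[3], parts[4],
                int(parts[5]), int(parts[6]), parts[7])


def cleartext_fields(suci: Suci) -> dict:
    """What any passive listener learns from a SUCI regardless of the scheme."""
    return {
        "home_network": suci.mcc + "/" + suci.mnc,
        "routing_indicator": suci.routing_indicator,
        "scheme": SCHEMES.get(suci.scheme_id, "unknown scheme %d" % suci.scheme_id),
        "hn_key_id": suci.hn_key_id,
    }


def exposed_supi(suci: Suci) -> Optional[str]:
    """With the null scheme the MSIN is in clear, so the whole IMSI is recoverable."""
    if suci.scheme_id == 0 and suci.supi_type == 0:
        return "imsi-" + suci.mcc + suci.mnc + suci.scheme_output
    return None


def split_scheme_output(suci: Suci) -> dict:
    """For an ECIES profile, separate ephemeral public key, ciphertext and MAC tag."""
    if suci.scheme_id not in EPHEMERAL_KEY_LEN:
        raise ValueError("scheme %d carries no ECIES output" % suci.scheme_id)
    raw = bytes.fromhex(suci.scheme_output)
    key_len = EPHEMERAL_KEY_LEN[suci.scheme_id]
    if len(raw) <= key_len + MAC_TAG_LEN:
        raise ValueError("scheme output too short for profile %d" % suci.scheme_id)
    return {"ephemeral_key": raw[:key_len],
            "ciphertext": raw[key_len:-MAC_TAG_LEN],
            "mac_tag": raw[-MAC_TAG_LEN:]}


if __name__ == "__main__":
    # Constructed: Profile A output = 32-byte key + 5-byte encrypted MSIN + 8-byte tag.
    s = parse_suci("suci-0-234-15-678-1-27-" + "aa" * 32 + "01" * 5 + "bb" * 8)
    print(cleartext_fields(s), exposed_supi(s))
```

The check a practitioner cares about is the one `exposed_supi` makes: a SUCI built with scheme 0 conceals nothing, and even with ECIES the home network identifier and routing indicator are plaintext, which is the basis of the MCC/MNC profiling discussed for SA networks below.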
Experimental testing of four commercial 5G NSA networks revealed inconsistent implementation. All four networks exchanged device capabilities only after security establishment, so the capabilities could not be tampered with, but none enabled user-plane integrity protection, leaving the user plane open to manipulation attacks of the aLTEr type. Temporary identifier (GUTI) reallocation policies varied significantly: some networks reallocated identifiers often enough, while others kept them static for days, enabling tracking. The reallocation the specification mandates was not observed in practice.
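The GUTI observation above is something a tester can check mechanically from a capture of NAS events. The following added example (not the authors' tooling) applies the reallocation rule that 5G introduced in TS 33.501 §6.12.3, a fresh 5G-GUTI after a registration and after a paging-triggered service request, to a constructed event trace and also measures the longest period a single GUTI stayed in use. The event kinds, timestamps and GUTI strings are constructed for illustration.

```python
"""Check an observed NAS event sequence for the 5G-GUTI reallocation rule of
TS 33.501 section 6.12.3 and measure how long a GUTI stays static.
The trace returned by constructed_trace() is made up for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Procedures after which the network must assign a new 5G-GUTI.
TRIGGERS = {"registration", "service_request_paging"}


@dataclass
class NasEvent:
    t: datetime
    kind: str   # "registration", "service_request_paging", "service_request_ul"
    guti: str   # GUTI in use once the procedure (and any Configuration Update it triggers) completes


def missing_reallocations(events):
    """Return (time, kind) of each trigger event after which the GUTI stayed the same."""
    misses = []
    for prev, cur in zip(events, events[1:]):
        if cur.kind in TRIGGERS and cur.guti == prev.guti:
            misses.append((cur.t, cur.kind))
    return misses


def longest_static_period(events):
    """Longest span during which consecutive events used one GUTI value."""
    best = timedelta(0)
    start = events[0].t
    for prev, cur in zip(events, events[1:]):
        if cur.guti != prev.guti:
            best = max(best, prev.t - start)
            start = cur.t
    return max(best, events[-1].t - start)


def constructed_trace():
    """Constructed trace: two paging-triggered service requests without a new GUTI."""
    t0 = datetime(2021, 6, 1, 8, 0)
    g1, g2 = "5G-GUTI-0001", "5G-GUTI-0002"
    return [
        NasEvent(t0, "registration", g1),
        NasEvent(t0 + timedelta(hours=6), "service_request_paging", g1),  # no reallocation
        NasEvent(t0 + timedelta(days=1), "service_request_ul", g1),       # UL-triggered: no rule
        NasEvent(t0 + timedelta(days=2), "service_request_paging", g1),   # no reallocation
        NasEvent(t0 + timedelta(days=3), "registration", g2),             # new GUTI: compliant
    ]


if __name__ == "__main__":
    trace = constructed_trace()
    for when, kind in missing_reallocations(trace):
        print("no 5G-GUTI reallocation after", kind, "at", when)
    print("longest static GUTI period:", longest_static_period(trace))
```

Uplink-triggered service requests carry no reallocation requirement, so the checker deliberately ignores them; a GUTI that survives two paging-triggered service requests over two days is exactly the tracking window the summary describes.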
For 5G SA networks, new attack vectors emerge. The SUPI is encrypted inside the SUCI, but the SUCI carries the home network identifier (MCC/MNC) in clear text, which reveals every subscriber's home country and operator and allows coarse profiling, for example of roaming users. Furthermore, the AUTN value of the 5G-AKA protocol is still sent unprotected over the radio interface. An attacker who has obtained an AUTN issued for the target (for example by first downgrading the target to a legacy network) can replay it from a fake SA base station to the devices in range: only the target, whose USIM accepts the MAC but rejects the stale sequence number, answers with a synchronization failure, while every other device answers with a MAC failure. The sequence number in that failure response is concealed only by XOR with a key-derived value that repeats for the same RAND, which leaks further information. Both weaknesses were identified by prior research on 3G and 4G AKA and persist in 5G-AKA.
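The replay attack is easiest to see in a runnable model. The following added example is not the authors' code: HMAC-SHA256 stands in for the MILENAGE functions f1, f1*, f2, f5 and f5* (output lengths follow TS 33.102), subscriber keys and RAND values are constructed, and the USIM freshness rule is simplified to "SQN must exceed the stored value" instead of the windowed check of TS 33.102 Annex C. It shows a genuine authentication, the replay of the recorded (RAND, AUTN) pair to several USIMs, and the XOR leak between two AUTS values produced for the same RAND.

```python
"""Toy 5G-AKA model: a recorded (RAND, AUTN) pair singles out the subscriber it
was issued for, because only that USIM answers with a synchronisation failure.
HMAC-SHA256 stands in for MILENAGE; keys and RAND values are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

AMF = b"\x80\x00"  # 16-bit authentication management field


def _prf(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def f1(k, sqn, rand, amf):  return _prf(k, b"f1", sqn + rand + amf, 8)   # MAC-A (64 bit)
def f1s(k, sqn, rand, amf): return _prf(k, b"f1*", sqn + rand + amf, 8)  # MAC-S for AUTS
def f2(k, rand):            return _prf(k, b"f2", rand, 8)               # RES
def f5(k, rand):            return _prf(k, b"f5", rand, 6)               # AK, conceals SQN in AUTN
def f5s(k, rand):           return _prf(k, b"f5*", rand, 6)              # AK*, conceals SQN_MS in AUTS


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class HomeNetwork:
    keys: dict                                  # SUPI -> long-term key K
    sqn: dict = field(default_factory=dict)     # SQN_HE per subscriber

    def auth_vector(self, supi: str, rand: bytes):
        """AUTN = (SQN xor AK) || AMF || MAC; returned with RAND and XRES."""
        k = self.keys[supi]
        sqn = self.sqn.get(supi, 0) + 1
        self.sqn[supi] = sqn
        sqn_b = sqn.to_bytes(6, "big")
        autn = xor(sqn_b, f5(k, rand)) + AMF + f1(k, sqn_b, rand, AMF)
        return rand, autn, f2(k, rand)


@dataclass
class Usim:
    supi: str
    k: bytes
    sqn_ms: int = 0

    def respond(self, rand: bytes, autn: bytes):
        """MAC is checked first; only a MAC-valid but stale SQN yields a sync failure."""
        conc, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn_b = xor(conc, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, sqn_b, rand, amf)):
            return ("MAC_FAILURE", None)
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:  # simplified freshness rule (constructed)
            sqn_ms_b = self.sqn_ms.to_bytes(6, "big")
            auts = xor(sqn_ms_b, f5s(self.k, rand)) + f1s(self.k, sqn_ms_b, rand, AMF)
            return ("SYNC_FAILURE", auts)
        self.sqn_ms = sqn
        return ("RES", f2(self.k, rand))


def replay_to_all(usims, rand, autn):
    """Fake base station replays a recorded challenge; SUPIs answering SYNC_FAILURE are the target."""
    return [u.supi for u in usims if u.respond(rand, autn)[0] == "SYNC_FAILURE"]


def auts_sqn_xor(auts_a: bytes, auts_b: bytes) -> int:
    """Same RAND gives the same AK*, so XORing two AUTS conceal fields yields SQN_MS(a) xor SQN_MS(b)."""
    return int.from_bytes(xor(auts_a[:6], auts_b[:6]), "big")


if __name__ == "__main__":
    keys = {"imsi-%d" % i: hashlib.sha256(bytes([i])).digest()[:16] for i in range(4)}
    hn = HomeNetwork(keys)
    usims = [Usim(s, k) for s, k in keys.items()]
    target = usims[2]
    rand, autn, _ = hn.auth_vector(target.supi, bytes(range(16)))  # genuine session, recorded
    target.respond(rand, autn)
    print("sync failure from:", replay_to_all(usims, rand, autn))
```

Only the subscriber whose key validates the MAC reaches the sequence-number check, so the replay partitions the cell into "the target" and "everyone else"; no downgrade to 4G is needed at replay time, only the one-off capture of a valid AUTN.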
The work concludes that while 5G specifications substantially raise the bar, practical deployment choices in NSA mode and inherent protocol weaknesses in SA mode mean IMSI catcher threats are not fully resolved. Operator configuration, particularly for NSA networks, remains critical for realizing intended privacy benefits.