A full transition to 5G may bring an upgrade unlikely to be mentioned in wireless carriers' ads, but which wireless users should appreciate anyway: much lower odds of a phone falling for an IMSI catcher.
But even after standalone 5G becomes routine, uneven carrier implementation and opaque user controls and interfaces could short-circuit advances made in 5G security over the last couple of years, two researchers warned in an August 5 presentation at the Black Hat security conference.
"Definitely, this is much better than what we have in today's 4G security network," said Ravishankar Borgaonkar, senior research scientist at SINTEF Digital and an associate professor at the University of Stavanger, at the start of the 5G IMSI Catchers Mirage briefing he conducted via video with Altaf Shaik, a senior researcher at Technische Universität Berlin.
(Black Hat, like many upcoming tech events, adopted a hybrid in-person/online structure after the pandemic forced that Las Vegas-hosted gathering to switch to a digital-only format last year.)
These privacy and security upgrades look most tenuous on non-standalone 5G networks, the two researchers emphasized, because so many functions still happen in a 4G context that remains vulnerable to passive surveillance and active man-in-the-middle interference by fake cell sites that may be operated by law enforcement, intelligence agencies or criminal enterprises – IMSI catchers.
That 4G footing means all you can count on in the non-standalone context is the assurance that a phone will only convey its capabilities to the network after a security handshake to prevent "MitM" tampering.
"The current 5G NSA networks only support the secure UE [user equipment] capability transfer," Shaik emphasized. "The rest of the security features are only available in the standalone networks."
Or as their presentation put it in bold type, NSA 5G yields a "false sense of 5G security."
In particular, 5G's replacement of the permanent and easily tracked IMSI with the temporary and encrypted Subscription Concealed Identifier (SUCI) doesn't happen in NSA 5G, the researchers warned. That implementation and its 4G core network do support a Globally Unique Temporary Identifier (GUTI), but operators aren't obliged to reallocate it on any schedule or to randomize it to any particular degree.
Borgaonkar and Shaik presented tests they did of a few unspecified operators in two unnamed countries that showed wide variations in GUTI privacy. At worst, they caught one keeping the same identifier on the same phone for more than ten days at a stretch, even after reboots of the device. Continued neglect of these security features in standalone 5G, Borgaonkar said, would keep IMSI-catcher snooping an easy proposition.
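The GUTI weaknesses the researchers measured (an identifier that stays fixed for days, survives a reboot, or is reallocated in a predictable sequence) can be checked from a log of observed registrations. The script below is an added example, not code from the talk or from any operator; it reads a constructed log of temporary identifiers seen on a few test handsets and flags each of those three patterns. The log format, handset labels, M-TMSI values and thresholds are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, one line per registration event observed on a test handset.
# Fields: ISO timestamp, handset label, event (attach | tau | reboot), M-TMSI as hex.
# handset-A keeps one identifier for more than ten days, even across a reboot.
# handset-B gets a new identifier each time, but they are consecutive integers.
# handset-C gets an unpredictable identifier at every reallocation.
SAMPLE_LOG = """\
2021-07-01T08:00:00,handset-A,attach,0x1a2b3c4d
2021-07-03T09:15:00,handset-A,tau,0x1a2b3c4d
2021-07-05T20:00:00,handset-A,reboot,0x1a2b3c4d
2021-07-12T07:30:00,handset-A,tau,0x1a2b3c4d
2021-07-01T08:00:00,handset-B,attach,0x00000101
2021-07-01T12:00:00,handset-B,tau,0x00000102
2021-07-02T08:00:00,handset-B,reboot,0x00000103
2021-07-01T08:00:00,handset-C,attach,0x9f3e11c0
2021-07-01T12:00:00,handset-C,tau,0x4471ab02
2021-07-02T08:00:00,handset-C,reboot,0xe80c5d97
"""


@dataclass
class Observation:
    ts: datetime
    event: str
    tmsi: int


def parse_log(text):
    """Group log lines by handset and sort each handset's observations by time."""
    per_handset = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, handset, event, tmsi = line.split(",")
        per_handset.setdefault(handset, []).append(
            Observation(datetime.fromisoformat(ts), event, int(tmsi, 16))
        )
    for seq in per_handset.values():
        seq.sort(key=lambda o: o.ts)
    return per_handset


def audit_handset(seq, max_unchanged_hours=24.0, sequential_window=16):
    """Return the three privacy indicators for one handset's observation sequence.

    max_unchanged_hours: assumed policy for how long one temporary id may persist.
    sequential_window: two successive ids this close together count as predictable.
    """
    longest_hours = 0.0
    reused_after_reboot = False
    sequential = 0
    run_start = seq[0]
    for prev, cur in zip(seq, seq[1:]):
        if cur.tmsi == prev.tmsi:
            # Same identifier still in use: extend the current run.
            span = (cur.ts - run_start.ts).total_seconds() / 3600.0
            longest_hours = max(longest_hours, span)
            if cur.event == "reboot":
                reused_after_reboot = True
        else:
            run_start = cur
            if 0 < cur.tmsi - prev.tmsi <= sequential_window:
                sequential += 1
    findings = []
    if longest_hours > max_unchanged_hours:
        findings.append(f"temporary id unchanged for {longest_hours:.1f} hours")
    if reused_after_reboot:
        findings.append("temporary id reused after a reboot")
    if sequential:
        findings.append(f"{sequential} sequential reallocation(s)")
    return {
        "longest_unchanged_hours": longest_hours,
        "reused_after_reboot": reused_after_reboot,
        "sequential_reallocations": sequential,
        "findings": findings,
    }


def audit_log(text, **thresholds):
    """Audit every handset in the log and return {handset: indicators}."""
    return {h: audit_handset(seq, **thresholds) for h, seq in parse_log(text).items()}


if __name__ == "__main__":
    for handset, result in audit_log(SAMPLE_LOG).items():
        status = "; ".join(result["findings"]) or "no issues found"
        print(f"{handset}: {status}")
```

Only handset-C comes out clean: its identifier changes at every reallocation and the new values are unrelated to the old ones, which is the behaviour the 5G standalone mandate on temporary identifiers is meant to guarantee.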
IMSI catchers can also still attempt "bid-down" attacks against devices to get them to degrade their security in NSA 5G. Shaik noted that while phones can impede that by requiring a reset to higher security after a defined period, many of the most widely used phones don't support that sort of timer-based recovery.
Standalone 5G such as what T-Mobile began deploying in August of 2020 supports a much wider set of security features, even if some of those set out in the current Release 16 of the 5G spec (itself a considerable advance over the weaker Release 15) remain optional.
The privacy provided by mandatory use of temporary and randomized phone IDs stands large among them. Shaik credited that for impeding large-scale surveillance and tracking via IMSI catchers: "You increase the privacy of the 5G user with respect to passive attacks and even active attacks." But insufficiently randomizing a 5G phone's SUCI could also allow less granular tracking by fake base stations, such as identifying users on private networks or on roaming.
5G specs also enable but don't require operators to scan for fake base stations by looking for inconsistent identifiers and unknown frequencies in use.
"It is the first time that IMSI catchers have been considered in the specifications," Shaik said. "Although this is not a bulletproof approach, I would say, it's a very good start to implement such features."
But, he added, even standalone 5G can still be susceptible to downgrade attacks from IMSI catchers that falsely report 5G service as unavailable to force a switch back to 4G. In a targeted attack, that fallback could expose a phone's IMSI and so allow continued tracking, albeit by an "active" IMSI catcher that should be slightly easier to detect.
Borgaonkar suggested that 5G specifications still gave a base station too much authority over phones to dictate network and security configurations, even if that relationship was less unequal than in prior generations of wireless.
Rewriting 5G specs may be a tall order, considering the existing pace of the standards-setting process. But the duo's advice to smartphone vendors shouldn't require as many sign-offs: Add a network-encryption indicator to the status bar of smartphones and give users a way to prioritize more secure networks.
Borgaonkar pitched the first, which would require some coordination with network operators, as a first warning to users that their phone had landed on an IMSI catcher that could not support their carrier's encryption. He compared that to the widespread agreement that browsers should identify a site's support for encryption in transit and warn of its absence: "Same argument, right?"
The second, meanwhile, would surface an option that today lurks in some developer settings for technically advanced users to force a phone to prefer standalone 5G to non-standalone 5G. As third-party tests of T-Mobile's 5G have shown, today's 5G users spend only a small portion of their time on the flavor of 5G that gets closest to the standard's advance billing.
Said Borgaonkar: "Users should get options, actually, to select the best secure network first."
— Rob Pegoraro, special to Light Reading. Follow him @robpegoraro.