
5G SIM, Security and privacy for IMSIs

Estimated reading time: 5 minutes - Last update 13 November 2023

Addressing the Critical Shift in SIM Security and Privacy in the 5G Era

The advent of 5G brings with it an imperative to understand and address the vulnerabilities inherent in previous generations.

This article delves into a vulnerability that attackers could exploit and contrasts it with the robust security framework of 5G SIMs.

By exploring the mechanics of these security issues and the innovative solutions offered by 5G technology, we provide a comprehensive overview of why 5G SIMs are not just an upgrade in connectivity but a crucial step forward in safeguarding our digital identities.

Keep reading to discover how 5G SIMs enhance connectivity and provide a much-needed shield in our digital lives, making them an indispensable component in the modern telecommunications landscape.

Decoding the IMP4GT Vulnerability: From 4G Risks to 5G Security Enhancements

There's a fundamental security flaw in the 4G SIM – and attackers can pay as little as $7 to exploit it.

The IMP4GT (IMPersonation Attacks in 4G NeTworks) flaw is a security vulnerability that affects the 4G LTE network.

It is like a flaw in a lock system that allows someone to make a duplicate key.

Normally, your phone and the network should have a unique "handshake" that verifies their identities to each other, much like a secret handshake between friends.

However, with the IMP4GT flaw, an attacker can pretend to be the network and trick your phone into accepting this fake handshake. This allows the attacker to intercept communications, potentially gaining access to any data sent from the phone, such as calls or texts.

The good news?

The 5G SIM is different. Hackers can't get in. Here's why.

For most of its history, the mobile telecoms business has had a relatively good record on security.

The theft of a person's mobile identity (phone number) does happen. But it is rare – especially when compared to historic email theft.

This is mostly thanks to the mobile SIM. There are two key reasons why the SIM is so secure.

  1. Firstly, a SIM is physical. This makes it hard to steal en masse.
  2. Moreover, a SIM encrypts and stores sensitive critical data inside a tamper-resistant Secure Element. It's a bit like a bank vault and almost impregnable.

But the traditional mobile SIM does have one glaring flaw. When it communicates its identity to the network, it does so in plain text. This is a problem if an attacker can intercept this communication.

In reality, such attacks are rare. But they do happen. And this is a concern.

Now, of course, we are entering the 5G era. The capacity of new 5G networks will vastly expand the number of connected devices. By mid-2023, global 5G subscriptions hit the 1.1 billion mark, bolstered by a surge of 125 million new subscriptions in the year's initial quarter.

It's projected that by 2028, 5G will account for 4.6 billion subscriptions, surpassing 50% of all mobile subscriptions worldwide.

And most of these new connections will be 'things' – from fitness devices to remote sensors to trucks. 

Billions of new devices offer attackers billions more opportunities for illegal access.

In other words, 5G security is essential.

So, the mobile industry has acted to close the 'plain text' loophole. The standards established for 5G security mandate a new way for the SIM to communicate with the network, using encryption and private keys.
 

Understanding IMSIs 

The following Q&A outlines the problem and the solution.

Every device on the mobile network needs a unique identity – something that proves to the carrier that it is authentic and can be trusted. This is the International Mobile Subscriber Identity (IMSI) on 2G, 3G, and 4G networks. The IMSI comprises country code, wireless provider code, and phone number. It exists on a chip inside the SIM card.

  • What are the threats?

IMSIs on the 2G, 3G, and 4G networks are not encrypted. Instead, they are transmitted in plain text over the air. So, although calls and texts are encrypted in 4G, the user's identity and location metadata are not.

This leaves the owner of the IMSI open to several threats. 

  • How are criminals using IMSI Catchers?

Attackers can intercept the plain text IMSI. They usually do this via 'man-in-the-middle' attacks using an IMSI Catcher (also known as a Stingray). Once they have possession of the IMSI, they can harvest user data, track location, and even perform a denial of service.

How does an IMSI Catcher work?

An IMSI catcher exploits a loophole in the GSM protocol. Mobile devices constantly look for the cell tower with the strongest signal to get the best network coverage.

An IMSI catcher impersonates a tower. Once a phone connects to it, it requests the IMSI, and then the catcher handles the traffic between the real cell site and the phone. This gives the attacker access to the device's data.

It's important to note that there are legitimate use cases for IMSI catchers. Governments and other law enforcement agencies can (with legal approval) use them to monitor criminals, for example.

 

  • How easy is it to set up an IMSI catcher?

It's alarmingly easy. Attackers need a laptop, a few lines of code, and some cheap hardware, which can be easily bought online. Some reports say this can be done for only $7.

  • What are the consequences for MNOs?

When faced with an IMSI catcher attack, MNOs can be forced to change their network authentication algorithms or replace subscribers' SIM cards. This can be costly and damage their brand reputation.

 

5G SIM: Protecting from an IMSI catcher

When the mobile standards body 3GPP defined the 5G security architecture, it resolved to fix the encryption problem of 4G.

How? By ensuring the full anonymization of the subscriber identity from mobile equipment to the core network.   

To do this, it created a new identifier, the SUPI (Subscription Permanent Identifier). Devices don't send the SUPI over the air. Instead, they send an encrypted form of it called a SUCI (Subscription Concealed Identifier).

Even if an attacker intercepts the SUCI, the information is useless and cannot be used to harvest data.

It's like a mask for your secret code name. This mask changes every time, so even if someone intercepts your letter, they can't figure out the secret code name behind the mask, much less your real name. They just see a bunch of scrambled information that doesn't mean anything to them, keeping your identity safe and anonymous.
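The "mask that changes every time" can be shown in code. The following is an added example, not code from this article or from any SIM vendor: it follows the shape of the ECIES Profile A concealment in 3GPP TS 33.501 (a fresh X25519 key pair per SUCI, ANSI X9.63 key derivation, an 8-byte HMAC-SHA-256 tag). Assumptions: the function names are illustrative, a SHA-256 keystream stands in for AES-128-CTR because Python's standard library has no AES, the MSIN is kept as ASCII digits rather than packed BCD, and the pure-Python X25519 is not constant-time.

```python
import hashlib, hmac, os

P = 2**255 - 19
BASE = (9).to_bytes(32, "little")   # Curve25519 base point

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Demo only: not constant-time."""
    n = (int.from_bytes(k, "little") & ~7 & ~(1 << 255)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3 = 1, 0, x1, 1
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if bit: x2, x3, z2, z3 = x3, x2, z3, z2
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
        if bit: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _stream(key: bytes, n: int, info: bytes = b"") -> bytes:
    """SHA-256 counter expansion, as in the ANSI X9.63 KDF."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big") + info).digest()
              for i in range(1, n // 32 + 2))
    return b"".join(blocks)[:n]

def _xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for AES-128-CTR (assumption, see lead-in): keystream XOR.
    return bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))

def conceal(imsi: str, hn_pub: bytes, mnc_len: int = 2) -> dict:
    """SIM/device side: build the SUCI fields sent over the air."""
    eph_priv = os.urandom(32)                    # fresh key pair per SUCI
    eph_pub = x25519(eph_priv, BASE)
    k = _stream(x25519(eph_priv, hn_pub), 64, eph_pub)  # KDF, SharedInfo = eph_pub
    ct = _xor(k[:32], imsi[3 + mnc_len:].encode())      # only the MSIN is concealed
    tag = hmac.new(k[32:], ct, hashlib.sha256).digest()[:8]
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len],
            "eph_pub": eph_pub, "ct": ct, "tag": tag}

def deconceal(suci: dict, hn_priv: bytes) -> str:
    """Home-network side: verify the tag, then recover the IMSI."""
    k = _stream(x25519(hn_priv, suci["eph_pub"]), 64, suci["eph_pub"])
    tag = hmac.new(k[32:], suci["ct"], hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, suci["tag"]):
        raise ValueError("SUCI integrity check failed")
    return suci["mcc"] + suci["mnc"] + _xor(k[:32], suci["ct"]).decode()
```

Two points to check in a deployment: the country and network codes stay readable so the SUCI can be routed to the home network, and TS 33.501 also defines a null scheme that sends the subscriber part unprotected, so the privacy gain depends on the operator provisioning a home-network public key and a non-null scheme on the SIM.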

How do the new generation of 5G SIMs bake in this encryption?

SIM specialists like Thales and Qualcomm have built highly customizable on-board identity encryption capabilities into their 5G SIM products.

These SIMs come in multiple form factors – removable, soldered, eSIM. 

They also provide advanced key rotation management systems. This allows MNOs to swap out – securely and remotely – the authentication algorithms contained in the SIM.

Regularly changing cryptographic keys (key rotation) used for encryption and decryption is an essential best practice that prevents keys from being extensively reused. 

The frequency of key rotation depends on how sensitive the data is, how many messages need to be encrypted, and whether you must coordinate the rotation with external partners.

How do MNOs benefit?

Subscriber privacy is a critical consideration for MNOs.

The extra layer of encryption in the 5G SIM should eradicate IMSI catcher attacks, which cost money to fight and damage brand reputation. 

That said, the new 5G security protocols give the MNO the flexibility to support law enforcement when needed. Since the MNO controls the security and privacy of the IMSI from the SIM to the network, it can still work with agents to monitor approved criminal targets.

Finally, the added security of the 5G SIM helps MNOs meet the many new ePrivacy regulations emerging in the EU, California, Brazil, Japan, Australia, and elsewhere.

 

Closing the Security Gap: The Transformative Impact of 5G SIMs

5G SIMs address known security gaps with enhanced encryption and new identifiers such as SUPI and SUCI, offering a level of protection previously unattainable.

As the world increasingly relies on mobile networks, the importance of these advancements cannot be overstated. They protect individual users and fortify the entire telecommunications infrastructure against evolving threats, ensuring both privacy and compliance with emerging global regulations.
