The advent of 5G, the fifth generation of mobile network technology, has ushered in a new era of connectivity, promising faster speeds, lower latency, and increased capacity. However, alongside these advancements, concerns have arisen regarding the privacy of 5G users. In particular, the use of the Subscription Concealed Identifier (SUCI) has been touted as a mechanism to protect user anonymity, but several vulnerabilities have been identified that raise doubts about its effectiveness.
SUCI: A Controversial Concept
The SUCI is designed to obfuscate the unique identifier of a user’s SIM card, the Subscription Permanent Identifier (SUPI), which could potentially be used to track and identify users. This concealment is achieved through two methods, Profiles A and B. Profile A utilizes a combination of masking and encryption techniques (at least, this is roughly what the researchers found after analyzing the structure of the masked SUCI and exploiting weaknesses in the algorithm), while Profile B relies solely on encryption.
Unveiling the Vulnerabilities of Profile A
In a recent study, researchers demonstrated that the masking technique employed in Profile A is susceptible to deconcealment attacks. By exploiting weaknesses in the masking algorithm, adversaries can successfully retrieve the SUPI from the masked SUCI. This revelation casts doubt on the effectiveness of Profile A in protecting user privacy.
Side-Channel Attacks: A Threat to Profile B
While Profile B offers stronger encryption, it is not without its own vulnerabilities. Side-channel attacks, which exploit physical characteristics of the device or network to extract information, have been shown to be effective against Profile B encryption keys. These attacks, though more sophisticated, pose a significant threat to user anonymity.
Commonality of Profiles A and B: A Shared Weakness
Both Profiles A and B share a crucial weakness: they are common across all subscribers of a mobile network operator. This means that if an adversary can derive the common Profile A or B key for one user, they can use that key to deconceal any SUCI within that operator’s network.
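An added example (not from the original article or any cited work) showing the consequence of a network-wide key from the operator's side. It assumes the hyphen-separated SUCI string form `suci-<type>-<mcc>-<mnc>-<routing>-<scheme>-<key id>-<output>` for IMSI-type identifiers and the scheme identifiers of TS 33.501 (0 null-scheme, 1 Profile A, 2 Profile B); it tallies how many SUCIs in a log depend on each home network key and, going beyond the text, flags any sent with the null-scheme, which leaves the identifier unconcealed. Function names and sample values are constructed for illustration.

```python
from collections import Counter
from typing import NamedTuple

# Protection scheme identifiers from 3GPP TS 33.501 Annex C.
SCHEMES = {0: "null-scheme", 1: "Profile A", 2: "Profile B"}


class Suci(NamedTuple):
    supi_type: int
    mcc: str
    mnc: str
    routing_indicator: str
    scheme_id: int
    hn_key_id: int      # home network public key identifier
    scheme_output: str  # concealed MSIN (cleartext MSIN for the null-scheme)


def parse_suci(text: str) -> Suci:
    """Parse suci-0-<mcc>-<mnc>-<routing>-<scheme>-<key id>-<output> (IMSI type only)."""
    parts = text.strip().split("-", 7)
    if len(parts) != 8 or parts[:2] != ["suci", "0"]:
        raise ValueError(f"not an IMSI-type SUCI string: {text!r}")
    _, supi_type, mcc, mnc, routing, scheme, key_id, output = parts
    return Suci(int(supi_type), mcc, mnc, routing, int(scheme, 16), int(key_id), output)


def audit(suci_strings):
    """Count SUCIs per (PLMN, scheme, key id) and list null-scheme SUCIs."""
    key_usage, unconcealed = Counter(), []
    for text in suci_strings:
        s = parse_suci(text)
        scheme = SCHEMES.get(s.scheme_id, f"proprietary/reserved ({s.scheme_id:#x})")
        key_usage[(s.mcc + s.mnc, scheme, s.hn_key_id)] += 1
        if s.scheme_id == 0:
            unconcealed.append(text)
    return key_usage, unconcealed


# Constructed sample values (test PLMN 001/01, made-up scheme outputs).
SAMPLE = [
    "suci-0-001-01-0000-1-1-a1b2c3d4e5f60718",
    "suci-0-001-01-0000-1-1-0f1e2d3c4b5a6978",
    "suci-0-001-01-0000-1-1-9988776655443322",
    "suci-0-001-01-0000-0-0-0000000001",
]

if __name__ == "__main__":
    usage, unconcealed = audit(SAMPLE)
    for (plmn, scheme, key_id), count in usage.most_common():
        print(f"PLMN {plmn} {scheme} key id {key_id}: {count} SUCI(s)")
    print("sent without concealment:", unconcealed)
```

A single key identifier accounting for nearly every SUCI in the tally is the shared dependency the paragraph above describes, and is the input an operator needs when planning home network key rotation.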
Downgrading to Vulnerable Protocols
The backwards compatibility of 5G with previous generations of mobile networks, such as 4G LTE and UMTS, introduces another layer of vulnerability. Adversaries can easily manipulate a 5G-connected device to downgrade to a 4G or even a 2G network, where privacy protections are significantly weaker. This downgrade attack allows adversaries to exploit the vulnerabilities of the outdated protocols to compromise user anonymity.
Specific Target Attacks: Exploiting Authentication Procedures
Researchers have uncovered a technique that allows adversaries to target specific users and derive their IMSI/SUPI from the SUCI. This method involves analyzing the authentication procedure for the targeted user and extracting identifying information from the responses.
Conclusion: SUCI Anonymity: Myth or Reality?
The vulnerabilities of SUCI concealment raise serious concerns about the true level of privacy protection offered by 5G networks. The ease with which adversaries can deconceal SUPIs using Profile A and the susceptibility of Profile B to side-channel attacks indicate that SUCI anonymity is not as robust as initially believed. Additionally, the downgrade attack and specific target attacks further undermine the effectiveness of SUCI as a privacy safeguard.
5G networks offer undeniable benefits in terms of speed and capacity, but these advancements must not come at the expense of user privacy. It is crucial for mobile network operators to take immediate steps to address the vulnerabilities of SUCI concealment and implement stronger privacy measures to protect the anonymity of their subscribers.
Explore Deeper: Recommended Sources for the Curious
- 3GPP TS 33.501, “Security architecture and procedures for 5G System”
- Merlin Chlosta et al., “5G SUCI-Catchers: Still catching them all?”
- Jinghao Zhao et al., “SecureSIM: Rethinking Authentication and Access Control for SIM/eSIM”, ACM MobiCom 2021
- John A. Hearle, “Side-channel Analysis of Subscriber Identity Modules”, Thesis, AFIT