We recently released a pre-print of our paper analyzing the 5G security specifications. The idea of releasing the pre-print while the paper is under submission was to get it out there soon and start collecting feedback in parallel to the actual review. There are a couple of things we want to clarify in the published version. The editorial process for this paper is taking longer than anticipated, so I thought I could make a quick update as a sneak peek.

A few folks have pinged us with some questions and really good constructive feedback about the paper. Some questions were related to the main two concepts we will be clarifying in the final version.

  1.  The IMSI (SUPI in the context of 5G – I have been working in LTE security for many years and I am too used to saying IMSI, so I might wrongly refer to the IMSI here when I mean SUPI…) will be concealed using the public key of the home network, which does indeed imply that a SIM card only needs to store one single public key in order to conceal the SUPI into the SUCI.

    The SUPI will still be transmitted in the clear if there is no public key for the home network provisioned or in the case of an unauthenticated emergency call. It is not clear yet whether a rogue 5G base station could trick a device into issuing such an unauthenticated call. Also, similarly to the recovery from a network outage in LTE, 5G might (should?) support a similar procedure. It is not clear yet either how the operator will indicate to a UE/USIM that it needs to rotate the secret key (maybe it has been compromised, maybe it is time to rotate it… because they plan to rotate them, right???). In that scenario, implicitly, the operator will need to require the UE to authenticate in a manner that will not allow the SUPI to be concealed. To make things more complex, key management and rotation, and what to do in these cases, are left outside of the specifications.
  2. The 5G security specifications never explicitly state that a USIM will need to have a public key for every operator from every country. That is, however, an implicit requirement for the secure implementation of the protocol and to tackle the known LTE exploits (e.g. Attach Reject to DoS the device or downgrade it to GSM). Most of the protocol exploits discovered in LTE exploit one or multiple pre-authentication PHY, RRC or NAS messages before the handshake. An IMSI catcher returns an Attach Reject “I don’t know your TMSI/GUTI, send me your IMSI” message, a DoS-device replies with an AttachReject EMM Cause Code (for example) 0x03 Illegal UE and the device stops trying to connect until the timer T3245 expires (24h to 48h). A sophisticated Stingray replies with AttachReject EMM Cause Code 0x07 EPS Services Not Allowed and downgrades the UE to GSM to Man in the Middle the connection.

    Note that, in the case of IMSI/SUPI catching, 5G is *not* preventing the pre-authentication message from being exploited. In 5G, when an adversary sends an AttachReject “I don’t know your TMSI/GUTI send me your SUPI”, the UE replies with the SUPI, but this identifier is concealed. So the adversary catches the identifier, though she/he cannot decrypt it. All the other exploits that leverage pre-authentication messages, and any other one that has not been identified yet, could still potentially be possible in 5G unless pre-authentication messages can be cryptographically authenticated by the UE. If mobile users never roamed to other networks or countries, having the public key of the home network would suffice. But, factoring roaming into the equation, the only way a UE could possibly cryptographically authenticate PHY, RRC and NAS pre-authentication messages is if the UE had a public key for every single operator from every single country.

    Otherwise, if I am missing a public key from an operator from say, Spain, I just need to set up my rogue 5G base station to broadcast, for example, MCC=214 MNC=07 (for Movistar) and the UE will implicitly trust every single PHY, RRC and NAS message that comes before the NAS authentication process.

    An alternative could be to have NAS messages from roaming UEs always routed back to/from the home operator in the home country. This would likely be an overload nightmare for Diameter networks and the mobile core networks. And, actually, this is probably something that could be exploited as a DDoS attack against mobile operators by having an army of fake software-radio-based UEs initiating connections from different locations claiming to be USIMs from all over the world. There might be other potential solutions to this problem, and I know of a couple of research groups in academia doing excellent work to tackle this challenge.
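
The pre-authentication rejects described above, seen from the defender's side: this is an added example (not code from the paper or the post) that scans a UE-side NAS trace for Attach Rejects that arrived without integrity protection and carry one of the two cause codes the post names. The `NasEvent` record, the sample trace and the test PLMN 001-01 used as the normal network are constructed for illustration.

```python
# Added example: triage of unprotected Attach Rejects in a UE-side NAS trace.
# NasEvent and TRACE are constructed for illustration, not a real modem log format.
from dataclasses import dataclass
from typing import Optional

# EMM cause codes named in the post, with the effect the post attributes to each.
RISKY_CAUSES = {
    0x03: "Illegal UE: UE stops attaching until T3245 expires",
    0x07: "EPS Services Not Allowed: UE downgrades to GSM",
}

@dataclass
class NasEvent:
    t: float                     # seconds since capture start
    direction: str               # "UL" = UE to network, "DL" = network to UE
    msg: str                     # NAS message name
    cell: str                    # MCC-MNC broadcast by the serving cell
    integrity: bool = False      # True if the message carried a valid NAS MAC
    cause: Optional[int] = None  # EMM cause, only set on reject messages

def flag_preauth_rejects(events):
    """Return (time, cell, cause, effect) for each unprotected reject with a risky cause."""
    findings = []
    secured = False  # becomes True once a NAS security context exists
    for ev in events:
        if ev.direction == "UL" and ev.msg == "Attach Request":
            secured = False  # every new attach starts before authentication
        elif ev.direction == "UL" and ev.msg == "Security Mode Complete":
            secured = True
        elif ev.direction == "DL" and ev.msg == "Attach Reject":
            unprotected = not (secured and ev.integrity)
            if unprotected and ev.cause in RISKY_CAUSES:
                findings.append((ev.t, ev.cell, ev.cause, RISKY_CAUSES[ev.cause]))
    return findings

# Constructed trace: one normal attach, then three rejected attach attempts.
TRACE = [
    NasEvent(0.0, "UL", "Attach Request", "001-01"),
    NasEvent(0.2, "DL", "Authentication Request", "001-01"),
    NasEvent(0.3, "UL", "Authentication Response", "001-01"),
    NasEvent(0.4, "DL", "Security Mode Command", "001-01", integrity=True),
    NasEvent(0.5, "UL", "Security Mode Complete", "001-01", integrity=True),
    NasEvent(90.0, "UL", "Attach Request", "214-07"),
    NasEvent(90.1, "DL", "Attach Reject", "214-07", cause=0x07),
    NasEvent(95.0, "UL", "Attach Request", "214-07"),
    NasEvent(95.1, "DL", "Attach Reject", "214-07", cause=0x03),
    NasEvent(99.0, "UL", "Attach Request", "001-01"),
    NasEvent(99.1, "DL", "Attach Reject", "001-01", cause=0x0F),  # cause not discussed in the post
]
```

A legitimate network also sends these rejects before a security context exists, so a hit is a triage signal to correlate with cell identity and location, not proof of a rogue base station.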

Long story short, IMSI catching is trickier in 5G, but it is still not clear whether it is fully prevented, and the requirement for a public key from all operators and countries is not an explicit requirement in the specifications but an implicit requirement if 5G is to tackle protocol exploits leveraging pre-authentication messages.

We will update the document on arXiv soon with these clarifications. Thank you very much again to everyone who has sent us feedback on the paper. We really appreciate it!

Ps. Good game by Barcelona last night despite having Messi out! 😀

EDIT: Just to clarify further. The public key of the home network at the USIM is intended only to conceal the SUPI. We are not trying to imply that this key is intended to apply to pre-authentication PHY/RRC/NAS messages. If this public/private key scheme were to be used to protect pre-authentication messages, though, then there would be an implicit requirement of having public keys for all operators.