- The paper highlights how 5G SA networks use SUCI to mitigate IMSI catching attacks, offering enhanced user privacy over NSA networks.
- It demonstrates that both 5G SA and NSA networks employ 5G-S-TMSI in paging to effectively counter IMSI paging attacks.
- It uncovers new privacy risks like unprotected GUTI reallocation and bidding-down attacks, urging strict encryption and standardization reforms.
Demystifying Privacy in 5G Stand Alone Networks
In Demystifying Privacy in 5G Stand Alone Networks, Eleftherakis et al. examine the privacy consequences of the transition from 5G Non-Stand Alone (NSA) networks, which still rely on the LTE core, to 5G Stand Alone (SA) networks with a 5G core. The paper presents a qualitative and experimental comparison of 5G NSA and SA networks and assesses how far the 5G privacy enhancements actually defeat the most relevant pre-5G attacks. It also evaluates the privacy features of OpenAirInterface (OAI), an open-source 5G software stack, against real-world operator deployments, and in doing so identifies new vulnerabilities.
Core Study and Key Findings
- IMSI Catching: 5G SA networks support the Subscription Concealed Identifier (SUCI), the encrypted form of the permanent identifier (SUPI), which defeats IMSI catching; in 5G NSA, where the core is still the EPC, the attack remains a concern. In the paper's Identity Request tests, the UE answered with a SUCI only on the 5G SA networks and on OAI (the paper's Figures fig:5G_SA_SUCI and fig:5G_OAI_SUCI).
- IMSI Paging: Both the NSA and the SA networks page the UE with a temporary identifier (5G-S-TMSI) rather than the IMSI/SUPI, so the IMSI paging attack, in which an attacker triggers paging and watches for the permanent identifier on the air, no longer works.
- IMEI Catching: In both 5G SA and NSA, the Permanent Equipment Identifier (PEI, i.e. the IMEI) is only transmitted over the protected NAS channel, so its confidentiality and integrity are preserved in transit. This closes the pre-5G exploit in which an Identity Request elicited the IMEI in plaintext.
- TMSI Deanonymization: Adherence to the 3GPP GUTI reallocation policy varies between networks. Two of the three 5G SA networks reallocate the 5G-GUTI as 3GPP specifies, whereas the NSA network and OAI renew it inadequately and therefore remain exposed to TMSI deanonymization, i.e. linking a temporary identity to a subscriber over time.
- RRC and NAS Ciphering: All the tested networks used null ciphering (NEA0) for both RRC and NAS messages, which leaves the C-RNTI and UE measurement reports readable on the air and enables UE tracking. The paper stresses that ciphering on both layers is necessary for comprehensive privacy protection.
- Security Capabilities Integrity: Every network replayed the UE's security capabilities in the NAS Security Mode Command (SMC), as the standard requires so that the UE can detect a downgrade. The operator networks, however, sent the SMC without a Message Authentication Code (MAC), so the replayed capabilities cannot be trusted and the networks are open to advanced bidding-down attacks. OAI's SMC carried a MAC, so the integrity check holds there.
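To make the paging and reallocation findings above concrete, here is an added Python example (not code from the paper or from OAI) that decodes a 5G-GUTI from a 5GS mobile identity IE, derives the 5G-S-TMSI that paging carries instead of the SUPI, and checks a trace of registration events against the 3GPP reallocation rule. The IE layout follows 3GPP TS 24.501 clause 9.11.3.4 and the reallocation rule TS 33.501 clause 6.12.3; the sample IE bytes and the event trace are constructed for illustration, and the procedure names in the trace are this example's own.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Guti5G:
    """5G-GUTI = GUAMI (MCC, MNC, AMF Region ID, AMF Set ID, AMF Pointer) + 5G-TMSI."""
    mcc: str
    mnc: str
    amf_region_id: int  # 8 bits
    amf_set_id: int     # 10 bits
    amf_pointer: int    # 6 bits
    tmsi_5g: int        # 32 bits

    def s_tmsi(self) -> int:
        """48-bit 5G-S-TMSI carried in paging: AMF Set ID | AMF Pointer | 5G-TMSI.
        It identifies the UE without exposing the SUPI, which is why IMSI paging
        attacks fail against 5G paging."""
        return (self.amf_set_id << 38) | (self.amf_pointer << 32) | self.tmsi_5g


def _decode_plmn(b: bytes) -> Tuple[str, str]:
    """BCD PLMN: MCC2 MCC1 | MNC3 MCC3 | MNC2 MNC1; MNC3 == 0xF means a 2-digit MNC."""
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}"
    if (b[1] >> 4) != 0xF:
        mnc += str(b[1] >> 4)
    return mcc, mnc


def parse_5g_guti(ie: bytes) -> Guti5G:
    """Decode the value part of a 5GS mobile identity IE carrying a 5G-GUTI:
    type octet, 3 PLMN octets, AMF Region ID, 2 octets AMF Set ID/Pointer, 4 octets 5G-TMSI."""
    if len(ie) != 11 or (ie[0] & 0x07) != 0x02:
        raise ValueError("not a 5G-GUTI mobile identity")
    mcc, mnc = _decode_plmn(ie[1:4])
    set_and_ptr = int.from_bytes(ie[5:7], "big")
    return Guti5G(mcc, mnc, ie[4], set_and_ptr >> 6, set_and_ptr & 0x3F,
                  int.from_bytes(ie[7:11], "big"))


# Procedures after which TS 33.501 requires the AMF to hand the UE a fresh 5G-GUTI:
# any Registration procedure and a Service Request triggered by paging.
REALLOCATE_AFTER = {"registration", "service_request_after_paging"}


def guti_reallocation_violations(trace: List[Tuple[str, Guti5G]]) -> List[int]:
    """trace[i] = (procedure, 5G-GUTI the UE holds once that procedure completed).
    Returns the indices of procedures after which the network should have reallocated
    the 5G-GUTI but the UE kept the old one: the windows in which a passive observer
    can link the old and the new sessions (TMSI deanonymization)."""
    bad = []
    for i in range(1, len(trace)):
        proc, guti = trace[i]
        if proc in REALLOCATE_AFTER and guti == trace[i - 1][1]:
            bad.append(i)
    return bad


# Constructed IE: 5G-GUTI, PLMN 001/01, AMF Region 1, AMF Set 1, Pointer 0, 5G-TMSI 0x12345678.
SAMPLE_GUTI_IE = bytes.fromhex("f2 00f110 01 0040 12345678")
SAMPLE_GUTI = parse_5g_guti(SAMPLE_GUTI_IE)

# Constructed trace modelled on an inadequate renewal scheme: the same GUTI survives a
# paging-triggered Service Request and a further Registration before it is finally renewed.
SAMPLE_TRACE = [
    ("registration", SAMPLE_GUTI),
    ("service_request_uplink", SAMPLE_GUTI),        # no reallocation required here
    ("service_request_after_paging", SAMPLE_GUTI),  # should have been renewed
    ("registration", SAMPLE_GUTI),                  # should have been renewed
    ("registration", replace(SAMPLE_GUTI, tmsi_5g=0x9ABCDEF0)),
]

if __name__ == "__main__":
    print(SAMPLE_GUTI, "5G-S-TMSI =", hex(SAMPLE_GUTI.s_tmsi()))
    print("reallocation violations at trace indices:",
          guti_reallocation_violations(SAMPLE_TRACE))
```

Run against a real capture, the trace would be built from the 5G-GUTI in each Registration Accept or Configuration Update Command; a non-empty violation list is exactly the inadequate renewal behaviour the paper attributes to the NSA network and to OAI.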
New 5G Vulnerabilities
The paper surfaces two new privacy vulnerabilities in 5G SA core network (CN) implementations:
- 5G-GUTI Reallocation Command Attack: Two of the 5G SA networks send the Configuration Update Command, which carries the new 5G-GUTI, without integrity protection or ciphering. An attacker who intercepts or injects this unprotected command can cause denial of service or track the user, and intercepting it is realistic, which makes the attack practical.
- Security Capabilities Bidding-Down Attack: Because the operator deployments send the NAS SMC without a MAC, they are exposed to a new variant of the bidding-down attack: an attacker can make the network select weaker security algorithms, which reopens the earlier attacks that those algorithms were meant to prevent.
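The bidding-down finding (here and under Security Capabilities Integrity above) turns on one detail: the UE can only trust the capabilities echoed in the SMC if the SMC is integrity protected. The following added Python example (not the paper's or OAI's code) models the Registration Request and NAS SMC exchange between UE, AMF and an over-the-air attacker. It substitutes a truncated HMAC-SHA256 for the real 128-NIA integrity algorithms, assumes an operator algorithm preference order, and uses a constructed K_NASint; the scenario names and the `ue_requires_mac` flag are this example's own.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed stand-in for K_NASint, which UE and AMF derive from a successful
# 5G-AKA run and which an over-the-air attacker does not know.
K_NAS_INT = hashlib.sha256(b"constructed K_NASint").digest()[:16]

# UE security capabilities as sent in the (unprotected) Registration Request.
UE_CAPS = ("NEA0", "NEA1", "NEA2", "NIA1", "NIA2")

# Assumed operator preference order when selecting algorithms.
NEA_PREFERENCE = ("NEA2", "NEA1", "NEA3", "NEA0")
NIA_PREFERENCE = ("NIA2", "NIA1", "NIA3")


@dataclass
class SecurityModeCommand:
    selected_nea: str
    selected_nia: str
    replayed_ue_caps: Tuple[str, ...]  # capabilities the AMF received, echoed back to the UE
    mac: Optional[bytes] = None        # 32-bit NAS-MAC; None when the AMF omits it


def nas_mac(k_nas_int: bytes, smc: SecurityModeCommand) -> bytes:
    """Stand-in for 128-NIA1/2: HMAC-SHA256 over the SMC body, truncated to 32 bits."""
    body = json.dumps([smc.selected_nea, smc.selected_nia, list(smc.replayed_ue_caps)]).encode()
    return hmac.new(k_nas_int, body, hashlib.sha256).digest()[:4]


def amf_build_smc(received_caps, k_nas_int: bytes, protect: bool) -> SecurityModeCommand:
    """AMF picks the strongest algorithms the UE appears to support and echoes the caps."""
    nea = next(a for a in NEA_PREFERENCE if a in received_caps)
    nia = next(a for a in NIA_PREFERENCE if a in received_caps)
    smc = SecurityModeCommand(nea, nia, tuple(received_caps))
    if protect:
        smc.mac = nas_mac(k_nas_int, smc)
    return smc


def mitm_downgrade_registration(caps):
    """Rewrite the unprotected Registration Request so only null ciphering is offered."""
    return tuple(c for c in caps if not c.startswith("NEA") or c == "NEA0")


def mitm_patch_replay(smc: SecurityModeCommand, original_caps) -> SecurityModeCommand:
    """Without a MAC the attacker rewrites the echoed caps back to what the UE really sent,
    so the UE's comparison passes. With a MAC present any change would fail the UE's
    MAC check, so the attacker leaves the SMC alone."""
    if smc.mac is None:
        return replace(smc, replayed_ue_caps=tuple(original_caps))
    return smc


def ue_process_smc(smc, sent_caps, k_nas_int: bytes, require_mac: bool):
    """UE side: verify the NAS-MAC (if present), then compare the echoed caps with its own."""
    if smc.mac is None:
        if require_mac:
            return False, "SMC without NAS-MAC rejected"
    elif not hmac.compare_digest(smc.mac, nas_mac(k_nas_int, smc)):
        return False, "NAS-MAC check failed"
    if tuple(smc.replayed_ue_caps) != tuple(sent_caps):
        return False, "replayed capabilities differ from those sent: bidding-down detected"
    return True, f"accepted {smc.selected_nea}/{smc.selected_nia}"


def run_registration(protect_smc: bool, attacker_present: bool, ue_requires_mac: bool):
    """One Registration Request -> SMC exchange; returns (accepted, selected NEA, reason)."""
    on_the_wire = mitm_downgrade_registration(UE_CAPS) if attacker_present else UE_CAPS
    smc = amf_build_smc(on_the_wire, K_NAS_INT, protect_smc)
    if attacker_present:
        smc = mitm_patch_replay(smc, UE_CAPS)
    accepted, reason = ue_process_smc(smc, UE_CAPS, K_NAS_INT, ue_requires_mac)
    return accepted, smc.selected_nea, reason


if __name__ == "__main__":
    print("SMC with MAC, no attacker:            ", run_registration(True, False, True))
    print("SMC with MAC, attacker downgrades:    ", run_registration(True, True, True))
    print("SMC without MAC, lenient UE:          ", run_registration(False, True, False))
    print("SMC without MAC, UE insists on MAC:   ", run_registration(False, True, True))
```

The third scenario is the operator behaviour the paper describes: the SMC arrives without a MAC, the attacker has patched the echoed capabilities, and the UE ends up on NEA0 without noticing. The fourth shows the only UE-side defence once the network omits the MAC, namely refusing the unprotected SMC outright.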
Implications and Future Directions
The paper’s implications are significant:
- Operational Enhancements: The authors call for operational policies that mandate ciphering of RRC and NAS messages. Operators should enable integrity protection and ciphering by default so that vulnerabilities inherited from pre-5G networks do not recur in 5G.
- Standardization Rigor: 3GPP should review and, where needed, revise the current standards so that these protections are mandatory rather than optional, ensuring that all implementations apply them and closing the novel vulnerabilities outlined above.
- Open Source Utility: OAI implements the 3GPP privacy features, with the exception of the GUTI update mechanism, which makes it a viable tool for privacy and security evaluations in both academic and industrial settings.
Conclusion
Demystifying Privacy in 5G Stand Alone Networks provides a systematic comparison of the privacy features of 5G SA and NSA networks. It shows which 5G-specific privacy enhancements actually reach deployed networks and identifies new vulnerabilities in those deployments. With rigorous compliance with the standards and the operational changes above, 5G networks can deliver the user privacy and security that their wide-scale deployment requires.