Did 5G Kill the IMSI Catcher?

2 months ago 4

/nl_img1

You dial into your Zoom meeting while sitting on a moving train. Your mobile device (i.e., User Equipment, UE) must seamlessly switch towers as you go in and out of range. This concept, called mobility, remains a central requirement for mobile networks, but it’s also a central security vulnerability.

You see, you may have just been hacked while leisurely zooming on said train – and you’d never know it.

The GSM (better known as 2G) protocol has a security vulnerability that exposes a user’s personal identifier (IMSI) in the clear, allowing for attribution and geolocation. This vulnerability is also in the UMTS (a.k.a. 3G) spec, and in the LTE (4G) spec. While the vulnerability was finally addressed in NR (5G), it’s imperfect and remains an exploitable 5G network vulnerability… and my favorite cybersecurity topic.

In this article, I’ll introduce this long-standing security exploit, known as an IMSI catcher, discuss some high-level technical aspects regarding 2G–4G IMSI catchers, then finish with 5G security improvements and the possibility of 5G IMSI catchers.

What is an IMSI?

Every account on a cellular network has a unique identifier to connect a SIM card to a credit card, and that identifier is called the International Mobile Subscriber Identity (IMSI, pronounced “IM-zee”). This number contains 3 pieces of information: the Mobile Country Code (MCC) of the issuing network operator, the Mobile Network Code (MNC) of the issuing network operator, and a unique number that only exists for that SIM card. The IMSI is ultimately used to make sure you paid your bill and that you’re allowed to register onto a network.

What is an IMSI catcher?

An IMSI catcher is a tool that collects cellular signals and decodes packets to access and save off the IMSI. There are two types of IMSI catchers: active and passive.

Diagram showing a person with a cell phone that's interacting with an IMSI catcher because it has a stronger signal than a nearby 5G cell tower. So, the IMSI catcher is directly catching the phone's IMSI. This illustrates Active IMSI Catching.

Active IMSI Catcher

Also known as a cell station simulator or rogue base station, an active IMSI catcher is the more effective of the two. The downside is that it requires RF transmission, which violates FCC laws (and international equivalents) and is detectable.

Diagram showing a person with a cell phone that's interacting with a 5G tower, and the IMSI catcher is listening in, and thus catching the phone's IMSI. This illustrates Passive IMSI Catching.

Passive IMSI Catcher

This type requires a lot more planning and may not yield as many IMSIs. However, it’s undetectable (from an RF perspective) and reflects a true account of the network without interference.

To use an analogy, active IMSI catchers are like standing outside of the grocery store with an official-looking outfit and asking for people’s licenses to write down the number; it may work until someone with a badge shows up.

On the other hand, passive IMSI catchers are like sitting behind the one-way glass by the checkout counter and taking a photo of everyone’s licenses when they open their wallets – difficult to detect and not illegal because it’s in plain sight (probably… I’m not a lawyer and this isn’t legal advice).

How does an IMSI catcher work?

(NB: The remainder of this article refers exclusively to passive IMSI catchers.)

A UE (User Equipment, like your smartphone) is constantly performing selection, reselection, and registration procedures to maintain mobility and access to the cellular network. These processes are extremely complicated at the technical level, yet conceptually they’re very simple.

After selecting a cell tower, based on measurements and control information, the UE sends a request to attach to a cell tower.
If the UE is allowed to attach, the cell tower and UE go back and forth a few times to negotiate some parameters, finalizing with the UE sending its IMSI.
The cell tower starts a new back-and-forth with the network to establish whether or not the IMSI is valid, active, and paid.
If the UE is allowed on the network, the cell tower initiates the authentication process, and everything from here on out is encrypted.

This would be the end of the story, were it not for mobility. Again, mobility is a feature, as well as a network vulnerability. Every time the UE switches to another tower, it must repeat the registration process. (Ok, not EVERY time, but every time that the UE is in IDLE mode, which is most of the time. Handover is a whole other discussion.)

To minimize the number of times a UE registers using an unencrypted IMSI, the network issues a Temporary Mobile Subscriber Identity (TMSI, pronounced “TIM-zee”). The TMSI is issued over an encrypted connection and associated with the IMSI on the network side. For the sake of this article, we’ll consider the TMSI to be an unexploitable solution (…it’s not).

There are 3 ways to catch an IMSI:

LOCATION, LOCATION, LOCATION!

As mentioned earlier, the technical aspects of developing a passive IMSI catcher are complicated. (If you’re interested in this topic, send an email to [email protected].) The simplified explanation is this: sometimes phones send IMSIs in cleartext, and if you’re collecting at the right place and right time, you’ll catch them. Conversely, even if you have the perfect IMSI catcher, but you’re in the wrong location, you’ll never catch an IMSI.

So, where do you catch an IMSI?

In the 2G and 3G protocols, IMSIs are sent in the clear under 3 conditions:

Initial attach
Crossing a Location Area Code (LAC) boundary (NB: Depending on the system configuration, TMSIs can be shared between LACs)
Location Update Request (LUR)

In addition, these protocols utilize spectrum around the downlink center frequency for Radio Resource Control (RRC), meaning a radio only needs to tune to a single frequency to get the downlink and uplink for these particular messages – which is very convenient. However, my favorite thing about the ever-dwindling 2G/3G towers is that the initial attach procedure includes inter-RAT (Radio Access Technology) reselection. This means you can grab an IMSI in any LTE dead zone where a UE falls back to 2G or 3G.

4G is much less convenient: the uplink and downlink channels are necessary, and they must be partially synchronized. This is ultimately a technical issue that can be overcome with computing power. Furthermore, the initial attach is really the only viable option for reliably grabbing IMSIs, yet it’s extremely unreliable. 4G IMSIs can be found on PLMN borders (e.g., country borders, airports, roaming boundaries) and older RAT borders (e.g., reselection boundaries from 2G or 3G towers). If 4G/LTE piques your curiosity, you may want to explore the IMSI extractor.

5G has finally addressed the cleartext IMSI network vulnerability. The IMSI is now called the Subscription Permanent Identifier (SUPI, pronounced “SOUP-ee”), and the unique identifier portion is encrypted using public key cryptography to create the Subscription Concealed Identifier (SUCI, pronounced “SU-shi”).

Together, the 5G SUPI and SUCI sufficiently solve the 5G network vulnerability: the SUCI is transmitted in the clear (instead of the 5G SUPI), yet the SUCI isn’t useful for identification or geolocation.

So that’s it? IMSI catchers are dead?

From a purely academic stance, perhaps IMSI catchers have become impractical on fully patched, full-featured, network-wide 5G deployments. But such perfection remains extremely unlikely, and I expect to see several opportunities:

5G is a multi-stage rollout, and any 5G Non-Standalone (NSA) deployments have all of the same vulnerabilities as 4G!
Downgrading from 5G to 4G supports handover (i.e., the TMSI is passed between RATs), but I’ve seen so many misconfigured towers over the years that I’d assume a downgrade to be vulnerable.
Mobile carriers may also not use the SUCI at all. I’m not sure how prevalent this vulnerability is in the wild, but I believe it’s non-zero.

How to block an IMSI catcher

There’s no way to block an IMSI catcher. The only simple thing you can do, that can have an effect, is to set your network priority to 5G-SA – but most phones don’t support this feature.

If you’re really paranoid, stay in airplane mode until you’re in a very dense coverage area. While this is far from a guarantee, IMSI catchers are more likely to be sitting in areas with compromised signal quality.

Finally, you can keep your phone in a Faraday bag, which can provide up to 100 dB of signal attenuation.

There’s always something

Cellular mobility will always have intrinsic vulnerabilities. The 3GPP 5G-NR spec has been a huge improvement against attribution attacks, which is definitely good for users. As for CNE developers, it has shifted the problem from technical to geographical. Active IMSI catchers and active jamming remain viable options, but they come with the same risks as always. On the bright side, there’s still work to be done – and it’s very fun work!

If you’re interested in this space, feel free to reach out – or explore our OSS in the cellular space: Bungeegum, our free Android testing tool for simulating real-world conditions, and Lariat, another open-source testing tool for wrangling the wide range of Android devices – both developed in-house at Zetier.

Illustrations by Rebecca DeField.