Demystifying Privacy in 5G Standalone Networks: New Research Publication
This research, authored by Stavros Eleftherakis, Timothy Otim, Giuseppe Santaromita, Almudena Diaz Zayas, Domenico Giustiniano, and Nicolas Kourtellis, is part of the ELASTIC Project and was presented at the 30th Annual International Conference on Mobile Computing and Networking (ACM MobiCom 2024).
Exploring Privacy in 5G Standalone Networks: Key Findings from Recent Research
As 5G deployments accelerate globally, ensuring robust privacy protections remains critical. A recent study presented at ACM MobiCom 2024 highlights significant advancements and ongoing challenges in privacy within 5G Standalone (SA) networks compared to Non-Standalone (NSA) deployments.
Why Privacy Matters in 5G Networks
The adoption of 5G technology brings increased connectivity through smartphones, IoT devices, and other connected systems. However, legacy privacy issues from 2G, 3G, and 4G/LTE persist, making it essential to evaluate privacy features in 5G networks.
The study analyzed real 5G operator networks and an OpenAirInterface (OAI)-based testbed, focusing on eight major privacy vulnerabilities identified in previous cellular generations.
Key Findings and Mitigations
- Subscriber Identity Privacy: The study confirmed that 5G SA networks implement the Subscription Unique Concealed Identifier (SUCI), mitigating IMSI catcher attacks. This represents a significant improvement over 5G NSA networks, where such protection is absent.
- Paging Security: Both 5G SA and NSA networks now avoid using sensitive identifiers during paging, ensuring privacy during incoming call or message notifications.
- Equipment Identity Security: The Permanent Equipment Identity (PEI) is securely transmitted only after a secure channel is established, preventing device tracking through IMEI catching attacks.
- Temporary Identifier Reallocation: The correct implementation of 5G-GUTI (Globally Unique Temporary Identifier) reallocation in some 5G SA networks reduced tracking risks. However, inconsistencies remain in certain deployments.
- Mandatory Ciphering and Integrity Protection: The lack of mandatory RRC (Radio Resource Control) message ciphering leaves room for attacks like C-RNTI tracking. Stricter implementation of these security measures is necessary.
- Protection Against Bidding-Down Attacks: While the OAI testbed successfully mitigated security capability bidding-down attacks using a robust integrity verification process, commercial operator implementations exhibited vulnerabilities.
Identified Privacy Gaps and Recommendations
The study revealed two previously undocumented vulnerabilities in 5G SA networks:
- GUTI Reallocation Command Weakness: The absence of integrity protection and ciphering for the GUTI reallocation command creates risks of denial-of-service (DoS) and user tracking attacks.
- Enhanced NAS Security Mode Deficiency: Operator networks failed to implement the required Message Authentication Code (MAC) verification, exposing them to potential security downgrades.
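An added example, not taken from the paper or the ELASTIC project: a trace audit that reads the security header type of downlink 5GMM NAS messages and flags a GUTI reallocation command or Security Mode Command that arrives without protection. The header layout and constants follow 3GPP TS 24.501; it assumes the new 5G-GUTI is delivered in a Configuration Update Command, and the sample PDUs are constructed.

```python
# Added example. Constants follow 3GPP TS 24.501; sample PDUs are constructed.
EPD_5GMM = 0x7E                 # extended protocol discriminator, 5GS mobility management
CONFIG_UPDATE_COMMAND = 0x54    # assumption: carries the newly assigned 5G-GUTI
SECURITY_MODE_COMMAND = 0x5D
SHT = {0: "plain", 1: "integrity", 2: "integrity+ciphered",
       3: "integrity (new ctx)", 4: "integrity+ciphered (new ctx)"}


def classify(pdu: bytes):
    """Return (protection, message_type or None) for one 5GMM NAS PDU."""
    if len(pdu) < 3 or pdu[0] != EPD_5GMM:
        raise ValueError("not a 5GMM NAS PDU")
    sht = pdu[1] & 0x0F
    if sht not in SHT:
        raise ValueError(f"unknown security header type {sht}")
    if sht == 0:
        return SHT[0], pdu[2]
    # Protected PDU: EPD, header type, 4-byte MAC, 1-byte sequence number, payload.
    if len(pdu) < 10:
        raise ValueError("truncated security-protected PDU")
    if sht in (1, 3):           # payload is not ciphered, inner header is readable
        if pdu[7] != EPD_5GMM:
            raise ValueError("inner message is not 5GMM")
        return SHT[sht], pdu[9]
    return SHT[sht], None       # ciphered payload, message type not visible


def audit(pdus):
    """Return (index, finding) for downlink messages that lack protection."""
    findings = []
    for i, pdu in enumerate(pdus):
        protection, msg_type = classify(pdu)
        if msg_type == CONFIG_UPDATE_COMMAND and protection == "plain":
            findings.append((i, "GUTI reallocation: no integrity, no ciphering"))
        elif msg_type == CONFIG_UPDATE_COMMAND:
            findings.append((i, "GUTI reallocation: integrity only, not ciphered"))
        elif msg_type == SECURITY_MODE_COMMAND and protection == "plain":
            findings.append((i, "Security Mode Command: no MAC present"))
    return findings


SAMPLE_TRACE = [                # constructed PDUs, MAC values are arbitrary
    bytes.fromhex("7e0054"),
    bytes.fromhex("7e01aabbccdd057e0054"),
    bytes.fromhex("7e0211223344069f3c21"),
    bytes.fromhex("7e03deadbeef007e005d"),
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLE_TRACE):
        print(index, finding)
```

The header check shows only whether a MAC is present on the wire; whether the receiving side actually verifies it, the second gap listed above, cannot be read from a passive trace.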
Looking Ahead
The findings underscore the need for stricter implementation of 3GPP privacy standards and improved configuration practices among operators. Furthermore, the open-source OAI platform demonstrated promising compliance and can serve as a valuable tool for future privacy research.
The road to fully secure 5G networks is ongoing. Collaborative efforts between operators, standards bodies, and the research community will be crucial in ensuring that privacy keeps pace with technological advancements.
Access and Further Information
The full publication and supporting materials are available on Zenodo.