A subscriber’s Privacy on the 5G Radio Interface

V. Belsky, A. Drynkin, S. Davydov

Abstract


Subscriber privacy in mobile phone systems is currently of great interest due to the expected growth of new communication services (virtual reality, Machine-Type Communications – MTC, Vehicle-to-Everything – V2X, Internet of Things – IoT, etc.) provided by 5G networks. The survey addresses security issues in 5G systems. Release 15 is selected as the main release of the 5G specifications, with some information added from Release 16 up to Stage 3. Only the wireless component of 5G networks (the area between the base station and the mobile equipment) is considered in our survey. Although 5G networks offer additional security mechanisms, the survey demonstrates that many significant problems remain in this area. The paper contains an analysis of security issues in previous mobile phone generations and a survey of countermeasures that improve security in the 5G standard. In addition, we discuss some new types of attacks on the 5G Release 15 specifications and suggest some methods to avoid some significant security and privacy issues in 5G networks.

Full Text:

PDF (Russian)




ISSN: 2307-8162