
5G SIM, Security and privacy for IMSIs


There’s a fundamental security flaw in the 4G SIM – and attackers can pay as little as $7 to exploit it. The 5G SIM is different. Hackers can’t get in. Here’s why.

For most of its history the mobile telecoms business has had a relatively good record on security. Theft of a person's mobile identity (phone number) does happen. But it is rare – especially when compared to historic theft of email.

This is mostly thanks to the mobile SIM. There are two key reasons why the SIM is so secure. Firstly, a SIM is physical. This makes it hard to steal en masse. Moreover, a SIM encrypts and stores sensitive critical data inside a tamper-resistant Secure Element. It's a bit like a bank vault, and it's almost impregnable. 

But the traditional mobile SIM does have one glaring flaw. When it communicates its identity to the network it does so in plain text. Obviously, this is a problem if an attacker is able to intercept this communication.

In reality, such attacks are rare. But they do happen. And this is a concern.

Now, of course, we are entering the 5G era. The capacity of new 5G networks will vastly expand the number of connected devices. GSMA predicts the number will hit almost 25 billion by 2025.

And most of these new connections will be 'things' – from fitness devices to remote sensors to trucks. 

Clearly, the existence of billions of new devices offers attackers billions more opportunities for illegal access. 5G security is essential.

So the mobile industry has acted to close the 'plain text' loophole. When establishing the standards for 5G security, it mandated a new way for the SIM to communicate with the network using encryption and private keys.

Understanding IMSIs 

The following Q&A outlines the problem and the solution.

Every device on the mobile network needs a unique identity – something that proves to the carrier that it is authentic and can be trusted. On 2G, 3G and 4G networks, this is the International Mobile Subscriber Identity. The IMSI comprises country code, wireless provider code, and phone number. It exists on a chip inside the SIM card.

  • What are the threats?

IMSIs on the 2G, 3G and 4G networks are not encrypted. Instead, they are transmitted in plain text over the air. So although calls and texts are encrypted in 4G, the user's metadata – identity and location – is not. This leaves the owner of the IMSI open to a number of threats.

  • How are criminals using IMSI Catchers?

Obviously, attackers can intercept the plain text IMSI. They usually do this via 'man-in-the-middle' attacks using something called an IMSI Catcher (also known as a Stingray). Once they have possession of the IMSI, they can harvest user data, track location and even perform a denial of service.

  • How does an IMSI Catcher work?

An IMSI catcher exploits a loophole in the GSM protocol. To get the best network coverage, mobile devices constantly look for the cell tower with the strongest signal.

An IMSI catcher impersonates a tower. Once a phone connects to it, it requests the IMSI, and then the catcher handles the traffic between the real cell site and the phone. This gives the attacker access to the device's data.

It's important to note that there are legitimate use cases for IMSI catchers. Governments and other law enforcement agencies can (with legal approval) use them to monitor criminals, for example.


  • How easy is it to set up an IMSI catcher?

It's alarmingly easy. Attackers just need a laptop, a few lines of code and some cheap hardware, which can be easily bought online. Some reports say this can be done for only $7.

  • What are the consequences for MNOs?

When faced with an IMSI catcher attack, MNOs can be forced to change their network authentication algorithms or replace subscribers' SIM cards. This can be costly and damage their brand reputation.


5G SIM: Protecting from an IMSI catcher

When the mobile standards body 3GPP defined the 5G security architecture, it resolved to fix the encryption problem of 4G. How? By ensuring the full anonymisation of the subscriber identity from mobile equipment to core network.   

To do this, it created a new kind of identifier, the SUPI (Subscription Permanent Identifier). Devices don't send the SUPI over the air. Instead, they send an encrypted form of it called the SUCI (Subscription Concealed Identifier).

Obviously, even if an attacker intercepts the SUCI, the information is useless and cannot be used to harvest data.
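To show what "concealed" means in practice, here is an added Go illustration (not code from this article, from Thales or from any SIM vendor) modelled on the ECIES scheme 3GPP specifies for SUCI (TS 33.501 Profile A: X25519, ANSI X9.63 KDF with SHA-256, AES-128-CTR, HMAC-SHA-256 with an 8-byte tag). The function names Conceal/Deconceal, the SUCI struct layout and the sample MSIN are assumptions made for the example; the SIM holds only the home network's public key, so an interceptor sees a fresh, undecryptable SUCI on every attach.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// SUCI replaces the plain-text IMSI over the air (assumed layout): one-time X25519
// public key, the subscriber part (MSIN) under AES-128-CTR, and an 8-byte HMAC tag.
type SUCI struct{ EphPub, Ciphertext, MAC []byte }

func kdf(shared, ephPub []byte) (out []byte) { // ANSI X9.63 KDF: SHA256(Z || ctr || ephPub), ctr = 1, 2
	for ctr := byte(1); ctr <= 2; ctr++ {
		h := sha256.New()
		h.Write(shared)
		h.Write([]byte{0, 0, 0, ctr}) // 32-bit big-endian counter
		h.Write(ephPub)
		out = h.Sum(out)
	}
	return // 64 bytes: 16 B AES key | 16 B CTR IV | 32 B MAC key
}

func ctrXor(key, iv, in []byte) []byte { // AES-128-CTR: the same call encrypts and decrypts
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}
func tag(key, ct []byte) []byte { m := hmac.New(sha256.New, key); m.Write(ct); return m.Sum(nil)[:8] }

// Conceal runs in the UE/SIM, which holds only the home network's public key.
func Conceal(hnPub *ecdh.PublicKey, msin []byte) (SUCI, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key pair for every attach
	if err != nil { return SUCI{}, err }
	shared, err := eph.ECDH(hnPub)
	if err != nil { return SUCI{}, err }
	ephPub := eph.PublicKey().Bytes()
	km := kdf(shared, ephPub)
	ct := ctrXor(km[:16], km[16:32], msin)
	return SUCI{EphPub: ephPub, Ciphertext: ct, MAC: tag(km[32:], ct)}, nil
}

// Deconceal runs in the home network, the only holder of the private key; ok is false on a bad MAC.
func Deconceal(hnPriv *ecdh.PrivateKey, s SUCI) ([]byte, bool) {
	ephPub, err := ecdh.X25519().NewPublicKey(s.EphPub)
	if err != nil { return nil, false }
	shared, err := hnPriv.ECDH(ephPub)
	if err != nil { return nil, false }
	km := kdf(shared, s.EphPub)
	if !hmac.Equal(tag(km[32:], s.Ciphertext), s.MAC) { return nil, false } // tampered or wrong key
	return ctrXor(km[:16], km[16:32], s.Ciphertext), true
}
```

Concealing the same MSIN twice yields two unrelated SUCIs, and only the home network's private key (never on the SIM or in the air) turns either of them back into the subscriber identity.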

  • How do the new generation of 5G SIMs bake in this encryption?

SIM specialists such as Thales and Qualcomm have built highly customisable on-board identity encryption capabilities into their 5G SIM products. These SIMs come in multiple form factors – removable, soldered, eSIM. 

They also provide advanced key rotation management systems. This gives MNOs the ability to swap out – securely and remotely – the authentication algorithms contained in the SIM. 

  • How do MNOs benefit?

Subscriber privacy is a critical consideration for MNOs.

The extra layer of encryption in the 5G SIM should eradicate IMSI catcher attacks, which cost money to fight and damage brand reputation. 

That said, the new 5G security protocols do give the MNO the flexibility to support law enforcement when needed. Since the MNO controls the security and privacy of the IMSI from the SIM to the network, it can still work with agents to monitor approved criminal targets.

Finally, the added security of the 5G SIM helps MNOs meet the many new ePrivacy regulations emerging in the EU, California, Brazil, Japan, Australia and elsewhere.
