5G had introduced vast improvements over its predecessors, namely 2G, 3G, and 4G. The issue of IMSI catchers plagued users and threatened the security and sanctity of mobile networks globally. I briefly discussed Stingray/IMSI catchers in my previous article, a look into 5G. However, recent developments revealed a new vector of attacks, discovered by researchers from Ruhr University Bochum Germany together with NYU Abu Dhabi.
What are IMSI catchers?
In a nutshell, IMSI catchers are fake base stations. They act as a silent relay between the UE (mobile phones) and the actual base station. During masquerading, these fake base stations request the user’s permanent identity. This affects all users who are within range of the fake base stations. This attack targets everyone within its vicinity, and the attacker narrows down to his choice of the target within that list.
IMSI catchers perform their activities by forcing the communications to be over 2G since 2G protocols have several security weaknesses (also part of backward compatibility support). When the target is connected to the IMSI catcher, the IMSI catcher performs a MITM (Man in the Middle) attack, putting itself directly in between the target UE and the cellular network.
In a 2G environment, the IMSI catcher uses the IMSI stolen from the UE to complete the identity request from the cellular network and then uses the target device to complete a challenge that requires the SIM card’s secret keys.
IMSI catchers are primarily used for the following reasons.
- Spyware delivery: Some high-end IMSI catchers can deliver spyware to the target device. The spyware provides RAT (remote access trojan) capabilities such as ping the target location directly and also transfer audio/text/images) through the device.
- Data Extraction: Capture metadata such as calls made (A party, B party), call duration, date/time of call, including contents of unencrypted calls/text, and even data usage (sites visited).
- Data interception: Some IMSI catchers advertise the ability to divert calls and text messages, edit messages and spoof the user’s identity in calls and text messages.
- Location tracking: IMSI catchers can force a target UE to respond to a precise location using GPS, or using the signal strength of towers, allowing the use of triangulation to accurately pinpoint user location.
What about SUCI?
In 5G networks, the UE stores the permanent identifier and key un the USIM (Universal Subscriber Identity Module). These are the credentials used to by the UE to establish mutual authentication with the 5G network. Through this process, 3 identifiers become important. Firstly the permanent identifier SUPI (4G: IMSI), the hidden/concealed identifier SUCI and the temporary identifier (5G:GUTI).
The diagram above shows the basic message exchange for the user registration and authentication. The initial stages require SUCI to be transmitted. However, if the temporary identity cannot be established then the permanent identity is requested. Somewhat like websites using cookies to keep you logged in instead of getting you to authenticate all the time. This process should happen bothways, users authenticating the network; and the network authenticating the user. AKA messages are UNPROTECTED; encryption happens only AFTER session key is agreed upon.
SUCI vs SUPI
In 5g networks, permanent identifiers are avoided from being sent using the operator’s public key which is stored in the USIM. The permanent SUPI is encrypted with this public key before transmission (aka SUCI). As the key is encrypted with the operator’s public key, only the operator is able to read the SUPI to reveal the subscriber’s identity. SUCI is regenerated before every usage to prevent linkage of SUCI (aka perfect forward secrecy), preventing the attacker from identifying if the SUCI refers to the same user (even if the user connects multiple times).
Since the SUCI varies, it gives the notion that different users are connecting to the network. SUPI concealment is an OPTIONAL feature, which needs to be configured by the operator.
SUCI Catcher attack
Using the AKA linkability, the attack focuses on the UE giving up its own identity. In order for this to work, the attacker must learn any of the SUCI used by the target UE previously. This is done by (1) sniffing the traffic for SUCI messages, with the full knowledge of the location of the UE or (2) using the IMSI, the attacker can perform the encryption (either EC25519 or secp256r1), with the assumption that the operator’s public key is known. Using either a downgrade/SS7/mobile app based attach the IMSI can be discovered.
Completing the discovery phase, the attacker now has SUCI of the target UE. When an unknown UE connects to the catcher, attacker tries to find out if this unknown UE is identical to the subscriber
Using the obtained SUCI, the attacker makes a Registration Request (since the request requires no authentication to execute). This request will only be responded with the Authentication Request which is responded by the UE associated.
However, there may be 2 outcomes with the Authentication Request. First, whereby the unknown UE is actually the searched-for-UE authenticated successfully and responds with Authentication Response or Authentication Failure, with the reason Sync Failure (sequence number SQN needs to be synchronized). Secondly, if the searched-for-UE isn’t the one, UE sends Authentication Failure with the reason MAC Failure to the SUCI catcher. In order to handle the Sync failure, the attack prepends a reset stage which performs the successful AKA between the UE and then network BEFORE the actual probe. This also handles the resynchronization of the sync number to handle Sync Failure errors.
While the method highlights attack for one UE, it scales well when multiple UE are also searched for.
SUCI Catcher Countermeasures
There are mechanics which needs to be successful in order for the attack to be successful.
The SUCI catcher exploits pre-authentication traffic between the UE and the network .3GPP TR 33.809 discussed message to secure broadcast information. If the pre-authentication traffic is protected, SUCI-catchers will fail to work. This has yet to be standardized by 3GPP and at the moment has no mitigation for the current %G standards.
Linkability is also a factor promoting this attack. Mitigation of linkability of the authentication responses is optional. The 3GPP study TR33.846 proposes to hide the failure reason in the authentication reject. This is not a critical dependency to the attack as failure messages only help, but not deter the attack. Observation of the traffic between the UE and the network will confirm if a link is established.
A network-based detection and prevention (NDP) capability would be a supplementary control. The attack uses the network as an oracle to generate fresh authentication vector. The NDP could throttle the attack’s scalability effectively and requires little efforts for adoption. Operators can keep track of already used SUCI and use this to detect large scale SUCI Catchers. This detection will not work if the attacker generated SUCI from a known IMSI. A custom SUCI scheme can be deployed to detect attacker-originating requests, by guaranteeing freshness and the SUCI’s authenticity (i.e. using a counter and UE’s public/private keypair.
Some controls can be performed at the UE level. The UE can detect a SUCI-Catcher attack by detecting anomalous protocol behaviour. For example, multiple repeated authentication is a dead giveaway. The UE or the USIM can limit or delay responses, which degrades the attach scalability. If the number of responses is limited to small numbers, the attacker will have few attempts to correctly guess authentication token. Apps such as SnoopSnith that access to the baseband can be integrated with such functionality.
5G aims to eliminate the errors from the past generation networks. New functionality brings new vector of attacks, and surely this is the beginning of more and newer attacks. With researchers scrutinising these new stacks, standards need to catch up faster so that issues can be mitigated soonest possible.
- 5G SUCI Catchers: Still catching them all? https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2021/06/02/5G-SUCI-Catcher-WiSec21.pdf