A survey of subscription privacy on the 5G radio interface - The past, present and future
Introduction
Mobile telephony subscribers’ personal information has become an attractive target for online advertisements and other connected industries. Besides the commercial arena, the Edward Snowden revelations show that national intelligence agencies also collect telephony subscribers’ personal information on an unprecedented scale [1]. Apart from the danger that this personal information is utilized for nefarious political agendas, it may also be misused for personal advantages. Thus, privacy has turned out to be a primary consideration for end users when selecting and using a telephony service today. From a regulatory compliance perspective, the EU General Data Protection Regulation (GDPR) [2] obligations for protecting personal data of subscribers are directly applicable to mobile telephony operators. With penalties that can reach as high as EUR 20 million or 4 percent of total worldwide annual turnover, there is a huge financial risk for mobile operators in the event of potential non-compliance. Hence, protecting end-user privacy is all the more important for the latest international mobile telephony standards such as 5G.
3rd Generation Partnership Project (3GPP), the de facto international body for mobile telephony standardization, released the first documents pertaining to 5G at the end of the year 2017. The development of the 5G system was planned in two phases: 5G Phase 1 (formally called Release 15) and 5G Phase 2 (formally Release 16). As 5G Release 15 – the first full set of 5G standards – was frozen in June 2019 (see Fig. 1), this seems to be an appropriate time to undertake a comprehensive review of one of the most prominent privacy aspects of 5G based mobile telephony, i.e., subscription privacy on the wireless channel.
5G security and privacy documentation [3] often refers to previous generations for elaboration of various security and privacy requirements. The same is true in the case of subscription privacy where Release 15 refers to 3GPP TS 33.102 [4] for the requirements which are listed below:
- User Identity Privacy: The permanent identity of a user to whom a service is delivered cannot be eavesdropped on the radio access link.
- User Location Privacy: The presence or the arrival of a user in a certain area cannot be determined by eavesdropping on the radio access link.
- User Untraceability: An intruder cannot deduce whether different services are delivered to the same user by eavesdropping on the radio access link.
An important point to note here is that the phrase “cannot be eavesdropped” in the above statements should not be misinterpreted as referring only to a passive adversary ‘eavesdropping’ on the radio interface. This certainly is not the case here, and a few previously published papers [5] fell prey to this misinterpretation. 3GPP has always considered active adversaries for its security and privacy scenarios. A pertinent example of this is the 3GPP study TR 33.899 [6], which was conducted to collect, analyze and further investigate potential security threats and requirements for 5G systems and contains explicit references to active adversaries.
In this paper, we provide an overview of the state of subscription privacy on the 5G radio interface. Keeping the aforementioned privacy objectives in mind, this paper evaluates, systematizes, and contextualizes the requisite aspects of 5G subscription privacy in three chronological categories: past, present and future. The past category looks at the state of subscription privacy before the advent of 5G Release 15. In the present category, the improvements provided to user privacy by Release 15 are explored. Finally, the future category discusses the privacy aspects which could still be improved in subsequent Releases.
There are three aspects which play a pivotal role in defining the scope of the study undertaken in this paper:
- We confine the privacy study undertaken in this paper to the wireless part of the 5G system. This is primarily because this medium is open and can easily be exploited by any malicious party and, as a result, is the most vulnerable.
- In this manuscript only those aspects of subscription privacy are discussed which come under the purview of 3GPP. Modern-day smart phones have evolved into powerful devices with functionality that goes beyond just telecommunications. These multitasking devices are now being utilized for all sorts of computational purposes which may or may not affect the end-user privacy that 3GPP is trying to protect. There are numerous other sources of leakage affecting user privacy such as Wi-Fi [7], Bluetooth [8], etc. which do not fall under the purview of 3GPP. We do not consider privacy leakages via these other sources in this work.
- Lastly, as work on 3GPP Release 16 (Phase 2 of 5G) is still under active development, we do not consider the ever-evolving Release 16.
To our knowledge, this paper presents the first work on 5G subscription privacy after the completion of the first phase (Release 15) of the standard. Unlike other survey papers whose ambit of 5G security and privacy exploration has been very wide, we focus on one particular and very critical aspect, i.e., subscription privacy on the 5G wireless interface. In summary, the main contributions of this paper are as follows:
- Comprehensive Overview: This paper categorizes the privacy from the viewpoint of mobile users. To do so in a comprehensive manner, we study around 50 published papers and 20 3GPP publications to sift and sort the appropriate aspects of subscription privacy in 5G.
- Chronological Context: In this work, various aspects of subscription privacy are contextualized in a chronological order which gives an insight into the standards’ development cycle and provides the reader with an opportunity to appreciate how things evolve in the real world.
- Identification of Future Challenges: Based on our study of the evolution of subscription privacy in 5G, we highlight possible issues that are yet to be addressed and, where appropriate, the impediments faced in resolving such challenges.
The remainder of this paper is organized as follows: Section 2 provides the requisite background. Section 3 discusses the privacy vulnerabilities that existed before 5G, while improvements to subscription privacy provisioned by 5G are detailed in Section 4. In Section 5, outstanding privacy issues of 5G and future research directions are discussed. Section 6 describes the related work. Finally, Section 7 concludes the paper and provides recommendations.
Section snippets
Technical background
Before we delve further into the subscription privacy aspects of 5G, we outline the mobile telephony ecosystem and its pertinent security and privacy mechanisms
The past - Inherited challenges
The first and foremost task for 5G Release 15 was to address the privacy vulnerabilities that existed in the previous generations. Hence, before we discuss the improvements offered by Release 15, we take a look at the vulnerabilities that already existed in the early generations that affect subscription privacy on the radio channel. Table 2 provides a summary of the attacks on subscription privacy in earlier generations.
The present - Privacy improvements by 3GPP Release 15
Release 15 comes with several new security features that significantly improve subscription privacy on the radio interface [40], [41]. Table 3 provides a summary of the effect of these new features upon the vulnerabilities from previous generations.
The future - Outstanding issues, new attacks & proposed measures
The successful deployment of future 5G systems requires resolution of the outstanding subscription privacy issues. In this section, we highlight the subscription privacy vulnerabilities which were not addressed by Release 15. We also discuss recent literature which either suggests improvements or presents new attacks on 5G subscription privacy.
Related work
We believe there does not exist any prior work in the published literature with exclusive focus on 5G subscription privacy. The probable reason for this seems to be that 5G is a very nascent technology within which extensive development and upgrades were undertaken as late as June 2019. Table 4 presents a summary of the related literature which has considered security and privacy in 5G or 5G-like networks. Here, we briefly discuss the work carried out in these publications.
Rupprecht et al. [71]
Conclusion and recommendations
Along with the pursuit of a connected future, at least an equivalent – if not greater – focus is required on the security and privacy of these connections. 5G is a platform which will transform everything from education to AI to medicine. But 5G also comes with potentially enormous privacy risks. Due to increasing diversity of devices and emergence of new services, it is necessary for a successful 5G future that these privacy risks be resolved sooner rather than later. As a result of the study
CRediT authorship contribution statement
Haibat Khan: Conceptualization, Methodology, Writing - original draft, Investigation, Resources. Keith M. Martin: Validation, Writing - review & editing, Supervision.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (83)
- et al. Analysis of privacy in mobile telephony systems. Int J Inf Sec (2017)
- Greenwald G. NSA collecting phone records of millions of Verizon customers daily....
- Union E. Regulation (EU) 2016/679 (General Data Protection Regulation). https://gdpr-info.eu/ [Online; accessed...
- 3GPP. Security architecture and procedures for 5G systems (3GPP TS 33.501 Version 15.0.0 Release 15). 2018a....
- 3GPP. 3G Security; Security Architecture (3GPP TS 33.102 Version 15.0.0 Release 15). 2018b....
- et al. A formal analysis of 5G authentication
- 3GPP. Study on the security aspects of the next generation system (3GPP TR 33.899 Version 1.3.0 Release 14). 2017....
- et al. Mobile location tracking in metro areas: Malnets and others
- et al. Security weaknesses in bluetooth
- 3GPP. System architecture for the 5G system (3GPP TS 23.501 Version 15.1.0 Release 15). 2018c....
- On low-cost privacy exposure attacks in LTE mobile communication. Proc Roman Acad Ser A-Math Phys Tech Sci Inf Sci
- Practical cellphone spying. Def Con
- Easy 4G/LTE IMSI Catchers for Non-Programmers
- IMSI-catch me if you can: IMSI-catcher-catchers
- The messenger shoots back: network operator based IMSI catcher detection
- Mobile Self-defense. 31st chaos communication congress 31C3
- IMSI Catchers: hacking mobile communications. Netw Secur
- Der IMSI-catcher. Datenschutz und Datensicherheit
- On forensics: A silent SMS attack
- Practical attacks against privacy and availability in 4g/LTE mobile communication systems. 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21-24, 2016
- Location Leaks on the GSM Air Interface. 19th annual network & distributed system security symposium, ISOC-NDSS
- Wideband GSM Sniffing. 27th Chaos communication conference
- GUTI reallocation demystified: cellular location tracking with changing temporary identifier. 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2018
- LTE security, protocol exploits and location tracking experimentation with low-cost software radio. CoRR
- Privacy through pseudonymity in mobile telephony systems. 21st annual network and distributed system security symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014
- Enhancing security and privacy in 3GPP E-UTRAN radio interface. Proceedings of the IEEE 18th international symposium on personal, indoor and mobile radio communications, PIMRC 2007, 3–7 September 2007, Athens, Greece
- New Privacy Issues in Mobile Telephony: Fix and Verification
- Experimental analysis of Subscribers’ privacy exposure by LTE paging. Wirel Pers Commun
- Privacy attacks to the 4G and 5G cellular paging protocols using side channel information. 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019
- New Adventures in Spying 3G & 4G Users: Locate, Track, Monitor. Blackhat, Las Vegas, USA 2017
- Signalling Storms in 3G Mobile Networks. IEEE international conference on communications, ICC 2014, Sydney, Australia, June 10–14, 2014
- Overview of radiolocation in CDMA cellular systems. IEEE Commun Mag
- New 3GPP Security Features in 5G Phase 1. 2018 IEEE conference on standards for communications and networking, CSCN 2018, Paris, France, October 29–31, 2018
- 3GPP 5G Security. J ICT Standardizat