A survey of subscription privacy on the 5G radio interface - The past, present and future

https://doi.org/10.1016/j.jisa.2020.102537Get rights and content

Abstract

End-user privacy in mobile telephony systems is nowadays of great interest because of the envisaged hyper-connectivity and the potential of the unprecedented services (virtual reality, machine-type communication, vehicle-to-everything, IoT, etc.) being offered by the new 5G system. This paper reviews the state of subscription privacy in 5G systems. As the work on 5G Release 15 – the first full set of 5G standards – has recently been completed, this seems to be an appropriate occasion for such a review. The scope of the privacy study undertaken is limited to the wireless part of the 5G system which occurs between the service provider’s base station and the subscriber’s mobile phone. Although 5G offers better privacy guarantees than its predecessors, this work highlights that there still remain significant issues which need rectifying. We undertook an endeavor to (i) compile the privacy vulnerabilities that already existed in the previous mobile telephony generations. Thereafter, (ii) the privacy improvements offered by the recently finalized 5G standard were aggregated. Consequently, (iii) we were able to highlight privacy issues from previous generations that remain unresolved in 5G Release 15. For completeness, (iv) we also explore new privacy attacks which surfaced after the publication of the 5G standard. To address the identified privacy gaps, we also present future research directions in the form of proposed improvements.

Introduction

Mobile telephony subscribers’ personal information has become an attractive target for online advertisements and other connected industries. Besides the commercial arena, the Edward Snowden revelations show that national intelligence agencies also collect telephony subscribers’ personal information on an unprecedented scale [1]. Apart from the danger that this personal information is utilized for nefarious political agendas, it may also be misused for personal advantages. Thus, privacy has turned out to be a primary consideration for end users when selecting and using a telephony service today. From a regulatory compliance perspective, the EU General Data Protection Regulation (GDPR) [2] obligations for protecting personal data of subscribers are directly applicable to mobile telephony operators. With penalties that can reach as high as EUR 20 million or 4 percent of total worldwide annual turnover, there is a huge financial risk for mobile operators in the event of potential non-compliance. Hence, protecting end-user privacy is all the more important for the latest international mobile telephony standards such as 5G.

3rd Generation Partnership Project (3GPP), the de facto international body for mobile telephony standardization, released the first documents pertaining to 5G at the end of the year 2017. The development of the 5G system was planned in two phases: 5G Phase 1 (formally called Release 15) and 5G Phase 2 (formally Release 16). As 5G Release 15 – the first full set of 5G standards – was frozen 1 in June 2019 (see Fig. 1), this seems to be an appropriate time to undertake a comprehensive review of one of the most prominent privacy aspects of 5G based mobile telephony, i.e., subscription privacy on the wireless channel.

5G security and privacy documentation [3] often refers to previous generations for elaboration of various security and privacy requirements. The same is true in the case of subscription privacy where Release 15 refers to 3GPP TS 33.102 [4] for the requirements which are listed below:

  • User Identity Privacy: The permanent identity of a user to whom a service is delivered cannot be eavesdropped on the radio access link.

  • User Location Privacy: The presence or the arrival of a user in a certain area cannot be determined by eavesdropping on the radio access link.

  • User Untraceability: An intruder cannot deduce whether different services are delivered to the same user by eavesdropping on the radio access link.

An important point to note here is that the use of the phrase “cannot be eavesdropped” in the above statements should not be misinterpreted if it only refers to a passive adversary ‘eavesdropping’ on the radio interface. This certainly is not the case here and a few previously published papers [5] fell prey to this misnomer. 3GPP has always considered active adversaries for its security and privacy scenarios. A pertinent example of this is the 3GPP study TR 33.899 [6] which was conducted to collect, analyze and further investigate potential security threats and requirements for 5G systems and contains explicit references to active adversaries.

In this paper, we provide an overview of the state of subscription privacy on the 5G radio interface. Keeping the aforementioned privacy objectives in mind, this paper evaluates, systematizes, and contextualizes the requisite aspects of 5G subscription privacy in three chronological categories; past, present and the future. The past category looks at the state of subscription privacy before the advent of 5G Release 15. In present, the improvements provisioned to user privacy by Release 15 are explored. Finally, the future category discusses the privacy aspects which still could be improved in subsequent Releases.

There are three aspects which play a pivotal role in defining the scope of the study undertaken in this paper:

  • We confine the privacy study undertaken in this paper to the wireless part of the 5G system. This is primarily because this medium is open and can easily be exploited by any malicious party and, as a result, is the most vulnerable.

  • In this manuscript only those aspects of subscription privacy are discussed which come under the purview of 3GPP. Modern-day smart phones have evolved into powerful devices with functionality that goes beyond just telecommunications. These multitasking devices are now being utilized for all sorts of computational purposes which may or may not affect the end-user privacy that 3GPP is trying to protect. There are numerous other sources of leakage affecting user privacy such as Wi-Fi [7], Bluetooth [8], etc. which do not fall under the purview of 3GPP. We do not consider privacy leakages via these other sources in this work.

  • Lastly, as work on 3GPP Release 16 (Phase 2 of 5G) is still under active development, we do not consider the ever-evolving Release 16.

To our knowledge, this paper presents the first work on 5G subscription privacy after the completion of the first phase (Release 15) of the standard. Unlike other survey papers whose ambit of 5G security and privacy exploration has been very wide, we focus on one particular and very critical aspect, i.e., subscription privacy on the 5G wireless interface. In summary, the main contributions of this paper are as follows:

  • Comprehensive Overview: This paper categorizes the privacy from the viewpoint of mobile users. To do so in a comprehensive manner, we study around 50 published papers and 20 3GPP publications to sift and sort the appropriate aspects of subscription privacy in 5G.

  • Chronological Context: In this work, various aspects of subscription privacy are contextualized in a chronological order which gives an insight into the standards’ development cycle and provides the reader with an opportunity to appreciate how things evolve in the real world.

  • Identification of Future Challenges: Based on our study of the evolution of subscription privacy in 5G, we highlight possible issues that are yet to be addressed and, where appropriate, the impediments faced in resolving such challenges.

The remainder of this paper is organized as follows: Section 2 provides the requisite background. Section 3 discusses the privacy vulnerabilities that existed before 5G, while improvements to subscription privacy provisioned by 5G are detailed in Section 4. In Section 5, outstanding privacy issues of 5G and future research directions are discussed. Section 6 describes the related work. Finally, Section 7 concludes the paper and provides recommendations.

Section snippets

Technical background

Before we delve further into the subscription privacy aspects of 5G, we outline the mobile telephony ecosystem and its pertinent security and privacy mechanisms

The past - Inherited challenges

The first and foremost task for 5G Release 15 was to address the privacy vulnerabilities that existed in the previous generations. Hence, before we discuss the improvements offered by Release 15, we take a look at the vulnerabilities that already existed in the early generations that affect subscription privacy on the radio channel. Table 2 provides a summary of the attacks on subscription privacy in earlier generations.

The present - Privacy improvements by 3GPP elease 15

Release 15 comes with several new security features that significantly improve subscription privacy on the radio interface [40], [41]. Table 3 provides a summary of the effect of these new features upon the vulnerabilities from previous generations.

The future - Outstanding issues, new attacks & proposed measures

The successful deployment of future 5G systems requires resolution of the outstanding subscription privacy issues. In this section, we highlight the subscription privacy vulnerabilities which were not addressed by Release 15. We also discuss recent literature which either suggests improvements or presents new attacks on 5G subscription privacy.

Related work

We believe there does not exist any prior work in the published literature with exclusive focus on 5G subscription privacy. The probable reason for this seems to be that 5G is a very nascent technology within which extensive development and upgrades were undertaken as late as June 2019. Table 4 presents a summary of the related literature which has considered security and privacy in 5G or 5G-like networks. Here, we briefly discuss the work carried out in these publications.

Rupprecht et al. [71]

Conclusion and recommendations

Along with the pursuit of a connected future, at least an equivalent – if not greater – focus is required on the security and privacy of these connections. 5G is a platform which will transform everything from education to AI to medicine. But 5G also comes with potentially enormous privacy risks. Due to increasing diversity of devices and emergence of new services, it is necessary for a successful 5G future that these privacy risks be resolved sooner rather than later. As a result of the study

CRediT authorship contribution statement

Haibat Khan: Conceptualization, Methodology, Writing - original draft, Investigation, Resources. Keith M. Martin: Validation, Writing - review & editing, Supervision.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (83)

  • M. Arapinis et al.

    Analysis of privacy in mobile telephony systems

    Int J Inf Sec

    (2017)
  • Greenwald G.. NSA collecting phone records of millions of Verizon customers daily....
  • Union E.. Regulation (EU) 2016/679 (General Data Protection Regulation). https://gdpr-info.eu/ [Online; accessed...
  • 3GPP. Security architecture and procedures for 5G systems (3GPP TS 33.501 Version 15.0.0 Release 15). 2018a....
  • 3GPP. 3G Security; Security Architecture (3GPP TS 33.102 Version 15.0.0 Release 15). 2018b....
  • D.A. Basin et al.

    A formal analysis of 5G authentication

  • 3GPP. Study on the security aspects of the next generation system (3GPP TR 33.899 Version 1.3.0 Release 14). 2017....
  • N. Husted et al.

    Mobile location tracking in metro areas: Malnets and others

  • M. Jakobsson et al.

    Security weaknesses in bluetooth

  • 3GPP. System architecture for the 5G system (3GPP TS 23.501 Version 15.1.0 Release 15). 2018c....
  • 3GPP. Mobile Application Part (MAP) specification (3GPP TS 29.002 Version 15.3.0 Release 15). 2018d....
  • R.F. Olimid et al.

    On low-cost privacy exposure attacks in LTE mobile communication

    Proc Roman Acad Ser A-Math Phys Tech Sci Inf Sci

    (2017)
  • 3GPP. Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)(3GPP TS 33.220 Version 15.2.0...
  • C. Paget

    Practical cellphone spying

    Def Con

    (2010)
  • S.F. Mjølsnes et al.

    Easy 4G/LTE IMSI Catchers for Non-Programmers

  • A. Dabrowski et al.

    IMSI-catch me if you can: IMSI-catcher-catchers

  • A. Dabrowski et al.

    The messenger shoots back: network operator based IMSI catcher detection

  • K. Nohl

    Mobile Self-defense

    31st chaos communication congress 31C3

    (2014)
  • A. Lilly

    IMSI Catchers: hacking mobile communications

    Netw Secur

    (2017)
  • D. Fox

    Der IMSI-catcher

    Datenschutz und Datensicherheit

    (2002)
  • N.J. Croft

    On forensics: A silent SMS attack

  • A. Shaik et al.

    Practical attacks against privacy and availability in 4g/LTE mobile communication systems

    23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21-24, 2016

    (2016)
  • D.F. Kune et al.

    Location Leaks on the GSM Air Interface

    19th annual network & distributed system security symposium, ISOC-NDSS

    (2012)
  • K. Nohl et al.

    Wideband GSM Sniffing

    27th Chaos communication conference

    (2010)
  • B. Hong et al.

    GUTI reallocation demystified: cellular location tracking with changing temporary identifier

    25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2018

    (2018)
  • R.P. Jover

    LTE security, protocol exploits and location tracking experimentation with low-cost software radio

    CoRR

    (2016)
  • M. Arapinis et al.

    Privacy through pseudonymity in mobile telephony systems

    21st annual network and distributed system security symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014

    (2014)
  • D. Forsberg et al.

    Enhancing security and privacy in 3GPP E-UTRAN radio interface

    Proceedings of the IEEE 18th international symposium on personal, indoor and mobile radio communications, PIMRC 2007, 3–7 September 2007, Athens, Greece

    (2007)
  • M. Arapinis et al.

    New Privacy Issues in Mobile Telephony: Fix and Verification

  • C. Sørseth et al.

    Experimental analysis of Subscribers’ privacy exposure by LTE paging

    Wirel Pers Commun

    (2018)
  • S.R. Hussain et al.

    Privacy attacks to the 4G and 5G cellular paging protocols using side channel information

    26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019

    (2019)
  • R. Borgaonkar et al.

    New Adventures in Spying 3G & 4G Users: Locate, Track, Monitor

    Blackhat, Las Vegas, USA 2017

    (2017)
  • 3GPP. System Architecture Evolution (SAE); Security architecture 3GPP TS 33.401 Version 15.8.0 (Release 15). 2019a....
  • 3GPP. Technical specification group services and system aspects; international mobile station equipment identities...
  • O.H. Abdelrahman et al.

    Signalling Storms in 3G Mobile Networks

    IEEE international conference on communications, ICC 2014, Sydney, Australia, June 10–14, 2014

    (2014)
  • 3GPP. Technical Specification Group Core Network and Terminals; Non-Access-Stratum (NAS) protocol for Evolved Packet...
  • 3GPP. Radio Resource Control (RRC); protocol specification (3GPP TS 25.331 version 15.4.0 Release 15). 2018f....
  • 3GPP. Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); protocol specification (3GPP...
  • J.J. Caffery et al.

    Overview of radiolocation in CDMA cellular systems

    IEEE Commun Mag

    (1998)
  • A. Kunz et al.

    New 3GPP Security Features in 5G Phase 1

    2018 IEEE conference on standards for communications and networking, CSCN 2018, Paris, France, October 29–31, 2018

    (2018)
  • A.R. Prasad et al.

    3GPP 5G Security

    J ICT Standardizat

    (2018)
  • Cited by (22)

    • HashXor: A lightweight scheme for identity privacy of IoT devices in 5G mobile network

      2021, Computer Networks
      Citation Excerpt :

      Things around us that are connected to the IoT may give away critical information about their identity, leading to compromise in identity privacy of their owner [1]. With the prospect of 5G mobile network getting used as a prominent backbone network in the IoT [2,3], dealing with ‘identity privacy in 5G mobile network’- a challenging security issue in mobile network across the various generations [4–6], has become more important than ever before. Problem and scope: A mobile device needs to be authenticated by the mobile network before any service is offered to it.

    • Provable Non-Frameability for 5G Lawful Interception

      2023, WiSec 2023 - Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks
    • P3LI5: Practical and confidEntial Lawful Interception on the 5G core

      2023, 2023 IEEE Conference on Communications and Network Security, CNS 2023
    View all citing articles on Scopus
    View full text