Stingray spying: 5G will protect you against surveillance attacks, say standards-setters

It looks likely that 5G will sideline IMSI catcher, or stingray, fake mobile base stations.
Written by David Meyer, Contributor

Video: How US carriers moved up the timeline on 5G

5G mobile connectivity is just around the corner. But while it promises improved support for the growing Internet of Things and help for mobile operators coping with increasing data demands, it also brings significant security risks.

5G networks will involve more players than current networks do; the Internet of Things will provide many more juicy targets than are out there today; and the big data that's generated could have serious privacy implications.

However, it's increasingly likely that 5G will provide a privacy boost in at least one regard, by making obsolete the fake mobile base stations -- known as IMSI catchers or stingrays -- that law enforcement agencies sometimes use to spy on people's phones and, by extension, their owners.

Network equipment giant Ericsson was talking about this in mid-2017, but it now seems that its proposals to the 3GPP standards-setting body are moving forward.

Speaking to German tech site Golem, Deutsche Telekom executive Stefan Schröder said 3GPP had just a few weeks ago discussed the matter, and was planning to create new mechanisms in the 5G standard to offer better protection to users.

IMSI stands for International Mobile Subscriber Identity. It's a number that your phone sends to the network to identify itself to connect. IMSI catchers present themselves to a phone as genuine base stations to dupe the phone into connecting to them.

See also: IT pro's guide to the evolution and impact of 5G technology (free PDF)

Once that's happened, they can be used to identify devices and their locations, as well as gather details of communications.

Some IMSI catchers can be used to trick phones into falling back to 2G, where the communications themselves can be monitored. In China, criminals have also been caught using IMSI catchers to pump out spam to unsuspecting individuals' phones.

According to the proposal for 5G's security, published for approval last week, this abuse should no longer be possible, although it's worth remembering they said the same about 3G and 4G, which are susceptible.

5G phones will have a Subscription Permanent Identifier (SUPI), which will be encrypted using the network operator's public key. The network holds the subscription profile. If it can establish that the phone matches that profile, the authentication mechanism will implicitly be able to assure the phone that the network is also genuine.

The same concept is present in 4G, but 5G also provides "more protection of what is sent over the air", thanks to a protected identifier called the Subscription Concealed Identifier (SUCI), said Steve Buck, product director at mobile network security firm Evolved Intelligence.

"They're trying to address the IMSI catcher problem in 5G," Buck said. "In the 5G radio side of things, there's also a placeholder for dealing with the issue of forcing a null encryption scheme, where [IMSI catchers] pretend the mobile has asked for no encryption."

However, while these efforts might make it more difficult for someone to wade into a crowd of people with an IMSI catcher and figure out who's in the crowd, other aspects of 5G -- particularly in the way it handles network interconnections -- might make spying easier, Buck said.

"You can lease access or get a cable connecting to the network and ask for the IMSI," he explained.

"The core network was originally designed back in the 1980s, assuming the only people with access to that connection were other mobile operators, and also that it was expensive."

Now, a lot of people have access to that connection, because mobile operators lease access.

"The interesting thing is that the trend in security over the radio has been improving in each generation, but the trend for interconnect security is [going in] the opposite direction," Buck said.

Download now: Mobile device computing policy

He added that if someone wanted to snoop on the network to see if particular suspects were at a demonstration, "without going there, you could find out whether those suspects were there, or VIPs, or politicians".

All this is only likely to inform what happens a few years down the line. Although some operators in countries such as the US and South Korea are starting to boast about 5G network launches, true 5G won't even be standardized until 2019, and their first use cases are likely to involve fixed-line replacement services and things like connected cars.

It will only be a couple years later that we are likely to see 5G mobile phones and, even then, those handsets will also still be able to use today's connectivity standards.

So, for a while after that development comes, it may still be possible to force 5G phones to fall back to 3G and 4G, which are demonstrably vulnerable to IMSI catchers.

Previous and related coverage

Security flaw shows 3G, 4G LTE networks are just as prone to stingray phone tracking

The researchers say "very little" can be done to prevent stingray-style surveillance attacks.

Those 'stingray' detector apps are basically useless, say researchers

Researchers found at least one major flaw in the five leading stingray surveillance trackers for Android.

New York bill aims to limit police use of 'stingray' phone surveillance

The bill would limit but not block law enforcement use of so-called cell site simulators in New York state.

Neutral hosting could be the future of 5G in New York City (TechRepublic)

Neutral Connect Networks founder Tyler Kratz talked with TechRepublic about the challenge of deploying 5G networks in many parts of the city.

FCC's new 5G rules favor fast setup over federal reviews (CNET)

Small cell 5G gear will no longer need federal environmental and historic reviews. The change is meant to lower costs and speed deployment of next-gen networks.

Editorial standards