Did 5G Kill the IMSI Catcher?

Summary

You dial into your Zoom meeting while sitting on a moving train. Your mobile device (i.e., User Equipment, UE) must seamlessly switch towers as you go in and out of range. This concept, called mobility, remains a central requirement for mobile networks, but it’s also a central security vulnerability. You see, you may have just been hacked while leisurely zooming on said train – and you’d never know it. The GSM (better known as 2G) protocol has a security vulnerability that exposes a user’s personal identifier (IMSI) in the clear, allowing for attribution and geolocation. This vulnerability is also in the UMTS (a.k.a. 3G) spec, and in the LTE (4G) spec. While the vulnerability was finally addressed in NR (5G), it’s imperfect and remains an exploitable 5G network vulnerability… and my favorite cybersecurity topic. In this article, I’ll introduce this long-standing security exploit, known as an IMSI catcher, discuss some high-level technical aspects regarding 2G–4G IMSI catchers, then finish with 5G security improvements and the possibility of 5G IMSI catchers. What is an IMSI? Every account on a cellular network has a unique identifier to connect a SIM card to a credit card, and that identifier is called the International Mobile Subscriber Identity (IMSI, pronounced “IM-zee”). This number contains 3 pieces of information: the Mobile Country Code (MCC) of the issuing network operator, the Mobile Network Code (MNC) of the issuing network operator, and a unique number that only exists for that SIM card. The IMSI is ultimately used to make sure you paid your bill and that you’re allowed to register onto a network. What is an IMSI catcher? An IMSI catcher is a tool that collects cellular signals and decodes packets to access and save off the IMSI. There are two types of IMSI catchers: active and passive. Active IMSI Catcher Also known as a cell station simulator or rogue base station, an active IMSI catcher is the more effective of the two. The downside is that it requires...