Nori: Concealing the Concealed Identifier in 5G

IMSI catchers have been a long standing and serious privacy problem in pre-5G mobile networks. To tackle this, 3GPP introduced the Subscription Concealed Identifier (SUCI) and other countermeasures in 5G. In this paper, we analyze the new SUCI mechanism and discover that it provides very poor anonymity when used with the variable length Network Specific Identifiers (NSI), which are part of the 5G standard. When applied to real-world name length data, we see that SUCI only provides 1-anonymity, meaning that individual subscribers can easily be identified and tracked. We strongly recommend 3GPP and GSMA to standardize and recommend the use of a padding mechanism for SUCI before variable length identifiers get more commonly used. We further show that the padding schemes, commonly used for network traffic, are not optimal for padding of identifiers based on real names. We propose a new improved padding scheme that achieves much less message expansion for a given $k$-anonymity.Comment: 9 pages, 8 figures, 1 tabl

Applying Machine Learning on RSRP-based Features for False Base Station Detection

False base stations -- IMSI catchers, Stingrays -- are devices that impersonate legitimate base stations, as a part of malicious activities like unauthorized surveillance or communication sabotage. Detecting them on the network side using 3GPP standardized measurement reports is a promising technique. While applying predetermined detection rules works well when an attacker operates a false base station with an illegitimate Physical Cell Identifiers (PCI), the detection will produce false negatives when a more resourceful attacker operates the false base station with one of the legitimate PCIs obtained by scanning the neighborhood first. In this paper, we show how Machine Learning (ML) can be applied to alleviate such false negatives. We demonstrate our approach by conducting experiments in a simulation setup using the ns-3 LTE module. We propose three robust ML features (COL, DIST, XY) based on Reference Signal Received Power (RSRP) contained in measurement reports and cell locations. We evaluate four ML models (Regression Clustering, Anomaly Detection Forest, Autoencoder, and RCGAN) and show that several of them have a high precision in detection even when the false base station is using a legitimate PCI. In our experiments with a layout of 12 cells, where one cell acts as a moving false cell, between 75-95\% of the false positions are detected by the best model at a cost of 0.5\% false positives.Comment: 9 pages,5 figure, 3 tables, 2 algorithm

Evaluation of VoIP Security for Mobile Devices

Market research reports by In-Stat, Gartner, and the Swedish Post and Telecom Agency (PTS) reveal a growing worldwide demand for Voice over IP (VoIP) and smartphones. This trend is expected to continue over the coming years and there is wide scope for mobile VoIP solutions. Nevertheless, with this growth in VoIP adoption come challenges related with quality of service and security. Most consumer VoIP solution, even in PCs, analog telephony adapters, and home gateways, do not yet support media encryption and other forms of security. VoIP applications based on mobile platforms are even further behind in adopting media security due to a (mis-)perception of more limited resources. This thesis explores the alternatives and feasibility of achieving VoIP security for mobile devices in the realm of the IP Multimedia Subsystem (IMS)

A security architecture for 5G networks

5G networks will provide opportunities for the creation of new services, for new business models, and for new players to enter the mobile market. The networks will support efficient and cost-effective launch of a multitude of services, tailored for different vertical markets having varying service and security requirements, and involving a large number of actors. Key technology concepts are network slicing and network softwarisation, including network function virtualisation and software-defined networking. The presented security architecture builds upon concepts from the 3G and 4G security architectures but extends and enhances them to cover the new 5G environment. It comprises a toolbox for security relevant modelling of the systems, a set of security design principles, and a set of security functions and mechanisms to implement the security controls needed to achieve stated security objectives. In a smart city use case setting, we illustrate its utility; we examine the high-level security aspects stemming from the deployment of large numbers of IoT devices and network softwarisation