Send in your ideas. Deadline October 1, 2024
Theme fund: NGI0 PET
Start: 2019-04
End: 2019-04

IMSI Pseudonymization

Better privacy protection for 2G-5G

The IMSI Pseudonymization project will design a specification and provide a reference implementation of a mechanism to conceal the IMSI (international mobile subscriber identity) of a mobile subscriber on the radio interface. The IMSI is used to uniquely identify each subscriber in a (2G, 3G, 4G, 5G) cellular network. However, the privacy of users is not really well protected: current specification require to transfer the IMSI in plain-text at various times before an encrypted connection can be set up. The present project will specify, implement and evaluate a method by which the IMSI will be concealed on the air interface with no modifications to existing mobile phones or any network elements of the operator beyond the HLR/HSS (which implements the authentication on the network side). The project will further submit this proposal into the 3GPP standardization process and attempt to make it at least an optional extension that operators (even MVNOs) can deploy.

Why does this actually matter to end users?

The mobile phone has become the very center of our digital life at a spectacular and very impressive rate. People literally go to sleep and wake up next to their mobile phone, and some clutch their phone in their hands for large parts of the day. On average they touch their phone more than they have physical contact with their combined friends and family, and even more so than any other object they own - apart from the clothes they wear. The amount of households in Europe without a mobile subscription has shrunk to a mere one in twenty, and globally over 5 billion people now use cell phones - and the number continues to grow.

When we turn on our cell phone, it safely connects to the network within seconds - ready for us to catch up on news while riding public transport, order food, play games, find our way around a city and keep connected with our social environment. When we move around, the phone invisibly detects this and seamlessly hands over the current session to the closest tower. This is done so smoothly, that most people are unaware of such a handover when it happens. But is the way a phone connects really as secure and trustworthy as we assume it is? As it turns out, mobile phone standards fail to protect the privacy of users due to a flaw in the core design which opens up a number of options of abuse. The GSM specification makes it mandatory for your phone to reveal its identity to the network. Mobile phones use radio waves to establish a connection with the closest base station, meaning that this information is received and broadcast over the air. Since the network is presumed to be operated by a regulated and licensed network provider, there is no requirement for the network to prove to the phone that it is legit. Phones have been programmed to trust the network, even if this is not justified. This design flaw is actively abused by so called IMSI catchers, which are devices used to eavesdrop on mobile phone users.

The idea behind an IMSI catcher is as simple as it is hard to notice: a fake device somewhere sends out signals impersonating a cell phone tower from one of the existing providers. Mobile phones by design want to optimize the signal they receive, and choose the strongest signal among the different reachable candidates. If the attacker has a strong enough signal, all phones in its neighbourhood connect to the fake device instead of to the real network. At that point, all the attacker needs to do is to send a standard signal for all the phones to expose their unique mobile subscriber identity. An attack only takes minutes, is very difficult to spot and can be used to expose the identity of anyone close by that has their phone turned on. In fact, such an attack also works on devices like sensors in bridges, roads and inside companies that use the mobile network to communicate. Subsequent forms of abuse may follow.

In this project the well-known security researcher and software developer Harald Welte, founder of the Osmocom project, is redesigning the mobile protocols in such a way that the phone of the user would no longer have to reveal any information before it establishes an encrypted session. This would immediately prevent a number of currently unstoppable privacy attacks targeting IMSI exposure. The project will submit these proposals into the international 3GPP standardization process, to make it available to all networks - so that when in the future you turn on the phone, it can keep its secrets safe until trust is established. As such, this project promised to be an important contribution to protecting the privacy of consumers, and the confidentiality of business and continuity within the public sector.

Run by Osmocom project

Logo NLnet: abstract logo of four people seen from above Logo NGI Zero: letterlogo shaped like a tag

This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.