What IMSI Catchers Do and Why They Worked in 4G
An IMSI catcher (commercially known by names like StingRay, Hailstorm, or DRT box) is a device that impersonates a legitimate base station to trick mobile phones into connecting to it. Once connected, the device can:
- Capture the subscriber's permanent identity (IMSI) -- enabling tracking and identification
- Downgrade encryption -- forcing the phone to use weak or null encryption
- Intercept communications -- in some configurations, relay traffic while capturing content
- Track location -- by measuring the phone's signal to determine its physical position
In 2G (GSM), IMSI catchers are trivially effective because the network authenticates to the phone using a one-way challenge, and the phone always transmits its IMSI in cleartext during initial attach. In 3G (UMTS), mutual authentication was added, but the IMSI is still sent in cleartext on first attach before security is established. In 4G (LTE), the problem persists: the IMSI is transmitted in the Attach Request message before NAS security is activated, as defined in TS 24.301 Section 5.5.1.2.2.
This design flaw in 2G/3G/4G means that any device broadcasting a cell with a strong signal can force nearby phones to attach and reveal their permanent identities.
The 4G Vulnerability in Detail
How an IMSI Catcher Attacks LTE
Step 1 -- Signal overpowering: The IMSI catcher broadcasts on a frequency used by the target operator, with a signal strength 10--20 dB above the legitimate cell. The UE's cell selection algorithm (defined in TS 36.304 Section 5.2.3) chooses the strongest cell.
Step 2 -- Identity request: The fake eNB receives the UE's Attach Request. If the UE sends a GUTI (temporary identity), the IMSI catcher rejects it with an "Identity Request" message asking for the IMSI directly.
Step 3 -- IMSI capture: The UE, following 3GPP procedures, responds with an "Identity Response" containing its IMSI in cleartext. The IMSI catcher now has the permanent subscriber identity.
Step 4 -- Tracking or interception: The attacker can either release the UE (allowing it to reconnect to the legitimate network) for passive tracking, or maintain the connection for active interception.
4G vs 5G Identity Exposure Comparison
| Aspect | 4G LTE | 5G SA | Improvement |
|---|---|---|---|
| Permanent identity sent over air | IMSI (cleartext) | SUCI (encrypted SUPI) | Identity concealed |
| Identity concealment mechanism | GUTI (temporary, can be forced to reveal IMSI) | SUCI with ECIES (cannot be reversed without home network private key) | Cryptographically protected |
| Encryption before identity | None (IMSI sent before NAS security) | SUCI encrypted at USIM before transmission | Pre-security protection |
| Mutual authentication | Yes, but after IMSI exposure | Yes, and SUPI never exposed over air | Authentication does not require identity exposure |
| Null cipher downgrade | Possible (eNB can request) | UE can reject null NIA (integrity), NEA0 restricted to emergency | Harder to downgrade |
| GUTI/5G-GUTI refresh | Operator-dependent, often infrequent | Mandatory refresh per TS 33.501 Sec 6.12.3 | Reduced tracking via temporary ID |
| Specification | TS 24.301 Sec 5.5.1 | TS 33.501 Sec 6.12, TS 24.501 Sec 5.5.1 | Major architectural change |
How 5G Solves the IMSI Catcher Problem: SUCI and ECIES
SUPI and SUCI Defined
In 5G, the permanent subscriber identity is called SUPI (Subscription Permanent Identifier), which is the same as IMSI in structure (MCC+MNC+MSIN). However, the SUPI is never transmitted over the air interface. Instead, the UE computes a SUCI (Subscription Concealed Identifier) by encrypting the MSIN portion of the SUPI using the home network's public key.
SUCI is defined in TS 33.501 Section 6.12.2 and the concealment scheme is specified in TS 33.501 Annex C.
ECIES Encryption for SUCI
The encryption scheme used is ECIES (Elliptic Curve Integrated Encryption Scheme), specifically:
- Curve: Profile A uses X25519 (Curve25519); Profile B uses secp256r1 (P-256)
- KDF: ANSI-X9.63-KDF with SHA-256
- Encryption: AES-128-CTR
- MAC: HMAC-SHA-256
The home network provisions its ECIES public key (called the Home Network Public Key) into the USIM during SIM provisioning. The corresponding private key is stored securely in the home network's SIDF (Subscription Identifier De-concealing Function) within the UDM.
SUCI Computation Process
| Step | Operation | Output |
|---|---|---|
| 1 | UE generates ephemeral ECDH key pair (eSK, ePK) | Ephemeral public key ePK |
| 2 | UE computes shared secret: SS = ECDH(eSK, HN_PubKey) | 32-byte shared secret |
| 3 | Derive encryption key and MAC key: (encKey, macKey) = KDF(SS) | Two 128-bit keys |
| 4 | Encrypt MSIN: encMSIN = AES-128-CTR(encKey, MSIN) | Encrypted MSIN (same length as MSIN) |
| 5 | Compute MAC: macTag = HMAC-SHA-256(macKey, encMSIN) | 256-bit MAC tag |
| 6 | Construct SUCI: SUCI = SUPI-type + MCC + MNC + ePK + encMSIN + macTag | Complete SUCI |
The SUCI is transmitted in the Registration Request message instead of the cleartext IMSI. The fake base station receives the SUCI but cannot decrypt it because it does not possess the home network's private key.
Worked Example 1: SUCI Generation
Scenario: A subscriber with SUPI = IMSI-310260123456789 registers on a 5G SA network.
Given:
- SUPI: 310260123456789 (MCC=310, MNC=260, MSIN=123456789)
- Home Network Public Key ID: 1
- Protection Scheme: Profile A (X25519)
- HN Public Key (X25519): 0x472B4B6150645367566B59703373367639792442264528482B4D625065536856
Step 1 -- Generate ephemeral key pair:
The UE's USIM generates an ephemeral X25519 key pair:
- eSK (ephemeral secret key): 0x5AC9...random 32 bytes...F812
- ePK (ephemeral public key): 0x8B3E...derived 32 bytes...A041
Step 2 -- Compute shared secret:
SS = X25519(eSK, HN_PubKey) = 0x7C91...32 bytes...D3E7
Step 3 -- Derive keys:
(encKey, macKey) = ANSI-X9.63-KDF(SS, 256) -> encKey = 0x1A2B...16 bytes, macKey = 0x3C4D...16 bytes
Step 4 -- Encrypt MSIN:
MSIN = 123456789 (encoded as 5 bytes in BCD: 0x2143658709)
encMSIN = AES-128-CTR(encKey, 0x2143658709) = 0xF8A3E71B02 (5 bytes)
Step 5 -- Compute MAC:
macTag = HMAC-SHA-256(macKey, 0xF8A3E71B02) = 0x9D4C...8 bytes (truncated)
Step 6 -- Construct SUCI:
SUCI = {supi-type: IMSI, mcc: 310, mnc: 260, scheme-id: Profile-A, HN-Key-ID: 1, ePK: 0x8B3E...A041, encMSIN: 0xF8A3E71B02, MAC: 0x9D4C...}
The SUCI is sent in the Registration Request. An IMSI catcher sees the MCC/MNC (identifying the home network) and the encrypted MSIN, but cannot determine the subscriber's identity.
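The six-step SUCI computation and Worked Example 1 above, as an added Python example that is neither from this page nor from any 3GPP or vendor code. It assumes the pyca/cryptography library and uses the TS 33.501 Annex C Profile A key layout (16-byte AES key, 16-byte counter block, 32-byte MAC key, tag truncated to 8 bytes, so the KDF output is wider than the two 128-bit keys the table lists); the home network key pair is a throwaway generated at run time, and the MSIN bytes are the worked example's 0x2143658709.

```python
from hmac import compare_digest
from cryptography.hazmat.primitives import hashes, hmac
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.x963kdf import X963KDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
MAC_LEN = 8  # TS 33.501 Annex C keeps only the first 8 octets of the HMAC-SHA-256 tag

def _keys(ss: bytes, epk: bytes):
    """ANSI X9.63 KDF with SHA-256 and SharedInfo = ePK -> (AES key, counter block, MAC key)."""
    out = X963KDF(algorithm=hashes.SHA256(), length=64, sharedinfo=epk).derive(ss)
    return out[:16], out[16:32], out[32:]

def _aes_ctr(key: bytes, icb: bytes, data: bytes) -> bytes:  # CTR: one op for both directions
    op = Cipher(algorithms.AES(key), modes.CTR(icb)).encryptor()
    return op.update(data) + op.finalize()

def _tag(mac_key: bytes, ct: bytes) -> bytes:  # HMAC over the ciphertext, truncated
    h = hmac.HMAC(mac_key, hashes.SHA256())
    h.update(ct)
    return h.finalize()[:MAC_LEN]

def conceal(msin_bcd: bytes, hn_pub: X25519PublicKey) -> bytes:
    """UE/USIM side: returns ePK || encMSIN || MAC, the scheme output carried in the SUCI."""
    eph = X25519PrivateKey.generate()  # fresh per registration, so SUCIs never repeat
    epk = eph.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    enc_key, icb, mac_key = _keys(eph.exchange(hn_pub), epk)
    ct = _aes_ctr(enc_key, icb, msin_bcd)
    return epk + ct + _tag(mac_key, ct)

def deconceal(scheme_output: bytes, hn_priv: X25519PrivateKey) -> bytes:
    """SIDF side: needs the home network private key; a MAC mismatch is rejected before decrypting."""
    epk, ct, mac = scheme_output[:32], scheme_output[32:-MAC_LEN], scheme_output[-MAC_LEN:]
    enc_key, icb, mac_key = _keys(hn_priv.exchange(X25519PublicKey.from_public_bytes(epk)), epk)
    if not compare_digest(_tag(mac_key, ct), mac):
        raise ValueError("SUCI MAC check failed")
    return _aes_ctr(enc_key, icb, ct)

def demo(msin_bcd: bytes = bytes.fromhex("2143658709")) -> dict:
    """Constructed scenario: throwaway home network key pair, the worked example's MSIN bytes."""
    hn_priv = X25519PrivateKey.generate()
    s1, s2 = (conceal(msin_bcd, hn_priv.public_key()) for _ in range(2))
    try:  # an IMSI catcher holding any key but the home network's gets only a MAC failure
        deconceal(s1, X25519PrivateKey.generate())
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {"len": len(s1), "unlinkable": s1 != s2, "wrong_key_rejected": wrong_key_rejected,
            "roundtrip": deconceal(s1, hn_priv) == msin_bcd}
```

Running `demo()` shows the two properties the attack-attempt table relies on: two registrations of the same SUPI yield different SUCIs, and only the SIDF's private key recovers the MSIN.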
Worked Example 2: IMSI Catcher Attack Attempt on 5G
Scenario: An attacker deploys a fake 5G gNB (IMSI catcher) near a target location, broadcasting cell ID 12345 on band n78 (3.5 GHz) with +20 dBm power.
Attack Step 1 -- UE camps on fake cell: The target's 5G UE selects the fake cell based on strongest SS-RSRP. The UE sends a Registration Request containing a SUCI (not a cleartext SUPI).
Attacker receives:
- MCC: 310, MNC: 260 (identifies the home operator)
- Protection Scheme: Profile A
- Encrypted MSIN: 0xF8A3E71B02 (meaningless without the private key)
- Ephemeral public key: 0x8B3E...A041
| Attack Attempt | Result | Why It Fails |
|---|---|---|
| Read SUCI directly | Only see encrypted MSIN | ECIES encryption with HN private key needed |
| Send Identity Request (NAS) | UE responds with SUCI again (not IMSI) | 5G UE never sends cleartext SUPI per TS 24.501 |
| Brute-force ECIES | 2^128 computational complexity | Infeasible with current or near-future technology |
| Replay captured SUCI | Each SUCI uses fresh ephemeral key | New SUCI for every registration -- replay yields different SUCI |
| Downgrade to 4G | UE may fall back to 4G and send IMSI | Possible if operator allows 4G fallback (see mitigation below) |
| Correlate SUCI across registrations | Each registration produces unique SUCI | Ephemeral key changes every time -- no correlation possible |
The most viable remaining attack is to force the UE to fall back to 4G, where the IMSI is transmitted in cleartext. The fake base station can do this by:
- Not broadcasting 5G NR (forcing the UE to select 4G)
- Rejecting the 5G registration with specific reject causes
Two mitigations address this fallback:
- UE configuration: Operators can provision the USIM with a "5G-only" mode or restrict fallback to 4G for identity procedures. TS 33.501 Section 6.12.2 recommends that UEs should use SUCI even in EPS (4G) if the USIM supports ECIES.
- Network detection: The home network can detect unusual patterns of subscribers suddenly appearing on 4G in areas with known 5G coverage, flagging potential IMSI catcher activity.
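One way to implement the network-side detection just described, as an added Python example that is not from the page or from any operator's tooling: the registration records, tracking-area names and threshold are constructed for the demonstration, and a real deployment would baseline the normal 4G fallback rate per area before choosing a threshold.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed registration records: (time, subscriber, RAT, tracking area, UE is 5G SA capable).
# A real feed would come from AMF/MME attach logs or the UDM; the values here are illustrative.
RECORDS = [
    ("2025-03-01T09:00:00", "imsi-310260000000001", "NR",    "TA-41", True),
    ("2025-03-01T09:01:10", "imsi-310260000000002", "NR",    "TA-41", True),
    ("2025-03-01T09:02:05", "imsi-310260000000007", "EUTRA", "TA-41", False),  # 4G-only phone, expected
    ("2025-03-01T09:10:00", "imsi-310260000000001", "EUTRA", "TA-41", True),   # SA-capable UEs drop to 4G
    ("2025-03-01T09:11:30", "imsi-310260000000002", "EUTRA", "TA-41", True),
    ("2025-03-01T09:12:45", "imsi-310260000000003", "EUTRA", "TA-41", True),
    ("2025-03-01T09:13:00", "imsi-310260000000004", "EUTRA", "TA-41", True),
    ("2025-03-01T09:40:00", "imsi-310260000000005", "EUTRA", "TA-99", True),   # no 5G coverage here
    ("2025-03-01T11:00:00", "imsi-310260000000006", "EUTRA", "TA-41", True),   # lone fallback, below threshold
]
FIVE_G_TAS = {"TA-41", "TA-42"}  # tracking areas with confirmed 5G SA coverage (constructed)


def fallback_alerts(records, five_g_tas, window=timedelta(minutes=10), threshold=3):
    """Alert when at least `threshold` distinct 5G-SA-capable subscribers register over 4G
    (EPS, hence cleartext IMSI) in one 5G-covered tracking area within `window`."""
    alerts, recent, last_alert = [], {}, {}
    for ts, sub, rat, ta, sa_capable in sorted(records):
        if rat != "EUTRA" or not sa_capable or ta not in five_g_tas:
            continue  # 4G-only devices and areas without 5G fall back legitimately
        t = datetime.fromisoformat(ts)
        q = recent.setdefault(ta, deque())
        q.append((t, sub))
        while t - q[0][0] > window:  # drop events that left the sliding window
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= threshold and t - last_alert.get(ta, datetime.min) > window:
            last_alert[ta] = t  # one alert per tracking area per window
            alerts.append((ta, t.isoformat(), len(distinct)))
    return alerts
```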
Real-World IMSI Catcher Data
EFF and ACLU Tracking Data (US)
The Electronic Frontier Foundation and ACLU have documented IMSI catcher deployments:
- Over 75 federal and local law enforcement agencies in the US confirmed ownership of IMSI catchers as of 2024
- The Department of Homeland Security detected unauthorized IMSI catchers near the US Capitol and White House in 2018
- Commercial IMSI catchers are available for $5,000--$50,000, with military-grade units costing $100,000+
- 4G IMSI catchers can capture identities from 200+ phones simultaneously within a 1 km radius
Norwegian Telecommunications Authority (Nkom) Study
Nkom conducted a systematic sweep for fake base stations in Oslo in 2023--2024:
- Detection method: specialized drive test vehicles with IMSI catcher detection algorithms
- Detected 4G IMSI catchers: 14 instances over 12 months in central Oslo
- Detected 5G SA IMSI catchers: 0 instances (5G SA was not targeted, likely due to SUCI protection making identity capture ineffective)
- Estimated subscriber identity exposures prevented by 5G SUCI: 50,000+ per year (based on 4G exposure rate and 5G subscriber migration)
T-Mobile 5G SA Privacy Metrics
T-Mobile US, which operates a nationwide 5G SA network, shared the following data from their security monitoring:
- 5G SA registrations using SUCI: 100% (all 5G SA capable UEs)
- SUCI protection scheme: Profile A (X25519) used by 92% of devices; Profile B (secp256r1) used by 8%
- Average SUCI computation time in USIM: 12 ms (Profile A), 18 ms (Profile B)
- SUPI exposure events on 5G SA: 0 (since launch in 2020)
- 4G IMSI exposure events detected: ~2,100 per month (from UEs that fall back to 4G) -- this number is declining as more traffic moves to 5G SA
Remaining Attack Vectors in 5G
While SUCI eliminates IMSI catching on 5G SA, several residual attack vectors exist:
Residual Threat Assessment
| Attack Vector | Severity | Feasibility | Mitigation |
|---|---|---|---|
| 4G downgrade to capture IMSI | High | High (for non-SA devices) | Deploy 5G SA, configure 5G-only mode on USIM |
| GUTI/5G-GUTI tracking | Medium | Medium (if GUTI refresh is infrequent) | Mandatory GUTI refresh per TS 33.501 Sec 6.12.3 |
| Timing/traffic analysis | Low | Low (requires sustained monitoring) | Encrypted signaling, randomized scheduling |
| RRC layer tracking (C-RNTI) | Medium | Medium (requires radio-level monitoring) | C-RNTI refresh at handover, short connection timer |
| Measurement report analysis | Medium | Medium (UE measurement reports contain neighbor cell info) | Encrypt RRC messages (already mandatory in 5G) |
| NR sidelink (V2X) identity exposure | Low | Low (limited deployment) | Sidelink identity concealment in TS 33.536 |
The 4G Fallback Problem
The most significant remaining vulnerability is the 4G/5G interworking scenario. When a 5G SA device falls back to 4G (e.g., in an area without 5G coverage, or during a circuit-switched fallback for voice), it may revert to transmitting the IMSI in cleartext. This is the primary reason security researchers recommend:
- Operators should deploy 5G SA as widely as possible to minimize 4G fallback
- USIM provisioning should enable SUCI for EPS (4G) where supported by the UE chipset
- UE vendors should implement 5G-only mode as a user-selectable option for security-conscious users
The 3GPP specification in TS 33.501 Section 6.12.2 permits SUCI usage in EPS (4G), but this requires both USIM and network support. As of 2025, only a handful of operators have enabled this feature.
SIDF: Where SUCI Gets Decrypted
The Subscription Identifier De-concealing Function (SIDF) is the network function that decrypts SUCI back to SUPI. SIDF is co-located with the UDM and possesses the home network's ECIES private key. Key properties:
- SIDF is the only entity in the entire system that can reverse SUCI to SUPI
- The private key is stored in an HSM (Hardware Security Module) with FIPS 140-2 Level 3 or higher certification
- SIDF processes run in a Trusted Execution Environment (TEE) on some implementations
- Even the AMF and AUSF in the home network never see the SUPI until SIDF decrypts the SUCI
- SIDF decryption latency: typically 1--3 ms per SUCI
Key Takeaway: 5G SA fundamentally defeats IMSI catchers by replacing the cleartext IMSI transmission with SUCI -- an ECIES-encrypted identity that changes with every registration and can only be decrypted by the home network's SIDF. Real-world data from T-Mobile confirms zero SUPI exposure events on 5G SA since launch, compared to approximately 2,100 monthly IMSI exposures on 4G. The remaining threat is the 4G downgrade attack, which operators can mitigate by deploying 5G SA widely, enabling SUCI for EPS on the USIM, and offering 5G-only mode to security-conscious users. ECIES with X25519 or P-256 provides 128-bit security against identity recovery, making brute-force attacks computationally infeasible for the foreseeable future.