Nori: Concealing the Concealed Identifier in 5G

TL;DR

This paper analyzes the privacy effectiveness of the SUCI mechanism in 5G, revealing its poor anonymity with variable length identifiers and proposing an improved padding scheme to enhance subscriber privacy.

Contribution

The paper uncovers the limitations of SUCI's anonymity in 5G and introduces a novel padding scheme to improve privacy without excessive message expansion.

Findings

SUCI provides only 1-anonymity with variable length identifiers

Current padding schemes are suboptimal for name-based identifiers

Proposed padding scheme achieves better privacy with less message overhead

Abstract

IMSI catchers have been a long standing and serious privacy problem in pre-5G mobile networks. To tackle this, 3GPP introduced the Subscription Concealed Identifier (SUCI) and other countermeasures in 5G. In this paper, we analyze the new SUCI mechanism and discover that it provides very poor anonymity when used with the variable length Network Specific Identifiers (NSI), which are part of the 5G standard. When applied to real-world name length data, we see that SUCI only provides 1-anonymity, meaning that individual subscribers can easily be identified and tracked. We strongly recommend 3GPP and GSMA to standardize and recommend the use of a padding mechanism for SUCI before variable length identifiers get more commonly used. We further show that the padding schemes, commonly used for network traffic, are not optimal for padding of identifiers based on real names. We propose a new improved padding scheme that achieves much less message expansion for a given $k$-anonymity.