The introduction of encrypted subscriber identifiers in 5G promises significant privacy improvements, but these benefits can be negated by exploiting other known weaknesses, like the Linkability of Failure Messages (LFM) flaw. For the LFM flaw, the impact on subscriber privacy depends on an attacker’s ability to quickly exploit the flaw multiple times, which we investigate and evaluate in the context of commercial mobile networks. Previous work has demonstrated that repeated application of the LFM flaw is possible, and that its performance depends on the commercial mobile network’s willingness to repeatedly authenticate the victim, which significantly limits the attack’s usefulness. We show that parallel use of multiple authentication paths, e.g. different cells in parallel or non-3GPP access can bypass these limits and effectively scale the LFM flaw’s exploitation arbitrarily. This approach was evaluated by performing measurements against three major mobile network providers in Germany and demonstrates the first end-to-end attack against a commercial mobile network. These results show that the Multi-Path LFM (MP-LFM) attack poses a serious threat to subscriber privacy in 5G and highlight the need for further privacy improvements in the upcoming 6G standard.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

MP-LFM: Breaking Subscriber Privacy (even more) by Exploiting Linkability in 5G AKA

  • Julian Sturm,
  • Daniel Bücheler,
  • Oliver Zeidler,
  • Daniel Fraunholz,
  • Wolfgang Kellerer,
  • Hartmut Koenig

摘要

The introduction of encrypted subscriber identifiers in 5G promises significant privacy improvements, but these benefits can be negated by exploiting other known weaknesses, like the Linkability of Failure Messages (LFM) flaw. For the LFM flaw, the impact on subscriber privacy depends on an attacker’s ability to quickly exploit the flaw multiple times, which we investigate and evaluate in the context of commercial mobile networks. Previous work has demonstrated that repeated application of the LFM flaw is possible, and that its performance depends on the commercial mobile network’s willingness to repeatedly authenticate the victim, which significantly limits the attack’s usefulness. We show that parallel use of multiple authentication paths, e.g. different cells in parallel or non-3GPP access can bypass these limits and effectively scale the LFM flaw’s exploitation arbitrarily. This approach was evaluated by performing measurements against three major mobile network providers in Germany and demonstrates the first end-to-end attack against a commercial mobile network. These results show that the Multi-Path LFM (MP-LFM) attack poses a serious threat to subscriber privacy in 5G and highlight the need for further privacy improvements in the upcoming 6G standard.