Nori: Concealing the Concealed Identifier in 5G
This addresses a critical privacy vulnerability in 5G mobile networks for subscribers, though it is incremental as it builds on existing padding mechanisms.
The paper analyzed the Subscription Concealed Identifier (SUCI) in 5G networks and found it provides only 1-anonymity, allowing easy subscriber tracking when used with variable length identifiers. They proposed an improved padding scheme that reduces message expansion for better anonymity.
IMSI catchers have been a long standing and serious privacy problem in pre-5G mobile networks. To tackle this, 3GPP introduced the Subscription Concealed Identifier (SUCI) and other countermeasures in 5G. In this paper, we analyze the new SUCI mechanism and discover that it provides very poor anonymity when used with the variable length Network Specific Identifiers (NSI), which are part of the 5G standard. When applied to real-world name length data, we see that SUCI only provides 1-anonymity, meaning that individual subscribers can easily be identified and tracked. We strongly recommend 3GPP and GSMA to standardize and recommend the use of a padding mechanism for SUCI before variable length identifiers get more commonly used. We further show that the padding schemes, commonly used for network traffic, are not optimal for padding of identifiers based on real names. We propose a new improved padding scheme that achieves much less message expansion for a given $k$-anonymity.