In 4G, your IMSI was sent in plaintext. Any Stingray device could capture it.
5G fixed this. But most engineers don't know exactly how, or where the gaps still exist.
Here's the complete 5G security breakdown:
Identity Protection: How 5G Hides the Subscriber
• SUPI: Subscription Permanent Identifier, replaces the 4G IMSI
• SUCI: Subscription Concealed Identifier, the SUPI encrypted with the HPLMN public key
• UE encrypts the SUPI before every attach, so it is never sent in plaintext over the air
• SIDF (in the UDM) decrypts the SUCI, so only the home network can reveal the real identity
• IMEI: device identity, checked against the Equipment Identity Register (EIR)
• Result: IMSI catchers and Stingray attacks are blocked at the identity level
Authentication: 5G-AKA and EAP-AKA
• 5G-AKA: primary authentication, challenge-response via AUSF and UDM
• EAP-AKA: used for non-3GPP access (Wi-Fi calling, fixed wireless)
• AUSF: Authentication Server Function, verifies the UE identity
• UDM: stores the long-term key K, used to derive all session keys
• KAUSF → KSEAF → KAMF: key chain from authentication to the AMF anchor
• Mutual authentication: both the UE AND the network verify each other; 4G only authenticated the UE
The 5G Key Hierarchy
• K: root key stored in the USIM, never leaves the SIM
• CK / IK: cipher and integrity keys derived from AKA
• KgNB: derived from KAMF, the gNB session key
• KRRCenc + KRRCint: RRC layer encryption and integrity
• KUPenc + KUPint: user plane encryption and integrity (integrity optional but available)
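The KAUSF → KSEAF → KAMF → KgNB → KRRC/KUP chain above, carried through with the generic 3GPP KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...). This is an added example, not code from the post; the FC codes, parameter layouts and algorithm type distinguishers follow my reading of TS 33.501 Annex A and should be checked against the spec, and the KAUSF, SUPI and serving network name are constructed sample values. It also shows why KSEAF is bound to the serving network name: the same KAUSF yields different keys for different networks.

```python
import hmac
import hashlib

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): S = FC || P0 || L0 || P1 || L1 ..., L = 2-byte big-endian length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_kseaf(k_ausf: bytes, serving_network_name: str) -> bytes:
    # FC 0x6C, P0 = serving network name (assumed per TS 33.501 A.6); binds the anchor key to the serving network
    return kdf(k_ausf, 0x6C, serving_network_name.encode())

def derive_kamf(k_seaf: bytes, supi: str, abba: bytes = b"\x00\x00") -> bytes:
    # FC 0x6D, P0 = SUPI, P1 = ABBA parameter (assumed per TS 33.501 A.7)
    return kdf(k_seaf, 0x6D, supi.encode(), abba)

def derive_kgnb(k_amf: bytes, uplink_nas_count: int, access_type: int = 0x01) -> bytes:
    # FC 0x6E, P0 = uplink NAS COUNT (4 bytes), P1 = access type distinguisher, 0x01 = 3GPP access (assumed per A.9)
    return kdf(k_amf, 0x6E, uplink_nas_count.to_bytes(4, "big"), bytes([access_type]))

# Algorithm type distinguishers (assumed per TS 33.501 A.8): RRC-enc 0x03, RRC-int 0x04, UP-enc 0x05, UP-int 0x06
ALG_TYPE = {"RRC-enc": 0x03, "RRC-int": 0x04, "UP-enc": 0x05, "UP-int": 0x06}

def derive_alg_key(k_gnb: bytes, alg_type: str, alg_id: int) -> bytes:
    # FC 0x69, P0 = algorithm type distinguisher, P1 = algorithm identity; 128-bit keys are the 128 LSBs of the output
    full = kdf(k_gnb, 0x69, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))
    return full[16:]

def derive_chain(k_ausf: bytes, snn: str, supi: str, nas_count: int, alg_id: int) -> dict:
    """Walk the hierarchy from KAUSF down to the per-algorithm RRC and UP keys."""
    k_seaf = derive_kseaf(k_ausf, snn)
    k_amf = derive_kamf(k_seaf, supi)
    k_gnb = derive_kgnb(k_amf, nas_count)
    return {
        "KSEAF": k_seaf, "KAMF": k_amf, "KgNB": k_gnb,
        "KRRCenc": derive_alg_key(k_gnb, "RRC-enc", alg_id),
        "KRRCint": derive_alg_key(k_gnb, "RRC-int", alg_id),
        "KUPenc": derive_alg_key(k_gnb, "UP-enc", alg_id),
        "KUPint": derive_alg_key(k_gnb, "UP-int", alg_id),
    }

# Constructed sample inputs: a fixed 256-bit KAUSF, an IMSI-style SUPI, and a home serving network name
SAMPLE_KAUSF = hashlib.sha256(b"constructed-sample-kausf").digest()
SAMPLE_SUPI = "001010123456789"
SAMPLE_SNN = "5G:mnc001.mcc001.3gppnetwork.org"
```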
Where 5G security gaps still exist:
✗ Protocol downgrade attacks: the UE can be forced to 4G, where SUCI doesn't apply
✗ Null encryption: still negotiable in some operator configurations, and should not be
✗ Inter-operator roaming: the N32 interface between SEPPs relies on operator trust
✗ User plane integrity: optional per 3GPP, and not all operators enable it
✗ False base station attacks: still possible in some NSA deployments
Key Security NFs every engineer must know:
• AUSF: authenticates the UE, issues KAUSF
• UDM/SIDF: stores the subscriber key K, decrypts the SUCI
• SEPP: Security Edge Protection Proxy, secures the N32 roaming interface
• AMF: NAS security context holder, derives KgNB for the gNB
5G is the most secure mobile generation ever designed. But security only holds if operators enable all features and engineers understand where the boundaries are.
