Criminal IMSI catchers are pretty much dead, but with the aid of carriers law enforcement can still use similar technology even with full standalone 5G networks. I don't know how often unauthorized IMSI catchers are used in the wild, but I doubt it's a relevant percentage of the total amount of IMSI catchers out there.
Thanks to mmWave and beam forming, 5G allows operators to practically track you down to the exact centimeter in 3D space. Furthermore, depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware.
Basically, who needs IMSI catchers when you can just see all of the information you'd get from them remotely on a computer screen on the other side of the country?
Of course this is great to protect against criminals that are looking to find your personal phone number or whatever by showing up to your doorstep, but for the vast majority of cases, IMSI catchers are defeated because they're no longer necessary.
> Furthermore, depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware.
It should be feasible for an operator to issue a command to the (e)UICC (SIM) in the phone to fetch the current location from the modem and send it back via SMS. At least this was the case for a relatively long time.
Not that it _really_ matters because most people willfully give away their location information to Google anyways. There's a reason why Google has the best Wi-Fi AP -> Location database that they provide commercially. Send them a list of Wi-Fi BSSIDs and their associated RSSIs and you'll get a fairly accurate location.
In comparison, using Cell IDs for geolocation is finicky. In dense urban environments, you're likely looking at ~500 m radius of accuracy - at least based on the commercially available options.
5G beamforming is not that accurate a proxy signal, and mmWave is phone vaporware, instead only significantly used for point-to-point connections. Line-of-sight requirements make it dead in the water for anything else.
"5G UW" is good service, but it's not usually mmWave. It's primarily mid-band stuff, usually Band n77 (3.7 GHz C-Band).
It's usually good, but that's primarily because Verizon is doing a good-ish job (in Michigan, at least) of deploying it densely in smaller neighborhood/urban cell sites (2x to 3x site density over traditional PCS-spaced cell towers). It's basically Verizon's version of what Clear was supposed to be doing with WiMax.
Notably, C-Band is not mmWave. mmWave bands start at like 24.2 GHz+, way way higher up the spectrum band.
If your phone reads "5G UW", there's like a 95% chance you aren't on mmWave, you are on n77 / C-Band / 'mid-band'.
I regularly see it in Atlanta in the big tech business areas (Buckhead, Midtown, etc) but it is hilariously bad.
Whenever I notice my cellular data has regressed to 3G speeds and reliability, I look up at the network status and see “5G UW”.
I don’t know if they deployed it without enough bandwidth on the trunk to handle all of the users or something else but I generally have to toggle airplane mode to drop back into 5G or LTE to get off of it.
"5G UW" is marketing bullshit by Verizon that they force cellphone makers to display. Basically it originally meant "mmWave" but was later revised to "mmWave or mid-band". You are probably seeing the mid-band due to the limitations of mmWave.
Nokia is also currently rolling out Europe’s first 5G standalone mmWave Radio Access Network in Italy. More to the point though, it could be integral in how we deal with NTN - particularly LEO D2C provisioning
It never worked unless you were walking on the street. Expensive too, I heard $20 per antenna. Millimeter is good for fixed antennas and delivering internet last mile to homes. Verizon bought into millimeter while T-Mobile focused on mid bands, which is why T-Mobile is faster on average than Verizon. People use their phones indoors.
Stadiums are pretty much the only place where mmWave in phones makes sense. For the other 99.99% of usage, it's an expensive power-hungry extra radio that doesn't work. mmWave 5G is mostly a sunk cost for Verizon, and largely irrelevant to everyone else.
> Stadiums are pretty much the only place where mmWave in phones makes sense.
And Airports, and Parks, and Amphitheaters, and Malls, and Theme Parks...
mmWave isn't a general solution, sure. But mmWave is great for anywhere crowded enough to benefit from a DAS setup, and there are a lot of DAS setups around.
Neither did LTE (or VoLTE) work well at the start.
WiMAX didn't get the funding and backing primarily because it didn't integrate well with existing systems. Hilariously it fit the criteria as 4G before LTE did. I guess there was a strong vendor push to include LTE into 4G.
They did - it was an atypically awful engineering decision that caused them to bungle their 5G rollout and cede market share to TMobile.
It only makes sense as a cable TV displacement that’s easier to deploy (and cuts out their unions) in cities. But to my knowledge, they haven’t done that. They dropped hundreds of poles in my city that aren’t even active.
> depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware
Do you know if (at least some) basebands actually limit network-side location requests to emergency call/text situations only?
All I know is that some don't. I don't know brands or if there are even common modems that are filtering for this.
If you don't have a Faraday cage and cell site equipment, you're going to have a hard time verifying any of this. The modem is closed source, the SIM card is closed source, and various firmware blobs to make phones work are all closed source. I believe Qualcomm has debug interfaces on some chipsets, which might catch these messages, but verifying that they catch all use cases is impossible unless you have knowledge of the actual mechanism used (or usable) to activate the modem.
This is one of the reasons I'm hoping for the open source phone community to succeed. So far, the modem stack is usually proprietary (with hardware kill switches in the most paranoid phones), but it only takes a small group of Linux enthusiasts to actually catch the phone network in the act.
Of course, the trouble is that you'll need to be the target of government surveillance to be even at risk of any of this. If you're not a criminal or a human rights activist, the government is probably not pointing its secret spying equipment at you, and whatever criminal enterprise hacked its way into the carrier network won't either. If you are being tracked by either of those, I think developing open source modem firmware is probably the least of your concerns.
I honestly wouldn't be surprised if the standard was written to make this kind of surveillance possible and that any modem refusing to cooperate would be spec incompliant. You can read most of the 3GPP spec for free on sites like https://portal.3gpp.org/ but I don't have the time or interest to dig through the unreadable stream of abbreviations and industry terms to find out.
It's all rather pointless anyway when 5G and to an extent 4G can geolocate you about as well as GPS can, barring reflections and such.
> If you're not a criminal or a human rights activist, the government is probably not pointing its secret spying equipment at you
If there's one thing we know for certain about the US and domestic spying it's that they're targeting literally everyone. They were caught copying all internet traffic going over the AT&T backbone in the early 2000s and decades later Snowden showed us they never stopped pointing their secret spying equipment at us. The best you can hope for is that if you don't become an activist or commit enough crimes they won't pay much attention to the massive and ever-growing troves of data they have on you personally.
> This is one of the reasons I'm hoping for the open source phone community to succeed. So far, the modem stack is usually proprietary (with hardware kill switches in the most paranoid phones) [...]
This is very unlikely to happen, primarily because certifying these modems is extremely expensive. I doubt any commercial vendor (e.g., a phone manufacturer) would commit the necessary resources to support them. Modern modems are also highly complex; they not only support various radio technologies but also incorporate numerous offloading mechanisms and a range of proprietary communication methods with telecom operators (e.g., VoLTE). Furthermore, the firmware must be carefully optimized for the hardware, so unless you have access to the complete package, this will likely remain confined to amateur circles.
> I honestly wouldn't be surprised if the standard was written to make this kind of surveillance possible and that any modem refusing to cooperate would be spec incompliant. You can read most of the 3GPP spec for free on sites like https://portal.3gpp.org/ but I don't have the time or interest to dig through the unreadable stream of abbreviations and industry terms to find out.
The standard is written to accommodate the most prevalent use cases. Given the ongoing efforts to improve security and address known vulnerabilities, I highly doubt it was written with bad intentions. However, that does not mean they will catch everything, nor does it guarantee that they will always prioritize stronger security over better usability - whether for network operators or end users.
Agreed – it's not really a personal concern I have (I have no illusions about the chances that none of the apps I grant location access to are selling it to the highest bidder), but I'm still curious. I can also imagine some legitimate use cases, such as pinging the location of somebody that had an accident and is possibly unable to call 911 themselves.
And same here – I've read a few of the 3GPP specs, but they make legalese sound like plain English, and of course never tell the full story including actual manufacturer decisions.
> And same here – I've read a few of the 3GPP specs, but they make legalese sound like plain English, and of course never tell the full story including actual manufacturer decisions.
They are technical standards designed to ensure interoperability (though not always successfully — cough VoLTE cough) rather than exhaustive guides on how to implement features. They have been developed over a long period of time and have become quite complicated to read, especially if you are not familiar with the specific nomenclature. However, with enough time and willpower you can make sense of them quite quickly.
PS. The software behind these standards is probably the most complex we have in the world. At least I am not aware of anything else that is as complicated.
Also worth noting that if the carrier is cooperating then you can do better than static snapshots. Tracking signal strength of a target moving between towers will give you quite a precise historic path (within a few seconds or minutes depending on velocity).
Is this a US-centric view? Presumably crossing national borders, as noted in the article, it would be more effective to catch IMSIs. When there are lots of countries clustered together in a smaller geographical space, i.e., not the USA, it might be relevant.
It's common to discover IMSI-catchers in national capitals around the world. There are many interesting targets.
Washington, D.C. mobile traffic is probably the most spied on in the world. Especially now when it's run by technological cavemen and overly confident techbros. Israelis, Russians, Chinese, French and everyone.
The Soviet/Russian station in San Francisco was heavily involved in SIGINT back in the days of microwave radio trunks and analog mobile phones, and I would imagine the Chinese have taken the throne from them today.
Back in the mid-80s, it was an open secret that some AMPS transmissions could be received on ordinary TV tuners which were capable up to Channel 83 or so.
My father being a DXer and installer of a home-built Yagi and rotator system, I discovered this fairly easily. All he told me was to just guard the privacy of these people I was snooping on, because they were supposed to be private conversations after all. I never heard anything of substance anyway. It was one of the more boring surveillance activities of my misspent youth.
To see news related to them, search "Fake Base Stations" or "SMS Blaster", as this is how they're commonly referred to in the media now.
Other notable highlights from the last few years include: the news from Paris a few years ago where police detonated a car with an IMSI catcher in it because they thought it was a bomb, but actually the driver was being paid to send out SMS spam via 2G downgrade attacks: https://commsrisk.com/paris-imsi-catcher-mistaken-for-bomb-w.... Also the attempt to disrupt the federal elections in the Philippines using a kind of "SMS blaster" that takes advantage of unauthenticated emergency alert messages, so a step beyond the "classic" IMSI catching attack that we haven't seen used in the wild before.
If you force 4G and 5G only, you are likely to lose access to mobile calls. VoLTE interoperability is still lacking, and this issue is unlikely to be resolved without intervention from a standards organization mandating interoperability and default settings. Unfortunately it will only get attention when somebody can't do an Emergency Call.
'Android allows users to disable 2G at the radio hardware level on any device that implements the capability constant, "CAPABILITY_USES_ALLOWED_NETWORK_TYPES_BITMASK". This stops a device from scanning or connecting to 2G networks.
Note: Emergency calling is never impacted. A device still scans and connects to 2G networks for emergency services.'
I've always been wondering: Is there a SIM card configuration flag that allows telling the phone to never even attempt an attach using a given technology?
This would allow leaking identifiers (at the cost of greatly reducing roaming coverage, at the moment), attaching to spoofed networks (for 2G, which does not have mutual authentication) etc.
SIM cards don't connect to networks, the phone modem can just disable support for such protocols. That'd probably be illegal, though, in case you're trying to call emergency services and don't have 5G reception.
Some Android phones have a setting to at least disable 2G and you can easily configure them to a "preference" of only 5G. I believe iPhones have a 2G toggle as well if you enable lockdown mode.
It'll be years before you can reliably get rid of 4G without losing coverage, though.
I don't know about any such settings on mobile platforms such as watches, though. I also doubt cars have a setting for this (maybe if you use one of those Chinese Android-tablet-with-a-car-skin systems?).
SIM cards have hundreds of various configuration knobs influencing what a (compliant) baseband does, so I wouldn’t be surprised if there was one that does just that.
That said, some knobs are frustratingly missing, though – why is manually entering an APN a thing, but the default SMSC can be stored on the SIM?
That's true, of course, but SIMs can be reprogrammed by the carrier on a whim. Plus, there are handover features that command the modem to downgrade the connection from the network side, and who knows if the modem will listen to the SIM's config if the network commands it to do something.
I haven't needed to enter APNs in years, there are standards to provision those by SMS if they're missing and most of them are pre-configured in the phone's OS.
I think limiting this at the modem side will be more effective than reprogramming the SIM card, but the specifications are open enough that you could take a look at a SIM's contents by throwing it in a reader.
You could also look at the code and blobs dealing with eSIMs, as they provide the same features but often come packaged in the form of software.
Check your local laws before you start messing with SIM cards, though, altering certain identifiers can be a crime.
In terms of existing examples, there's a few equivalent (or at least similar) fields defined as SIM files - for example, the FPLMN (forbidden PLMN) list of networks your phone shouldn't attempt to attach to.
You're right that this needs to be limited at the modem - but the main user accessible method of configuring the modem is the phone UI. As this setting is one which needs network support, and is likely to disconnect a user who misconfigured this, a SIM file for permitted RAT (radio access technology) types would make sense, as SIM files are under the responsibility of the operator.
Where this would get complex is edge cases, like under roaming scenarios, where your home network can't predict what might be available, and your handset may need to permit downgrading to a technology not permitted on the home network.
The toggle in Android to disable 2G seems a start towards a user accessible setting for this, which selects what the modem is willing to join, but it's certainly far from a user friendly way to enable and disable particular technologies.
> Check your local laws before you start messing with SIM cards, though, altering certain identifiers can be a crime.
Generally the contents of specific important Elementary Files (EF) are protected by requiring you to have an ADM code to read/write.
> I haven't needed to enter APNs in years, there are standards to provision those by SMS if they're missing and most of them are pre-configured in the phone's OS.
You might need to enter an APN if you have a B2B contract with the operator, where they'll route all traffic from your device(s) through a VPN directly to you. Besides that and static addresses, I am not aware of any other prevalent use-case for changing an APN.
> SIM cards have hundreds of various configuration knobs influencing what a (compliant) baseband does, so I wouldn’t be surprised if there was one that does just that.
There is EF-UST (USIM Service Table) but it doesn't explicitly allow/deny radio access technologies.
The wording of your usage here seems to suggest that the phones can be configured to not connect to 2G networks. This is false if you live in the USA. The phone will not connect to 2G networks regardless of any setting. There have not been any to connect to for a while now. The only thing out there that is 2G any longer is malicious actors.
It should come as no small surprise that phones in the US markets ship with a feature that is a de-facto backdoor.
Tangentially related, the latest major Android release supports updates from the modem with details about whenever your IMSI/IMEI/unencrypted SUCI are disclosed to the network (with support for some contextual information, e.g. which protocol message was it disclosed in), as well as insight into the in-use network cryptography configuration for different protocols.
If you pay the Google tax for a Pixel, you get a convenient 2G toggle.
If you don't have an extra $400-900 and buy a cheaper Android, you get to dial ##4636## (hn screws asterisks, look it up), then go into phone info, select each SIM radio and change the drop down (and hopefully you know all the standards by all names to make the right choice. Hint: 5G is NR there).
There's a convenient toggle on my Moto G Stylus 5G 2023, if not a convenient name. In the carrier settings right next to allow 5G. Can't easily disable 3G or LTE though. IIRC, LTE also mutually authenticates, but if we're talking about passive catching and the IMSI is sent in the clear as the article says, then that doesn't eliminate passive catching. I'm not sure about 3G, I thought it wasn't mutual auth either.
Definitely, mutual authentication and (not) using long-term identifiers in the initial attach request are largely orthogonal concerns.
I believe even 3G supports mutual authentication (at least if the SIM supports it, i.e. it’s not a very old GSM only one), but anonymized identifiers only appeared with 5G.
The 2G toggle can also be found in some other phones, but not every phone manufacturer has support for configuring their modems like that or has bothered to keep the setting in their settings app overhaul.
I know that setting, but I'm not entirely sure if that controls a preference or a mandatory cell config, and if it will prevent downgrades from the network side or not.
Some manufacturers and most custom ROMs also seem to offer that option without a dial code, but I haven't found any documentation about that feature yet to be sure it actually forces the modem configuration. I've found mentions online about this setting being changed without user interaction, so there seems to be a mechanism on some phones (carrier-branded ones maybe?) that alters this config.
Every modem has to have that control. And you can access it on every model I've ever seen with the code I shared. I think it might be a requirement for some of the regulations they plaster stickers for.
Having the UI or not is a balance between playing nice with overreaching law enforcement and enterprise clients.
5G Standalone networks don’t have 4G to fall back to. 5G Non-standalone networks are essentially 4G networks with a 5G RAN, so SUCI remains optional and most core vendors don’t support it.
That's not what 5G standalone means, as far as I understand.
The network I'm using supports 5G SA in some cells, but my phone definitely still falls back to both 4G and 5G non-SA in some areas where it's not yet available.
And even if 5G SA were available everywhere, there's the concern of roaming.
Correct, your phone needs to actually re-connect between the two networks. It's a whole new session and you can't handover between 5G SA and 5G NSA/LTE networks. There are some configurations that make this not much of an issue, but technically they are totally different networks.
> To help ensure compatibility of iPhone and cellular iPad devices on private 5G SA networks, infrastructure vendors must adhere to the following security and privacy requirements:
> Privacy concealment: The Subscription Concealed Identifier (SUCI) must use a non-null protection scheme. This can be achieved through either an on-SIM SUCI calculation or an ME SUCI calculation, as outlined in TCA 2.3.1 and 3.1 specifications. For detailed information, refer to the 3GPP Technical Specification 33.501.
This pertains to private networks rather than public operator networks, but it certainly seems to imply that use of SUCI is an expectation on 5G SA networks (private in this context).
I know very little about the protocol aspects of cellular communication, so can anyone explain how such a huge gaping security hole could come into existence?
In the beginning of cell phones, security was too expensive. Telcos also like to do their own things, so GSM encryption wasn't built on best practices. And some countries forbid use of even GSM encryption.
Early mobile phone networks suffered from cloning, so work was done to improve verification of clients, but verifying the network wasn't seen as required. Telcos have been historically light on authentication and verification; so it's not surprising.
Adding to this the GSM A3/A8 algo were broken shortly after they arrived in the US. The only mitigating control was my boss in a wireless provider and the FBI meeting up with someone that was going to demo breaking it. They were advised what prison they would be relocating to and the demo was called off. Rinse and repeat. This was before the internet was popular or even widely used. The word eventually got out.
Before 2G, networks used completely unencrypted analog voice. You could snoop on anyone's calls with a slightly-modified radio; at least until Congress heard about this and made it illegal to sell a radio that could be modified to do this[0].
2G was actually considered a huge bump up in security because you could encrypt the contents of calls. Albeit with hilariously insecure crypto mandated by the old ITAR regime[1]. IMSI catchers weren't part of their threat model, for the same reason why people only recently have realized that metadata is relevant to security.
[0] This law is still on the books, even though analog cellular is entirely dead. It's still a pain in the ass to properly comply with this for, e.g. software-defined radio.
[1] This is the same reason why DVD CSS was so easy to crack, and why there used to be 10 different ways to strip SSL before we decided to stop serving old browsers entirely.
The networks are insecure by standard. They are designed such that they can have "lawful intercept" by government entities. The key material on the SIM card is readily transferred between the carrier and SIM/eSIM card manufacturers, which enables multiple levels of supply chain attacks if the material is mishandled.
IMSI-catchers are not considered a security hole by the carriers or the standards bodies. SUCI/SUPI was put in at the request of phone vendors, if I remember correctly, and is still the only piece of public key cryptography in the networks. Everything else is symmetric keys.
"Depending on national requirements, the CSP may be required to report the location of the Target at the beginning and
end of CS calls and PS and IMS sessions on a per warrant or per intercept basis. It may also be a national requirement
for the CSP to report the location of the Target [...]"
The phreaking [1] community was huge and becoming increasingly sophisticated long before mobile was even a thing. I think it's mostly that telecoms were traditionally discouraged from pursuing security. There's, at most, a minimal commercial incentive to it, and the government loves comms that can be easily spied on meaning you're going to get pushback from that side if you start aiming for security.
The idea to start using SMS for secure purposes was similarly probably never really about security, but an advertising/government driven effort given that it helps create a fairly reliable tracking identity for a person. It makes no sense otherwise to use SMS over something like a 2FA app which is completely cross platform, secure, free, and has basically 0 downsides relative to SMS, and a whole bunch of upsides. The only thing is that it's also anonymous.
Don’t 2FA apps have the major downside that if you lose the specific mobile device you installed it on you’re SOL, unless you have backup codes that are too technical for most? SMS gets you more human support since you pay your carrier; I can walk into my nearest telco branch with my ID if I lose my phone and change the SIM to another phone. So most of the time unless your SIM is hijacked it’s a good proxy for being actually you.
Plus having to download another app adds friction to the signup process and most users aren’t going to bother, so for most it’s SMS 2FA or nothing. Since apps often want your phone number anyway for bot prevention, and users are used to verification codes, it’s not a big deal.
Also a tail end of other issues with 2FA apps (and SMS 2FA predates the nice ones anyway); in other countries there are devices other than iOS/Android to suggest an authenticator app for, limited network speeds and device storage, etc. Heck, I know people in the U.S. with full device storage who can’t download new apps without deleting some stuff. If you’re a random app and not a tech company SMS 2FA is just going to be much easier to implement.
The whole point of 2FA is that once you lose possession of your physical second factor, you lose access. If you can maintain access after losing the hardware, you've just added a second password. SIM swapping attacks have proven very effective at showing how easy it is for someone to bypass SMS 2FA. It's better than no 2FA, but it's the worst second factor out there.
If you don't want to lose access after losing your second factor, you don't want two factor authentication. Trying to make 2FA something it's not only muddies the waters and makes things annoyingly confusing.
I don't think "I know someone whose phone can't handle a 2MiB TOTP app" is a good reason not to offer real 2FA on a website. Sure, offer SMS codes for people who don't care much about security beyond ticking auditor boxes.
No curious reason for it coming into existence. It's software, it will have bugs and oversights. What's curious is that it and so many other problems of the cellular grid have been left untended to for almost three decades.
The article mentions active catchers "requires RF transmission, which violates FCC laws (and international equivalents) and is detectable"... except...
... couldn't one build a 'modern' IMSI catcher with a CBRS LTE band 48 small cell and their own LTE infrastructure and be above-board legal anyways?
Wow, a website generated using AI[1]. (or perhaps a human using AI)
Anecdotally, when I was attending college there was a 12 year old girl also attending and in some of my classes, particularly my freshman physics class. She was knocking the curve off with high scores on all of the exams. I got a chance to talk to her at lunch one day and it turned out she had an eidetic memory. It was amazing, she could tell you what was on any page of the text book perfectly. That allowed her to recall worked problems in the text that were identical in form to the question on the test, and she could then use the same steps to solve the test problem. But, and this was an important part, she didn't really understand physics. Whenever our conversation went into areas where she could have used physics principles to derive an understanding or at least a good guess at some of the depth of a new topic, she did not. That didn't hinder her progress through school but I had to believe that at some point it would.
After that experience I started paying more attention to people who "knew" facts, and people who "used" facts, which is to say that people who had learned something and understood it, would use that learning to extrapolate into new areas, open up places they didn't understand, and pursue new knowledge about those gaps. And there were people who would rebut arguments with "facts" but seemed not to grasp the fundamental principles at issue.
AI generated "answers" to prompts have exactly the same properties as answers from people who know facts but don't understand them.
I would guess that the article in question was generated with some prompts of the form, "Describe how an IMSI catcher works for each type of network." If you're a human and you read the answer and noticed that 5G was different you can add the click-bait headline and voila, article!
And yet for someone who understands how IMSI catchers work and understands the general compatibility environment of the cell phone networks, they would point out that most phones are designed to work "around the world" which means with all types of networks 2G/3G/LTE, and so even if the world around you is LTE/5G if you pop up a GSM cell tower signal a modern phone will see it and say hi. And then they would go on to describe that WiFi and Bluetooth device hardware (MAC) addresses are unique too, and those are also sent around if you bleat out to an open wifi network or a lonely bluetooth device. Finally it would point out that even with the 5G "SUCI", that value is unique to your phone and even if you don't give someone enough information to reverse map your phone to you, it is absolutely enough information to keep track of where this particular phone has been over time.
But all of that context is related to understanding why you would even want to capture an IMSI number and how the entire system was designed to make that easy even though now that is seen as a vulnerability.
So if you've spent some time recognizing the difference between people who are talking about something they understand and people who are talking about something they read about but don't understand, stuff written by AI just sort of pops out at you like that.
[1] All the generated images at the bottom were a dead giveaway but the structure of the article was also indicative of an LLM construction.
This is a very interesting comment. When I read your physics story, I thought you would be getting to the similarity to current llms. However hallucinations seem like a different issue than the young student might have. If she incorrectly matches some scenario to a text match, maybe some hallucinations. Some humans are confident in making comments about things I don't understand, like you know who. But many humans somehow have a concept of their limited knowledge. When they add that to LLMs, that will be powerful.
I pretty much agree with this; having some way to indicate model boundaries in an LLM parameter space to create back pressure on token generation would help a lot here.
For me though the interesting bits are how the lack of understanding surfaces as artifacts in the presentation or interaction. I'm a systems person who can't help but try to fathom the underlying connections and influences that are driving the outputs of a system.
1) Yes, it's still possible to convince a phone to connect to older RAT generations. However, the idea is that as those are phased out, it's unlikely that they'll be enabled on UEs, so phones likely won't connect and "say hi" as you say. For example, 2G is already being disabled on many devices. It'll be a while before 2G-4G is fully phased out and IMSI Catchers become completely infeasible, but I think that it's safe to say that "5G got it right" in finally solving this issue.
2) I don't think you have a good understanding of how SUCIs work if you think that it's unique to a device. The UE generates a fresh ECC ephemeral public key every time it sends its SUCI (which isn't often to begin with due to GUTIs, which are one-time use and only assigned post-ciphering). You can read more about it here: https://medium.com/@aditya.koranga/ecies-in-5g-core-supi-to-...
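SUCI concealment as the comment describes it (a fresh ephemeral ECC key per SUCI, the home network's public key held by the UE), as an added Python sketch that is not from the thread or from 3GPP: it follows the shape of TS 33.501 Profile A (X25519 ECDH, then derived encryption and MAC keys) but swaps the X9.63 KDF and AES-128-CTR for SHA-256 stand-ins so it runs on the standard library alone. The MSIN value and the home-network key are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

P = 2**255 - 19                      # Curve25519 field prime
_A24 = 121665                        # (486662 - 2) / 4, RFC 7748 ladder constant
BASE_POINT = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    """RFC 7748 clamping of a 32-byte private scalar."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519 scalar multiplication, Montgomery ladder from RFC 7748 section 5."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                    # ignore the unused top bit of the u-coordinate
    x1 = int.from_bytes(ub, "little")
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + _A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _derive_keys(shared: bytes, eph_pub: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the X9.63 KDF of Profile A: 16-byte enc key, 32-byte MAC key."""
    enc_key = hashlib.sha256(b"suci-enc" + shared + eph_pub).digest()[:16]
    mac_key = hashlib.sha256(b"suci-mac" + shared + eph_pub).digest()
    return enc_key, mac_key

def _ctr_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-128-CTR: SHA-256 counter keystream XORed onto the data."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[start:start + 32], ks))
    return bytes(out)

def hn_keygen(rand: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Home-network key pair; the public half is what gets provisioned onto the USIM."""
    priv = rand or os.urandom(32)
    return priv, x25519(priv, BASE_POINT)

def conceal_supi(msin: str, hn_pub: bytes, eph_priv: Optional[bytes] = None) -> bytes:
    """UE side: scheme output = eph_pub(32) || ciphertext(MSIN) || tag(8).
    A fresh ephemeral key per call makes each SUCI of the same SUPI unrelated;
    MSIN digits travel as ASCII here (a real SUCI packs them as BCD)."""
    eph_priv = eph_priv or os.urandom(32)
    eph_pub = x25519(eph_priv, BASE_POINT)
    shared = x25519(eph_priv, hn_pub)
    enc_key, mac_key = _derive_keys(shared, eph_pub)
    ct = _ctr_xor(enc_key, msin.encode("ascii"))
    tag = hmac.new(mac_key, eph_pub + ct, hashlib.sha256).digest()[:8]
    return eph_pub + ct + tag

def deconceal_suci(scheme_output: bytes, hn_priv: bytes) -> str:
    """Home-network side (UDM/SIDF): recover the MSIN, or reject a tampered SUCI."""
    eph_pub, ct, tag = scheme_output[:32], scheme_output[32:-8], scheme_output[-8:]
    shared = x25519(hn_priv, eph_pub)           # same secret the UE derived
    enc_key, mac_key = _derive_keys(shared, eph_pub)
    expected = hmac.new(mac_key, eph_pub + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("SUCI integrity check failed")
    return _ctr_xor(enc_key, ct).decode("ascii")

def unlinkability_demo(msin: str = "2100000001") -> Tuple[bool, bool]:
    """Conceal one constructed MSIN twice: outputs differ on air, both recover at the UDM."""
    hn_priv, hn_pub = hn_keygen()
    s1, s2 = conceal_supi(msin, hn_pub), conceal_supi(msin, hn_pub)
    recovered = deconceal_suci(s1, hn_priv) == deconceal_suci(s2, hn_priv) == msin
    return s1 != s2, recovered
```

An observer who sees both scheme outputs cannot tell they belong to the same subscriber without the home network's private key, which is the property the comment is pointing at.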
Criminal IMSI catchers are pretty much dead, but with the aid of carriers law enforcement can still use similar technology even with full standalone 5G networks. I don't know how often unauthorized IMSI catchers are used in the wild, but I doubt it's a relevant percentage of the total amount of IMSI catchers out there.
Thanks to mmWave and beam forming, 5G allows operators to practically track you down to the exact centimeter in 3D space. Furthermore, depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware.
Basically, who needs IMSI catchers when you can just see all of the information you'd get from them remotely on a computer screen on the other side of the country?
Of course this is great to protect against criminals that are looking to find your personal phone number or whatever by showing up to your doorstep, but for the vast majority of cases, IMSI catchers are defeated because they're no longer necessary.
> Furthermore, depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware.
It should be feasible for an operator to issue a command to the (e)UICC (SIM) in the phone to fetch the current location from the modem and send it back via SMS. At least this was the case for a relatively long time.
Not that it _really_ matters because most people willfully give away their location information to Google anyways. There's a reason why Google has the best Wi-Fi AP -> Location database that they provide commercially. Send them a list of Wi-Fi BSSID's and their associated RSSI's and you'll get a fairly accurate location.
In comparison, using Cell ID's for geolocationing is finicky. In dense urban environments, you're likely looking at ~500 m radius of accuracy - at least based on the commercially available options.
For "Lawful Interception" you might want to read:
https://www.etsi.org/deliver/etsi_ts/133100_133199/133106/14...
https://www.etsi.org/deliver/etsi_ts/101600_101699/101671/02...
What command command can you send to the UICC to get the location? I did not think any phones honored those requests from the SIM.
5G beamforming is not that accurate a proxy signal, and mmWave is phone vaporware, instead only significantly used for point-to-point connections. Line-of-sight requirements make it dead in the water for anything else.
> mmWave is phone vaporware
Is it? I've definitely seen "5G UW" show up on my 15 Pro Max in the Bay Area. AT&T and Verizon are slowly expanding mmWave
"5G UW" is good service, but it's not usually mmWave. It's primarily mid-band stuff, usually Band n77 (3.7 GHz C-Band)
It's usually good, but that's primarily because Verizon is doing a good-ish job (in Michigan, at least) of deploying it densely in smaller neighborhood/urban cell sites (2x to 3x site density over traditional PCS-spaced cell towers). It's basically Verizon's version of what Clear was supposed to be doing with WiMax.
Notably, C-Band is not mmWave. mmWave bands start at like the 24.2 GHz+, way way higher up the spectrum band.
If your phone reads "5G UW", there's like a 95% chance you aren't on mmWave, you are on n77 / C-Band / 'mid-band'.
I regularly see it in Atlanta in the big tech business areas (Buckhead, Midtown, etc) but it is hilariously bad.
Whenever I notice my cellular data has regressed to 3G speeds and reliability, I look up at the network status and see “5G UW”.
I don’t know if they deployed it without enough bandwidth on the trunk to handle all of the users or something else but I generally have to toggle airplane mode to drop back into 5G or LTE to get off of it.
Ditto, I’ve disabled 5G entirely because it performs worse in high density areas compared to LTE.
Get a non-US iPhone which doesn't support those: https://www.apple.com/iphone/cellular/
"5G UW" is marketing bullshit by Verizon that they force cellphone makers to display. Basically it originally meant "mmWave" but was later revised to "mmWave or mid-band". You are probably seeing the mid-band due to the limitations of mmWave.
Verizon has actually deployed mmWave 5G fairly widely.
Sprint deployed WiMAX (remember that?) fairly widely, lot of good that did them.
mmWave is as dead as dead. The cellular Betamax. iPhone 16e (the everyman's iPhone) doesn't support it, and neither did the SE before it.
VZW will be converting those base stations into birdhouses in 5-7 years.
If mmWave is dead as dead, why are Ofcom going ahead with their spectrum auction? https://www.mobileworldlive.com/europe/ofcom-moves-ahead-wit...
Nokia is also currently rolling out Europe’s first 5G standalone mmWave Radio Access Network in Italy. More to the point though, it could be integral in how we deal with NTN - particularly LEO D2C provisioning
https://filtronic.com/news-events/white-papers/time-to-step-...
https://mmtron.com/mmwave-leo-satellites-coming-over-the-hor...
That's sad for Apple, then. A poor decision on their part.
Examples of Android phones that often support mmWave 5G:
Samsung: Many Galaxy S and Z series models, including recent releases.
Google: Pixel phones, especially the Pro models.
OnePlus: Various 5G phones, including the 10 Pro, 10T, and Nord series.
(etc)
Apple should get their shit together.
It never worked unless you were walking on the street. Expensive too, I heard $20 per antenna. Millimeter is good for fixed antennas and delivering internet last mile to homes. Verizon bought into millimeter while T-Mobile focused on mid bands, which is why T-Mobile is faster on average than Verizon. People use their phones indoors.
Absolutely correct on all the above.
T-Mobile is also using mmwave and retaining it in urban cores, but returning a lot of the spectrum.
There's a LOT of spectrum work being done at the FCC right now... Or was...
> OnePlus: Various 5G phones, including the 10 Pro, 10T, and Nord series.
The 9 pro was the last model they sold with mmwave. The entire 10 and 11 series don't have it. The Nord never did.
> Apple should get their shit together.
They ship mmwave on everything but their budget models?
Those Samsungs lack mmWave antennas in Europe. Not sure about Apple.
"Cellular Betamax" would suggest someone knowingly used it, and a handful of people actually liked it and committed to it.
mmWave is going to be useful in places like stadiums or large arenas, though. It works wonders in these kinds of applications.
WiMAX never really worked well at all.
Stadiums are pretty much the only place where mmWave in phones makes sense. For the other 99.99% of usage, it's an expensive power-hungry extra radio that doesn't work. mmWave 5G is mostly a sunk cost for Verizon, and largely irrelevant to everyone else.
> Stadiums are pretty much the only place where mmWave in phones makes sense.
And Airports, and Parks, and Amphitheaters, and Malls, and Theme Parks...
mmWave isn't a general solution, sure. But mmWave is great for anywhere crowded enough to benefit from a DAS setup, and there are a lot of DAS setups around.
Stadiums, downtown areas, school sports, racetracks, etc.
Any place outside, in good weather, with high population density!
> WiMAX never really worked well at all
Neither did LTE (or VoLTE) work well at the start.
WiMAX didn't get the funding and backing primarily because it didn't integrate well with existing systems. Hilariously it fit the criteria as 4G before LTE did. I guess there was a strong vendor push to include LTE into 4G.
They did - it was an atypically awful engineering decision that caused them to bungle their 5G rollout and cede market share to TMobile.
It only makes sense as a cable tv displacement that’s easier to deploy (and cuts out their unions) in cities. But to my knowledge, they haven’t done that. They dropped hundreds of poles in my city that aren’t even active.
> Criminal IMSI catchers are pretty much dead
Quite the opposite. They are more popular than ever, in the form of SMS blasters.
https://commsrisk.com/first-uk-arrests-of-imsi-catching-sms-...
> depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware
Do you know if (at least some) basebands actually limit network-side location requests to emergency call/text situations only?
All I know is that some don't. I don't know brands or if there are even common modems that are filtering for this.
If you don't have a Faraday cage and cell site equipment, you're going to have a hard time verifying any of this. The modem is closed source, the SIM card is closed source, and various firmware blobs to make phones work are all closed source. I believe Qualcomm has debug interfaces on some chipsets, which might catch these messages, but verifying that they catch all use cases is impossible unless you have knowledge of the actual mechanism used (or usable) to activate the modem.
This is one of the reasons I'm hoping for the open source phone community to succeed. So far, the modem stack is usually proprietary (with hardware kill switches in the most paranoid phones), but it only takes a small group of Linux enthusiasts to actually catch the phone network in the act.
Of course, the trouble is that you'll need to be the target of government surveillance to be even at risk of any of this. If you're not a criminal or a human rights activist, the government is probably not pointing its secret spying equipment at you, and whatever criminal enterprise hacked its way into the carrier network won't either. If you are being tracked by either of those, I think developing open source modem firmware is probably the least of your concerns.
I honestly wouldn't be surprised if the standard was written to make this kind of surveillance possible and that any modem refusing to cooperate would be spec incompliant. You can read most of the 3GPP spec for free on sites like https://portal.3gpp.org/ but I don't have the time or interest to dig through the unreadable stream of abbreviations and industry terms to find out.
It's all rather pointless anyway when 5G and to an extent 4G can geolocate you about as well as GPS can, barring reflections and such.
> If you're not a criminal or a human rights activist, the government is probably not pointing its secret spying equipment at you
If there's one thing we know for certain about the US and domestic spying it's that they're targeting literally everyone. They were caught copying all internet traffic going over the AT&T backbone in the early 2000s and decades later Snowden showed us they never stopped pointing their secret spying equipment at us. The best you can hope for is that if you don't become an activist or commit enough crimes they won't pay much attention to the massive and ever-growing troves of data they have on you personally.
> This is one of the reasons I'm hoping for the open source phone community to succeed. So far, the modem stack is usually proprietary (with hardware kill switches in the most paranoid phones) [...]
This is very unlikely to happen, primarily because certifying these modems is extremely expensive. I doubt any commercial vendor (e.g., a phone manufacturer) would commit the necessary resources to support them. Modern modems are also highly complex; they not only support various radio technologies but also incorporate numerous offloading mechanisms and a range of proprietary communication methods with telecom operators (e.g., VoLTE). Furthermore, the firmware must be carefully optimized for the hardware, so unless you have access to the complete package, this will likely remain confined to amateur circles.
> I honestly wouldn't be surprised if the standard was written to make this kind of surveillance possible and that any modem refusing to cooperate would be spec incompliant. You can read most of the 3GPP spec for free on sites like https://portal.3gpp.org/ but I don't have the time or interest to dig through the unreadable stream of abbreviations and industry terms to find out.
The standard is written to accommodate the most prevalent use cases. Given the ongoing efforts to improve security and address known vulnerabilities, I highly doubt it was written with bad intentions. However, that does not mean they will catch everything, nor does it guarantee that they will always prioritize stronger security over better usability - whether for network operators or end users.
Agreed – it's not really a personal concern I have (I have no illusions about the chances that none of the apps I grant location access to are selling it to the highest bidder), but I'm still curious. I can also imagine some legitimate use cases, such as pinging the location of somebody that had an accident and is possibly unable to call 911 themselves.
And same here – I've read a few of the 3GPP specs, but they make legalese sound like plain English, and of course never tell the full story including actual manufacturer decisions.
> And same here – I've read a few of the 3GPP specs, but they make legalese sound like plain English, and of course never tell the full story including actual manufacturer decisions.
They are technical standards designed to ensure interoperability (though not always successfully — cough VoLTE cough) rather than exhaustive guides on how to implement features. They have been developed over a long period of time and have become quite complicated to read, especially if you are not familiar with the specific nomenclature. However, with enough time and willpower you can make sense of them quite quickly.
PS. The software behind these standards is probably the most complex we have in the world. At least I am not aware of anything else that is as complicated.
Also worth noting that if the carrier is cooperating then you can do better than static snapshots. Tracking signal strength of a target moving between towers will give you quite a precise historic path (within a few seconds or minutes depending on velocity).
Is this a US-centric view? Presumably crossing national borders, as noted in the article, it would be more effective to catch IMSIs. When there are lots of countries clustered together in a smaller geographical space, ie, not the USA, it might be relevant.
But I don't know.
mmWave is used almost nowhere though.
Here in Europe phone manufacturers don't even bother including the antennas anymore.
It's common to discover IMSI-catchers in national capitals around the world. There are many interesting targets.
Washington, D.C. mobile traffic is probably the most spied in the world. Especially now when it's run by technological cavemen and overly confident techbros. Israeli, Russians, Chinese, French and everyone.
The Soviet/Russian station in San Francisco was heavily involved in SIGINT back in the days of microwave radio trunks and analog mobile phones, and I would imagine the Chinese have taken the throne from them today.
A few years back a suspected Israeli IMSI-catcher was found in DC https://www.politico.com/story/2019/09/12/israel-white-house...
APNewsBreak: US suspects cellphone spying devices in DC https://apnews.com/general-news-d716aac4ad744b4cae3c6b13dce1...
Back in the mid-80s, it was an open secret that some AMPS transmissions could be received on ordinary TV tuners which were capable up to Channel 83 or so.
My father being a DXer and installer of a home-built Yagi and rotator system, I discovered this fairly easily. All he told me was to just guard the privacy of these people I was snooping on, because they were supposed to be private conversations after all. I never heard anything of substance anyway. It was one of the more boring surveillance activities of my misspent youth.
> Criminal IMSI catchers are pretty much dead,
This isn't true, there are major incidents related to IMSI-catchers going on globally right now. E.g. last week from Japan: https://newsonjapan.com/article/145466.php, https://commsrisk.com/amateur-detectives-find-numerous-fake-..., and mass arrests happening in Thailand related to the operation of them recently.
To see news related to them, search "Fake Base Stations" or "SMS Blaster", as this is how they're commonly referred to in the media now.
Other notable highlights from the last few years include: the news from Paris a few years ago where police detonated a car with an imsi-catcher in it because they thought it was a bomb, but actually the driver was being paid to send out sms spam via 2g downgrade attacks: https://commsrisk.com/paris-imsi-catcher-mistaken-for-bomb-w.... Also the attempt to disrupt the federal elections in the Philippines using a kind of "SMS blaster" that takes advantage of unauthenticated emergency alert messages, so a step beyond the "classic" imsi catching attack that we haven't seen used in the wild before.
> The only simple thing you can do, that can have an effect, is to set your network priority to 5G-SA – but most phones don’t support this feature.
'add support for "5G only" and "4G or 5G only" modes in addition to our existing "4G only" mode' - https://grapheneos.org/releases#2025022700
If you force 4G and 5G only, you are likely to lose access to mobile calls. VoLTE interoperability is still lacking, and this issue is unlikely to be resolved without intervention from a standards organization mandating interoperability and default settings. Unfortunately it will only get attention when somebody can't do an Emergency Call.
Emergency calls bypass the network restriction. I don't see it documented for GrapheneOS, but https://source.android.com/docs/security/features/cellular-s... states
'Android allows users to disable 2G at the radio hardware level on any device that implements the capability constant, "CAPABILITY_USES_ALLOWED_NETWORK_TYPES_BITMASK". This stops a device from scanning or connecting to 2G networks.
Note: Emergency calling is never impacted. A device still scans and connects to 2G networks for emergency services.'
I guess it makes sense as Emergency Calls are highly regulated.
It still applies for normal calls though. I guess this is why major smartphone operating systems do not allow you to prevent 2G/3G registration.
For Android phones, type `*#*#4636#*#*` in the dialer, and you can choose the phone network.
btw 4636 means INFO.
>btw 4636 means INFO.
I've been doing that all these years and never thought of that! You learn something new everyday. For people who don't know, it's T9 dialing.
I've always been wondering: Is there a SIM card configuration flag that allows telling the phone to never even attempt an attach using a given technology?
This would allow leaking identifiers (at the cost of greatly reducing roaming coverage, at the moment), attaching to spoofed networks (for 2G, which does not have mutual authentication) etc.
SIM cards don't connect to networks, the phone modem can just disable support for such protocols. That'd probably be illegal, though, in case you're trying to call emergency services and don't have 5G reception.
Some Android phones have a setting to at least disable 2G and you can easily configure them to a "preference" of only 5G. I believe iPhones have a 2G toggle as well if you enable lockdown mode.
It'll be years before you can reliably get rid of 4G without losing coverage, though.
I don't know about any such settings on mobile platforms such as watches, though. I also doubt cars have a setting for this (maybe if you use one of those Chinese Android-tablet-with-a-car-skin systems?).
> SIM cards don't connect to networks
SIM cards have hundreds of various configuration knobs influencing what a (compliant) baseband does, so I wouldn’t be surprised if there was one that does just that.
That said, some knobs are frustratingly missing, though – why is manually entering an APN a thing, but the default SMSC can be stored on the SIM?
That's true, of course, but SIMs can be reprogrammed by the carrier on a whim. Plus, there are handover features that command the modem to downgrade the connection from the network side, and who knows if the modem will listen to the SIM's config if the network commands it to do something.
I haven't needed to enter APNs in years, there are standards to provision those by SMS if they're missing and most of them are pre-configured in the phone's OS.
I think limiting this at the modem side will be more effective than reprogramming the SIM card, but the specifications are open enough that you could take a look at a SIM's contents by throwing it in a reader.
You could also look at the code and blobs dealing with eSIMs, as they provide the same features but often come packaged in the form of software.
Check your local laws before you start messing with SIM cards, though, altering certain identifiers can be a crime.
In terms of existing examples, there's a few equivalent (or at least similar) fields defined as SIM files - for example, the FPLMN (forbidden PLMN) list of networks your phone shouldn't attempt to attach to.
You're right that this needs limited at the modem - but the main user accessible method of configuring the modem is the phone UI. As this setting is one which needs network support, and is likely to disconnect a user who misconfigured this, a SIM file for permitted RAT (radio access technology) types would make sense, as SIM files are under the responsibility of the operator.
Where this would get complex is edge cases, like under roaming scenarios, where your home network can't predict what might be available, and your handset may need to permit downgrading to a technology not permitted on the home network.
The toggle in Android to disable 2G seems a start towards a user accessible setting for this, which selects what the modem is willing to join, but it's certainly far from a user friendly way to enable and disable particular technologies.
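The FPLMN file mentioned above, decoded: an added Python example (not from the thread or from any SIM tooling) that parses and builds EF_FPLMN entries in the 3-byte swapped-nibble BCD coding of TS 24.008 / TS 31.102, handles 2- and 3-digit MNCs and the 0xFFFFFF unused slot, and answers whether a given MCC/MNC is on the list. The SIM image is constructed, not read from a real card.

```python
from typing import List, Optional, Tuple

UNUSED_ENTRY = b"\xff\xff\xff"   # an empty slot in EF_FPLMN

def decode_plmn(raw: bytes) -> Optional[Tuple[str, str]]:
    """Decode one 3-byte PLMN (TS 24.008 10.5.1.3 coding, as used in EF_FPLMN).

    Nibble layout, low nibble first within each byte:
      byte 0: MCC digit 1 | MCC digit 2
      byte 1: MCC digit 3 | MNC digit 3   (MNC digit 3 == 0xF for 2-digit MNCs)
      byte 2: MNC digit 1 | MNC digit 2
    Returns (mcc, mnc) as digit strings, or None for an unused 0xFFFFFF slot.
    """
    if len(raw) != 3:
        raise ValueError("a PLMN is exactly 3 bytes")
    if raw == UNUSED_ENTRY:
        return None
    nib = [raw[0] & 0xF, raw[0] >> 4, raw[1] & 0xF, raw[1] >> 4, raw[2] & 0xF, raw[2] >> 4]
    mcc_digits, mnc3, mnc1, mnc2 = nib[0:3], nib[3], nib[4], nib[5]
    digits = mcc_digits + [mnc1, mnc2] + ([] if mnc3 == 0xF else [mnc3])
    if any(d > 9 for d in digits):
        raise ValueError(f"non-BCD digit in PLMN {raw.hex()}")
    mcc = "".join(str(d) for d in mcc_digits)
    mnc = f"{mnc1}{mnc2}" + ("" if mnc3 == 0xF else str(mnc3))
    return mcc, mnc

def encode_plmn(mcc: str, mnc: str) -> bytes:
    """Inverse of decode_plmn; mcc is 3 digits, mnc is 2 or 3 digits."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("bad MCC/MNC")
    m = [int(c) for c in mcc]
    n = [int(c) for c in mnc] + ([0xF] if len(mnc) == 2 else [])
    return bytes([m[0] | (m[1] << 4), m[2] | (n[2] << 4), n[0] | (n[1] << 4)])

def parse_fplmn(ef: bytes) -> List[Tuple[str, str]]:
    """Return all populated entries of an EF_FPLMN image (3 bytes per slot)."""
    if len(ef) % 3:
        raise ValueError("EF_FPLMN length must be a multiple of 3")
    plmns = []
    for off in range(0, len(ef), 3):
        entry = decode_plmn(ef[off:off + 3])
        if entry is not None:
            plmns.append(entry)
    return plmns

def is_forbidden(ef: bytes, mcc: str, mnc: str) -> bool:
    """Would a compliant UE skip this PLMN because it is listed in EF_FPLMN?"""
    return (mcc, mnc) in parse_fplmn(ef)

# Constructed EF_FPLMN image (not read from a real card): 262-01, 234-15,
# 310-260 (3-digit MNC) and one unused slot.
SAMPLE_EF_FPLMN = bytes.fromhex("62f210" "32f451" "130062" "ffffff")
```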
> Check your local laws before you start messing with SIM cards, though, altering certain identifiers can be a crime.
Generally the contents of specific important Elementary Files (EF) are protected by requiring you to have an ADM code to read/write.
> I haven't needed to enter APNs in years, there are standards to provision those by SMS if they're missing and most of them are pre-configured in the phone's OS.
You might need to enter an APN if you have a B2B contract with the operator, where they'll route all traffic from your device(s) through a VPN directly to you. Besides that and static addresses, I am not aware of any other prevalent use-case for changing an APN.
> SIM cards have hundreds of various configuration knobs influencing what a (compliant) baseband does, so I wouldn’t be surprised if there was one that does just that.
There is EF-UST (USIM Service Table) but it doesn't explicitly allow/deny radio access technologies.
The wording of your usage here seems to suggest that the phones can be configured to not connect to 2G networks. This is false if you live in the USA. The phone will not connect to 2G networks regardless of any setting. There have not been any to connect to for a while now. The only thing out there that is 2G any longer is malicious actors.
It should come as no small surprise that phones in the US markets ship with a feature that is a de-facto backdoor.
Tangentially related, the latest major Android release supports updates from the modem with details about whenever your IMSI/IMEI/unencrypted SUCI are disclosed to the network (with support for some contextual information, e.g. which protocol message was it disclosed in), as well as insight into the in-use network cryptography configuration for different protocols.
if you pay the google tax for a pixel, you get a convenient 2G toggle.
if you don't have an extra $400-900 and buy a cheaper android, you get to dial ##4636## (hn screws asterisks, look it up) then go into phone info, select each sim radio and change the drop down (and hopefully you know all the standards by all names to make the right choice. hint 5G is NR there)
Is there a name for those ##number## codes? It's been years since I had to use one of them to fix some random issue on a phone.
USSD and MMI, see for example https://en.wikipedia.org/wiki/Unstructured_Supplementary_Ser... . On a quick glance the references did not seem to list what codes are usually available, so just search "ussd code list" or similar.
There's a convenient toggle on my Moto G Stylus 5G 2023, if not a convenient name. In the carrier settings right next to allow 5G. Can't easily disable 3G or LTE though. IIRC, LTE also mutually authenticates, but if we're talking about passive catching and the IMSI is sent in the clear as the article says, then that doesn't eliminate passive catching. I'm not sure about 3G, I thought it wasn't mutual auth either.
wait. which market? never seen a Motorola with the "disable 2G" toggle!
and yes, that only prevents the lower denominator which uses downgrade, which is the vast majority everywhere.
Definitely, mutual authentication and (not) using long-term identifiers in the initial attach request are largely orthogonal concerns.
I believe even 3G supports mutual authentication (at least if the SIM supports it, i.e. it’s not a very old GSM only one), but anonymized identifiers only appeared with 5G.
The 2G toggle can also be found in some other phones, but not every phone manufacturer has support for configuring their modems like that or has bothered to keep the setting in their settings app overhaul.
I know that setting, but I'm not entirely sure if that controls a preference or a mandatory cell config, and if it will prevent downgrades from the network side or not.
Some manufacturers and most custom ROMs also seem to offer that option without a dial code, but I haven't found any documentation about that feature yet to be sure it actually forces the modem configuration. I've found mentions online about this setting being changed without user interaction, so there seems to be a mechanism on some phones (carrier-branded ones maybe?) that alters this config.
every modem has to have that control. and you can access it on every model I've ever seen with the code I shared. i think it might be a requirement for some of the regulations they plaster stickers for.
having the UI or not is a balance between playing nice with over reaching law enforcement and enterprise clients.
One can backslash escape the asterisks. **
kind of information that would be very useful displayed when you're entering a comment. it's not like i work here...
> ##4636## (hn screws asterisks, look it up)
You can include asterisks if you escape them, like \*: *#*#4636#*#*.
2025, "Rayhunter: Rust tool to detect cell site simulators on an orbic mobile hotspot", https://news.ycombinator.com/item?id=43283917
2018, EFF Crocodile Hunter, https://github.com/EFForg/crocodilehunter
See also this 2019 in-depth primer on cellular attacks I wrote for EFF: https://www.eff.org/deeplinks/2019/07/announcing-gotta-catch...
iPhones, in general, will not connect to a 5G Standalone network that doesn’t have SUCI enabled.
So they'll just fall back to 4G then, which always sends the IMSI in the clear on initial attach?
5G Standalone networks don’t have 4G to fall back to. 5G Non-standalone networks are essentially 4G networks with a 5G RAN, so SUCI remains optional and most core vendors don’t support it.
That's not what 5G standalone means, as far as I understand.
The network I'm using supports 5G SA in some cells, but my phone definitely still falls back to both 4G and 5G non-SA in some areas where it's not yet available.
And even if 5G SA were available everywhere, there's the concern of roaming.
Correct, your phone needs to actually re-connect between the two networks. It's a whole new session and you can't handover between 5G SA and 5G NSA/LTE networks. There are some configurations that make this not much of an issue, but technically they are totally different networks.
You can definitely hand over sessions between 5G and 4G (and by extension 5G NSA, which essentially is 4G from a signaling point of view).
It's not a handover in the sense that you're actually creating a second connection to a different network. It's more akin to roaming than a handover.
I don't know if you're implying that the iPhone behaviour is bad but I hope not. It's obviously better.
Source?
> 5G Standalone security and privacy requirements
> To help ensure compatibility of iPhone and cellular iPad devices on private 5G SA networks, infrastructure vendors must adhere to the following security and privacy requirements:
> Privacy concealment: The Subscription Concealed Identifier (SUCI) must use a non-null protection scheme. This can be achieved through either an on-SIM SUCI calculation or an ME SUCI calculation, as outlined in TCA 2.3.1 and 3.1 specifications. For detailed information, refer to the 3GPP Technical Specification 33.501.
(From https://support.apple.com/en-gb/guide/deployment/depac674731...)
This pertains to private networks rather than public operator networks, but it certainly seems to imply that use of SUCI is an expectation on 5G SA networks (private in this context).
In the US, the T-Mobile 5G SA eSIM and SIM cards all have SUCI at least. I don’t have any idea about other networks.
I know very little about the protocol aspects of cellular communication, so can anyone explain how such a huge gaping security hole could come into existence?
In the beginning of cell phones, security was too expensive. Telcos also like to do their own things, so GSM encryption wasn't built on best practices. And some countries forbid use of even GSM encryption.
Early mobile phone networks suffered from cloning, so work was done to improve verification of clients, but verifying the network wasn't seen as required. Telcos have been historically light on authentication and verification; so it's not surprising.
Adding to this the GSM A3/A8 algorithms were broken shortly after they arrived in the US. The only mitigating control was my boss in a wireless provider and the FBI meeting up with someone that was going to demo breaking it. They were advised what prison they would be relocating to and the demo was called off. Rinse and repeat. This was before the internet was popular or even widely used. The word eventually got out.
Before 2G, networks used completely unencrypted analog voice. You could snoop on anyone's calls with a slightly-modified radio; at least until Congress heard about this and made it illegal to sell a radio that could be modified to do this[0].
2G was actually considered a huge bump up in security because you could encrypt the contents of calls. Albeit with hilariously insecure crypto mandated by the old ITAR regime[1]. IMSI catchers weren't part of their threat model, for the same reason why people only recently have realized that metadata is relevant to security.
[0] This law is still on the books, even though analog cellular is entirely dead. It's still a pain in the ass to properly comply with this for, e.g. software-defined radio.
[1] This is the same reason why DVD CSS was so easy to crack, and why there used to be 10 different ways to strip SSL before we decided to stop serving old browsers entirely.
The networks are insecure by standard. They are designed such that they can have "lawful intercept" by government entities. The key material on the SIM card is readily transferred between the carrier and SIM/eSIM card manufacturers, which enables multiple levels of supply chain attacks if the material is mishandled.
IMSI-catchers are not considered a security hole by the carriers or the standards bodies. SUCI/SUPI was put in at the request of phone vendors, if I remember correctly, and is still the only piece of public key cryptography in the networks. Everything else is symmetric keys.
Fyi the above isn't some conspiracy theory as it is standardized by 3GPP:
https://www.etsi.org/deliver/etsi_ts/133100_133199/133106/14...
Here's an interesting quote from the above:
"Depending on national requirements, the CSP may be required to report the location of the Target at the beginning and end of CS calls and PS and IMS sessions on a per warrant or per intercept basis. It may also be a national requirement for the CSP to report the location of the Target [...]"
It evolved from a time when this wouldn't have been considered a gaping security hole.
The phreaking [1] community was huge and becoming increasingly sophisticated long before mobile was even a thing. I think it's mostly that telecoms were traditionally discouraged from pursuing security. There's, at most, a minimal commercial incentive to it, and the government loves comms that can be easily spied on meaning you're going to get pushback from that side if you start aiming for security.
The idea to start using SMS for secure purposes was similarly probably never really about security, but an advertising/government driven effort given that it helps create a fairly reliable tracking identity for a person. It makes no sense otherwise to use SMS over something like a 2FA app which is completely cross platform, secure, free, and has basically 0 downsides relative to SMS, and a whole bunch of upsides. The only thing is that it's also anonymous.
[1] - https://en.wikipedia.org/wiki/Phreaking
Don’t 2FA apps have the major downside that if you lose the specific mobile device you installed it on you’re SOL, unless you have backup codes that are too technical for most? SMS gets you more human support since you pay your carrier; I can walk into my nearest telco branch with my ID if I lose my phone and change the SIM to another phone. So most of the time, unless your SIM is hijacked, it’s a good proxy for being actually you.
Plus having to download another app adds friction to the signup process and most users aren’t going to bother, so for most it’s SMS 2FA or nothing. Since apps often want your phone number anyway for bot prevention, and users are used to verification codes, it’s not a big deal.
Also a tail end of other issues with 2FA apps (and SMS 2FA predates the nice ones anyway); in other countries there are devices other than iOS/Android to suggest an authenticator app for, limited network speeds and device storage, etc. Heck, I know people in the U.S. with full device storage who can’t download new apps without deleting some stuff. If you’re a random app and not a tech company SMS 2FA is just going to be much easier to implement.
The whole point of 2FA is that once you lose possession of your physical second factor, you lose access. If you can maintain access after losing the hardware, you've just added a second password. SIM swapping attacks have proven very effective at showing how easy it is for someone to bypass SMS 2FA. It's better than no 2FA, but it's the worst second factor out there.
If you don't want to lose access after losing your second factor, you don't want two factor authentication. Trying to make 2FA something it's not only muddies the waters and makes things annoyingly confusing.
I don't think "I know someone whose phone can't handle a 2MiB TOTP app" is a good reason not to offer real 2FA on a website. Sure, offer SMS codes for people who don't care much about security beyond ticking auditor boxes.
>I can walk into my nearest telco branch with my ID if I lose my phone and change the SIM to another phone.
And I can do the same pretending to be you, or simply bribe the minimum-wage cashier who doesn't really care.
Do they even have a flag for highly sensitive accounts, e.g. set off an alarm if someone tries to issue a new SIM for the President?
No curious reason for it coming into existence. It's software, it will have bugs and oversights. What's curious is that it and so many other problems of the cellular grid have been left untended to for almost three decades.
The issues with cell network security go way beyond "bugs and oversight". Whether malicious or incompetent I have no idea.
This article missed the point entirely. The answer is no, it did not kill it - not even if you're only on 5G as this article reports.
This is due to flaws in its design as shown here:
https://dl.acm.org/doi/10.1145/3448300.3467826
The article mentions active catchers "requires RF transmission, which violates FCC laws (and international equivalents) and is detectable"... except...
... couldn't one build a 'modern' IMSI catcher with a CBRS LTE band 48 small cell and their own LTE infrastructure and be above-board legal anyways?
This is sort of meta to the article...
Wow, a web site generated using AI[1]. (or perhaps a human using AI)
Anecdotally, when I was attending college there was a 12 year old girl also attending and in some of my classes, particularly my freshman physics class. She was knocking the curve off with high scores on all of the exams. I got a chance to talk to her at lunch one day and it turned out she had an eidetic memory. It was amazing, she could tell you what was on any page of the text book perfectly. That allowed her to recall worked problems in the text that were identical in form to the question on the test, and she could then use the same steps to solve the test problem. But, and this was an important part, she didn't really understand physics. Whenever our conversation went into areas where she could have used physics principles to derive an understanding or at least a good guess at some of the depth of a new topic, she did not. That didn't hinder her progress through school but I had to believe that at some point it would.
After that experience I started paying more attention to people who "knew" facts, and people who "used" facts, which is to say that people who had learned something and understood it, would use that learning to extrapolate into new areas, open up places they didn't understand, and pursue new knowledge about those gaps. And there were people who would rebut arguments with "facts" but seemed not to grasp the fundamental principles at issue.
AI generated "answers" to prompts have exactly the same properties as answers from people who know facts but don't understand them.
I would guess that the article in question was generated with some prompts of the form, "Describe how an IMSI catcher works for each type of network." If you're a human and you read the answer and noticed that 5G was different you can add the click-bait headline and voila, article!
And yet for someone who understands how IMSI catchers work and understands the general compatibility environment of the cell phone networks, they would point out that most phones are designed to work "around the world" which means with all types of networks 2G/3G/LTE, and so even if the world around you is LTE/5G if you pop up a GSM cell tower signal a modern phone will see it and say hi. And then they would go on to describe that WiFi and Bluetooth device hardware (MAC) addresses are unique too, and those are also sent around if you bleat out an open wifi network or a lonely bluetooth device. Finally it would point out that even with the 5G "SUCI", that value is unique to your phone and even if you don't give someone enough information to reverse map your phone to you, it is absolutely enough information to keep track of where this particular phone has been over time.
But all of that context is related to understanding why you would even want to capture an IMSI number and how the entire system was designed to make that easy even though now that is seen as a vulnerability.
So if you've spent some time recognizing the difference between people who are talking about something they understand and people who are talking about something they read about but don't understand, stuff written by AI just sort of pops out at you like that.
[1] All the generated images at the bottom were a dead giveaway, but the structure of the article was also indicative of an LLM construction.
This is a very interesting comment. When I read your physics story, I thought you would be getting to the similarity to current LLMs. However, hallucinations seem like a different issue that the young student might not have. If she incorrectly matches some scenario to a text match, maybe some hallucinations. Some humans are confident in making comments about things I don't understand, like you know who. But many humans somehow have a concept of their limited knowledge. When they add that to LLMs, that will be powerful.
I pretty much agree with this, having some way to indicate model boundaries in an LLM parameter space to create back pressure on token generation would help a lot here.
For me though the interesting bits are how the lack of understanding surfaces as artifacts in the presentation or interaction. I'm a systems person who can't help but try to fathom the underlying connections and influences that are driving the outputs of a system.
1) Yes, it's still possible to convince a phone to connect to older RAT generations. However, the idea is that as those are phased out, it's unlikely that they'll be enabled on UEs, so phones likely won't connect and "say hi" as you say. For example, 2G is already being disabled on many devices. It'll be a while before 2G-4G is fully phased out and IMSI Catchers become completely infeasible, but I think that it's safe to say that "5G got it right" in finally solving this issue.
2) I don't think you have a good understanding of how SUCIs work if you think that it's unique to a device. The UE generates a fresh ECC ephemeral public key every time it sends its SUCI (which isn't often to begin with due to GUTIs, which are one-time use and only assigned post-ciphering). You can read more about it here: https://medium.com/@aditya.koranga/ecies-in-5g-core-supi-to-...
I completely agree with you that I don't have much exposure to SUCIs. And thanks for the link.
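Added example, not part of the thread above: the SUCI concealment that the Apple quote calls a "non-null protection scheme" and that the previous comment describes (a fresh ECC ephemeral key every time the UE sends its SUCI), written as a small Go program. It follows ECIES Profile A from 3GPP TS 33.501 Annex C as I read it (X25519, ANSI X9.63 KDF with SHA-256, AES-128-CTR, HMAC-SHA-256 with a 64-bit tag) but has not been checked against 3GPP test vectors, so treat the byte layout as an assumption. It only covers the "scheme output" part of the SUCI; the plaintext outer fields (MCC/MNC, routing indicator, scheme id, home network key id) and the TBCD packing of the MSIN digits are left out, and the MSIN string is constructed. The function names ConcealSUPI and DeconcealSUCI are mine, and the home network key is generated on the spot instead of being read from a SIM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ECIES Profile A (TS 33.501 Annex C.3.4.1): X25519, ANSI X9.63 KDF with SHA-256,
// AES-128-CTR, HMAC-SHA-256 truncated to 64 bits. Sizes in bytes, in that order:
// ephemeral public key, AES key, initial counter block, MAC key, MAC tag.
const ephPubLen, encKeyLen, icbLen, macKeyLen, macTagLen = 32, 16, 16, 32, 8

// x963KDF computes SHA-256(Z || counter || SharedInfo) for counter = 1, 2, ...
func x963KDF(z, sharedInfo []byte, outLen int) []byte {
	out := make([]byte, 0, outLen+sha256.Size)
	for i := uint32(1); len(out) < outLen; i++ {
		h := sha256.New()
		h.Write(z)
		h.Write(binary.BigEndian.AppendUint32(nil, i))
		h.Write(sharedInfo)
		out = h.Sum(out)
	}
	return out[:outLen]
}

// deriveKeys splits KDF output into enc key || ICB || MAC key; Profile A uses the ephemeral public key as SharedInfo1.
func deriveKeys(shared, ephPub []byte) (encKey, icb, macKey []byte) {
	km := x963KDF(shared, ephPub, encKeyLen+icbLen+macKeyLen)
	return km[:encKeyLen], km[encKeyLen : encKeyLen+icbLen], km[encKeyLen+icbLen:]
}

// aesCTR encrypts or decrypts; CTR mode is its own inverse.
func aesCTR(key, icb, in []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes here, so no error
	out := make([]byte, len(in))
	cipher.NewCTR(block, icb).XORKeyStream(out, in)
	return out
}

// ConcealSUPI (UE side) draws a fresh ephemeral key per call, so the same MSIN
// never yields the same scheme output twice. Output: ephPub || ciphertext || tag.
func ConcealSUPI(hnPub *ecdh.PublicKey, msin []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(hnPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	encKey, icb, macKey := deriveKeys(shared, ephPub)
	ct := aesCTR(encKey, icb, msin)
	m := hmac.New(sha256.New, macKey)
	m.Write(ct) // the tag covers the ciphertext only
	out := append(append(make([]byte, 0, ephPubLen+len(ct)+macTagLen), ephPub...), ct...)
	return append(out, m.Sum(nil)[:macTagLen]...), nil
}

// DeconcealSUCI (home network side) needs the private key, which never leaves
// the operator, so a catcher that captures the SUCI cannot recover the MSIN.
func DeconcealSUCI(hnPriv *ecdh.PrivateKey, schemeOutput []byte) ([]byte, error) {
	if len(schemeOutput) < ephPubLen+macTagLen {
		return nil, errors.New("scheme output too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(schemeOutput[:ephPubLen])
	if err != nil {
		return nil, err
	}
	ct := schemeOutput[ephPubLen : len(schemeOutput)-macTagLen]
	tag := schemeOutput[len(schemeOutput)-macTagLen:]
	shared, err := hnPriv.ECDH(ephPub) // rejects low-order points
	if err != nil {
		return nil, err
	}
	encKey, icb, macKey := deriveKeys(shared, ephPub.Bytes())
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	if !hmac.Equal(m.Sum(nil)[:macTagLen], tag) {
		return nil, errors.New("SUCI MAC tag check failed")
	}
	return aesCTR(encKey, icb, ct), nil
}

func main() {
	hn, _ := ecdh.X25519().GenerateKey(rand.Reader) // long-term home network key pair
	for i := 1; i <= 2; i++ {
		suci, _ := ConcealSUPI(hn.PublicKey(), []byte("0123456789")) // constructed MSIN
		plain, err := DeconcealSUCI(hn, suci)
		fmt.Printf("SUCI %d: %x -> %s (err=%v)\n", i, suci, plain, err)
	}
}
```

Running it prints two different scheme outputs for the same MSIN, which is the point of the previous comment: an observer who sees both cannot tell they belong to one phone, and only the home network's private key, never the ephemeral one, can undo the concealment. The MAC check is what makes a tampered or wrong-key SUCI fail closed instead of decrypting to garbage.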