Recommendations to enhance subscriber privacy in 5G

There are clear benefits of 5G SIM capabilities to protect the most prominent personal data involved in mobile communications, according to the Trusted Connectivity Alliance.

Addressing privacy risks

The IMSI, known as a Subscription Permanent Identifier (SUPI) in 5G, is the unique identifier allocated to an individual SIM by an MNO. Despite representing highly personal information, the IMSI is exposed to significant security vulnerabilities as it is sent unencrypted over-the-air in 2G, 3G and 4G technologies.

Most notably, ‘IMSI catchers’ are readily and inexpensively available and can be used to illegally monitor a subscriber’s location, calls and messages.

“To address the significant privacy risks posed by IMSI catchers, the 5G standards introduced the possibility for MNOs to encrypt the IMSI before it is sent over-the-air,” comments Claus Dietze, Chair of Trusted Connectivity Alliance.

“But as the standards state that encryption can be performed either by the SIM or by the device, and even be deactivated, there is potential for significant variability in terms of implementation. This creates scenarios where the IMSI is not sufficiently protected and the subscriber’s personal data is potentially exposed.”

Managing IMSI encryption within the 5G SIM

Given these scenarios, the white paper recommends that MNOs consider limiting the available implementation options to rely on proven, certified solutions. Of the available options, executing IMSI encryption within the 5G SIM, which refers to both the SIM or eSIM as defined by Trusted Connectivity Alliance as the Recommended 5G SIM, emerges as a comprehensive solution when examined against a range of key criteria. This includes ownership and control, the security of the SIM and its production process, and certification and interoperability.

“Eurosmart fully supports the Trusted Connectivity Alliance position on subscriber privacy encryption, and agrees it should be managed within the 5G SIM. If we consider the direct impact on the security and resilience of critical infrastructures and essential services, and the requirements of the NIS directives, it is also apparent that a robust regulatory response is warranted to support these recommendations,” adds Philippe Proust, President of Eurosmart.

“We therefore contend that regulatory measures should be implemented to define an ad hoc security certification scheme addressing IMSI encryption within the 5G SIM under the EU Cybersecurity Act. In addition, it should be a requirement for the IMSI to be encrypted within the 5G SIM, and for the 5G SIM to be mandatorily security certified to demonstrate its capabilities.”

Claus concludes: “Managing IMSI encryption within the 5G SIM delivers control, best-in-class security and interoperability to prevent malicious and unlawful interception. And with 5G creating a vast array of new use-cases, SIM-based encryption is the only viable way to establish interoperability across emerging consumer and industrial IoT use-cases and, ultimately, enable a secure connected future.”