Wright, James and Wolthusen, Stephen (2025) A Fail-Safe Challenge-Response Mechanism for User Equipment to Detect Rogue IMSI/SUPI Catchers. In: Critical Infrastructure Protection XVIII : 18th IFIP WG 11.10 International Conference, ICCIP 2024, Arlington, VA, USA, March 18–19, 2024, Proceedings. IFIP Advances in Information and Communication Technology. Springer, Cham, pp. 155-178. ISBN 9783031818875
Full text not available from this repository.

Abstract
This chapter formalizes the security promise of channel tranquility, where an agent will not transmit messages unless it can verify that the communications channel has not been manipulated by an adversary. In the 5G standard, user equipment presumes that no manipulation can occur in the wireless channel with a radio node. However, analysis of international mobile subscriber identity/subscription permanent identifier catchers has revealed that an adversary denies service to all the legitimate radio nodes in an administrative area to exploit user equipment vulnerabilities. To limit the adversary’s ability to compromise the 5G authentication and confidentiality promises, channel tranquility imposes an upper bound on the number of messages that the adversary can transmit. This work presents a verified challenge-response mechanism that detects channel tranquility violations and responds to prevent the adversary from compromising authentication and confidentiality. An applied pi calculus model of a 5G registration procedure augmented with the challenge-response mechanism is presented. The mechanism builds a layer of defense in depth into the 5G registration procedure by incorporating an independent, redundant cryptographic system that must be undermined before other security promises can be attacked. Channel tranquility enables user equipment to quickly establish if a radio node has access to the public key infrastructure of the 5G control network. Specifically, user equipment can deduce whether an international mobile subscriber identity/subscription permanent identifier catcher has been deployed in an administrative area and then deny the adversary the ability to exploit any vulnerabilities. The challenge-response mechanism is verified using a secrecy proof that demonstrates that the adversary cannot learn the semantics of the challenge and response if at least one legitimate session between user equipment and a radio node has been completed.