SoK: Evaluating 5G Protocols Against Legacy and Emerging Privacy and Security Attacks
Stavros Eleftherakis
IMDEA Networks Institute
Universidad Carlos III de Madrid
Madrid, Spain
Domenico Giustiniano
IMDEA Networks Institute
Madrid, Spain
Nicolas Kourtellis
Telefonica Research
Barcelona, Spain
Abstract
Ensuring user privacy remains a critical concern within mobile cellular networks, particularly given the proliferation of interconnected devices and services. In fact, a lot of user privacy issues have been raised in 2G, 3G, 4G/LTE networks. Recognizing this general concern, 3GPP has prioritized addressing these issues in the development of 5G, implementing numerous modifications to enhance user privacy since 5G Release 15. In this systematization of knowledge paper, we first provide a framework for studying privacy and security related attacks in cellular networks, setting as privacy objective the User Identity Confidentiality defined in 3GPP standards. Using this framework, we discuss existing privacy and security attacks in pre-5G networks, analyzing the weaknesses that lead to these attacks. Furthermore, we thoroughly study the security characteristics of 5G up to the new Release 19, and examine mitigation mechanisms of 5G to the identified pre-5G attacks. Afterwards, we analyze how recent 5G attacks try to overcome these mitigation mechanisms. Finally, we identify current limitations and open problems in security of 5G, and propose directions for future work.
Keywords
privacy, security, identifiers, adversaries, cellular networks
1 Introduction
In the digital society of today, the widespread use of smartphones has become an integral part of our daily lives. In fact, the number of smartphone mobile network subscriptions worldwide reached almost 6.4 billion in 2022, and is forecast to exceed 7.7 billion by 2028 [1]. Indeed, this large number of subscribers can be justified by the evolution of cellular technologies. The latest, 5th Generation of Cellular Networks (5G) offers faster data speeds, lower latency, and increased capacity than its predecessors, enabling innovations such as the Internet of Things (IoT), massive MIMO and Millimeter Wave and Terahertz Communications [2, 3]. However, the fact that smartphones and cellular networks have become a fundamental aspect of our lives raises an important question: How do we protect the privacy of cellular network users? Vast literature (see [4–7] for some surveys) demonstrated how 4G/LTE networks and their predecessors (2G, 3G) are vulnerable to various privacy attacks on the User Equipment (UE). Specifically, attacks were shown to violate different properties of UE Identity Confidentiality (Sec. 5.1 of [8, 9]), such as identity disclosure [10–12], and location privacy [13–15]. Some attacks were demonstrated in 5G early versions [16, 17] and even with cheap commodity equipment and open-source code implementations, thus increasing the privacy risks since access to such tools can be easy.
Indeed, it is a challenge for the current and future 5G networks to improve or mitigate the pre-5G networks' vulnerabilities, therefore enhancing user privacy [5, 18–23]. Consequently, the 3rd Generation Partnership Project (3GPP), the international body that is responsible for cellular networks standardization, has considered the aforementioned problems after 5G Release 15, thus introducing significant changes in the related 5G Security Technical Specification [24]. That said, recent surveys on the topic [5, 20, 22, 25] include only theoretical ideas about 5G privacy mechanisms, since they were written before or concurrently with the older 5G Release 15. Other surveys focused on specific use cases, such as the application of Machine Learning algorithms in the 5G Physical layer [26], the security of the Early Data Transmission 5G mechanism [27], or the security of alternative computing paradigms (e.g., catalytic computing) in 5G [28]. Finally, [23, 29] analyzed previous cellular generations' attacks and studied corresponding mitigation mechanisms offered by 5G. In general, past papers on the topic were written against earlier 5G specifications, thus not being informed about newer Releases of 3GPP documents, recent 5G measurement studies [30–32] and new privacy attacks [12, 33, 34].
In fact, an in-depth study of current literature on this topic raised more unanswered questions: 1) What vulnerabilities did the attacks in past cellular generations exploit, and what were the privacy implications of each? 2) What mitigation mechanisms have been introduced in the new release of 5G to overcome such weaknesses? 3) What gaps still remain for future exploration in the topic of 5G Security? 4) How do recent 5G-specific attacks take advantage of them? In order to answer these questions, we perform this systematization of knowledge (SoK) paper. We first propose a framework to study the efficiency of current cellular generation security aspects, given well-studied adversaries demonstrated in past cellular generations, under specific user privacy objectives. Second, we examine the resilience of new 5G security features up to Release 19, called 5G-Advanced, with respect to attacks on previous generations. Third, we examine their adaptability in terms of operators' implementation, classifying them as 'optional' or 'mandatory'. Fourth, we raise open questions and gaps for future work.
With this SoK, our contributions are as follows:
• We define a framework for analyzing privacy-related attacks, setting the User Identity Confidentiality defined in 3GPP as our privacy objective (Sec. 3).
• We describe 12 existing pre-5G attacks (2G, 3G, 4G/LTE) that violate User Identity Confidentiality, and highlight 12 vulnerabilities or weaknesses that lead to them (Sec. 4).
• We discuss security enhancements of 5G and mention 10 mitigation mechanisms that are proposed against the aforementioned attacks (Sec. 5).
• We describe 7 recent 5G attacks along with their corresponding 7 vulnerabilities, and the degree to which they are mitigated by the existing 5G MMs (Sec. 6).
• We give a didactic summary of our results from Sec. 4, 5 and 6 in Table 1.
• We discuss key takeaways of our work and outline future research directions (Sec. 7).
2 Background
In this section, first, we provide basic information about the Cellular Network infrastructure and its key entities and functionalities (Sec. 2.1). Second, we discuss the properties of different UE identifiers (Sec. 2.2) and UE Capabilities (Sec. 2.3). Then, we cover the 5G registration procedure with its corresponding protocols and mechanisms (Sec. 2.4). We also provide a brief analysis of the paging procedure (Sec. 2.5).
2.1 5G Cellular Network Infrastructure
Here, we give an overview of the Cellular Network infrastructure, referring to the main entities and their properties.
User Equipment (UE): The UE consists of the Mobile Equipment (ME) and the USIM card. It is used by consumers to access mobile services and applications.
Radio Access Network (RAN): The Radio Access Network consists of the different Base Stations that are separated into different Tracking Areas (TAs). It is responsible for managing radio resources, enabling handovers, providing wireless connectivity, and facilitating communication between UEs and the Core Network. The RAN comprises base stations (e.g., gNBs in 5G), antennas, and various hardware and software components that enable radio communication. The establishment, maintenance, and release of radio connections between the UE and the RAN is facilitated by the RRC (Radio Resource Control) protocol [35].
Core Network (CN): The Core Network consists of different entities called Network Functions (NFs), that are responsible for a variety of network services and functionalities. For instance, mobility management, authentication, subscriber data management, session management, charging control and connection to external networks are, among others, some important services provided by the CN via these functions. The signaling procedures and messages between the UE and the CN, including functions like registration, authentication, and mobility management, are facilitated by the Non-Access Stratum (NAS) protocol [36].
2.2 Identifiers in 5G Cellular Networks
There are various identifiers used in the Cellular Network, responsible for the identification of different entities participating in the system, and especially of the UE at hand. Among the different generations of cellular networks, there are differences between their structure and their name, but their role has been similar. In general, they are divided into permanent and temporary identifiers.
To begin with, the International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) are the most important permanent identifiers. The first is the identifier of the USIM card used by the UE. This identifier helps the CN identify the specific UE through time and networks. It is used mainly for the initial authentication of the UE to the network and, in the past generations 2G, 3G and 4G, it was submitted in plaintext over the wireless channel. As for the IMEI, it is the identifier of the Mobile Equipment (ME), manufactured on the device during its production. Both of them are permanent, global and are considered as extremely sensitive in terms of privacy. 5G introduced the Subscription Permanent Identifier (SUPI) in clause 5.9.2 of the 3GPP 5G technical specifications for security architecture and procedures [37]. While intuitively SUPI is the same as IMSI, as we will see in the next paragraph regarding temporary identifiers, there is an important difference in the initial authentication: SUPI must never be submitted in plaintext, except for emergency cases, as denoted in clause 5.2.5 of the same 3GPP 5G technical specifications [24]. As for the IMEI, the terminology of the Permanent Equipment Identifier (PEI) is used in 5G, as analyzed in Sec. 6.4 of [38].
The other important category of identifiers are the temporary ones. First, the Subscription Concealed Identifier (SUCI) is introduced in 5G (clause 5.9.2a in [37]). SUCI is an elliptic-curve cryptography-based concealed version of SUPI that is constructed by the USIM card. Furthermore, the CN assigns a temporary identifier to the UE for the communication between the UE and the CN (e.g., Service Request, paging procedures). In the past, many terminologies have been used for this: Temporary Mobile Subscriber Identity (TMSI) in 2G and 3G, Globally Unique Temporary Identity (GUTI) or TMSI in 4G, and 5G Globally Unique Temporary Identity (5G-GUTI) in 5G. For the rest of this paper, we denote it as TMSI for 3G and 4G, and 5G-GUTI for 5G. 5G-GUTI is defined in clause 5.9.4 of [37], where the reader can also find information about how 5G-GUTI is constructed. Finally, the UE is also assigned a temporary identifier called Cell Radio Network Temporary Identity (C-RNTI) from the RAN, facilitating the communication between the UE and the RAN.
2.3 UE Capabilities
The capabilities of a UE can be separated into Core Network (CN) capabilities [36] and Radio Access capabilities [39]. The CN capabilities indicate general UE characteristics, such as the security algorithms supported by the UE for integrity and ciphering protection, and are transmitted as a NAS message. The Radio Access capabilities contain information regarding the radio capabilities of the UE, such as the supported frequency bands of the UE, and are transmitted as an RRC message. As explained in the following section, the UE reports its capabilities to the network during the registration procedure. [40, 41] provide further information about UE capabilities.
2.4 UE Registration & Authentication Procedure
Figure 1 illustrates the basic message exchange flow with regards to some critical procedures in 5G, as introduced in the 3GPP 5G specifications [24]. As shown in the figure, the UE sends a registration request including a subscriber identity (SUCI or 5G-GUTI) and the security capabilities. If the 5G-GUTI was sent and the CN cannot resolve it, it sends to the UE an Identity Request message. After that, the UE sends the SUCI in an Identity Response, and then the Authentication and Key Agreement Protocol (AKA) is initiated by the CN. We highlight that both EPS-AKA (Evolved Packet System Authentication and Key Agreement) and 5G-AKA (5G Authentication and Key Agreement) can be used, but since the differences are out of scope of this paper, 5G-AKA (Sec. 6.1.3.2 of [24]) is used in this work. In a nutshell, the network sends a random number (RAND) and an authentication token (AUTN) to the UE. The UE first verifies the validity of RAND and the freshness of AUTN and, if the verification is not successful, it sends a MAC failure or a Sync Failure respectively. If both of them are verified successfully, the UE uses the RAND and its permanent key to generate a response (RES) and sends it to the network as its Authentication Response. The network verifies the validity of RES and, if it is valid, the authentication is successful. Further information about the 5G-AKA protocol can be found in [42–45]. After a successful authentication response sent by the UE, the NAS Security Command is transmitted in order to activate a secure channel for the NAS protocol messages, providing integrity and ciphering protection.
Figure 1: UE Registration & Authentication signal flow in 5G.
The same procedure is followed for the RRC messages, exchanged between the UE and the gNB, for the activation of a secure channel for them as well. Afterwards, the UE radio capabilities are transmitted to the 5G network, after the establishment of a secure channel (see Figure 1). This is in contrast to prior cellular generations, where radio capabilities were sent before the establishment of a secure channel between the UE and the radio access network. Finally, User Plane (UP) ciphering and integrity is activated through the RRC Reconfiguration message.
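Added example (not code from the paper or from 3GPP): a Python simulation of the 5G-AKA round described above, with both the home-network and the UE side, producing the three outcomes named in the text (RES, MAC failure, Sync failure). The MILENAGE functions f1-f5 are replaced here by HMAC-SHA256 with domain-separation tags and the SQN acceptance window is an assumed value; both are simplifications for a self-contained illustration.

```python
import hashlib
import hmac
import secrets

SQN_WINDOW = 32      # UE-side acceptance window for sequence numbers (assumed value)
AMF = b"\x80\x00"    # Authentication Management Field carried inside AUTN
MAC_LEN = 8          # 64-bit MAC, the length MILENAGE f1 produces
SQN_LEN = 6          # 48-bit SQN; the anonymity key AK has the same length


def _f(tag, k, *parts):
    """Stand-in for MILENAGE f1-f5: HMAC-SHA256 over tag || parts under K (assumption)."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()


def f1_mac(k, sqn, rand, amf):
    return _f(b"f1", k, sqn, rand, amf)[:MAC_LEN]


def f2_res(k, rand):
    return _f(b"f2", k, rand)[:16]


def f5_ak(k, rand):
    return _f(b"f5", k, rand)[:SQN_LEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """UDM/ARPF side: holds the subscriber's long-term key K and the SQN counter."""
    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn

    def authentication_vector(self):
        """Builds RAND and AUTN = (SQN xor AK) || AMF || MAC, plus the expected XRES."""
        self.sqn += 1
        sqn = self.sqn.to_bytes(SQN_LEN, "big")
        rand = secrets.token_bytes(16)
        ak = f5_ak(self.k, rand)
        mac = f1_mac(self.k, sqn, rand, AMF)
        return rand, xor(sqn, ak) + AMF + mac, f2_res(self.k, rand)

    def verify_response(self, res, xres):
        return hmac.compare_digest(res, xres)


class UE:
    """USIM side: shares K and remembers the highest SQN it has accepted."""
    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn

    def authentication_response(self, rand, autn):
        """Returns ("RES", res), ("MAC failure", None) or ("Sync failure", None)."""
        sqn_xor_ak, amf, mac = autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + 2], autn[SQN_LEN + 2:]
        sqn = xor(sqn_xor_ak, f5_ak(self.k, rand))
        # Validity check: the MAC must bind RAND, SQN and AMF under the shared K.
        if not hmac.compare_digest(mac, f1_mac(self.k, sqn, rand, amf)):
            return "MAC failure", None
        # Freshness check: SQN must be newer than the last accepted one and inside the window.
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn or n > self.sqn + SQN_WINDOW:
            return "Sync failure", None
        self.sqn = n
        return "RES", f2_res(self.k, rand)


def run_5g_aka(network, ue):
    """One challenge/response round; returns the outcome as the network sees it."""
    rand, autn, xres = network.authentication_vector()
    kind, res = ue.authentication_response(rand, autn)
    if kind != "RES":
        return kind
    return "success" if network.verify_response(res, xres) else "RES failure"


def demo_success():
    k = secrets.token_bytes(16)                       # constructed subscriber key
    return run_5g_aka(HomeNetwork(k), UE(k))          # "success"


def demo_mac_failure():
    # A network without the subscriber's K (e.g., a rogue base station) cannot forge AUTN.
    return run_5g_aka(HomeNetwork(secrets.token_bytes(16)), UE(secrets.token_bytes(16)))


def demo_sync_failure():
    # The network's SQN counter has fallen behind the USIM's, so AUTN is stale.
    k = secrets.token_bytes(16)
    return run_5g_aka(HomeNetwork(k, sqn=0), UE(k, sqn=100))


def demo_replay():
    # Replaying a captured (RAND, AUTN) pair fails the freshness check on the UE.
    k = secrets.token_bytes(16)
    net, ue = HomeNetwork(k), UE(k)
    rand, autn, _ = net.authentication_vector()
    ue.authentication_response(rand, autn)            # first delivery is accepted
    return ue.authentication_response(rand, autn)[0]  # second one is rejected


if __name__ == "__main__":
    for demo in (demo_success, demo_mac_failure, demo_sync_failure, demo_replay):
        print(f"{demo.__name__}: {demo()}")
```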
2.5 Paging Mechanism
The purpose of the paging mechanism is to inform the recipient UE of incoming data transmissions or a phone call. Paging messages are mainly sent by the Base Station (RRC paging), by broadcasting the identity of the UE that is the recipient of incoming data or a call on the paging channel. In case of incoming data or an SMS, the paging procedure is initiated and all UEs within the cell listen to the paging channel and react to a message if their identity is received. In case of a phone call, the same procedure takes place at a TA level. As explained later, the paging mechanism was a major privacy problem for many cellular generations, since IMSI was used for it, facilitating adversaries to steal the UE's permanent identity.
Figure 2: Different types of adversaries in wireless networks. (a) Passive adversary. (b) Semi-passive adversary. (c) Active adversary.
3 Methodology
In this section, we describe the methodology of our work. First, in Sec. 3.1, we define what User Identity Confidentiality is, and the properties that define it. Then, we give an overview of the different types of adversaries that try to violate the properties of User Identity Confidentiality (Sec. 3.2). Finally, Sec. 3.3 provides an overview of the Framework used for the systematization of the knowledge acquired by the various papers and other documents analyzed pertaining to this topic.
3.1 User Identity Confidentiality
Taking into consideration the number of interconnected devices in today's networks, and the wide range of sensitive data that are transmitted, it is important to define some privacy objectives about the confidentiality of the user identity. Starting from 3G and 4G cellular networks, Sec. 5.1.1 of both [8] and [9] refers to the security objective of the user identity confidentiality and its corresponding properties. In a nutshell, the protection of users' identity (IMSI), location and delivered services are of paramount importance. User identity confidentiality requirements are still relevant in 5G as stated in [43]. For example, Sec. 5.2.5 of [24] refers to the user identity confidentiality, by mentioning the SUPI and PEI protection, 5G related identifiers that are equal to IMSI and IMEI in previous generations as mentioned before in Sec. 2.2. In fact, UE identity confidentiality, as defined in Sec. 5.1.1 of both [8, 9], has been taken into consideration in numerous previous works [23, 46–49]. Based on the above, UE identity confidentiality is considered as the privacy objective in this work and the following properties are necessary for its protection:
• UE Identity Privacy: "the permanent user identity (IMSI) of a user to whom a service is delivered cannot be eavesdropped on the radio access link".
• UE Location Privacy: "the presence or the arrival of a user in a certain area cannot be determined by eavesdropping on the radio access link".
• UE Untraceability: "an intruder cannot deduce whether different services are delivered to the same user by eavesdropping on the radio access link".
Figure 3: General Framework of our Systematization. (Diagram nodes: Privacy Objectives / UE Confidentiality (Sec. 3.1); Adversaries (Sec. 3.2); Attacks; Protocol Weaknesses; Literature, 3GPP Specifications & Reports; 5G Security Characteristics; Mitigation Analysis; Section 5: 5G System Security; Sections 4 & 6: Pre-5G and 5G Attacks; Section 7 Discussion.)
3.2 Adversaries
We focus on types of adversaries reported in literature and classified as passive, semi-passive and active, as also proposed in [40]. Next, we provide an overview of each (Fig. 2 illustrates each attack):
(1) Passive adversary: It has the ability of eavesdropping radio signals within a specific range, using channel sniffers [50]. It can receive, decode and store these radio signals, thereby managing to extract valuable and sensitive information of the UE. As it is passive, it is difficult to be detected.
(2) Semi-Passive adversary: This is a passive adversary that can also somehow ping its target. The most common example is a passive adversary that also sends some (silent) messages, or makes some (silent) calls [14] to its victim.
(3) Active adversary: This adversary is capable of sending radio signals and messages to its target (e.g., [16, 51]) or modifying messages that were sent from or to the victim [34]. Most of the time, it consists of a fake base station that offers excellent signal strength [52]. An active adversary may also have access to sniffers [53], another UE, or jammer devices [54, 55]. It is usually referred to as a "Man-in-the-Middle" (MiTM) adversary [29].
We mention that nowadays, the equipment needed for such attacks can be both affordable and easily deployable. For example, a rogue base station can be constructed by using a Universal Software Radio Peripheral (USRP) [56] with a modified code of open-source projects like OpenLTE [57], srsRAN [58, 59], gr-LTE [60, 61] and OAI [62, 63], or by using a shorter range base station called femtocell [64]. Furthermore, there are available open-source tools for channel sniffers, such as [50, 53, 65–67], that are capable of decoding downlink traffic. Finally, jammers can be implemented using commodity equipment [68, 69].
3.3 Framework
In this section, we explain the framework that is used for the systematization of the knowledge analyzed in this paper, as depicted in Figure 3. The very first step is to select the privacy requirements or objectives that should be met by the network system, in order to protect the different stakeholders. We study relevant scientific literature and 3GPP documents, in order to set as privacy objective the UE Identity Confidentiality, as analyzed earlier in Sec. 3.1. Then, we assume that the adversaries denoted in Sec. 3.2 try to challenge the UE Identity Confidentiality, by performing relevant attacks. Thus, in the next Section 4, we overview existing attacks mounted on 2G, 3G and LTE networks, obtaining information from the available literature. During this process of attack review, we identify the weaknesses that lead to each attack, thus increasing our understanding of the contributing factors of each attack. In the next step, as explained in Section 5, we refer again to the available scientific literature and 3GPP documents, but now focusing on 5G Systems (5GS) and their security characteristics. We first analyze these characteristics, compare them to the ones previously mentioned for the past cellular generations (Sec. 4) and their corresponding privacy related weaknesses, and evaluate if these are mitigated in 5G; if yes, we also discuss to which degree. As mentioned before, the 2G, 3G, and 4G related attacks exploited the weaknesses we highlight. Thus, it is straightforward that the (complete or partial) mitigation of these weaknesses contributes to the (complete or partial) mitigation of the related attacks as well in 5G. The same process is applied to recent 5G attacks in Sec. 6, highlighting their weaknesses and verifying if they can be mitigated by 5G mechanisms.
To facilitate the reader's understanding of the perspective of this work, we give a concrete example of our framework with IMSI Catching. This is a well-known attack (Sec. 4.1.1.1), performed by an active adversary, that violates all of the three properties of the UE Identity Confidentiality, thus breaking the system's privacy objectives. The weakness behind this attack in 2G, 3G, and 4G is the plaintext transmission of the USIM permanent identifier IMSI (UE identifiers were analyzed in Sec. 2.2). As a fix to this problem, a new 5G Security characteristic has been introduced, which is the SUCI mechanism (Sec. 5.1), that encrypts the permanent USIM identifier. So, evaluating this new 5G security characteristic called SUCI, we conclude that the previously mentioned weakness, that led to the IMSI catching attack, is mitigated. Finally, in the last section, we refer to some limitations of this specific 5G security enhancement due to the lack of available 5G stand-alone (SA) networks, and not strict 3GPP regulations (SUCI is an optional feature).
4 Pre-5G Cellular Generation Attacks
In this section, following our framework as defined in Sec. 3.3, we analyze a variety of different attacks that are available in the scientific literature, offering different layers of categorization. First, the different attacks are categorized into privacy and security attacks. Then, privacy attacks are further separated into permanent and temporary identifier-based attacks, protocol exploitation attacks and measurement data exploitation attacks. Regarding security attacks, they are categorized into Data Manipulation attacks and Protocol Downgrade ones. Further, we analyze the type of adversaries that can perform these attacks and evaluate their impact, in terms of UE Confidentiality as defined in Sec. 3.1. Finally, the weaknesses that led to these attacks are outlined (in italic font) and enumerated from W1 to W12. We summarize our findings on all attacks and the weaknesses they take advantage of in Table 1.
4.1 User Privacy attacks
4.1.1 Attacks based on Permanent Identifiers
4.1.1.1 IMSI Catching: IMSI Catching [51, 70–75], which aims to steal the IMSI of the USIM, was one of the first practical attacks in 2G [76] and has also been persistent in 3G [77] and 4G [78]. The attacker uses a device called IMSI Catcher, which as shown in [52, 79–81] is easily deployable and affordable. IMSI catchers operate in active mode as fake (rogue) base stations [11, 82, 83], sometimes empowered by additional equipment, such as jammers [16]. First, the IMSI catcher takes advantage of the phone's behavior to connect to the Cell that offers the strongest signal power. Thus, the IMSI catcher is an active rogue base station that tries to make the victim UE connect to it, by offering better signal quality. When the UE connects to the IMSI catcher device, the adversary sends an Identity Request message. Then, the UE answers with an Identity Response message, including the IMSI without encryption (plaintext), thus leading to UE identity disclosure, UE traceability and location tracking, consequences that break the UE Confidentiality, as defined in Sec. 3.1. Furthermore, IMSI catchers can work in conjunction with a variety of different attacks, such as SIM card cloning [84], DoS attacks [85, 86], and stealing of the UE's phone number [87]. Evidently, the plaintext IMSI transmission was characterized as a key vulnerability in clause 6.1.3 of the 3GPP Specifications [9]. When the IMSI of the UE has been obtained, the adversary can work in passive mode and only track the Person of Interest through their IMSI. The passive version described above is referred to as IMSI probing [88] and has been characterized as low risk in 3GPP TS 33.846 [89], so it is not analyzed further in this paper.
Many different proposals have been made, aiming to stop IMSI Catchers. On one hand, there are five different sets of solutions working on the network side. A first set of solutions proposed either the usage of multiple IMSIs [90, 91] per UE, or a new pseudonym instead of the IMSI [92–94]. However, both of them suffer from synchronization problems between the USIM and the network as described in [95, 96]. Second, [97–102] proposed significant changes both in the AKA protocol messages and the entities of the mobile network, thus making their implementations impractical. In addition, [11, 103–106] proposed network-based solutions, examining possible abnormalities (e.g., strange frequencies, unusual Cell locations and Cell IDs, signal noise level, unusual network parameters) that could have been created by the existence of an IMSI Catcher. It is unclear if any operator has implemented such a detection framework. Besides, [107–109] showed the feasibility of applying Machine Learning techniques for IMSI catcher detection, but neither an exact framework was proposed nor were issues like computational complexity and accuracy analyzed. Last but not least, SeaGlass [110] is a sensor-based approach where vehicles with portable sensors collect network measurements over a long period of time, trying to find anomalies caused by the presence of IMSI catchers. On the other hand, different applications were released [111–115], aiming to solve the problem from the subscribers' side, but they faced limitations such as the low IMSI Catcher detection accuracy and the need for rooting permission on the user's phone, as analyzed in [116–118]. Summarizing, IMSI catching takes advantage of Weakness #1 (W1):
W1: The plaintext IMSI transmission during UE authentication.
4.1.1.2 IMSI Extractor and UE Localization: The goal of the signal overshadowing attack is to disrupt the wireless communication by replacing legitimate signals over the air. This attack requires time and frequency synchronization with the legitimate Base Station (BS), offering signal strength slightly stronger [119] or slightly weaker [120] than the legitimate one. In fact, this attack is stealthier compared to the traditional fake BS ones, since it uses a normal signal strength, thus making its detection even more difficult. Although most of the existing works use signal overshadowing for Denial of Service (DoS) attacks [86, 119, 120], a recent work [12] implements it for IMSI catching and UE passive localization. LTrack [12] is an adversary that uses a fake BS with slightly increased signal strength and perfect synchronization with the legitimate BS and just sends one adversarial message (Identity Request) to the victim. Then, the attacker uses a UL passive sniffer to record the Identity Response message, thus extracting the plaintext IMSI. This attack is called IMSI Extractor [12, 86], in order to be differentiated from the traditional IMSI Catchers that do not use signal overshadowing techniques. Based on the definitions given in Sec. 3.2, this adversary is active, but if we consider that it transmits only one adversarial message, without either increasing the signal strength of its rogue BS or establishing a connection with the victim, there is a difference with the majority of existing attacks. Since the target of this attack is accomplished mainly with the Uplink (UL) and Downlink (DL) sniffers, we characterize this attack as passive in order to show how stealthy it is compared to the traditional rogue BS attacks. Finally, the adversary records the timing advance (TA), a parameter that is transmitted without encryption [121] in LTE, thereby managing to locate the victim with a localization error of around 6 meters. This is a standard weakness due to the message flow in 3G and LTE, since the TA is transmitted before the PDCP layer, so the encryption has not been activated yet. On the contrary, as stated in [122], in 2G the TA eavesdropping problem did not exist since the signal flow was different and the TA was transmitted after the activation of encryption. For this reason, this attack is considered as partially applicable in 2G, caused only by the plaintext IMSI transmission. Concluding, the two weaknesses behind this attack are W1 and a new one, Weakness #2 (W2):
W2: The lack of ciphering in MAC messages.
4.1.1.3 IMSI Paging: Another important problem comes from the paging procedures. Paging (Sec. 2.5) is initiated when the network searches for a UE in order to deliver a service to it, such as a phone call or an SMS. In general, the temporary identifier (TMSI) is used for paging, but in some cases (e.g., the TMSI cannot be resolved by the network) the IMSI can be used as well [123]. The fact that the IMSI could be sent in cleartext in paging messages made the paging process vulnerable to many semi-passive adversaries in 2G [124–126], 3G [127, 128] and 4G [40, 129]. In this type of attack, the adversary already knows some information about the victim UE (e.g., phone number or social network accounts) and tries to take advantage of the paging process weaknesses to track the victim's location and also learn the UE's IMSI. The attacker initiates the paging process by sending (silent) messages, or making (silent) calls to the victim and at the same time uses a sniffer to observe the unencrypted downlink paging messages to identify the IMSI of the victim's UE. More information about silent calls and messages can be found in [14, 130], but in summary, it is a call or message that activates the paging mechanism without the recipient getting notified. This attack violates the whole set of User Identity Confidentiality properties, since it catches the IMSI (identity disclosure) and, through the paging message sniffing, also breaks the location and untraceability privacy. Based on the above, the cause behind this attack is Weakness #3 (W3):
W3: Paging procedure with plaintext IMSI transmission.
4.1.1.4 ToRPEDO: Another problem of previous generations of cellular networks is that the Paging Occasions (POs) of a UE are correlated to the IMSI [131, 132]. A PO is a specific time interval during which a UE is expected to monitor the paging channel for incoming paging messages. More specifically, one of the parameters of the PO is the Paging Frame Index (PFI) of a UE that is estimated using the IMSI (PFI = IMSI mod 1024) (Sec. 7 of [133]). The ToRPEDO semi-passive adversary [131] observes the unencrypted and fixed PFI of a UE, thereby managing to obtain synchronization between the UE and its corresponding paging delay. Finally, ToRPEDO obtains information about the IMSI from the fixed PFI, managing to learn 7 bits of the victim's IMSI, leading to partial User identity leakage along with location tracking and traceability. In a nutshell, the vulnerability that leads to this attack is Weakness #4 (W4):
W4: Estimate of fixed POs based on IMSI.
4.1.1.5 IMEI Catching: As mentioned earlier in Sec. 2.2, the IMEI is another sensitive permanent identifier, corresponding to the Mobile Equipment (ME). In 2G and 3G, the cleartext transmission of this identifier was permitted as a response to an Identity Request Message. Thus, an active adversary using a fake base station, similar to IMSI catchers' adversaries, could send an Identity Request using the IMEI instead of the IMSI, and steal the IMEI of the ME [11, 103]. The LTE standard specification identified this problem and changed the standard appropriately so that the IMEI can be sent only after the activation of a secure channel, as mentioned in [9] and [80]. The analysis made in [134] verified the privacy enhancement of LTE in terms of IMEI privacy and, as shown in [78, 135], only some old 4G MEs are vulnerable to the IMEI Catching attack. Based on the fact that this vulnerability in 4G/LTE comes from mistaken implementation on the ME side and not a protocol vulnerability, IMEI catching is considered as solved in LTE. Concluding, the cause of this attack is Weakness #5 (W5):
W5: Plaintext IMEI transmission.
4.1.2 Attacks based on Temporary Identifiers
4.1.2.1 TMSI Anonymity: The main reason for using the temporary identifier (TMSI) is to minimize IMSI transmissions, offering better anonymity to the UE. In theory, the TMSI has to be updated periodically by the network so that the UE cannot easily be tracked and identified [136]. However, as shown in [127, 136], in experiments that took place in different European countries the TMSI remained constant for up to three days in 2G and 3G networks. Similar results were obtained in LTE networks [14, 40, 137]. More in detail, [14] provides strong evidence of mistaken GUTI refreshment rules: detailed experiments in 11 countries and across 28 different operators showed that even when the TMSI value was refreshed, the new value was predictable from the previous one. A semi-passive adversary, consisting of a passive sniffer and a phone that sends a few (silent) calls or messages to the victim's UE, can then link the victim's phone number with its TMSI by correlating the observed pages with the messages it sent. As a consequence, location tracking and traceability were achieved in 2G [124, 138], 3G [14] and LTE [14, 40], thus breaking two of the three privacy objectives defined in Sec. 3.1. The main weakness behind the TMSI Deanonymity attack is Weakness #6 (W6):
W6: Infrequent or misconfigured update policy of the TMSI.
4.1.2.2 C-RNTI tracking: C-RNTI based attacks are another potential danger for UE location privacy [139–145] and untraceability [146]. The C-RNTI is local to the user's serving Base Station (BS) and is used for the communication between the UE and the RAN. C-RNTIs can be found in both UL and DL control plane messages. [139] passively analyzed LTE traffic and found that the C-RNTI is included without encryption in the header of every single packet, regardless of whether it carries signaling or user traffic. Linkability between a C-RNTI and the victim's phone number or a social network account (e.g., Telegram or WhatsApp) can be easily achieved by a semi-passive adversary with some silent messages or calls, as described in [14]. In terms of decoding the DL messages that include the C-RNTI, passive sniffers are available [50, 53, 67]; thus the UE location privacy and untraceability properties are broken. Note that the C-RNTI itself is a MAC-layer identifier that is carried in the clear by design; what ciphering can hide is the content of the RRC messages that associate it with other identifiers and with the UE's measurements. The main vulnerability behind this attack is Weakness #7 (W7):
W7: The lack of ciphering in RRC messages.
4.1.3 Protocol Exploitation attacks
4.1.3.1 AKA Protocol Linkability: As mentioned in Sec. 2.4, Authentication and Key Agreement (AKA) protocols are used for the mutual authentication between the UE and the CN from 3G onwards. When the authentication is not successful, there are two failure reasons: MAC Failure or Sync Failure. An active adversary [127, 128, 147] first observes an AKA session of the target user and records the Authentication Request, including the authentication challenge (RAND) and token (AUTN). Then, the RAND and AUTN can be replayed by the adversary each time it wants to verify the presence of the target in a specific area. Indeed, thanks to the unencrypted failure messages (Sync or MAC failure), the adversary can distinguish the target user, who is the one the Authentication Request was originally sent to, from the other users. The reason is the order of the checks in the USIM: it first verifies the MAC in AUTN with its long-term key K and only then checks that the sequence number SQN is fresh. Only the target's USIM holds the K that validates the replayed MAC, so it proceeds to the SQN check, finds the SQN already used, and answers with a Sync failure, whereas all the other users fail the MAC check and answer with a MAC failure. Thus, linking two AK A sessions compromises UE location privacy and untraceability. We highlight that neither 3G-AKA nor 4G-AKA (EPS-AKA) solved the problem of linkability of AKA failure messages, since failure messages continue to be transmitted in cleartext [148, 149]. Solutions to the AKA linkability problem were proposed both for 3G [127, 128] and 4G [102, 148, 150], but their compatibility with current deployments is limited due to wide changes to the AKA protocols, high computational overhead and high communication cost. In a nutshell, this attack exploits Weakness #8 (W8):
W8: AKA session failure cause is exposed in plaintext.
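To make the failure oracle concrete, the following Python model (an added example, not code from the paper or from any 3GPP implementation) runs one legitimate AKA challenge and then replays it to several USIMs. MILENAGE f1/f5 are replaced by HMAC-SHA256 stand-ins, the USIM keeps only the highest accepted SQN instead of the full re-synchronisation window, and all keys, RAND and SQN values are constructed.

```python
import hmac
import hashlib

AMF = b"\x80\x00"  # Authentication Management Field, constant in this model


def f1(k: bytes, sqn: bytes, rand: bytes) -> bytes:
    """Network authentication code MAC over SQN || RAND || AMF (stand-in for MILENAGE f1)."""
    return hmac.new(k, b"f1" + sqn + rand + AMF, hashlib.sha256).digest()[:8]


def f5(k: bytes, rand: bytes) -> bytes:
    """Anonymity key AK that masks SQN inside AUTN (stand-in for MILENAGE f5)."""
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:6]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def home_network_challenge(k: bytes, sqn: int, rand: bytes) -> bytes:
    """Build AUTN = (SQN xor AK) || AMF || MAC for one authentication vector."""
    sqn_b = sqn.to_bytes(6, "big")
    return xor(sqn_b, f5(k, rand)) + AMF + f1(k, sqn_b, rand)


class USIM:
    """UE side of AKA: the MAC is verified before the SQN freshness check,
    which is exactly what makes the two failure causes distinguishable."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn_ms = -1  # highest SQN accepted so far (simplified freshness window)

    def respond(self, rand: bytes, autn: bytes) -> str:
        sqn_b = xor(autn[:6], f5(self.k, rand))
        mac = autn[8:]
        if not hmac.compare_digest(mac, f1(self.k, sqn_b, rand)):
            return "MAC_FAILURE"  # AUTN was not produced for this subscriber's K
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:
            return "SYNC_FAILURE"  # correct K, but this SQN was already consumed: a replay
        self.sqn_ms = sqn
        return "RES"  # fresh challenge: answer with the response RES


def link_target(captured, usims: dict) -> list:
    """Adversary step: replay the captured (RAND, AUTN) to every UE in range.
    The UE that answers SYNC_FAILURE is the one the challenge was issued to."""
    rand, autn = captured
    return [name for name, usim in usims.items() if usim.respond(rand, autn) == "SYNC_FAILURE"]


def demo() -> list:
    keys = {name: bytes([i]) * 16 for i, name in enumerate(("alice", "bob", "carol"), start=1)}
    usims = {name: USIM(k) for name, k in keys.items()}
    rand = bytes(range(16))                                   # constructed challenge
    autn = home_network_challenge(keys["alice"], sqn=42, rand=rand)
    assert usims["alice"].respond(rand, autn) == "RES"        # genuine run, sniffed by the adversary
    return link_target((rand, autn), usims)                   # later replay in another cell


if __name__ == "__main__":
    print(demo())  # ['alice']
```

The point the model makes is that the adversary never needs K or RES: the two failure messages alone, sent in the clear, act as a yes/no oracle for "is the subscriber that received this challenge present in this cell".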
4.1.3.2 Device Fingerprinting: The device fingerprinting attack was proposed in LTE networks by Shaik et al. [41]. The adversary constructs a database of different devices' Core Network and Radio capabilities. They propose both a passive and an active version of their attack. First, a passive adversary eavesdrops on the first NAS message which, up to LTE, included the whole set of Core Network Capabilities (e.g., supported security algorithms, telephony features, power saving features, etc.). Then the adversary uses the fingerprinting database to infer the device model and the service delivered to the user. In addition, an active version of this adversary transmits a UE Capability Enquiry message to the victim, exploiting Weakness 12 as described later in Sec. 4.2.2.1, and thus obtains the Radio Capabilities of the UE. As a result, the device fingerprinting attack is more accurate in this case since the adversary obtained both the Core Network and the Radio Capabilities of the UE. This attack breaks the location privacy and untraceability properties and potentially the identity disclosure property as well, since the IMSI is transmitted in the first NAS message whenever the UE has no valid GUTI. The causes behind this attack are W12 and a new one, Weakness #9 (W9):
W9: Transmission of the whole set of Core Network capabilities in the initial NAS message.
4.1.4 Measurement Data Exploitation Attacks
4.1.4.1 UE measurement reports tracking: In cellular networks, the UE performs network measurements and sends them to the Base Station (BS) when requested, as an RRC message [151, 152]. Specifically, a UE measurement report includes signal characteristics (e.g., signal strength of nearby BSs) facilitating the handover procedure and the maintenance of Radio Access Networks. An active attacker using a rogue base station with high signal quality can make the victim connect to it and ask for the UE measurements, managing to estimate the UE's location by triangulation [40, 153]. Furthermore, [80] proposes a passive version of this attack, by simply decoding the plaintext RRC messages that include the UE measurement reports along with the user's C-RNTI. The above-mentioned papers refer to 4G networks, but this kind of attack applies similarly to 2G and 3G [154]. We mention that LTE standards mandated, in Release 13 (LTE-Advanced Pro) of TS 36.331 [155], that UE measurement reports be transmitted only after the activation of RRC security, and as a result the active version of this attack is mitigated. On the other hand, the passive version of this attack can be mitigated only if the ciphering of RRC messages is activated, something that is operator specific since the ciphering of RRC messages is optional to use [9]. Based on the above, the UE measurement reports attack is considered partially applicable in LTE networks, as shown in Table 1. The vulnerabilities behind this problem are W7 and a new one, Weakness #10 (W10):
W10 (up to LTE Release 13): Transmission of UE measurement reports before the establishment of a secure channel.
4.2 User Security Attacks
4.2.1 Data Manipulation Attacks
4.2.1.1 ALTER and IMP4GT attacks: Data manipulation attacks are performed by active adversaries that exploit the lack of integrity protection in user plane messages, thus managing to redirect the victim UE to a malicious server or to impersonate it [141, 156]. The adversary runs a relay (a rogue base station towards the UE and a rogue UE towards the network) and exploits the malleability of the user plane ciphering: the PDCP payload is protected by a stream cipher without a message authentication code, so flipping a bit of the ciphertext flips the same bit of the decrypted plaintext. More in detail, the ALTER attack [141] redirects a victim to a malicious website by manipulating the destination address of IP packets. The adversary intercepts and modifies the uplink DNS request, so that it reaches an adversarial DNS server instead of the intended one. Then, the adversary also modifies accordingly the downlink DNS response of the server, so that the attack is not noticed by the victim UE. Furthermore, the IMPersonation in 4G neTworks (IMP4GT) attack [156] is a dangerous extension of ALTER that is able to impersonate not only the UE but the cellular network as well. The cause of Data Manipulation attacks is Weakness #11 (W11):
W11: Lack of integrity in user plane messages.
4.2.2 Protocol Downgrade attacks
4.2.2.1 Radio Capabilities Bidding-Down attack: Bidding-down attacks [34, 40, 41] aim to downgrade the UE to a lower cellular technology. The lower the cellular generation, the weaker the privacy mechanisms (e.g., 2G has no mutual authentication, i.e., no AKA protocol); therefore, this kind of attack can potentially facilitate all the attacks mentioned in Sec. 4. More in detail, [40, 41] analyze an attack based on the UE radio capabilities. An active adversary (rogue base station) intercepts the UE Capability Information message, the answer to the UE Capability Enquiry that carries the radio capabilities of the UE; up to 4G this exchange took place before the establishment of a secure channel, so no integrity protection had been activated. The adversary modifies the radio capabilities appropriately (e.g., removing frequency bands supported by the UE modem), thus managing to downgrade the UE to a lower cellular generation. Location privacy is directly violated since the adversary intercepts the victim's message, whereas the identity privacy and untraceability properties may potentially be violated as well. The cause of this attack is Weakness #12 (W12):
W12: Transmission of UE Radio Capabilities before the establishment of a secure RRC channel.
5 5G Systems Security
In this section, we analyze the security protocols and mechanisms proposed for 5G in the related 3GPP document [24], aiming to minimize or eliminate the problems and security risks of Sec. 4. These improvements stand as mitigation mechanisms, as mentioned in our Framework in Sec. 3.3, and are enumerated clearly at the end of each subsection. Further, we evaluate their potential efficiency in terms of privacy enhancement, matching them to the weaknesses (W1–W12) mentioned in Sec. 4. Finally, their complete or partial adaptability (optional or mandatory mechanisms) to current 5G networks is considered. The last two columns of Table 1 summarize our findings for 5G.
| Attack Name | Weakness Exploited | 5G Security Characteristics: Mitigation Mechanisms | Optional or Mandatory |
|---|---|---|---|
| IMSI Catching [10, 11, 16, 52, 70–72, 77, 78, 80] | W1 (Sec. 4.1.1.1) | MM1 (Sec. 5.1); MM10 (Sec. 5.6) | O; O |
| IMSI Extractor and Localization [12, 86] | W1 (Sec. 4.1.1.1); W2 (Sec. 4.1.1.2) | MM1 (Sec. 5.1); MM10 (Sec. 5.6) | O; O |
| IMSI Paging [40, 124, 128, 129] | W3 (Sec. 4.1.1.3) | MM3 (Sec. 5.2.2) | M |
| ToRPEDO [131] | W4 (Sec. 4.1.1.4) | MM4 (Sec. 5.2.2) | M |
| IMEI Catching [11, 78, 80, 135] | W5 (Sec. 4.1.1.5) | Solved since LTE | M |
| TMSI Anonymity [14, 124, 127, 136] | W6 (Sec. 4.1.2.1) | MM2 (Sec. 5.2.1) | M |
| C-RNTI tracking [139–141, 146] | W7 (Sec. 4.1.2.2) | MM6 (Sec. 5.3) | O |
| AKA Protocol Linkability [127, 128, 147, 148] | W8 (Sec. 4.1.3.1) | No MM | - |
| Device Fingerprinting [41] | W12 (Sec. 4.2.2.1); W9 (Sec. 4.1.3.2) | MM9 (Sec. 5.5); MM8 (Sec. 5.4) | M; M |
| UE Measurements reports [40, 80, 153, 154] | W7 (Sec. 4.1.2.2); W10 (Sec. 4.1.4.1) | MM6 (Sec. 5.3); Solved since LTE | O; M |
| Data Manipulation [141, 156] | W11 (Sec. 4.2.1.1) | MM7 (Sec. 5.3); MM10 (Sec. 5.6) | O; O |
| Radio Capabilities bidding down attack [34, 40, 41] | W12 (Sec. 4.2.2.1) | MM9 (Sec. 5.5) | M |
| Quantum SUCI [157] | W13 (Sec. 6.1.1.1) | MM5 (Sec. 5.3) | O |
| CSI Reports localization attack [158] | W14 (Sec. 6.1.2.1) | No MM | - |
| ISAC based tracking attack [159–162] | W15 (Sec. 6.1.2.2) | No MM | - |
| Satellite and NTN tracking attack [163, 164] | W16 (Sec. 6.1.2.3) | No MM | - |
| PRS spoofing attack [33, 165] | W17 (Sec. 6.2.1.1) | MM10 (Sec. 5.6) | O |
| Ambient-IoT device spoofing attack [166, 167] | W18 (Sec. 6.2.1.2) | No MM | - |
| 5G Bidding Down attack [17] | W19 (Sec. 6.2.2.1) | MM10 (Sec. 5.6) | O |

The original table additionally marks each attack, with symbols for Applicable, Partially Applicable and Not Applicable, under Privacy Implications (Identity Disclosure, Location Tracking, Traceability), Adversary Type (Active, Semi-Passive, Passive) and Pre-5G Generation (2G, 3G, 4G); those per-row marks are not reproduced here.
Table 1: Top part: Overview of pre-5G (2G-4G) attacks against UE Confidentiality, corresponding weakness (W#) exploited, and any mitigation method (MM#) proposed. Bottom part: Overview of new 5G attacks, corresponding weakness exploited and any mitigation method proposed.
5.1 Improved UE Identity Privacy based on SUCI
As mentioned in Sec. 2.2, the SUPI is the identifier corresponding to the IMSI in 5G networks. In order to avoid the plaintext transmission of the SUPI, the Subscription Concealed Identifier (SUCI) is introduced as an encrypted form of the SUPI, based on elliptic curve cryptography (ECIES, using a home network public key provisioned on the USIM). Only the subscriber-specific part of the SUPI (the MSIN) is concealed; the home network identifier and the routing indicator remain in the clear so that the request can be routed. In fact, the SUCI is used mainly for registration and authentication when the temporary identifier, 5G-GUTI, is not available. We highlight that the implementation of SUCI is of paramount importance for the UE's privacy, since it mitigates the attacks enabled by the IMSI plaintext transmission described in Sections 4.1.1.1 and 4.1.1.2. Therefore, we understand that the SUCI mechanism can really improve UE identity privacy. However, its use is still optional based on [24]: a "null scheme" that carries the SUPI unconcealed is also specified, and the operator decides which scheme the USIM is provisioned with. In summary, mitigation mechanism #1 (MM1) is:
MM1: Concealment of SUPI using SUCI.
5.2 Improvements on 5G-GUTI
5.2.1 Strict 5G-GUTI update mechanism. The 5G Globally Unique Temporary Identifier (5G-GUTI) is the identifier corresponding to the TMSI of previous cellular network generations. As analyzed in Sec. 4.1.2.1, previous generations faced serious privacy problems due to the infrequent or misconfigured refreshment of this temporary identifier [14]. Based on this, 5G strictly defines when the 5G-GUTI has to be updated (reallocated) by the Core Network, in clause 6.12.3 of [24]:
• Upon receiving a Registration Request message of type "initial registration" or "mobility registration update" from the UE.
• Upon receiving a Service Request message sent by the UE in response to a Paging message.
• Upon receiving a Registration Request message of type "periodic registration update" from the UE.
• Upon receiving an indication from lower layers that the RRC connection has been resumed for a UE in 5GMM-IDLE mode with suspend indication, in response to a Paging message.
• Even more frequently, based on operator implementation.
In addition, the same 3GPP document states that the 5G-GUTI should be generated in an unpredictable way, bringing us to Mitigation Mechanism #2 (MM2):
MM2: Frequent and unpredictable 5G-GUTI update.
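As an added example (not from the paper), the following Python checker applies the reallocation rules above to a trace of NAS events for one UE and also flags the predictable-value failure mode reported in [14] for earlier generations. The event labels, the two traces and the threshold of three equal steps are constructed assumptions of this example; in practice the input comes from a passive sniffer or from AMF logs.

```python
from typing import List, Tuple

# NAS events after which the AMF must assign a fresh 5G-GUTI (TS 33.501 clause 6.12.3).
# The event names are this example's own labels.
REALLOCATION_TRIGGERS = {
    "REGISTRATION_REQUEST/initial",
    "REGISTRATION_REQUEST/mobility",
    "REGISTRATION_REQUEST/periodic",
    "SERVICE_REQUEST/paging-response",
    "RRC_RESUME/paging-response",
}

# (timestamp in seconds, event, 32-bit 5G-TMSI part of the 5G-GUTI in use after the event)
Event = Tuple[float, str, int]


def audit_guti_reallocation(trace: List[Event], min_steps: int = 3) -> List[str]:
    """Return findings for (a) trigger events that left the 5G-GUTI unchanged,
    (b) a 5G-TMSI handed back to the same UE, and (c) reallocations whose new
    5G-TMSI follows a constant arithmetic step from the previous one."""
    findings: List[str] = []
    prev_tmsi = None
    steps: List[int] = []
    seen = set()
    for t, event, tmsi in trace:
        if prev_tmsi is not None and event in REALLOCATION_TRIGGERS:
            if tmsi == prev_tmsi:
                findings.append(f"t={t:.0f}s: {event} did not trigger reallocation "
                                f"(5G-TMSI 0x{tmsi:08x} reused)")
            else:
                if tmsi in seen:
                    findings.append(f"t={t:.0f}s: 5G-TMSI 0x{tmsi:08x} reassigned to the same UE")
                steps.append((tmsi - prev_tmsi) & 0xFFFFFFFF)
        seen.add(tmsi)
        prev_tmsi = tmsi
    if len(steps) >= min_steps and len(set(steps[-min_steps:])) == 1:
        findings.append(f"predictable reallocation: the last {min_steps} new 5G-TMSIs "
                        f"each add 0x{steps[-1]:x} to the previous one")
    return findings


# Constructed trace: a UE that is paged once and then re-registers periodically.
BAD_TRACE: List[Event] = [
    (0.0, "REGISTRATION_REQUEST/initial", 0x0A1B2C3D),
    (60.0, "PAGING", 0x0A1B2C3D),
    (61.0, "SERVICE_REQUEST/paging-response", 0x0A1B2C3D),    # rule violated: no new 5G-GUTI
    (3600.0, "REGISTRATION_REQUEST/periodic", 0x0A1B2C3E),   # +1
    (7200.0, "REGISTRATION_REQUEST/periodic", 0x0A1B2C3F),   # +1
    (10800.0, "REGISTRATION_REQUEST/periodic", 0x0A1B2C40),  # +1: predictable
]

# Constructed compliant trace: a fresh, unrelated value after every trigger.
GOOD_TRACE: List[Event] = [
    (0.0, "REGISTRATION_REQUEST/initial", 0x0A1B2C3D),
    (60.0, "PAGING", 0x0A1B2C3D),
    (61.0, "SERVICE_REQUEST/paging-response", 0x7F3E9A10),
    (3600.0, "REGISTRATION_REQUEST/periodic", 0x1C55E2B9),
    (7200.0, "REGISTRATION_REQUEST/periodic", 0xD90047AA),
    (10800.0, "REGISTRATION_REQUEST/periodic", 0x3B8E16F2),
]

if __name__ == "__main__":
    for line in audit_guti_reallocation(BAD_TRACE):
        print(line)
    print("good trace findings:", audit_guti_reallocation(GOOD_TRACE))  # []
```

The constant-step test is deliberately weak (it only catches the crudest counters); a real audit should also run a randomness test over a large sample of allocated values, since MM2 requires unpredictability, not just change.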
5.2.2 5G-S-TMSI-based paging and POs estimate. Another important improvement of 5G compared to previous generations is the decoupling of the IMSI/SUPI from the paging mechanisms. In 5G, paging takes place with a shortened version of the 5G-GUTI, called 5G-S-TMSI (5G S-Temporary Mobile Subscription Identifier, formed by the AMF Set ID, the AMF Pointer and the 5G-TMSI), as mentioned in Sec. 2.10.1 of [38]. The 5G-S-TMSI is derived from the 5G-GUTI, so the strict update mechanism analyzed in the previous section holds for the 5G-S-TMSI as well. Based on this, 5G-GUTI-based paging eliminates the IMSI paging attack analyzed in Sec. 4.1.1.3. Thus, another mitigation mechanism #3 (MM3) is:
MM3: Decoupling of IMSI from paging.
Furthermore, the Paging Frame Index (PFI) is now computed from the 5G-S-TMSI (UE_ID = 5G-S-TMSI mod 1024), as mentioned in Sec. 7.1 of [168], instead of from the IMSI. Based on this, the ToRPEDO attack (Sec. 4.1.1.4) is not applicable anymore: the paging occasion still leaks the low-order bits of an identifier, but that identifier is temporary and changes with every 5G-GUTI reallocation. We highlight privacy Mitigation Mechanism #4 (MM4):
MM4: Decoupling of IMSI from POs' estimate.
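The following Python example (added here; not code from the paper) carries the paging-frame arithmetic of Sec. 7.1 of TS 36.304 (LTE) and TS 38.304 (NR) through for both Sec. 4.1.1.4 and this section: it shows how many low-order bits of UE_ID an observer recovers from the paging frame alone, why that is a permanent IMSI leak in LTE, and why the same observation in 5G only reveals bits of a 5G-S-TMSI that is refreshed under MM2. The IMSI, the 5G-S-TMSI values and the DRX parameters are constructed, and PF_offset is taken as 0.

```python
from math import log2


def paging_frame(ue_id: int, T: int, nB: int) -> tuple:
    """Return (PF, i_s) for a UE_ID already reduced mod 1024:
    PF  = frame within the DRX cycle, SFN mod T = (T div N) * (UE_ID mod N)
    i_s = floor(UE_ID / N) mod Ns, the paging-occasion index inside that frame,
    with N = min(T, nB) and Ns = max(1, nB / T)  (TS 36.304 / TS 38.304, Sec. 7.1)."""
    N = min(T, nB)
    Ns = max(1, nB // T)
    return (T // N) * (ue_id % N), (ue_id // N) % Ns


def lte_ue_id(imsi: int) -> int:
    """LTE: UE_ID = IMSI mod 1024, so the PF is a fixed function of the permanent identity."""
    return imsi % 1024


def nr_ue_id(five_g_s_tmsi: int) -> int:
    """NR: UE_ID = 5G-S-TMSI mod 1024, a temporary identity reallocated by the AMF."""
    return five_g_s_tmsi % 1024


def bits_leaked_by_pf(T: int, nB: int) -> int:
    """Low-order bits of UE_ID an observer learns from the paging frame alone (log2 N)."""
    return int(log2(min(T, nB)))


def ue_id_residue_from_pf(pf: int, T: int, nB: int) -> int:
    """Attacker side: invert PF = (T div N) * (UE_ID mod N) to obtain UE_ID mod N."""
    N = min(T, nB)
    return pf // (T // N)


def demo() -> dict:
    T, nB = 128, 128            # default DRX cycle with nB = T: N = 128, Ns = 1
    imsi = 208010123456789      # constructed IMSI
    pf, _ = paging_frame(lte_ue_id(imsi), T, nB)
    leaked = ue_id_residue_from_pf(pf, T, nB)   # == imsi mod 128: the 7 low-order bits of the IMSI
    # Same observation in 5G, before and after a 5G-GUTI reallocation (constructed 48-bit values).
    pf_before, _ = paging_frame(nr_ue_id(0x0001A2B3C4D5), T, nB)
    pf_after, _ = paging_frame(nr_ue_id(0x0001A2B3C43C), T, nB)
    return {"bits": bits_leaked_by_pf(T, nB), "imsi_residue": leaked,
            "imsi_mod_128": imsi % 128, "nr_pf_before": pf_before, "nr_pf_after": pf_after}


if __name__ == "__main__":
    print(demo())
```

With the default T = nB = 128 the observer learns exactly IMSI mod 128, the 7 bits ToRPEDO reports; raising N (more paging frames per cycle) leaks more bits, lowering it leaks fewer, but in LTE whatever leaks is permanent, whereas in NR it is bound to the current 5G-S-TMSI.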
5.3 Improved Integrity & Confidentiality Protection
Integrity and confidentiality in 5G networks have many similarities with the status of LTE. First, current 5G systems are expected to implement the same 128-bit security algorithms as LTE systems: New Radio Encryption Algorithm (NEA) 0 (null), 128-NEA1 (SNOW 3G based) and 128-NEA2 (AES based) for confidentiality (ciphering), and New Radio Integrity Algorithm (NIA) 0 (null), 128-NIA1 and 128-NIA2 for integrity protection, as outlined in Secs. 5.2.2 and 5.2.3 of [24]; the ZUC-based 128-NEA3 and 128-NIA3 are optional to implement. On the other hand, the potential use of 256-bit keys has been studied in [169] and is foreseen as an optional feature in 5G [24] to mitigate potential quantum attacks, such as the Quantum SUCI attack (Sec. 6.1.1.1). So, the 5G Mitigation Mechanism #5 (MM5) is:
MM5: 256-bit algorithm support for quantum adversary mitigation.
Furthermore, in terms of the protection of specific messages, RRC and NAS integrity protection are mandatory to use, whereas NAS and RRC ciphering are mandatory to support but optional to use (the operator selects the algorithm, possibly the null one), something that is similar to LTE. As shown in Sec. 4, the attacks described in Secs. 4.1.2.2 and 4.1.4.1 can be mitigated by RRC ciphering, so it is added as Mitigation Mechanism #6 (MM6) in order to match these attacks, noting that MM6 exists in LTE as well:
MM6 (similar in LTE): Ciphering of RRC messages.
Moreover, another 5G enhancement compared to LTE is the optional integrity protection of User Plane (UP) messages, as introduced in Sec. 5.3 of [24]; it is activated per PDU session according to the user plane security policy that the core network sends to the gNB, and it mitigates the Data Manipulation attacks (Sec. 4.2.1.1). So, Mitigation Mechanism #7 (MM7) is:
MM7: Integrity protection of user plane messages.
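As an added example that is not part of the paper, the following Python code models the uplink DNS redirection of Sec. 4.2.1.1 on a stream-ciphered, unauthenticated PDCP payload and then shows the same tampering being rejected once a user-plane MAC-I (MM7) is verified. The 128-NEA/128-NIA algorithms are replaced by a SHA-256 counter-mode keystream and an HMAC stand-in; the UE address, the resolver address, the attacker's candidate resolvers, the keys and the DNS query are constructed. The attacker is assumed to know only the original destination IP and the IPv4 header layout; it picks a redirect address whose 16-bit words have the same one's-complement sum as the original, so the IPv4 header checksum (and a UDP pseudo-header checksum, omitted here) stays valid without being known or recomputed.

```python
import hashlib
import hmac
import struct


def keystream(key: bytes, count: int, n: int) -> bytes:
    """Counter-mode keystream; stands in for 128-NEA2 (AES-CTR keyed by COUNT/BEARER/DIRECTION)."""
    out = b"".join(hashlib.sha256(key + struct.pack(">II", count, i)).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ones_complement_sum(data: bytes) -> int:
    s = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def ipv4_checksum(hdr: bytes) -> int:
    return (~ones_complement_sum(hdr[:10] + b"\x00\x00" + hdr[12:20])) & 0xFFFF


def ipv4_checksum_valid(packet: bytes) -> bool:
    return struct.unpack(">H", packet[10:12])[0] == ipv4_checksum(packet[:20])


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    src_b, dst_b = (bytes(map(int, ip.split("."))) for ip in (src, dst))
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, 17, 0, src_b, dst_b)
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]


def checksum_preserving_alias(orig_ip: str, candidates) -> str:
    """Attacker's choice of redirect address: same one's-complement word sum as the
    original, so the checksums that cover the destination address do not change."""
    target = ones_complement_sum(bytes(map(int, orig_ip.split("."))))
    return next(ip for ip in candidates if ones_complement_sum(bytes(map(int, ip.split(".")))) == target)


def pdcp_cipher(key: bytes, count: int, data: bytes) -> bytes:
    """Ciphering only (LTE user plane): XOR with the keystream, symmetric for both directions."""
    return xor(data, keystream(key, count, len(data)))


def alter_redirect(ciphertext: bytes, orig_dst: str, new_dst: str) -> bytes:
    """W11 in action: flip the ciphertext bits of the IPv4 destination field (bytes 16..19)."""
    delta = xor(bytes(map(int, orig_dst.split("."))), bytes(map(int, new_dst.split("."))))
    return ciphertext[:16] + xor(ciphertext[16:20], delta) + ciphertext[20:]


def dst_ip(packet: bytes) -> str:
    return ".".join(str(b) for b in packet[16:20])


def up_mac(key: bytes, count: int, data: bytes) -> bytes:
    """32-bit MAC-I over COUNT || data; stands in for 128-NIA2 on the user plane (MM7)."""
    return hmac.new(key, struct.pack(">I", count) + data, hashlib.sha256).digest()[:4]


K_CIPHER, K_INT, COUNT = b"c" * 16, b"i" * 16, 7                    # constructed keys and PDCP COUNT
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"        # constructed DNS query (UDP header omitted)
         b"\x07example\x03com\x00\x00\x01\x00\x01")
UE_IP, RESOLVER_IP = "10.0.0.2", "8.8.8.8"                           # constructed addresses
ATTACKER_IP = checksum_preserving_alias(RESOLVER_IP, ["192.0.2.53", "10.10.6.6", "12.12.4.4"])


def network_receives_without_integrity() -> bytes:
    """Uplink packet as decrypted by the network after the relay modified it in transit."""
    pkt = ipv4_header(UE_IP, RESOLVER_IP, len(QUERY)) + QUERY
    on_air = pdcp_cipher(K_CIPHER, COUNT, pkt)                        # UE -> relay
    tampered = alter_redirect(on_air, RESOLVER_IP, ATTACKER_IP)       # relay -> eNB
    return pdcp_cipher(K_CIPHER, COUNT, tampered)                     # eNB/network decrypts


def network_accepts_with_integrity(tamper: bool) -> bool:
    """Same flow with UP integrity: MAC-I is computed over the plaintext, ciphered with it,
    and checked by the receiver before the packet is forwarded."""
    pkt = ipv4_header(UE_IP, RESOLVER_IP, len(QUERY)) + QUERY
    on_air = pdcp_cipher(K_CIPHER, COUNT, pkt + up_mac(K_INT, COUNT, pkt))
    if tamper:
        on_air = alter_redirect(on_air, RESOLVER_IP, ATTACKER_IP)
    plain = pdcp_cipher(K_CIPHER, COUNT, on_air)
    body, received_mac = plain[:-4], plain[-4:]
    return hmac.compare_digest(received_mac, up_mac(K_INT, COUNT, body))


if __name__ == "__main__":
    seen = network_receives_without_integrity()
    print(dst_ip(seen), ipv4_checksum_valid(seen))                   # 10.10.6.6 True
    print(network_accepts_with_integrity(False), network_accepts_with_integrity(True))  # True False
```

The decrypted uplink packet carries the attacker's resolver as destination with a still-valid header checksum, which is why a ciphering-only user plane does not notice the rewrite; with the MAC-I in place, the same bit flips change the plaintext under the tag and the packet is dropped.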
5.4 Privacy of the initial NAS message
Another important and mandatory 5G security mechanism is the privacy of the initial NAS message, as described in Sec. 6.4.6 of [24]. In contrast to previous generations, where the whole set of UE Core Network capabilities was transmitted in plaintext in the initial NAS message, in 5G only the information needed to establish security (the UE identity, i.e., 5G-GUTI or SUCI, and the UE security capabilities) is sent in the clear when no NAS security context exists; the rest of the UE capabilities are sent in a NAS container after the activation of a secure NAS channel, and the whole initial message is ciphered when a security context already exists. This mitigates the Device fingerprinting attack, as described in Sec. 4.1.3.2. Concluding, Mitigation Mechanism #8 (MM8) is:
MM8: Enhanced privacy of the initial NAS message.
5.5 Secured Radio Capabilities transmission
As analyzed in Sec. 4.2.2.1, up to 4G the UE radio capabilities were transmitted before the establishment of RRC security, enabling bidding-down attacks. This mistaken flow was corrected in 5G, as already mentioned in Sec. 2.4 and depicted in Fig. 1: the RRC UE Capability Enquiry (and hence the UE Capability Information that answers it) is only transmitted after the RRC Security Mode Complete, when integrity protection is enabled. Based on this, bidding-down attacks based on the UE radio capabilities are eliminated by the mandatory Mitigation Mechanism #9 (MM9):
MM9: Radio Capabilities transmission in a secure RRC channel.
5.6 Fake Base Station Detection Framework
Fake (rogue) base stations (FBS) were responsible for many different attacks in the previous cellular generations, as described in Sec. 4. 3GPP specifications, for the first time, included an optional
[134] S. F. Mjølsnes and R. F. Olimid, "Experimental Assessment of Private Information Disclosure in LTE Mobile Networks," in SECRYPT, pp. 507–512, 2017.
[135] C. Park, S. Bae, B. Oh, J. Lee, E. Lee, I. Yun, and Y. Kim, "DoLTEst: In-depth downlink negative testing framework for LTE devices," in 31st USENIX Security Symposium (USENIX Security 22), pp. 1325–1342, 2022.
[136] M. Arapinis, L. I. Mancini, E. Ritter, and M. Ryan, "Privacy through Pseudonymity in Mobile Telephony Systems," in NDSS, 2014.
[137] C. Sørseth, S. X. Zhou, S. F. Mjølsnes, and R. F. Olimid, "Experimental analysis of subscribers' privacy exposure by LTE paging," Wireless Personal Communications, vol. 109, pp. 675–693, 2019.
[138] S. Saharan and J. Kumar, "Exploiting GSM Vulnerabilities: An Experimental Setup And Procedure To Map TMSI And Mobile Number," International Journal of Advanced Research in Computer Science, vol. 8, no. 5, 2017.
[139] R. P. Jover, "LTE security, protocol exploits and location tracking experimentation with low-cost software radio," arXiv preprint arXiv:1607.05171, 2016.
[140] R. P. Jover, "LTE security and protocol exploits," Shmoocon 2016, 2016.
[141] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper, "Breaking LTE on layer two," in 2019 IEEE Symposium on Security and Privacy (SP), pp. 1121–1136, IEEE, 2019.
[142] K. Kohls, D. Rupprecht, T. Holz, and C. Pöpper, "Lost traffic encryption: fingerprinting LTE/4G traffic on layer two," in Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, pp. 249–260, 2019.
[143] T. Oh, S. Bae, J. Ahn, Y. Lee, D.-T. Hoang, M. S. Kang, N. O. Tippenhauer, and Y. Kim, "Enabling Physical Localization of Uncooperative Cellular Devices," arXiv preprint arXiv:2403.14963, 2024.
[144] I. Bang, T. Kim, H. S. Jang, and D. K. Sung, "Impact of Uplink Power Control on User Location Tracking Attacks in Cellular Networks," in ICC 2021 - IEEE International Conference on Communications, pp. 1–6, IEEE, 2021.
[145] D. Yu and W. Wen, "Non-access-stratum request attack in E-UTRAN," in 2012 Computing, Communications and Applications Conference, pp. 48–53, IEEE, 2012.
[146] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper, "Call me maybe: Eavesdropping encrypted LTE calls with ReVoLTE," in 29th USENIX Security Symposium (USENIX Security 20), pp. 73–88, 2020.
[147] M. S. A. Khan and C. J. Mitchell, "Another look at privacy threats in 3G mobile telephony," in Australasian Conference on Information Security and Privacy, pp. 386–396, Springer, 2014.
[148] C. Hahn, H. Kwon, D. Kim, K. Kang, and J. Hur, "A privacy threat in 4th generation mobile telephony and its countermeasure," in Wireless Algorithms, Systems, and Applications: 9th International Conference, WASA 2014, Harbin, China, June 23-25, 2014. Proceedings 9, pp. 624–635, Springer, 2014.
[149] I. Karim, S. R. Hussain, and E. Bertino, "ProChecker: An automated security and privacy analysis framework for 4G LTE protocol implementations," in 2021 IEEE 41st International Conference on Distributed Computing Systems (ICDCS), pp. 773–785, IEEE, 2021.
[150] T. Fei and W. Wang, "The vulnerability and enhancement of AKA protocol for mobile authentication in LTE/5G networks," Computer Networks, vol. 228, p. 109685, 2023.
[151] M. M. Saeed, M. K. Hasan, A. J. Obaid, R. A. Saeed, R. A. Mokhtar, E. S. Ali, M. Akhtaruzzaman, S. Amanlou, and A. Z. Hossain, "A comprehensive review on the users' identity privacy for 5G networks," IET Communications, vol. 16, no. 5, pp. 384–399, 2022.
[152] M. Svensson, N. Paladi, and R. Giustolisi, "5G: Towards secure ubiquitous connectivity beyond 2020," 2015.
[153] D. Forsberg, H. Leping, K. Tsuyoshi, and S. Alanara, "Enhancing security and privacy in 3GPP E-UTRAN radio interface," in 2007 IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications, pp. 1–5, IEEE, 2007.
[154] E. Bitsikas and C. Pöpper, "Don't hand it over: Vulnerabilities in the handover procedure of cellular telecommunications," in Annual Computer Security Applications Conference, pp. 900–915, 2021.
[155] 3GPP TS 36.331, "Group Radio Access Network; Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol specification," version 18.1.0 Rel. 18, https://www.3gpp.org/, 2024. Accessed: 2024-05.
[156] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper, "IMP4GT: IMPersonation Attacks in 4G NeTworks," in NDSS, 2020.
[157] V. Q. Ulitzsch, S. Park, S. Marzougui, and J.-P. Seifert, "A post-quantum secure subscription concealed identifier for 6G," in Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 157–168, 2022.
[158] N. Ludant, M. Vomvas, and G. Noubir, "Unprotected 4G/5G Control Procedures at Low Layers Considered Dangerous," arXiv preprint arXiv:2403.06717, 2024.
[159] S. Lu, F. Liu, Y. Li, K. Zhang, H. Huang, J. Zou, X. Li, Y. Dong, F. Dong, J. Zhu, et al., "Integrated sensing and communications: Recent advances and ten open challenges," IEEE Internet of Things Journal, 2024.
[160] J. Wang, N. Varshney, C. Gentile, S. Blandino, J. Chuang, and N. Golmie, "Integrated sensing and communication: Enabling techniques, applications, tools and data sets, standardization, and future directions," IEEE Internet of Things Journal, vol. 9, no. 23, pp. 23416–23440, 2022.
[161] F. Liu, Y. Cui, C. Masouros, J. Xu, T. X. Han, Y. C. Eldar, and S. Buzzi, "Integrated Sensing and Communications: Toward Dual-Functional Wireless Networks for 6G and Beyond," IEEE Journal on Selected Areas in Communications, vol. 40, no. 6, pp. 1728–1767, 2022.
[162] Z. Liu, C. Xu, Y. Xie, E. Sie, F. Yang, K. Karwaski, G. Singh, Z. L. Li, Y. Zhou, D. Vasisht, et al., "Exploring practical vulnerabilities of machine learning-based wireless systems," in 20th USENIX Symposium on Networked Systems Design and Implementation (NSDI 23), pp. 1801–1817, 2023.
[163] J. Pavur and I. Martinovic, "SoK: Building a launchpad for impactful satellite cyber-security research," arXiv preprint arXiv:2010.10872, 2020.
[164] E. Jedermann, M. Strohmeier, V. Lenders, and J. Schmitt, "RECORD: A RECeption-Only Region Determination attack on LEO satellite users," in 33rd USENIX Security Symposium (USENIX Security 24), (Philadelphia, PA), pp. 6113–6130, USENIX Association, Aug. 2024.
[165] K. Gao, H. Wang, and H. Lv, "Surgical Strike on 5G Positioning: Selective-PRS-Spoofing Attacks and Its Defence," IEEE Journal on Selected Areas in Communications, 2024.
[166] R. Narayanan, A. Varshney, and P. Papadimitratos, "Harvestprint: Securing battery-free backscatter tags through fingerprinting," in Proceedings of the 20th ACM Workshop on Hot Topics in Networks, pp. 178–184, 2021.
[167] T. Jiang, Y. Zhang, W. Ma, M. Peng, Y. Peng, M. Feng, and G. Liu, "Backscatter communication meets practical battery-free Internet of Things: A survey and outlook," IEEE Communications Surveys & Tutorials, 2023.
[168] 3GPP TS 38.304, "NR; User Equipment (UE) procedures in Idle mode and RRC Inactive state," version 17.7.0 Rel. 17, https://www.3gpp.org/, 2023. Accessed: 2024-05.
[169] 3GPP TR 33.841, "Study on the support of 256-bit algorithms for 5G," version 16.1.0 Rel. 16, https://www.3gpp.org/, 2019. Accessed: 2024-02.
[170] 3GPP TR 33.809, "Study on 5G security enhancements against False Base Stations (FBS)," version 18.1.0 Rel. 18, https://www.3gpp.org/, 2023. Accessed: 2024-05.
[171] C. J. Mitchell, "The impact of quantum computing on real-world security: A 5G case study," Computers & Security, vol. 93, p. 101825, 2020.
[172] V.-L. Nguyen, P.-C. Lin, B.-C. Cheng, R.-H. Hwang, and Y.-D. Lin, "Security and privacy for 6G: A survey on prospective technologies and challenges," IEEE Communications Surveys & Tutorials, vol. 23, no. 4, pp. 2384–2428, 2021.
[173] J. Yang and T. Johansson, "An overview of cryptographic primitives for possible use in 5G and beyond," Science China Information Sciences, vol. 63, no. 12, p. 220301, 2020.
[174] T. C. Clancy, R. W. McGwier, and L. Chen, "Post-quantum cryptography and 5G security: tutorial," in Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, pp. 285–285, 2019.
[175] M. Chlosta, D. Rupprecht, C. Pöpper, and T. Holz, "5G SUCI-Catchers: Still catching them all?," in Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 359–364, 2021.
[176] F. Liu, L. Su, B. Yang, H. Du, M. Qi, and S. He, "Security Enhancements to Subscriber Privacy Protection Scheme in 5G Systems," in 2021 International Wireless Communications and Mobile Computing (IWCMC), pp. 451–456, IEEE, 2021.
[177] 3GPP TS 38.214, "NR; Physical layer procedures for data," version 18.2.0 Rel. 18, https://www.3gpp.org/, 2024. Accessed: 2024-05.
[178] Keysight Technologies, "WaveJudge Wireless Analyzer Solutions," https://www.keysight.com/us/en/products/wireless-analyzers/wavejudge-wireless-analyzer-solutions.html.
[179] "pCR to 33.809 – New solution for KI #7 and KI #5, based on modified CSI reports," https://www.3gpp.org/dynareport?code=Meetings-S3.htm/, 2020. Accessed: 2024-05.
[180] 3GPP TS 22.837, "Feasibility Study on Integrated Sensing and Communication," version 19.3.0 Rel. 19, https://www.3gpp.org/, 2024. Accessed: 2024-05.
[181] F. Adib and D. Katabi, "See through walls with WiFi!," in Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM, pp. 75–86, 2013.
[182] U. Ha, S. Madani, and F. Adib, "WiStress: Contactless stress monitoring using wireless signals," Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, vol. 5, no. 3, pp. 1–37, 2021.
[183] Y. Gu, Y. Zhang, J. Li, Y. Ji, X. An, and F. Ren, "Sleepy: Wireless channel data driven sleep monitoring via commodity WiFi devices," IEEE Transactions on Big Data, vol. 6, no. 2, pp. 258–268, 2018.
[184] D. Vasisht, A. Jain, C.-Y. Hsu, Z. Kabelac, and D. Katabi, "Duet: Estimating user position and identity in smart homes using intermittent and incomplete RF-data," Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, vol. 2, no. 2, pp. 1–21, 2018.
[185] Z. Wei, F. Liu, C. Masouros, N. Su, and A. P. Petropulu, "Toward multi-functional 6G wireless networks: Integrating sensing, communication, and security," IEEE Communications Magazine, vol. 60, no. 4, pp. 65–71, 2022.
[186] W. Sun, T. Chen, and N. Gong, "SoK: Secure Human-centered Wireless Sensing," Proceedings on Privacy Enhancing Technologies, 2024.
[187] H. M. Furqan, M. S. J. Solaija, H. Türkmen, and H. Arslan, "Wireless communication, sensing, and REM: A security perspective," IEEE Open Journal of the Communications Society, vol. 2, pp. 287–321, 2021.
[188] N. Su, F. Liu, C. Masouros, and A. Al Hilli, "Security and privacy in ISAC systems," in Integrated Sensing and Communications, pp. 477–506, Springer, 2023.
[189] A. Blanco, N. Ludant, P. J. Mateo, Z. Shi, Y. Wang, and J. Widmer, "Performance evaluation of single base station ToA-AoA localization in an LTE testbed," in 2019 IEEE 30th Annual International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC), pp. 1–6, IEEE, 2019.
[190] M. Kotaru, K. Joshi, D. Bharadia, and S. Katti, "SpotFi: Decimeter level localization using WiFi," in Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, pp. 269–282, 2015.
[191] S. Eleftherakis, G. Santaromita, M. Rea, X. Costa-Pérez, and D. Giustiniano, "SPRING+: Smartphone Positioning from a Single WiFi Access Point," IEEE Transactions on Mobile Computing, 2024.
[192] F. Adib, H. Mao, Z. Kabelac, D. Katabi, and R. C. Miller, "Smart homes that monitor breathing and heart rate," in Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, pp. 837–846, 2015.
[193] X. Fang, W. Feng, T. Wei, Y. Chen, N. Ge, and C.-X. Wang, "5G embraces satellites for 6G ubiquitous IoT: Basic models for integrated satellite terrestrial networks," IEEE Internet of Things Journal, vol. 8, no. 18, pp. 14399–14417, 2021.
[194] M. Giordani and M. Zorzi, "Non-terrestrial networks in the 6G era: Challenges and opportunities," IEEE Network, vol. 35, no. 2, pp. 244–251, 2020.
[195] F. Rinaldi, H.-L. Maattanen, J. Torsner, S. Pizzi, S. Andreev, A. Iera, Y. Koucheryavy, and G. Araniti, "Non-terrestrial networks in 5G & beyond: A survey," IEEE Access, vol. 8, pp. 165178–165200, 2020.
[196] M. M. Azari, S. Solanki, S. Chatzinotas, O. Kodheli, H. Sallouha, A. Colpaert, J. F. M. Montoya, S. Pollin, A. Haqiqatnejad, A. Mostaani, et al., "Evolution of non-terrestrial networks from 5G to 6G: A survey," IEEE Communications Surveys & Tutorials, vol. 24, no. 4, pp. 2633–2672, 2022.
[197] S. Kota and G. Giambene, "6G integrated non-terrestrial networks: Emerging technologies and challenges," in 2021 IEEE International Conference on Communications Workshops (ICC Workshops), pp. 1–6, IEEE, 2021.
[198] A. Vanelli-Coralli, A. Guidotti, T. Foggi, G. Colavolpe, and G. Montorsi, "5G and Beyond 5G Non-Terrestrial Networks: trends and research challenges," in 2020 IEEE 3rd 5G World Forum (5GWF), pp. 163–169, IEEE, 2020.
[199] O. Kodheli, E. Lagunas, N. Maturo, S. K. Sharma, B. Shankar, J. F. M. Montoya, J. C. M. Duncan, D. Spano, S. Chatzinotas, S. Kisseleff, et al., "Satellite communications in the new space era: A survey and future challenges," IEEE Communications Surveys & Tutorials, vol. 23, no. 1, pp. 70–109, 2020.
[200] 3GPP TS 38.300, "NR; NR and NG-RAN Overall Description; Stage 2," version 18.2.0 Rel. 18, https://www.3gpp.org/, 2024. Accessed: 2024-09.
[201] 3GPP TS 38.821, "Solutions for NR to support non-terrestrial networks (NTN)," version 16.2.0 Rel. 16, https://www.3gpp.org/, 2023. Accessed: 2024-09.
[202] 3GPP TR 22.865, "Study on satellite access Phase 3," version 19.2.0, Release 19, https://www.3gpp.org/, 2023. Accessed: 2024-09.
[203] 3GPP TR 23.700-29, "Study on integration of satellite components in the 5G architecture; Phase 3," version 19.0.0, Release 19, https://www.3gpp.org/, 2024. Accessed: 2024-09.
[204] P. Tedeschi, S. Sciancalepore, and R. Di Pietro, "Satellite-based communications security: A survey of threats, solutions, and research challenges," Computer Networks, vol. 216, p. 109246, 2022.
[205] R. Singh, I. Ahmad, and J. Huusko, "The role of physical layer security in satellite-based networks," in 2023 Joint European Conference on Networks and Communications & 6G Summit (EuCNC/6G Summit), pp. 36–41, IEEE, 2023.
[206] M. Vaezi, A. Azari, S. R. Khosravirad, M. Shirvanimoghaddam, M. M. Azari, D. Chasaki, and P. Popovski, "Cellular, wide-area, and non-terrestrial IoT: A survey on 5G advances and the road toward 6G," IEEE Communications Surveys & Tutorials, vol. 24, no. 2, pp. 1117–1174, 2022.
[207] I. Ahmad, J. Suomalainen, P. Porambage, A. Gurtov, J. Huusko, and M. Höyhtyä, "Security of satellite-terrestrial communications: Challenges and potential solutions," IEEE Access, vol. 10, pp. 96038–96052, 2022.
[208] D. Margaria, B. Motella, M. Anghileri, J.-J. Floch, I. Fernandez-Hernandez, and M. Paonni, "Signal structure-based authentication for civil GNSSs: Recent solutions and perspectives," IEEE Signal Processing Magazine, vol. 34, no. 5, pp. 27–37, 2017.
[209] F. Chiti, R. Picchi, and L. Pierucci, "A survey on non-terrestrial quantum networking: Challenges and trends," Computer Networks, p. 110668, 2024.
[210] M. Manulis, C. P. Bridges, R. Harrison, V. Sekar, and A. Davis, "Cyber security in new space: analysis of threats, key enabling technologies and challenges," International Journal of Information Security, vol. 20, pp. 287–311, 2021.
[211] J. Pavur, M. Strohmeier, V. Lenders, and I. Martinovic, "QPEP: An actionable approach to secure and performant broadband from geostationary orbit," Internet Society, 2021.
[212] J. Huwyler, J. Pavur, G. Tresoldi, and M. Strohmeier, "QPEP in the Real World: A Testbed for Secure Satellite Communication Performance," in SpaceSec, 2023.
[213] J. Pavur, D. Moser, M. Strohmeier, V. Lenders, and I. Martinovic, "A tale of sea and sky on the security of maritime VSAT communications," in 2020 IEEE Symposium on Security and Privacy (SP), pp. 1384–1400, IEEE, 2020.
[214] A. Iqbal, M.-L. Tham, Y. J. Wong, G. Wainer, Y. X. Zhu, T. Dagiuklas, et al., "Empowering non-terrestrial networks with artificial intelligence: A survey," IEEE Access, 2023.
[215] P. Kumar, R. Kumar, A. N. Islam, S. Garg, G. Kaddoum, and Z. Han, "Distributed AI and Blockchain for 6G-assisted terrestrial and non-terrestrial networks: Challenges and future directions," IEEE Network, vol. 37, no. 2, pp. 70–77, 2023.
[216] G. Fontanesi, F. Ortíz, E. Lagunas, V. M. Baeza, M. Vázquez, J. Vásquez-Peralvo, M. Minardi, H. Vu, P. Honnaiah, C. Lacoste, et al., "Artificial intelligence for satellite communication and non-terrestrial networks: A survey," arXiv preprint arXiv:2304.13008, 2023.
[217] S. Mahboob and L. Liu, "Revolutionizing future connectivity: A contemporary
su ey on AI-empowe ed sa elli e-based non- e es ial ne wo ks in 6G,” IEEE
Communica ions Su eys & Tu o ials, 2024.
[218]
M. Ra h and S. Mish a, “Secu i y app oaches in machine lea ning o sa elli e
communica ion,” Machine lea ning and da a mining in ae ospace echnology,
pp. 189–204, 2020.
[219] L. Junzhi, L. Wanqing, F. Qixiang, and L. Beidian, “Resea ch p og ess o GNSS
spoo ing and spoo ing de ec ion echnology,” in 2019 IEEE 19 h In e na ional
Con e ence on Communica ion Technology (ICCT), pp. 1360–1369, IEEE, 2019.
[220]
S. Han, J. Li, W. Meng, M. Guizani, and S. Sun, “Challenges o physical laye
secu i y in a sa elli e- e es ial ne wo k,” IEEE Ne wo k, ol. 36, no. 3, pp. 98–
104, 2022.
[221]
B. Li, Z. Fei, C. Zhou, and Y. Zhang, “Physical-laye secu i y in space in o ma ion
ne wo ks: A su ey,” IEEE In e ne o hings jou nal, ol. 7, no. 1, pp. 33–52, 2019.
[222]
F. Fo maggio and S. Tomasin, “Au hen ica ion o sa elli e na iga ion signals by
wi e ap coding and a i icial noise,” EURASIP Jou nal on Wi eless Communica-
ions and Ne wo king, ol. 2019, pp. 1–17, 2019.
[223]
J. Liu, J. Wang, W. Liu, Q. Wang, and M. Wang, “A no el coope a i e physical
laye secu i y scheme o sa elli e downlinks,” Chinese Jou nal o Elec onics,
ol. 27, no. 4, pp. 860–865, 2018.
[224]
N. Hosseinidehaj, Z. Baba , R. Malaney, S. X. Ng, and L. Hanzo, “Sa elli e-based
con inuous- a iable quan um communica ions: S a e-o - he-a and a p edic i e
ou look,” IEEE Communica ions Su eys & Tu o ials, ol. 21, no. 1, pp. 881–919,
2018.
[225]
R. Beding on, J. M. A azola, and A. Ling, “P og ess in sa elli e quan um key
dis ibu ion,” npj Quan um In o ma ion, ol. 3, no. 1, p. 30, 2017.
[226]
G. Foca elli, S. Zanini, G. Bianchi, and S. Ba ole i, “Physical Laye Th ea s
o 5G Posi ioning: Impac on TOA-Based Me hods,” in 2024 IEEE In e na ional
Con e ence on Communica ions Wo kshops (ICC Wo kshops), pp. 926–931, IEEE,
2024.
[227]
“3GPP TS 22.369, “Se ice equi emen s o ambien powe -enabled IoT; S age
1” e sion 19.1.0 Rel. 19.” h ps://www.3gpp.o g/, 2024. Accessed: 2024-05.
[228]
“3GPP TS 38.769, “S udy on solu ions o ambien IoT (In e ne o Things);”
e sion 19.0.1 Rel. 19.” h ps://www.3gpp.o g/, 2024. Accessed: 2024-05.
[229]
A. Va shney, O. Ha ms, C. Pé ez-Peniche , C. Rohne , F. He mans, and T. Voig ,
“LoRea: A backsca e a chi ec u e ha achie es a long communica ion ange,”
in P oceedings o he 15 h ACM Con e ence on Embedded Ne wo k Senso Sys ems,
pp. 1–14, 2017.
[230]
V. Talla, M. Hessa , B. Kellogg, A. Naja i, J. R. Smi h, and S. Gollako a, “Lo a
backsca e : Enabling he ision o ubiqui ous connec i i y,” P oceedings o he
ACM on in e ac i e, mobile, wea able and ubiqui ous echnologies, ol. 1, no. 3,
pp. 1–24, 2017.
[231]
V. Liu, A. Pa ks, V. Talla, S. Gollako a, D. We he all, and J. R. Smi h, “Ambien
backsca e : Wi eless communica ion ou o hin ai ,” ACM SIGCOMM compu e
communica ion e iew, ol. 43, no. 4, pp. 39–50, 2013.
[232]
“3GPP TSG RAN WG1 #116-bis, "Ambien IoT De ice A chi ec u e,”.” h ps:
//www.3gpp.o g/dyna epo ?code=Mee ings-S3.h m/, 2024. Accessed: 2024-05.
[233]
N. Van Huynh, D. T. Hoang, X. Lu, D. Niya o, P. Wang, and D. I. Kim, “Ambien
backsca e communica ions: A con empo a y su ey,” IEEE Communica ions
su eys & u o ials, ol. 20, no. 4, pp. 2889–2922, 2018.
[234]
D. Zane i, B. Dane , and S. Capkun, “Physical-laye iden i ica ion o UHF RFID
ags,” in P oceedings o he six een h annual in e na ional con e ence on Mobile
compu ing and ne wo king, pp. 353–364, 2010.
[235]
A. Scalingi, S. D’O o, F. Res uccia, T. Melodia, D. Gius iniano, e al., “De -RAN:
Da a-D i en C oss-Laye Real-Time A ack De ec ion in 5G Open RANs,” in
IEEE In e na ional Con e ence on Compu e Communica ions, pp. 1–10, 2024.
[236]
T. Heijligenbe g, G. Knips, C. Böhm, D. Rupp ech , and K. Kohls, “BigMac:
Pe o mance O e head o Use Plane In eg i y P o ec ion in 5G ne wo ks,” in
P oceedings o he 16 h ACM Con e ence on Secu i y and P i acy in Wi eless and
Mobile Ne wo ks, pp. 145–150, 2023.
[237]
M. M. Saeed, R. A. Saeed, R. A. Mokh a , H. Alhumyani, and E. S. Ali, “A
no el a iable pseudonym scheme o p ese ing p i acy use loca ion in 5G
ne wo ks,” Secu i y and Communica ion Ne wo ks, ol. 2022, 2022.
[238]
M. M. Saeed, R. A. Saeed, and E. Saeid, “Iden i y di ision mul iplexing based
loca ion p ese e in 5G,” in 2021 In e na ional Con e ence o Technology, Science
and Adminis a ion (ICTSA), pp. 1–6, IEEE, 2021.
[239]
A. Kou sos, “The 5G-AKA au hen ica ion p o ocol p i acy,” in 2019 IEEE Eu o-
pean symposium on secu i y and p i acy (Eu oS&P), pp. 464–479, IEEE, 2019.
S a os Ele he akis, Domenico Gius iniano, and Nicolas Kou ellis
[240]
“3GPP TS 33.846, “S udy on au hen ica ion enhancemen s in he 5G Sys em
(5GS),” e sion 17.0.0 Rel. 17.” h ps://www.3gpp.o g/, 2021. Accessed: 2024-05.
[241]
A. Lo o, V. Singh, B. Ramasub amanian, A. B ighen e, M. Con i, and R. Poo en-
d an, “BARON: Base-S a ion Au hen ica ion Th ough Co e Ne wo k o Mobil-
i y Managemen in 5G Ne wo ks,” in P oceedings o he 16 h ACM Con e ence on
Secu i y and P i acy in Wi eless and Mobile Ne wo ks, pp. 133–144, 2023.
[242]
S. R. Hussain, M. Eche e ia, A. Singla, O. Chowdhu y, and E. Be ino, “Insecu e
connec ion boo s apping in cellula ne wo ks: he oo o all e il,” in P oceedings
o he 12 h con e ence on secu i y and p i acy in wi eless and mobile ne wo ks,
pp. 1–11, 2019.
[243]
A. Singla, R. Behnia, S. R. Hussain, A. Ya uz, and E. Be ino, “Look be o e you
leap: Secu e connec ion boo s apping o 5g ne wo ks o de end agains ake
base-s a ions,” in P oceedings o he 2021 ACM Asia Con e ence on Compu e and
Communica ions Secu i y, pp. 501–515, 2021.
[244]
Y. Li, S. Liu, Z. Yan, and R. H. Deng, “Secu e 5G posi ioning wi h u h disco e y,
a ack de ec ion, and acing,” IEEE In e ne o Things Jou nal, ol. 9, no. 22,
pp. 22220–22229, 2021.
[245]
P. K. Naka mi, M. A. E soy, E. U. Soykan, and K. No man, “Mu a : Mul i- a
alse base s a ion de ec o ,” a Xi p ep in a Xi :2102.08780, 2021.
[246]
K. S. Mubasshi , I. Ka im, and E. Be ino, “FBSDe ec o : Fake Base S a ion and
Mul i S ep A ack De ec ion in Cellula Ne wo ks using Machine Lea ning,”
a Xi p ep in a Xi :2401.04958, 2024.
[247]
P. K. Naka mi, J. S e nby, and I. Ullah, “Applying machine lea ning on s p-based
ea u es o alse base s a ion de ec ion,” in P oceedings o he 17 h In e na ional
Con e ence on A ailabili y, Reliabili y and Secu i y, pp. 1–7, 2022.
[248]
M. Saedi, A. Moo e, P. Pe y, and C. Luo, “RBS-MLP: A Deep Lea ning based
Rogue Base S a ion De ec ion App oach o 5G Mobile Ne wo ks,” IEEE T ans-
ac ions on Vehicula Technology, 2024.
[249]
M. Polese, L. Bona i, S. D’o o, S. Basagni, and T. Melodia, “Unde s anding O-
RAN: A chi ec u e, in e aces, algo i hms, secu i y, and esea ch challenges,”
IEEE Communica ions Su eys & Tu o ials, ol. 25, no. 2, pp. 1376–1411, 2023.
[250]
S. Pa k, D. Kim, Y. Pa k, H. Cho, D. Kim, and S. Kwon, “5G secu i y h ea
assessmen in eal ne wo ks,” Senso s, ol. 21, no. 16, p. 5524, 2021.
[251]
S. Pa k, I. You, H. Pa k, and D. Kim, “Analyzing RRC Replay A ack and Secu ing
Base S a ion wi h P ac ical Me hod,” in P oceedings o he 17 h In e na ional
Con e ence on A ailabili y, Reliabili y and Secu i y, pp. 1–8, 2022.
[252]
Z. Cheng, M. O dean, F. D. Ga cia, B. Cui, and D. Rys, “Wa ching you call:
B eaking VoLTE p i acy in LTE/5G ne wo ks,” a Xi p ep in a Xi :2301.02487,
2023.
[253]
S. Kwon, S. Pa k, H. Cho, Y. Pa k, D. Kim, and K. Yim, “Towa ds 5G-based IoT
secu i y analysis agains Vo5G ea esd opping,” Compu ing, ol. 103, pp. 425–447,
2021.
[254]
M. S. Wani, M. Rademache , T. Ho s mann, and M. K e schme , “Secu i y Vulne -
abili ies in 5G Non-S and-Alone Ne wo ks: A Sys ema ic Analysis and A ack
Taxonomy,” Jou nal o Cybe secu i y and P i acy, ol. 4, no. 1, pp. 23–40, 2024.
[255]
G. Hol up, W. Lacube, D. P. Da id, A. Me moud, G. Bo e , and V. Lende s, “5g
sys em secu i y analysis,” a Xi p ep in a Xi :2108.08700, 2021.
[256]
G. Hol up, W. Blonay, M. S ohmeie , A. Me moud, J.-P. Cha anne, and
V. Lende s, “Modeling 5G Th ea Scena ios o C i ical In as uc u e P o ec-
ion,” in 2023 15 h In e na ional Con e ence on Cybe Con lic : Mee ing Reali y
(CyCon), pp. 161–180, IEEE, 2023.
[257]
E. Bi sikas, S. Khandke , A. Salous, A. Rangana han, R. Pique as Jo e , and
C. Pöppe , “UE Secu i y Reloaded: De eloping a 5G S andalone Use -Side Secu-
i y Tes ing F amewo k,” in P oceedings o he 16 h ACM Con e ence on Secu i y
and P i acy in Wi eless and Mobile Ne wo ks, pp. 121–132, 2023.