Experimental Analysis of Authentication-Based Privacy Leakage in 5G SA

Another paper from our work on 5G security has been accepted to the 9th International Workshop on Emerging Network Security (ENS) in conjunction with the 21st International Conference on Availability, Reliability and Security (ARES), to be held August 24-27, 2026 in Linköping, Östergötland/Sweden. The paper is going to be presented by Hamza Ahmed Farah.

Abstract: 5G Standalone (SA) networks introduce the Subscriber Concealed Identifier (SUCI) and the 5G Authentication and Key Agreement (5G-AKA) protocol to eliminate the plaintext identity exposure of earlier generations. However, privacy leakage can persist through observable protocol behaviour rather than exposed identifiers. This paper presents an experimental evaluation of two such attack classes — the SUCI-catcher and the SQN inference attack — implemented as a transparent N2-interface proxy on a fully virtualized, 3GPP Release 16-compliant testbed built on OpenAirInterface, UERANSIM, and a custom NGAP proxy. The SUCI-catcher exploits the binary outcome of the 5G-AKA challenge-response exchange as a presence oracle, successfully recording SUCIs from six subscribers and confirming target presence without recovering any keying material, breaking location privacy and unlinkability. The SQN inference attack recovers subscriber sequence-number bits through controlled synchronisation failures, accurately inferring 8 bits of SQN verified against ground-truth core network state, and demonstrating that SQN changes between observations track subscriber activity, breaking undetectability. Both attacks share a structural dependency on abusing core-network authentication-vector generation. Operator-level rate-limiting and anomaly detection are identified as near-term mitigations; long-term protection requires protocol-level changes to 5G-AKA.
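The near-term mitigations named in the abstract, sketched as an added example (not code from the paper or its testbed): a per-subscriber sliding window that caps authentication-vector generation and flags subscribers with many unconfirmed vectors or repeated synchronisation failures. The event format, outcome labels, window length and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

def count(q, kind):
    return sum(1 for _, k in q if k == kind)

class AvRequestMonitor:
    """Per-subscriber sliding window over authentication-vector (AV) activity."""
    def __init__(self, window_s=60, max_av=5, max_unconfirmed=3, max_sync=2):
        # All thresholds are assumed values for illustration, not from the paper.
        self.window_s, self.max_av = window_s, max_av
        self.max_unconfirmed, self.max_sync = max_unconfirmed, max_sync
        self.events = defaultdict(deque)  # supi -> deque of (time, kind)

    def _window(self, supi, now):
        q = self.events[supi]
        while q and now - q[0][0] >= self.window_s:
            q.popleft()  # drop events that fell out of the window
        return q

    def allow_av_request(self, supi, now):
        """Rate limit: decide before the core generates another vector."""
        q = self._window(supi, now)
        if count(q, "AV") >= self.max_av:
            return False
        q.append((now, "AV"))
        return True

    def record_outcome(self, supi, now, outcome):
        """outcome: 'SUCCESS', 'MAC_FAILURE' or 'SYNC_FAILURE' (assumed labels)."""
        self._window(supi, now).append((now, outcome))

    def is_anomalous(self, supi, now):
        """Many vectors issued but never confirmed, or repeated sync failures."""
        q = self._window(supi, now)
        unconfirmed = count(q, "AV") - count(q, "SUCCESS")
        return (unconfirmed > self.max_unconfirmed
                or count(q, "SYNC_FAILURE") > self.max_sync)

def replay(monitor, events):
    """Feed (time, supi, kind) events in order; return the denied AV requests."""
    denied = []
    for now, supi, kind in events:
        if kind != "AV":
            monitor.record_outcome(supi, now, kind)
        elif not monitor.allow_av_request(supi, now):
            denied.append((now, supi))
    return denied

# Constructed sample: supi-A authenticates normally; supi-B sees a burst of
# vector requests with no completed authentication.
SAMPLE = ([(0, "supi-A", "AV"), (1, "supi-A", "SUCCESS")]
          + [(t, "supi-B", "AV") for t in range(0, 35, 5)])
```
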

Paper Reference: Farah, Hamza Ahmed; Ahmed, Azza Hassan Mohamed and Dreibholz, Thomas: «Experimental Analysis of Authentication-Based Privacy Leakage in 5G SA», in Proceedings of the 9th International Workshop on Emerging Network Security (ENS) in conjunction with the 21st International Conference on Availability, Reliability and Security (ARES), Linköping, Östergötland/Sweden, August 2026.
