Did 5G kill the IMSI catcher?

5G SA, SUCI, and device/SIM requirements

  • Several comments note iPhones won’t join private 5G SA networks without SUCI enabled; this implies SUCI is treated as a de‑facto requirement for SA, at least in Apple’s ecosystem.
  • US examples show 5G SA SIMs/eSIMs with SUCI provisioned from the factory; older SIMs generally cannot be retrofitted unless operators reprogram specific SIM service fields and ECC capabilities.
  • There is disagreement on handover semantics: some view 5G SA vs NSA/LTE transitions as full re‑attachments closer to roaming, others emphasize that practical session continuity exists.

Disabling legacy radio technologies

  • Users ask if SIMs can forbid specific RATs (2G/3G/4G). Replies say this is mostly a baseband/OS setting, not a SIM one, though SIMs have related files (e.g., forbidden networks lists, service tables).
  • Android and some other devices expose 2G-disable or “5G preferred/only” toggles; behavior under forced downgrades from the network side is unclear.
  • In the US, 2G is effectively gone, so any 2G attachment is strongly suspect, but elsewhere 2G/3G are still relevant for coverage and roaming.

Are IMSI catchers “dead”?

  • One camp argues that criminal IMSI catchers are largely obsolete because:
    • 5G (with SUCI) and newer stacks make classic attacks harder.
    • Carriers and law enforcement can now do better location and identifier tracking directly from the network backend.
  • Others counter that this is false: “fake base stations” and “SMS blasters” are actively used for spam, phishing, and fraud, with recent cases cited in multiple countries.
  • Passive or downgrade-based attacks remain possible wherever legacy technologies are supported.

Location tracking and lawful interception

  • 5G beamforming and dense deployments can already yield high‑precision location from cell data alone; some commenters argue this makes IMSI catchers less necessary.
  • There is concern that emergency-location mechanisms (e.g., GPS reporting) can be triggered remotely by the network, depending on baseband behavior; some hardware reportedly doesn’t limit such requests to emergencies.
  • Standards explicitly define “lawful interception” and location reporting per warrant; commenters stress that interception capabilities are designed in and not viewed as “bugs” by standards bodies.

mmWave, deployment, and tracking accuracy

  • Disagreement over how widely mmWave 5G is deployed and how useful it is:
    • Critics call it “vaporware” or a niche, power‑hungry technology mostly useful in stadiums/arenas and some urban cores; many budget or non‑US phones omit mmWave support.
    • Supporters cite real‑world multi‑Gbps speeds and ongoing spectrum auctions and rollouts, arguing it remains important for high‑density venues and certain future use cases.
  • One commenter notes that for general location, cell‑ID‑based methods are often less precise than Wi‑Fi/BSSID databases, which are widely commercialized.

Why cellular security has these holes

  • Historical explanations:
    • Early analog and 2G systems prioritized cost and basic encryption of content, not mutual authentication or metadata privacy.
    • GSM encryption and algorithms were constrained or weakened, and network authentication to devices wasn’t seen as necessary.
  • Some argue insecurity is structural: networks are designed for “lawful intercept,” rely on shared symmetric keys, and long treated IMSI catchers as acceptable collateral rather than vulnerabilities.
  • Others frame many issues as long‑standing oversights and inertia rather than intentional malice.

Article quality and AI‑generation suspicion

  • A meta-thread suggests the linked article “reads like” an AI synthesis: fact‑recitation without deep understanding, missing important nuances such as:
    • Global multi‑RAT behavior (phones still connecting to 2G/3G/LTE where present).
    • The continued value of any stable identifier, even if obfuscated, for correlation and tracking.
  • Another reply defends 5G’s SUCI design, noting that correctly implemented SUCIs are not stable identifiers, since they use fresh ephemeral keys and are rarely sent.

User mitigations and their limits

  • Suggested mitigations include:
    • Forcing 4G/5G‑only or 5G‑SA‑only modes (where supported, e.g., on some Android derivatives).
    • Using 2G‑disable toggles.
    • Monitoring disclosures of IMSI/IMEI/SUCI via new Android modem‑security reporting.
  • Trade‑offs: disabling older RATs risks coverage and sometimes voice (given VoLTE interoperability problems), though emergency calls are typically exempted from such restrictions.
  • Consensus: 5G improves things, but does not “kill” IMSI catchers outright; attacks evolve, legacy networks linger, and backend surveillance remains powerful.