This would allow leaking identifiers (at the cost of greatly reducing roaming coverage, at the moment), attaching to spoofed networks (for 2G, which does not have mutual authentication) etc.
Some Android phones have a setting to at least disable 2G and you can easily configure them to a "preference" of only 5G. I believe iPhones have a 2G toggle as well if you enable lockdown mode.
It'll be years before you can reliably get rid of 4G without losing coverage, though.
I don't know about any such settings on mobile platforms such as watches, though. I also doubt cars have a setting for this (maybe if you use one of those Chinese Android-tablet-with-a-car-skin systems?).
SIM cards have hundreds of various configuration knobs influencing what a (compliant) baseband does, so I wouldn’t be surprised if there was one that does just that.
That said, some knobs are frustratingly missing, though – why is manually entering an APN a thing, but the default SMSC can be stored on the SIM?
I haven't needed to enter APNs in years, there are standards to provision those by SMS if they're missing and most of them are pre-configured in the phone's OS.
I think limiting this at the modem side will be more effective than reprogramming the SIM card, but the specifications are open enough that you could take a look at a SIM's contents by throwing it in a reader.
You could also look at the code and blobs dealing with eSIMs, as they provide the same features but often come packaged in the form of software.
Check your local laws before you start messing with SIM cards, though, altering certain identifiers can be a crime.
You're right that this needs to be limited at the modem - but the main user accessible method of configuring the modem is the phone UI. As this setting is one which needs network support, and is likely to disconnect a user who misconfigured this, a SIM file for permitted RAT (radio access technology) types would make sense, as SIM files are under the responsibility of the operator.
Where this would get complex is edge cases, like under roaming scenarios, where your home network can't predict what might be available, and your handset may need to permit downgrading to a technology not permitted on the home network.
The toggle in Android to disable 2G seems a start towards a user accessible setting for this, which selects what the modem is willing to join, but it's certainly far from a user friendly way to enable and disable particular technologies.
It should come as no small surprise that phones in the US markets ship with a feature that is a de-facto backdoor.
if you don't have an extra $400-900 and buy a cheaper android, you get to dial ##4636## (hn screws asterisks, look it up) then go into phone info, select each sim radio and change the drop down (and hopefully you know all the standards by all names to make the right choice. hint 5G is NR there)
I believe even 3G supports mutual authentication (at least if the SIM supports it, i.e. it’s not a very old GSM only one), but anonymized identifiers only appeared with 5G.
\*\*
You can include asterisks if you escape them, like \*: *#*#4636#*#*.
Thanks to mmWave and beam forming, 5G allows operators to practically track you down to the exact centimeter in 3D space. Furthermore, depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware.
Basically, who needs IMSI catchers when you can just see all of the information you'd get from them remotely on a computer screen on the other side of the country?
Of course this is great to protect against criminals that are looking to find your personal phone number or whatever by showing up to your doorstep, but for the vast majority of cases, IMSI catchers are defeated because they're no longer necessary.
Do you know if (at least some) basebands actually limit network-side location requests to emergency call/text situations only?
If you don't have a Faraday cage and cell site equipment, you're going to have a hard time verifying any of this. The modem is closed source, the SIM card is closed source, and various firmware blobs to make phones work are all closed source. I believe Qualcomm has debug interfaces on some chipsets, which might catch these messages, but verifying that they catch all use cases is impossible unless you have knowledge of the actual mechanism used (or usable) to activate the modem.
This is one of the reasons I'm hoping for the open source phone community to succeed. So far, the modem stack is usually proprietary (with hardware kill switches in the most paranoid phones), but it only takes a small group of Linux enthusiasts to actually catch the phone network in the act.
Of course, the trouble is that you'll need to be the target of government surveillance to be even at risk of any of this. If you're not a criminal or a human rights activist, the government is probably not pointing its secret spying equipment at you, and whatever criminal enterprise hacked its way into the carrier network won't either. If you are being tracked by either of those, I think developing open source modem firmware is probably the least of your concerns.
I honestly wouldn't be surprised if the standard was written to make this kind of surveillance possible and that any modem refusing to cooperate would be spec incompliant. You can read most of the 3GPP spec for free on sites like https://portal.3gpp.org/ but I don't have the time or interest to dig through the unreadable stream of abbreviations and industry terms to find out.
It's all rather pointless anyway when 5G and to an extent 4G can geolocate you about as well as GPS can, barring reflections and such.
And same here – I've read a few of the 3GPP specs, but they make legalese sound like plain English, and of course never tell the full story including actual manufacturer decisions.
If there's one thing we know for certain about the US and domestic spying it's that they're targeting literally everyone. They were caught copying all internet traffic going over the AT&T backbone in the early 2000s and decades later Snowden showed us they never stopped pointing their secret spying equipment at us. The best you can hope for is that if you don't become an activist or commit enough crimes they won't pay much attention to the massive and ever-growing troves of data they have on you personally.
Washington, D.C. mobile traffic is probably the most spied-on in the world. Especially now when it's run by technological cavemen and overly confident techbros. Israelis, Russians, Chinese, French and everyone.
My father being a DXer and installer of a home-built Yagi and rotator system, I discovered this fairly easily. All he told me was to just guard the privacy of these people I was snooping on, because they were supposed to be private conversations after all. I never heard anything of substance anyway. It was one of the more boring surveillance activities of my misspent youth.
This isn't true, there are major incidents related to IMSI-catchers going on globally right now. E.g. last week from Japan: https://newsonjapan.com/article/145466.php, https://commsrisk.com/amateur-detectives-find-numerous-fake-..., and mass arrests happening in Thailand related to the operation of them recently.
To see news related to them, search "Fake Base Stations" or "SMS Blaster", as this is how they're commonly referred to in the media now.
Other notable highlights from the last few years include: the news from Paris a few years ago where police detonated a car with an imsi-catcher in it because they thought it was a bomb, but actually the driver was being paid to send out sms spam via 2g downgrade attacks: https://commsrisk.com/paris-imsi-catcher-mistaken-for-bomb-w.... Also the attempt to disrupt the federal elections in the Philippines using a kind of "SMS blaster" that takes advantage of unauthenticated emergency alert messages, so a step beyond the "classic" imsi catching attack that we haven't seen used in the wild before.
mmWave is as dead as dead. The cellular Betamax. iPhone 16e (the everyman's iPhone) doesn't support it, and neither did the SE before it.
VZW will be converting those base stations into birdhouses in 5-7 years.
Examples of Android phones that often support mmWave 5G:
Samsung: Many Galaxy S and Z series models, including recent releases.
Google: Pixel phones, especially the Pro models.
OnePlus: Various 5G phones, including the 10 Pro, 10T, and Nord series.
(etc)
Apple should get their shit together.
WiMAX never really worked well at all.
Is it? I've definitely seen "5G UW" show up on my 15 Pro Max in the Bay Area. AT&T and Verizon are slowly expanding mmWave
But I don't know.
Quite the opposite. They are more popular than ever, in the form of SMS blasters.
https://commsrisk.com/first-uk-arrests-of-imsi-catching-sms-...
2018, EFF Crocodile Hunter, https://github.com/EFForg/crocodilehunter
Early mobile phone networks suffered from cloning, so work was done to improve verification of clients, but verifying the network wasn't seen as required. Telcos have been historically light on authentication and verification; so it's not surprising.
2G was actually considered a huge bump up in security because you could encrypt the contents of calls. Albeit with hilariously insecure crypto mandated by the old ITAR regime[1]. IMSI catchers weren't part of their threat model, for the same reason why people only recently have realized that metadata is relevant to security.
[0] This law is still on the books, even though analog cellular is entirely dead. It's still a pain in the ass to properly comply with this for, e.g. software-defined radio.
[1] This is the same reason why DVD CSS was so easy to crack, and why there used to be 10 different ways to strip SSL before we decided to stop serving old browsers entirely.
IMSI-catchers are not considered a security hole by the carriers or the standards bodies. SUCI/SUPI was put in at the request of phone vendors, if I remember correctly, and is still the only piece of public key cryptography in the networks. Everything else is symmetric keys.
... couldn't one build a 'modern' IMSI catcher with a CBRS LTE band 48 small cell and their own LTE infrastructure and be above-board legal anyways?
Wow, a web site generated using AI[1]. (or perhaps a human using AI)
Anecdotally, when I was attending college there was a 12 year old girl also attending and in some of my classes, particularly my freshman physics class. She was knocking the curve off with high scores on all of the exams. I got a chance to talk to her at lunch one day and it turned out she had an eidetic memory. It was amazing, she could tell you what was on any page of the text book perfectly. That allowed her to recall worked problems in the text that were identical in form to the question on the test, and she could then use the same steps to solve the test problem. But, and this was an important part, she didn't really understand physics. Whenever our conversation went into areas where she could have used physics principles to derive an understanding or at least a good guess at some of the depth of a new topic, she did not. That didn't hinder her progress through school but I had to believe that at some point it would.
After that experience I started paying more attention to people who "knew" facts, and people who "used" facts, which is to say that people who had learned something and understood it, would use that learning to extrapolate into new areas, open up places they didn't understand, and pursue new knowledge about those gaps. And there were people who would rebut arguments with "facts" but seemed not to grasp the fundamental principles at issue.
AI generated "answers" to prompts have exactly the same properties as answers from people who know facts but don't understand them.
I would guess that the article in question was generated with some prompts of the form, "Describe how an IMSI catcher works for each type of network." If you're a human and you read the answer and noticed that 5G was different you can add the click-bait headline and voila, article!
And yet for someone who understands how IMSI catchers work and understands the general compatibility environment of the cell phone networks, they would point out that most phones are designed to work "around the world" which means with all types of networks 2G/3G/LTE, and so even if the world around you is LTE/5G if you pop up a GSM cell tower signal a modern phone will see it and say hi. And then they would go on to describe that WiFi and Bluetooth device hardware (MAC) addresses are unique too, and those are also sent around if you bleat out for an open wifi network or a lonely bluetooth device. Finally it would point out that even with the 5G "SUCI", that value is unique to your phone and even if you don't give someone enough information to reverse map your phone to you, it is absolutely enough information to keep track of where this particular phone has been over time.
But all of that context is related to understanding why you would even want to capture an IMSI number and how the entire system was designed to make that easy even though now that is seen as a vulnerability.
So if you've spent some time recognizing the difference between people who are talking about something they understand and people who are talking about something they read about but don't understand, stuff written by AI just sort of pops out at you like that.
[1] All the generated images at the bottom were a dead giveaway but the structure of the article was also indicative of an LLM construction.
2) I don't think you have a good understanding of how SUCIs work if you think that it's unique to a device. The UE generates a fresh ECC ephemeral public key every time it sends its SUCI (which isn't often to begin with due to GUTIs, which are one-time use and only assigned post-ciphering). You can read more about it here: https://medium.com/@aditya.koranga/ecies-in-5g-core-supi-to-...
huslage•8h ago
lxgr•8h ago
IshKebab•8h ago
huslage•7h ago
lxgr•7h ago
The network I'm using supports 5G SA in some cells, but my phone definitely still falls back to both 4G and 5G non-SA in some areas where it's not yet available.
And even if 5G SA were available everywhere, there's the concern of roaming.
huslage•2h ago
lxgr•30m ago
gruez•8h ago
g_p•8h ago
> To help ensure compatibility of iPhone and cellular iPad devices on private 5G SA networks, infrastructure vendors must adhere to the following security and privacy requirements:
> Privacy concealment: The Subscription Concealed Identifier (SUCI) must use a non-null protection scheme. This can be achieved through either an on-SIM SUCI calculation or an ME SUCI calculation, as outlined in TCA 2.3.1 and 3.1 specifications. For detailed information, refer to the 3GPP Technical Specification 33.501.
(From https://support.apple.com/en-gb/guide/deployment/depac674731...)
This pertains to private networks rather than public operator networks, but it certainly seems to imply that use of SUCI is an expectation on 5G SA networks (private in this context).
huslage•7h ago