5G did not kill the IMSI catcher; it raised the cost and changed the method. 5G conceals the permanent subscriber identity so it is no longer broadcast in clear text, which defeats the simplest identity-harvesting attacks. It does not, however, eliminate the ability to single out and track a specific subscriber. A family of linkability attacks against 5G-AKA, the authentication protocol at the heart of 5G, lets an attacker confirm whether a known target is present in an area, even when the identity itself stays encrypted.
This article explains the three established linkability attacks on 5G-AKA, why they survive standards-compliant deployments, how they connect to fake base stations and downgrade, and what mitigations exist. For the foundations, our breakdown of AKA authentication and our explainer on SUPI and SUCI are the right starting points.
Did 5G kill the IMSI catcher?
No. 5G stopped the passive plaintext-identity catcher, but active linkability and presence-testing attacks still work. In 2G, 3G, and 4G, a rogue cell could simply ask a handset for its permanent identity (the IMSI) and receive it in clear text, as explained in our overview of what IMSI is. 5G removed that easy win by replacing the cleartext IMSI exchange with the concealed SUCI. The result is that a passive listener can no longer read identities off the air.
The catch is that tracking a subscriber does not require reading the identity. It only requires distinguishing one subscriber from another reliably. Several features of 5G-AKA leak exactly that distinguishing signal, which is why privacy researchers describe 5G as resistant to the old IMSI catcher but still vulnerable to linkability.
What SUCI actually protects, and what it does not
SUCI protects the confidentiality of the permanent identifier. The SUPI is encrypted with the home network public key using an elliptic-curve scheme, so the value on the air interface changes and cannot be read by an eavesdropper. What SUCI does not provide on its own is unlinkability across authentication attempts. If the protocol behaves differently for a target subscriber than for everyone else, an attacker can use that difference as an oracle, regardless of whether the identity is readable.
This is the gap the following attacks exploit. None of them break the encryption. They abuse the logic of the authentication exchange and its error handling.
The three linkability attacks on 5G-AKA
Academic security research, including formal analysis of 5G-AKA, has documented three distinct linkability problems. Each turns a small observable difference into a yes or no answer about whether a specific target is present.
1. Failure message linkability
The attacker first captures a legitimate authentication challenge, the pair of values RAND and AUTN, that was sent to a known target. The attacker then replays that captured challenge to devices in an area. The targeted subscriber, whose SIM holds the matching long-term key, validates the message authentication code but rejects the challenge because the sequence number is stale. It answers with a synchronisation failure. Every other subscriber fails the message authentication code check first and answers with a MAC failure. In 5G these are signalled as distinct NAS causes in the Authentication Failure message, with cause 20 for MAC failure and cause 21 for synch failure. Because the two responses differ, the attacker learns whether the target is one of the responding devices.
2. Sequence number inference
The same replay primitive leaks more than presence. The synchronisation failure response carries a concealed sequence number value that is masked with the anonymity key. By replaying a challenge repeatedly and combining successive concealed values, an attacker can infer differences in the subscriber sequence number counter over time. That counter advances with use, so it can act as a coarse activity and linkability signal for a target across separate sessions.
3. SUCI and encrypted identity replay
The SUCI is meant to be fresh, but if an attacker captures a SUCI sent by a target and replays it to the network during registration, the downstream behaviour can differ for the genuine subscriber compared with others. That difference again works as a presence oracle. The attack does not recover the identity; it confirms that the holder of a previously seen SUCI is back in range.
Why these attacks survive standards-compliant deployments
The most uncomfortable part is that an operator can follow 3GPP to the letter and remain exposed. These are design-level properties of the protocol, not configuration mistakes. The distinct failure causes exist so that a device can tell the network whether to resynchronise or to treat the challenge as invalid, which is useful operationally. The sequence number scheme is what gives AKA its replay protection. The behaviours that make the network robust are the same behaviours that leak a distinguishing signal.
There is one practical prerequisite worth being honest about. To launch a failure-message or SUCI-replay attack against a named person, the attacker needs a captured challenge or SUCI tied to that target, or at least a way to narrow the target down to a small group. That often means an earlier capture step, sometimes still using a legacy 2G, 3G, or 4G catcher during a downgrade. The attacks are therefore targeted surveillance tools rather than mass dragnets, which is consistent with how nation-state and high-end actors operate. Operators that still run weak legacy authentication practices make this prerequisite easier, a problem we examine in insecure authentication vector practices.
How linkability tracking differs from a classic IMSI catcher
It helps to be precise about what changed, because the two threats are often blurred together. The classic IMSI catcher and the 5G-AKA linkability attack differ on four points.
- What is recovered. The classic catcher recovers the permanent identity in clear text. The linkability attack recovers no identity at all. It only confirms presence of a target you can already point at.
- Scale. The classic catcher can sweep every device in range. The linkability attack is targeted, because it needs a captured challenge or SUCI bound to a specific subscriber.
- Prerequisites. The classic catcher works from a standing start. The linkability attack usually needs an earlier capture step, often via downgrade to a legacy generation.
- Defence posture. The classic catcher is defeated by identity concealment, which 5G provides. The linkability attack is only defeated by protocol changes and operational monitoring, which are still maturing.
The practical conclusion is that subscriber privacy in 5G is better than in earlier generations, but it is not absolute, and high-risk subscribers can still be tracked by a capable adversary.
The downgrade and pre-authentication connection
Linkability attacks rarely live alone. A fake base station can force a device through pre-authentication procedures, prompt it to send a SUCI, or coerce a downgrade to a legacy radio technology where the old plaintext catcher still works. The radio edge gives the attacker the position to capture the values the linkability attacks need, and the protocol logic does the rest. Strong ciphering on 5G does little if the device can be nudged onto a weaker bearer, which is why we treat downgrade as a first-class risk in our review of encryption across mobile generations and in our work on RAN security.
Mitigations: what standards and operators can do
The direct answer: the cleanest fixes are protocol changes that 3GPP has studied but not yet mandated, while operators can reduce exposure today through monitoring and legacy hardening.
At the standards level, 3GPP security group SA3 examined these issues in the technical report TR 33.846, the study on authentication enhancements in the 5G System. The candidate directions include making authentication failure responses indistinguishable so that MAC failure and synchronisation failure look the same to an observer, adding freshness or encryption to prevent SUCI and challenge replay, and strengthening the concealment of the sequence number. These remain study and enhancement items rather than a universal baseline in TS 33.501.
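To make concrete both the failure message linkability described in attack 1 and the uniform-failure direction studied in TR 33.846, here is an added Python simulation (not from the original article or from 3GPP): toy HMAC stand-ins replace the MILENAGE functions f1 and f5, and the `uniform` flag models a UE that returns one indistinguishable failure cause.

```python
import hmac, hashlib, os

# Toy stand-ins for MILENAGE f1 (MAC) and f5 (anonymity key AK).
# Constructed for illustration only; these are not the 3GPP algorithms.
def f1(k, rand, sqn, amf):
    return hmac.new(k, b"f1" + rand + sqn + amf, hashlib.sha256).digest()[:8]

def f5(k, rand):
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:6]

def build_challenge(k, sqn, rand=None):
    """Home network side: RAND and AUTN = (SQN xor AK) || AMF || MAC."""
    rand = rand or os.urandom(16)
    amf = b"\x80\x00"
    ak = f5(k, rand)
    mac = f1(k, rand, sqn, amf)
    return rand, bytes(a ^ b for a, b in zip(sqn, ak)) + amf + mac

def ue_handle(k, sqn_ue, rand, autn, uniform=False):
    """USIM side. Returns the NAS 5GMM cause the UE would signal.
    Per TS 33.501 the MAC is checked first (cause 20), then SQN freshness
    (cause 21). uniform=True models the TR 33.846 direction of one
    indistinguishable failure response."""
    conc, amf, mac = autn[:6], autn[6:8], autn[8:]
    sqn = bytes(a ^ b for a, b in zip(conc, f5(k, rand)))
    if not hmac.compare_digest(mac, f1(k, rand, sqn, amf)):
        return "FAILURE" if uniform else "MAC_FAILURE_CAUSE_20"
    if int.from_bytes(sqn, "big") <= int.from_bytes(sqn_ue, "big"):
        return "FAILURE" if uniform else "SYNCH_FAILURE_CAUSE_21"
    return "SUCCESS"

def replay_responses(k_target, k_other, uniform=False):
    """Replay a stale challenge that was issued to the target to both the
    target and a bystander; equal return values mean the replay no longer
    acts as a presence oracle."""
    sqn = (10).to_bytes(6, "big")
    rand, autn = build_challenge(k_target, sqn)   # legitimate, already consumed
    sqn_ue = sqn                                  # target's counter has reached 10
    return (ue_handle(k_target, sqn_ue, rand, autn, uniform),
            ue_handle(k_other, sqn_ue, rand, autn, uniform))
```

With the standard behaviour the two devices answer with different causes; with the uniform response they answer identically, which is exactly the property the study aims for.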
Operators do not have to wait passively. Practical steps include:
- Harden and retire legacy access. The easier you make 2G and 3G fallback, the easier you make the capture step these attacks depend on. Phasing out weak generations removes a key enabler.
- Monitor for replay and anomaly patterns. Repeated identical authentication challenges, bursts of synchronisation failures, or unusual registration patterns can indicate replay-based probing. Telecom-specific signalling monitoring is better positioned to see this than generic IT tooling.
- Manage SUCI and key configuration carefully. Ensure home network public keys are deployed and rotated correctly, and that the network does not silently accept null-scheme SUCI where a real scheme is expected.
- Test the real behaviour. A telecom-aware assessment of NAS and authentication handling reveals whether a given deployment leaks the distinguishing signals in practice.
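As an added example of the monitoring step above (not code from the article or from P1 Security), the following Python flags two replay indicators in a constructed authentication event log whose format is assumed for this example: a RAND reused across many challenges, which a genuine network never does, and a burst of synchronisation failures in one cell.

```python
from collections import Counter, defaultdict

# Constructed sample of authentication events: timestamp, cell id, RAND (hex),
# outcome. The field layout is an assumption for this example, not a vendor format.
SAMPLE_LOG = """\
1700000000 cell-12 a1b2c3d4e5f60718a1b2c3d4e5f60718 SUCCESS
1700000002 cell-12 0f0e0d0c0b0a09080706050403020100 SUCCESS
1700000050 cell-99 a1b2c3d4e5f60718a1b2c3d4e5f60718 SYNCH_FAILURE
1700000051 cell-99 a1b2c3d4e5f60718a1b2c3d4e5f60718 MAC_FAILURE
1700000051 cell-99 a1b2c3d4e5f60718a1b2c3d4e5f60718 MAC_FAILURE
1700000052 cell-99 a1b2c3d4e5f60718a1b2c3d4e5f60718 MAC_FAILURE
1700000053 cell-99 a1b2c3d4e5f60718a1b2c3d4e5f60718 SYNCH_FAILURE
1700000120 cell-12 ffeeddccbbaa99887766554433221100 SUCCESS
"""

def parse(log):
    """Turn the text log into (timestamp, cell, rand, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, cell, rand, outcome = line.split()
        events.append((int(ts), cell, rand, outcome))
    return events

def find_replay_indicators(events, min_reuse=3, window=60, min_synch=2):
    """Report (a) RAND values seen in at least min_reuse challenges, since a
    fresh RAND is drawn per genuine challenge, and (b) cells with at least
    min_synch synch failures inside `window` seconds, the burst that replaying
    a stale challenge to the targeted subscriber produces."""
    rand_count = Counter(e[2] for e in events)
    reused = {r for r, n in rand_count.items() if n >= min_reuse}
    synch_by_cell = defaultdict(list)
    for ts, cell, _rand, outcome in events:
        if outcome == "SYNCH_FAILURE":
            synch_by_cell[cell].append(ts)
    bursts = {}
    for cell, stamps in synch_by_cell.items():
        stamps.sort()
        for i, t0 in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if t - t0 <= window)
            if n >= min_synch:
                bursts[cell] = max(bursts.get(cell, 0), n)
    return {"reused_rand": reused, "synch_bursts": bursts}
```

Thresholds are deliberately low for the sample; in production they should be tuned against the baseline rate of legitimate resynchronisations.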
Key takeaways
- 5G concealment of the SUPI through SUCI defeats the passive plaintext IMSI catcher, but it does not provide unlinkability.
- Three documented attacks, failure message linkability, sequence number inference, and SUCI or challenge replay, let an attacker test whether a known target is present.
- These are protocol design properties, so a standards-compliant network can still be exposed.
- Capturing the values these attacks need often relies on fake base stations and downgrade to legacy access, which ties subscriber privacy to radio access and legacy hardening.
- 3GPP TR 33.846 studies fixes such as uniform failure responses and replay protection, while operators can act now through legacy retirement, signalling monitoring, and careful SUCI key management.
If you want to understand how these linkability and tracking risks apply to your specific 4G or 5G deployment, P1 Security runs telecom-specific assessments of authentication and signalling behaviour. Reach out at [email protected].