New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols


New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols

Ravishankar Borgaonkar and Lucca Hirschi and Shinjo Park and Altaf Shaik

Abstract: Mobile communications are used by more than two thirds of the world population who expect security and privacy guarantees. The 3rd Generation Partnership Project (3GPP) responsible for the worldwide standardization of mobile communication has designed and mandated the use of the AKA protocol to protect the subscribers’ mobile services. Even though privacy was a requirement, numerous subscriber location attacks have been demonstrated against AKA, some of which have been fixed or mitigated in the enhanced AKA protocol designed for 5G.

In this paper, we reveal a new privacy attack against all variants of the AKA protocol, including 5G AKA, that breaches subscriber privacy more severely than known location privacy attacks do. Our attack exploits a new logical vulnerability we uncovered that would require dedicated fixes. We demonstrate the practical feasibility of our attack using low cost and widely available setups. Finally we conduct a security analysis of the vulnerability and discuss countermeasures to remedy our attack.

Category / Keywords: cryptographic protocols / Key Agreement, Mobile Communication, Privacy, Attack, AKA protocol

Date: received 1 Dec 2018, last revised 3 Dec 2018

Contact author: lucca hirschi at inf ethz ch

Available format(s): PDF | BibTeX Citation

Version: 2018-12-03:095353 (All versions of this report)

Short URL:


I have a few thoughts about this research.

I don’t think the core issue isn’t that the SQN (sequence number) isn’t protected well enough; it’s that it is overloaded. It is being used both as a session tracker and as a mechanism to implement perfect forward secrecy. I’m surprised the authors’ proposed fixes discussed encrypting SQN and formal verification, and not breaking up the functions into separate fields.

If you were to pursue protecting SQN, a computationally cheaper solution would seem to be randomizing it (instead of symmetrically encrypting it). This is what was done with TCP sequence numbers in the 90’s to protect from similar shenanigans (albeit future prediction instead of inferring identification for tracking).

Additionally, I can’t help but be cynical and paranoid when reading this part:

UE sends its permanent identity protected by a randomized, asymmetric encryption using the HN’s public key

Law enforcement in your respective country (most likely UK and USA) may force HNs (Home Networks, e.g. your carrier) to disclose its private key, defeating this for their latest StingRay IMSI-catcher tech, plus any criminals that crack the tools (or steal the key).

Thanks for the share!