Research / 5G Privacy·Field Report

SUCI probing in the wild: cracking 5G's privacy promise across commercial European networks

5G's Subscription Concealed Identifier was supposed to retire the IMSI Catcher. We bought SIM cards over the counter in Madrid, Berlin and London, set up a portable fake 5G network in a Faraday cage, and proved the promise does not hold. Four operators tested, four found vulnerable. Here is exactly how — and what would actually fix it.

AuthorsPedro Cabrera · Miguel Gallego Based on5G SUCI Probing in the Wild · 2024 Reading time~10 min
0
European
operators tested
0
Countries
covered
%
Vulnerable to
SUCI-Cracker
min
Fastest attack
completion
01 — The problem

The identifier that wasn't supposed to leak

For three mobile generations, the IMSI travelled in the clear at every initial registration. Anyone with a software-defined radio and a hundred euros of hardware could stand on a street corner and harvest the unique fingerprint of every phone within range. The IMSI Catcher became one of the best-documented surveillance tools of the past decade, used by states, criminals, and an awkward middle ground of private actors.

5G's answer was the SUCI — the Subscription Concealed Identifier. An encrypted version of the IMSI, derived using elliptic-curve cryptography with the operator's public key and a per-registration ephemeral key. Two layers of defence: the IMSI never travels unencrypted, and each SUCI is unique even for the same subscriber, so you cannot track a device just by watching its identifier change.

On paper, this closes the IMSI Catcher era. In the specification, the cryptography is sound. The encryption scheme (ECIES) is reviewed, well understood, and not what we are about to attack. The vulnerability is somewhere else entirely — in how the SUCI is used by the 5G Authentication and Key Agreement procedure, and in a design choice the specification made for backward compatibility that nobody quite remembered to revisit.

The headline

The SUCI-Cracker is an active probing attack. If you know the IMSI of a target (and you can get it from a 2G/3G/4G IMSI Catcher, which still works fine), you can confirm whether any captured SUCI belongs to that target. The encryption is fine. The protocol leaks the answer through an error message.

02 — The mechanism

An authentication procedure with three exits

To understand why this works, you need to look at exactly how a USIM card verifies an authentication challenge. When a 5G network wants to authenticate a subscriber, it sends an Authentication Request containing two values: a random number (RAND) and an authentication token (AUTN). The USIM does three checks, in this order, and the order matters more than anything else in this story.

USIM authentication verification tap each step
The order of failure causes is the vulnerability
3GPP TS 24.501 §5.4.1.3.6 — auth failure causes
1. AMF separation bit cause #26 if fails 2. MAC verification cause #20 if fails 3. SQN range cause #21 if fails Auth Response RES = f2K(RAND)
Tap a step above. Each verification has its own failure code. Because the codes are returned unencrypted, an attacker can tell which check failed — and therefore which check succeeded.

Notice what this gives the attacker. If they replay an old RAND/AUTN pair captured from a known target, the MAC verification will succeed only when the challenge was originally derived for that subscriber's secret key. If it succeeds, the SQN check comes next — and the captured SQN is by now out of range, so the USIM returns Synch_Failure. If the MAC verification fails, the USIM returns MAC_Failure first and never gets to the SQN check at all.

Two different error codes, leaking exactly the information an attacker needs to know.

The elegance of the attack is that nothing cryptographic breaks. The USIM is doing exactly what 3GPP TS 33.102 told it to do. The leak is in the error message.
03 — The attack

SUCI-Cracker, in two phases

The attack has a prerequisite worth stating plainly: you need to know the target's IMSI beforehand. Practically, this means catching it with a classic 2G/3G/4G IMSI Catcher — still trivial, still legal-grey, still operational in 2025. The SUCI-Cracker is not the complete surveillance pipeline, it is the missing link that breaks 5G's claim to be a clean break from the past.

Once you have the target IMSI, the attack runs in two phases. Phase 1 happens on a legitimate 4G network — quietly, just observing one authentication. Phase 2 happens later, anywhere, against any SUCI the attacker wants to test.

suci-cracker · attack walkthrough
Phase 1 — Get a legitimate AKA challenge for the target IMSI
passive: one attach request on the operator's 4G network
ATTACKER (srsUE) LEGIT 4G NETWORK Attach Request (target IMSI) Authentication Request (RAND, AUTN) STORE FOR LATER RAND   ·   AUTN   ·   tied to target's secret key attacker never completes the auth — drops connection after capture tool: modified srsUE · cost: ~€200 of SDR hardware
What happens: the attacker uses a modified srsRAN user-equipment simulator to attach to the operator's real 4G network using the known target IMSI. The network responds with a normal authentication challenge. The attacker drops the connection without completing authentication, but keeps the RAND and AUTN values. These two values are cryptographically tied to the target subscriber's secret key — they are now bait.
Phase 2 — Replay the bait against any SUCI
active: stand up a fake 5G-SA cell, replay the captured values
VICTIM UE FAKE 5G-SA (OAI) Registration Request (SUCI) Auth Request (REPLAYED RAND, AUTN) → response reveals the answer ORACLE: 3 POSSIBLE ANSWERS Auth Response or Synch_Failure → SUCI ≡ target IMSI MAC_Failure → not the target. SUCI belongs to someone else.
What happens: the attacker runs a fake 5G-SA network using Open Air Interface, with the AMF modified to reuse the stored RAND/AUTN instead of generating fresh values. When any UE registers with a SUCI, the fake network replies with the bait. The victim's USIM runs its three verifications — and gives back one of three answers. Two of them mean yes, this SUCI was derived from the target IMSI.
The oracle
Three responses, two of them deanonymise the target
Authentication Response
MATCH ✓
USIM accepted the replayed challenge. The bait worked, the SQN happened to still be in range. SUCI ≡ target IMSI.
Auth Failure · Synch_Failure
MATCH ✓
USIM accepted the MAC (so it was a valid challenge for this subscriber) but rejected the SQN as stale. The SQN check runs after the MAC check — confirmation is leaked.
Auth Failure · MAC_Failure
NO MATCH
USIM rejected the MAC because the challenge was derived for a different subscriber's key. Move on to the next SUCI.
04 — In the wild

Three countries, four operators, one Faraday cage

Lab demonstrations are not field results. We chose three European countries with mature commercial 5G Standalone deployments — Spain, Germany, and the United Kingdom — and bought regular consumer SIM cards over the counter in the operators' own stores. No insider access, no privileged credentials, no test SIMs. Just whatever a normal customer would walk out with.

For each SIM, the first step was checking whether the operator had actually activated the SUCI protection. This is done by reading the SIM's elementary files (EF.SUCI_Calc_Info, EF.Routing_Indicator) using the open-source pySim-shell tool. Of the four operators tested, all four had SUCI capability turned on — so all four became valid targets.

phase 1 — capture
srsRAN + modified srsUE
Open-source 4G UE simulator, patched to record RAND/AUTN from the operator's network and drop the connection cleanly.
phase 2 — fake gNB
Open Air Interface (OAI)
Open-source 5G core and gNB, with the AMF function patched to reuse captured values instead of generating fresh ones.
victim modem
Quectel RM500Q
Commercial 5G modem with the SIM under test, registering to the fake network like any normal user device.
observability
Sysmocom SIMTrace-2 + Faraday cage
ISO 7816 interceptor to see SIM-modem traffic. Faraday cage to keep the fake cell from leaking outside the lab.

Results — Authentication Response scenario

This is the fastest variant: capture, immediate replay, hope the SQN is still fresh. The exact same SIM is used in both phases, with no activity between them. Time is measured from the start of Phase 1 to confirmed correlation.

OperatorTime barDurationAuths
Operator ASpain17:245
Operator BSpain10:211
Operator CGermany26:111
Operator DUK05:331

Results — Synch_Failure scenario

The harder variant: between Phase 1 and Phase 2, the SIM is used normally on the network, advancing the SQN counter until the captured value is stale. Phase 2 still works — the MAC verification succeeds (so the attacker still gets confirmation) but now the USIM returns Synch_Failure instead of Auth Response. Both leak the answer.

OperatorTime barDurationAuths
Operator ASpain00:44h41
Operator BSpain00:27h22
Operator CGermany06:50h72
Operator DUK03:42h43

The variation matters. Operator D in the UK was the fastest in both scenarios — a window of five and a half minutes is operationally trivial for a determined attacker. Operator C in Germany took nearly seven hours in the harder scenario because of a stricter authentication policy. None of these times are limits in any meaningful sense; they reflect how often the network forces re-authentication, which is a configuration choice, not a defence.

The uncomfortable finding

Every SIM with SUCI activated was vulnerable. The attack depends on a specification design, not on operator misconfiguration. An operator following 3GPP to the letter is still exposed. There is no flag to turn this off.

05 — Mitigation

Why this needs a specification change, not a patch

The honest version of the mitigation story: this is a specification-level fix. The 3GPP Authentication Failure message exposes the cause as a plain integer — #20 for MAC failure, #21 for Synch failure, #26 for non-5G authentication. Those integers are the leak. As long as an attacker can tell which check failed, the linkability attack works.

What would actually fix it:

  • Encrypt the failure cause inside the Authentication Failure message. The USIM and the network already share keys that could derive a one-shot key for this purpose.
  • Verify MAC and SQN before responding at all. Currently the USIM responds quickly with whatever cause it hit first. A constant-time, single-response model would close the side channel.
  • Re-evaluate AKA's backward compatibility. The linkability flaw was identified in 3G and 4G research papers more than a decade ago. 5G inherited it for backward compatibility with USIMs. The cost of that compatibility is what this paper documents.

What an individual operator can do today is more limited: monitor for unusual patterns of authentication failures, especially repeated MAC_Failure spikes from a single SUCI range. It is not a fix, it is a detection layer. The fix has to go through 3GPP.

06 — Frequently asked

What people ask us about this research

Does this break 5G encryption?
No. The ECIES encryption protecting the SUCI is sound and is not what the attack targets. What is broken is the linkability of the 5G AKA procedure: an attacker can correlate a captured SUCI back to a known IMSI without recovering any cryptographic key, by reading unencrypted error codes in the Authentication Failure message.
Does the attacker need to know the IMSI in advance?
Yes. The SUCI-Cracker is a correlation attack, not an identification-from-scratch attack. The attacker must obtain the target IMSI beforehand — typically using a 2G/3G/4G IMSI Catcher, which remains operational in commercial networks today. The SUCI-Cracker bridges the gap between legacy IMSI capture and 5G SA deployments.
Is every 5G network vulnerable?
Every commercial 5G Standalone deployment we have tested with SUCI activated has been vulnerable. The attack relies on 3GPP-mandated behaviour in the AKA procedure, so the surface is universal across compliant deployments. 5G Non-Standalone networks inherit 4G's plaintext IMSI exposure and are vulnerable to classic IMSI Catchers — there is no safe configuration without a specification change.
How fast is the attack in practice?
In the Auth Response scenario, between 5 and 26 minutes depending on the operator. In the Synch_Failure scenario (where the SQN has advanced between phases), between 27 minutes and nearly 7 hours, again depending on how aggressively the operator forces re-authentication. Both timing variants succeed against every operator tested.
What hardware does the attack require?
Commodity software-defined radio (Ettus USRP-class hardware), a commercial 5G modem (Quectel RM500Q), a SIM card reader, and open-source software stacks (srsRAN, Open Air Interface, pySim-shell). Total cost is in the low thousands of euros. No specialised access, no zero-day exploits, no nation-state resources.
Were operators notified before publication?
Yes. The research follows coordinated disclosure: operators were notified before publication, and findings were shared with GSMA and 3GPP through their formal vulnerability channels. Because the root cause is a specification design, public release was timed to push for standards-level remediation.
What can a 5G operator do right now?
Short of a 3GPP specification change, operators can: monitor for clusters of Authentication Failure messages from neighbouring SUCI ranges (a possible attack signature), apply stricter authentication policies that limit how often a SUCI can fail without escalation, and engage with 3GPP working groups to support the specification change. None of these is a fix — they are detection and pressure measures.
Independent 5G security audit for tier-1 operators
vendor-neutral · field-tested · GSMA & 3GPP disclosure track record
Talk to a specialist →

Related research

  • Borgaonkar et al. — New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols (2019)
  • Chlosta et al. — 5G SUCI-Catchers: Still catching them all? (2021)
  • Arapinis et al. — New Privacy Issues in Mobile Telephony (2012)