
Is 5G IMSI protection (SUCI) effectively nonexistent in practice right now?

gotZ9 · 100 days ago · 1487 views

The result of today's test (Sichuan Telecom): although the identity type presented at attach is SUCI, the protection scheme is null, so the IMSI is simply transmitted as the "encrypted" identity.
Append 1 · 99 days ago

Appending the test conditions:

1. New Sichuan Telecom SIM card, swapped at the end of April
2. Sony phone, mainland China model
3. The attach target is my own test gNB
4. The check was done by capturing the plaintext part of the NAS message in MSG5

The system-information field SIB1::cellSelectionInfo::q-QualMinOffset is "Cond standalone", but the test gNB does not populate it; I don't know whether that has any effect.

Attached is the Wireshark decode (some parts removed because of the append length limit):

    5GS mobile identity
        Length: 11
        1... .... = Spare: 1
        .1.. .... = Spare: 1
        ..1. .... = Spare: 1
        ...1 .... = Spare: 1
        .... 0... = Spare: 0
        .... .010 = Type of identity: 5G-GUTI (2)
        Mobile Country Code (MCC): China (460)
        Mobile Network Code (MNC): Unknown (11)
        AMF Region ID: 81
        0001 0000 11.. .... = AMF Set ID: 67
        ..00 0011 = AMF Pointer: 3
        5G-TMSI: ***** (matches the IMSI queried from the phone)
    UE security capability
        Element ID: 0x2e
        Length: 4
        1... .... = 5G-EA0: Supported
        .1.. .... = 128-5G-EA1: Supported
        ..1. .... = 128-5G-EA2: Supported
        ...1 .... = 128-5G-EA3: Supported
        .... 0... = 5G-EA4: Not supported
        .... .0.. = 5G-EA5: Not supported
        .... ..0. = 5G-EA6: Not supported
        .... ...0 = 5G-EA7: Not supported
        0... .... = 5G-IA0: Not supported
        .1.. .... = 128-5G-IA1: Supported
        ..1. .... = 128-5G-IA2: Supported
        ...1 .... = 128-5G-IA3: Supported
        .... 0... = 5G-IA4: Not supported
        .... .0.. = 5G-IA5: Not supported
        .... ..0. = 5G-IA6: Not supported
        .... ...0 = 5G-IA7: Not supported
        1... .... = EEA0: Supported
        .1.. .... = 128-EEA1: Supported
        ..1. .... = 128-EEA2: Supported
        ...1 .... = 128-EEA3: Supported
        .... 0... = EEA4: Not supported
        .... .0.. = EEA5: Not supported
        .... ..0. = EEA6: Not supported
        .... ...0 = EEA7: Not supported
        0... .... = EIA0: Not supported
        .1.. .... = 128-EIA1: Supported
        ..1. .... = 128-EIA2: Supported
        ...1 .... = 128-EIA3: Supported
        .... 0... = EIA4: Not supported
        .... .0.. = EIA5: Not supported
        .... ..0. = EIA6: Not supported
        .... ...0 = EIA7: Not supported
    
    
Append 2 · 99 days ago

Sorry, the capture excerpt above was wrong; it may have been overwritten by a file with the same name, but I kept a screenshot:

    https://imgur.com/a/Auutn2D

Append 3 · 99 days ago

Retested and captured the Identity Response; posting it as text for easier reading:

    Non-Access-Stratum 5GS (NAS)PDU
        Security protected NAS 5GS message
            Extended protocol discriminator: 5G mobility management messages (126)
            0000 .... = Spare Half Octet: 0
            .... 0001 = Security header type: Integrity protected (1)
            Message authentication code: 0x031e4c05
            Sequence number: 21
        Plain NAS 5GS Message
            Extended protocol discriminator: 5G mobility management messages (126)
            0000 .... = Spare Half Octet: 0
            .... 0000 = Security header type: Plain NAS message, not security protected (0)
            Message type: Identity response (0x5c)
            5GS mobile identity
                Length: 13
                0... .... = Spare: 0
                .000 .... = SUPI format: IMSI (0)
                .... 0... = Spare: 0
                .... .001 = Type of identity: SUCI (1)
                Mobile Country Code (MCC): China (460)
                Mobile Network Code (MNC): Unknown (11)
                Routing indicator: 0
                .... 0000 = Protection scheme Id: NULL scheme (0)
                Home network public key identifier: 0
                MSIN: ****** (matches the IMSI read from the phone)
    
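The two 5GS mobile identity IEs in the captures above (a 5G-GUTI with length 11, and a SUCI with length 13 whose protection scheme is NULL) can be checked programmatically rather than by eye. The decoder below is an added example and is not code from the original post; it follows the octet layout of the 5GS mobile identity IE in 3GPP TS 24.501 §9.11.3.4 and the protection-scheme identifiers of TS 33.501 Annex C. Every sample byte string is constructed for illustration: the MSIN digits are made up (not the poster's), and the Profile A "scheme output" is zero-filled padding of the right length (32-byte ephemeral public key, 5-byte ciphertext, 8-byte MAC tag), not real ECIES output.

```python
"""Decoder for the value part of the 5GS mobile identity IE (TS 24.501 §9.11.3.4).

Added example, not part of the original post. Handles the two identity types
seen in the captures: SUCI (type 1) and 5G-GUTI (type 2). Sample inputs are
constructed, not taken from the poster's trace.
"""

TYPE_SUCI = 1   # low 3 bits of octet 1
TYPE_GUTI = 2

# Protection scheme identifiers (TS 33.501 Annex C)
SCHEMES = {0: "NULL scheme", 1: "ECIES Profile A", 2: "ECIES Profile B"}


def _bcd_digits(data: bytes) -> str:
    """Decode TBCD digits: low nibble first; 0xF is a filler and ends the string."""
    out = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0xF:
                return "".join(out)
            out.append(str(nib))
    return "".join(out)


def _plmn(octets: bytes):
    """Decode the 3-octet MCC/MNC field (same layout as TS 24.008 §10.5.1.3)."""
    mcc = f"{octets[0] & 0xF}{octets[0] >> 4}{octets[1] & 0xF}"
    mnc = f"{octets[2] & 0xF}{octets[2] >> 4}"
    if (octets[1] >> 4) != 0xF:          # high nibble 0xF means a 2-digit MNC
        mnc += str(octets[1] >> 4)
    return mcc, mnc


def decode_mobile_identity(value: bytes) -> dict:
    """Decode an IE value (IEI and length octets already stripped)."""
    ident_type = value[0] & 0x07
    if ident_type == TYPE_SUCI:
        supi_format = (value[0] >> 4) & 0x07          # bits 7..5 of octet 1
        if supi_format != 0:
            return {"type": "SUCI", "supi_format": supi_format, "note": "NAI format not decoded"}
        mcc, mnc = _plmn(value[1:4])
        scheme = value[6] & 0x0F                      # low nibble = protection scheme id
        result = {
            "type": "SUCI",
            "mcc": mcc,
            "mnc": mnc,
            "routing_indicator": _bcd_digits(value[4:6]),
            "protection_scheme": scheme,
            "scheme_name": SCHEMES.get(scheme, "reserved/unknown"),
            "hn_public_key_id": value[7],
            "concealed": scheme != 0,
        }
        if scheme == 0:
            # Null scheme: the "scheme output" is just the MSIN in TBCD, so the full
            # IMSI is readable by anyone who sees the unprotected NAS message.
            result["msin"] = _bcd_digits(value[8:])
            result["imsi"] = mcc + mnc + result["msin"]
        else:
            result["scheme_output_len"] = len(value) - 8
        return result
    if ident_type == TYPE_GUTI:
        mcc, mnc = _plmn(value[1:4])
        set_and_ptr = (value[5] << 8) | value[6]      # 10-bit AMF Set ID, 6-bit AMF Pointer
        return {
            "type": "5G-GUTI",
            "mcc": mcc,
            "mnc": mnc,
            "amf_region_id": value[4],
            "amf_set_id": set_and_ptr >> 6,
            "amf_pointer": set_and_ptr & 0x3F,
            "tmsi": value[7:11].hex(),
        }
    return {"type": f"unhandled identity type {ident_type}"}


def is_imsi_exposed(value: bytes) -> bool:
    """True when the IE is a SUCI that carries the MSIN in clear (null scheme)."""
    d = decode_mobile_identity(value)
    return d.get("type") == "SUCI" and d.get("protection_scheme") == 0


# Constructed samples (MSIN 0123456789 is made up; PLMN 460-11 as in the capture).
# Null-scheme SUCI: octet1, MCC/MNC, routing indicator "0", scheme 0, key id 0, MSIN.
SUCI_NULL = bytes.fromhex("01 64f011 f0ff 00 00 1032547698")          # 13 octets
# Profile A SUCI: scheme 1, key id 1, then 32 + 5 + 8 octets of dummy scheme output.
SUCI_PROFILE_A = bytes.fromhex("01 64f011 f0ff 01 01") + bytes(45)
# 5G-GUTI: region 81, set id 67, pointer 3 (0x10c3), dummy TMSI.
GUTI_SAMPLE = bytes.fromhex("f2 64f011 51 10c3 01234567")              # 11 octets

if __name__ == "__main__":
    for name, ie in (("null-scheme SUCI", SUCI_NULL),
                     ("Profile A SUCI", SUCI_PROFILE_A),
                     ("5G-GUTI", GUTI_SAMPLE)):
        print(name, decode_mobile_identity(ie), "IMSI exposed:", is_imsi_exposed(ie))
```

The check the poster did by reading the Wireshark tree (the low nibble of the protection-scheme octet being 0) is what `is_imsi_exposed` tests. With Profile A or B the scheme output holds only an ephemeral public key, ciphertext and MAC tag, so the MSIN cannot be recovered without the home network's private key; with the null scheme the decoder reassembles the full 15-digit IMSI from the same bytes.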
5 replies · 2025-07-19 18:12:29 +08:00
#1 · Licsber · 100 days ago
Marking this for now; I'll verify once I'm back from my trip next week. As I recall there is a temporary SUCI.
#2 · charryshiv · 100 days ago
As I recall this needs support from the SIM card; does your card support it? The reason domestic 5G SA works without changing the card is presumably that Apple disabled this verification requirement at the request of the mainland carriers; with other carriers, if you haven't changed SIM on an iPhone you can't enable SA at all, it tells you the current SIM card is not supported.
#3 · dsx826 · 100 days ago via Android
None of the three carriers actually uses it.
#4 · gotZ9 (OP) · 99 days ago
@charryshiv I appended some test details: the SIM is a new card swapped at the carrier shop at the end of April, and the phone is Android. The gNB's SIB1 has a slight issue; I don't know whether it has any effect.
#5 · charryshiv · 98 days ago
@gotZ9 I haven't followed the domestic situation on this; it wouldn't surprise me if it isn't deployed, since the probes deployed by certain departments will still want the IMSI in future.