5G makes IMSI catching harder, but fallback is where the risk remains.
The old IMSI catcher problem was fairly simple. A device could be pulled towards a stronger rogue cell, persuaded to connect, and then pushed into revealing identity information before the session was properly protected.
In 2G, 3G and 4G environments, that created a practical route to subscriber identification, tracking and follow-on targeting.
That weakness sits in the order of events. The network can ask for the permanent identity (an Identity Request) before it has proved anything about itself, and the device answers.
5G Standalone changes that model. But that protection is not absolute in every real-world condition.
The permanent subscriber identity, the SUPI, is no longer supposed to be exposed over the air in clear text. Instead, the device sends a SUCI, the Subscription Concealed Identifier, in which the subscriber-specific part (the MSIN) is encrypted with ECIES, the Elliptic Curve Integrated Encryption Scheme, under a home network public key provisioned on the SIM. Two caveats matter in practice: the MCC/MNC and routing indicator stay readable so the serving network can route the request home, and the standard still permits a null scheme that sends the identity unprotected if an operator provisions it.
That means the fake base station may still attract the device, but it should not be able to read the permanent subscriber identity in clear text. That is a major architectural improvement.
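To make the concealment step concrete, here is an added example in Go, not code from the page or from any operator or 3GPP implementation, following the ECIES Profile A parameters in 3GPP TS 33.501 Annex C (X25519, ANSI X9.63 KDF with SHA-256, AES-128-CTR, HMAC-SHA-256 with an 8-octet tag). The home network key pair, the test IMSI 001-01-0123456789 and the routing indicator are constructed for the demonstration, and the `SUCI` struct is an assumed simplification of the real NAS encoding. It shows what a rogue base station can read (PLMN, routing indicator, scheme and key identifiers), that the home network private key is needed to recover the MSIN, and what the null scheme looks like when an operator provisions it.

```go
// Added example, not from the page: SUPI concealment into a SUCI per ECIES
// Profile A of 3GPP TS 33.501 Annex C, using only Go's standard library. The
// home-network key pair and test IMSI 001-01-0123456789 are constructed here.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Profile A: AES-128-CTR (16-octet key, 16-octet ICB), HMAC-SHA-256 with a
// 32-octet key, MAC tag truncated to 8 octets.
const encKeyLen, icbLen, macKeyLen, macLen = 16, 16, 32, 8

// SUCI mirrors what crosses the air interface (a simplification of the NAS
// encoding): PLMN, routing indicator and scheme/key identifiers are in the
// clear so the request can be routed home; only the MSIN is concealed.
type SUCI struct {
	MCC, MNC, RoutingIndicator string
	SchemeID                   byte   // 0 = null scheme (MSIN in clear), 1 = Profile A
	HNKeyID                    byte   // which home-network public key the USIM holds
	EphPub                     []byte // R: the UE's fresh 32-octet X25519 public key
	Ciphertext                 []byte // concealed MSIN (plain TBCD MSIN for scheme 0)
	MACTag                     []byte
}

// NewHomeNetworkKey: the public half is provisioned on the USIM, the private
// half never leaves the home network.
func NewHomeNetworkKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKeys runs ANSI X9.63 KDF, SHA-256(Z || counter || R) with a 4-octet
// big-endian counter from 1, and splits the output into enc key, ICB, MAC key.
func deriveKeys(z, r []byte) (encKey, icb, macKey []byte) {
	var k []byte
	for c := uint32(1); len(k) < encKeyLen+icbLen+macKeyLen; c++ {
		h := sha256.New()
		h.Write(z)
		binary.Write(h, binary.BigEndian, c)
		h.Write(r)
		k = h.Sum(k)
	}
	return k[:encKeyLen], k[encKeyLen : encKeyLen+icbLen], k[encKeyLen+icbLen : encKeyLen+icbLen+macKeyLen]
}

// ctr applies AES-128-CTR; the key is always 16 octets here, so NewCipher cannot fail.
func ctr(key, icb, in []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(in))
	cipher.NewCTR(block, icb).XORKeyStream(out, in)
	return out
}

func mac(key, ct []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(ct)
	return m.Sum(nil)[:macLen]
}

// tbcd/untbcd: two digits per octet, first digit in the low nibble, 0xF pad.
func tbcd(d string) []byte {
	out := make([]byte, (len(d)+1)/2)
	for i := range out {
		out[i] = d[2*i] - '0' | 0xF0
		if 2*i+1 < len(d) {
			out[i] = d[2*i] - '0' | (d[2*i+1]-'0')<<4
		}
	}
	return out
}

func untbcd(b []byte) string {
	var s []byte
	for _, o := range b {
		s = append(s, '0'+o&0x0F)
		if o>>4 != 0xF {
			s = append(s, '0'+o>>4)
		}
	}
	return string(s)
}

// Conceal is the UE side at registration: fresh ephemeral X25519 key, ECDH with
// the home-network public key, then encrypt and MAC the MSIN.
func Conceal(mcc, mnc, ri, msin string, hnPub *ecdh.PublicKey, keyID byte) (SUCI, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return SUCI{}, err
	}
	z, err := eph.ECDH(hnPub)
	if err != nil {
		return SUCI{}, err
	}
	r := eph.PublicKey().Bytes()
	encKey, icb, macKey := deriveKeys(z, r)
	ct := ctr(encKey, icb, tbcd(msin))
	return SUCI{MCC: mcc, MNC: mnc, RoutingIndicator: ri, SchemeID: 1, HNKeyID: keyID,
		EphPub: r, Ciphertext: ct, MACTag: mac(macKey, ct)}, nil
}

// NullScheme is what a USIM provisioned with scheme 0 sends: the MSIN in clear.
func NullScheme(mcc, mnc, ri, msin string) SUCI {
	return SUCI{MCC: mcc, MNC: mnc, RoutingIndicator: ri, Ciphertext: tbcd(msin)}
}

// Visible is the rogue base station's view: everything except the MSIN, unless
// the null scheme is in use.
func Visible(s SUCI) string {
	if s.SchemeID == 0 {
		return fmt.Sprintf("PLMN %s-%s RI %s scheme 0 MSIN %s", s.MCC, s.MNC, s.RoutingIndicator, untbcd(s.Ciphertext))
	}
	return fmt.Sprintf("PLMN %s-%s RI %s scheme %d keyID %d ciphertext %x",
		s.MCC, s.MNC, s.RoutingIndicator, s.SchemeID, s.HNKeyID, s.Ciphertext)
}

// Deconceal is the home network (SIDF) side; without hnPriv the MAC check fails.
func Deconceal(s SUCI, hnPriv *ecdh.PrivateKey) (string, error) {
	if s.SchemeID == 0 {
		return untbcd(s.Ciphertext), nil
	}
	r, err := ecdh.X25519().NewPublicKey(s.EphPub)
	if err != nil {
		return "", err
	}
	z, err := hnPriv.ECDH(r)
	if err != nil {
		return "", err
	}
	encKey, icb, macKey := deriveKeys(z, s.EphPub)
	if !hmac.Equal(mac(macKey, s.Ciphertext), s.MACTag) {
		return "", errors.New("SUCI MAC check failed: not the home-network key")
	}
	return untbcd(ctr(encKey, icb, s.Ciphertext)), nil
}
```

Calling `Conceal("001", "01", "0000", "0123456789", hn.PublicKey(), 1)` and printing `Visible` gives the attacker's view: a PLMN, a routing indicator and a short ciphertext that changes on every registration because the ephemeral key is fresh. `Deconceal` with any key other than the home network's fails on the MAC check, while `Visible(NullScheme(...))` prints the MSIN outright, which is the operator-configuration case the text warns about. Note that even with Profile A the PLMN and routing indicator are still observable, so a rogue cell learns the subscriber's operator and, where routing indicators are narrowly assigned, a coarse grouping; it just does not learn who.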
But from an offensive security perspective, the important question is not simply:
Can 5G protect the identity?
The better question is:
Can the device be forced into a condition where that protection no longer applies?
This is where the operational risk remains. If the device, SIM, operator configuration or coverage environment allows fallback to 4G, the older identity exposure path becomes relevant again. The same applies to 5G Non-Standalone deployments, which anchor on LTE and the 4G core: a "5G" indicator on the handset does not by itself mean SUCI is in use.
The attacker may not need to “break 5G” at all. They may only need to shape the radio environment, degrade service, manipulate selection behaviour, or force the user equipment into a weaker mode.
That is the part often missed in simplified security discussions.
Cryptography can be strong. The standard can be improved. The architecture can be better.
But the real world still depends on configuration, coverage, fallback behaviour, handset capability, operator maturity and the radio environment around the target.
For high-risk individuals, executives, journalists, legal teams, investigators and sensitive organisations, mobile surveillance risk should not be dismissed just because “5G is secure”.
The more realistic position is this:
5G Standalone makes traditional IMSI capture significantly harder, but mixed 4G/5G environments still create downgrade and exposure opportunities.
Consider:
What can be seen?
What can be forced?
What can be downgraded?
What can be tracked?
What happens when the device leaves the ideal security model and enters the real environment?
Security is not only about what the protocol promises. It is about what an attacker can make the target system do.
