Could someone track my movements by listening to signaling exchanges on the radio channel? That's the question we'll answer in this video.

The IMSI is a permanent identifier, unique in the world. As we already saw, before each communication, the mobile terminal authenticates itself to the network. You may recall, ciphering is not activated during the first exchanges and, if it used the IMSI for identification systematically, it would be very simple for someone to track our movements.

The solution consists in putting in place a mechanism that limits the use of the IMSI to a strict minimum. During the first authentication, the terminal has no other choice but to use the IMSI. On the other hand, once authentication has succeeded and encryption of the radio link has been activated, the network allocates a temporary identifier which is used afterwards systematically. This temporary identifier is called TMSI or Temporary Mobile Subscriber Identity. Because the TMSI is only allocated once encryption is activated, it is impossible for an attacker to make the link between it and the subscriber’s IMSI. The TMSI will be used as identifier for all further communication, guaranteeing that an attacker will no longer be able to identify the subscriber.

The TMSI is independently allocated by the mobile terminal’s current MME: it can be changed more frequently or less frequently, depending on the operator’s policies. It can be kept as long as the UE stays in the same cell, or changed each time the UE starts a new session. It changes with each MME change.

The TMSI is a very short identifier, 4 bytes with a local significance for an MME. The same value can be used by two MMEs, for two different UEs. Therefore, a larger identification structure is needed, with global significance. This structure is called the GUTI, Globally Unique Temporary Identity. It enables the network to locate the MME that allocated the TMSI. This is the structure of the GUTI.
The GUTI contains the TMSI as well as the unique identifier of the MME which allocated the TMSI. This identifier is made up of the identity of the operator (the MCC MNC pair) and an MME code allocated by the operator. More precisely, the MMEs work as a group. We have an MME group identity, Group ID, and an MME code belonging to the group. At all times, a GUTI identifies a subscriber in a unique way to the world, while retaining the possibility of changing a subscriber’s GUTI.

Just as authors or singers, like Agatha Christie or Lady Gaga for example, use pseudonyms, the GUTI is like a pseudonym for the UE. However, unlike authors or singers who tend to keep the same pseudonym throughout their lives, here, the pseudonym is often changed.

When the terminal makes a network request, for example, when it attaches to the network, it sends the first message using the GUTI as identifier. The MME is the only one that can make the correspondence and find the subscriber’s IMSI and find the security context. That way, it can verify the integrity of the message. That serves as proof that the mobile terminal is what it claims to be and it is authenticated. The MME can activate ciphering on the radio link, configure the necessary keys on the eNodeB, and thereby protect all communication from the first transmitted message on. It’s important to note here that the HSS is not contacted during this procedure, which limits the load on this central network point significantly.

This procedure also functions if the mobile terminal moves. If the terminal is covered by a new MME, it’s the new MME that receives the authentication request. By looking at the GUTI, it can find the identity of the former MME, the one that assigned the TMSI. It can relay the message and, after its validation, recuperate the IMSI of the subscriber together with a security context. Therefore, the new MME can also activate ciphering and integrity, without going through a complete authentication cycle.
Again, this avoids contacting the HSS.

To prevent a hacker from tracking the location of a UE, a temporary identity called TMSI is allocated to the UE. The TMSI is chosen by the MME that controls the UE and is transferred only after activation of ciphering. The TMSI can be frequently renewed. The TMSI is used to build a globally unique temporary identity called GUTI. Using the GUTI is necessary to recover the IMSI of the UE in case of change of MME.
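
The GUTI structure and the old-MME lookup described in the lecture, as an added Python example that is not part of the original video. It follows the 3GPP field layout (operator MCC/MNC, 16-bit MME group ID, 8-bit MME code, 32-bit TMSI) and the 11-byte NAS identity encoding; the PLMN 001/01, the MME host names and the TMSI value are constructed, and `find_allocating_mme` and `MME_DIRECTORY` are hypothetical helpers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Guti:
    mcc: str            # operator identity, part 1 (3 digits)
    mnc: str            # operator identity, part 2 (2 or 3 digits)
    mme_group_id: int   # 16-bit MME group identity
    mme_code: int       # 8-bit MME code within the group
    m_tmsi: int         # 32-bit TMSI, significant only inside that MME

    @property
    def mme_identity(self):
        """Globally unique identity of the MME that allocated the TMSI."""
        return (self.mcc, self.mnc, self.mme_group_id, self.mme_code)

def encode_guti(g):
    """Pack a GUTI into the 11-byte identity value carried in NAS messages."""
    mnc3 = int(g.mnc[2]) if len(g.mnc) == 3 else 0xF   # 0xF pads a 2-digit MNC
    plmn = bytes([(int(g.mcc[1]) << 4) | int(g.mcc[0]),
                  (mnc3 << 4) | int(g.mcc[2]),
                  (int(g.mnc[1]) << 4) | int(g.mnc[0])])
    return (b"\xf6" + plmn + g.mme_group_id.to_bytes(2, "big")
            + bytes([g.mme_code]) + g.m_tmsi.to_bytes(4, "big"))

def decode_guti(raw):
    """Parse the 11-byte identity value; reject anything that is not a GUTI."""
    if len(raw) != 11:
        raise ValueError("a GUTI identity value is exactly 11 bytes")
    if (raw[0] & 0x07) != 0b110:
        raise ValueError("identity type is not GUTI")
    mcc = f"{raw[1] & 0xF}{raw[1] >> 4}{raw[2] & 0xF}"
    mnc = f"{raw[3] & 0xF}{raw[3] >> 4}"
    if (raw[2] >> 4) != 0xF:
        mnc += str(raw[2] >> 4)
    return Guti(mcc, mnc, int.from_bytes(raw[4:6], "big"), raw[6],
                int.from_bytes(raw[7:11], "big"))

def find_allocating_mme(raw, mme_directory):
    """What a new MME does first: map the GUTI to the MME holding the context."""
    return mme_directory.get(decode_guti(raw).mme_identity)

# Constructed sample: two MMEs of test PLMN 001/01 hand out the SAME TMSI value.
MME_DIRECTORY = {("001", "01", 0x8001, 0x01): "mme-a.example",
                 ("001", "01", 0x8001, 0x02): "mme-b.example"}
GUTI_A = Guti("001", "01", 0x8001, 0x01, 0xC0FFEE01)
GUTI_B = Guti("001", "01", 0x8001, 0x02, 0xC0FFEE01)

if __name__ == "__main__":
    for g in (GUTI_A, GUTI_B):
        wire = encode_guti(g)
        print(wire.hex(), "->", find_allocating_mme(wire, MME_DIRECTORY))
```

The two sample GUTIs differ only in the MME code byte, which is what lets a new MME route the request to the right former MME even though the 4-byte TMSI is identical.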