Hubbry Logo
International mobile subscriber identityInternational mobile subscriber identityMain
Open search
International mobile subscriber identity
Community hub
International mobile subscriber identity
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
International mobile subscriber identity
International mobile subscriber identity
International mobile subscriber identity
View on Wikipedia
from Wikipedia
International Mobile Subscriber Identity
AbbreviationIMSI
Statusin force
Year startedNovember 25, 1988; 36 years ago (1988-11-25)
Latest version(06/24)
June 28, 2024
OrganizationITU-T
Websiteitu.int/rec/T-REC-E.212

The international mobile subscriber identity (IMSI; /ˈɪmz/) is a number that uniquely identifies every user of a cellular network.[1] It is stored as a 64-bit field and is sent by the mobile device to the network. It is also used for acquiring other details of the mobile device in the home location register (HLR) or as locally copied in the visitor location register. To prevent eavesdroppers from identifying and tracking the subscriber on the radio interface, the IMSI is sent as rarely as possible and a randomly-generated TMSI is sent instead.[citation needed] Mobile phone identities and data are sometimes scooped up by equipment called an IMSI-catcher or Stingray phone tracker that mimics cellular networks, creating serious privacy and other human rights concerns.[2]

The IMSI is used in any mobile network that interconnects with other networks. For GSM, UMTS and LTE networks, this number was provisioned in the SIM card and for cdmaOne and CDMA2000 networks, in the phone directly or in the R-UIM card (the CDMA equivalent of the SIM card). Both cards have been superseded by the UICC.

An IMSI is usually presented as a 15-digit number but can be shorter. For example, MTN South Africa's old IMSIs that are still in use in the market are 14 digits long. The first 3 digits represent the mobile country code (MCC), which is followed by the mobile network code (MNC), either 2-digit (European standard) or 3-digit (North American standard). The length of the MNC depends on the value of the MCC, and it is recommended that the length is uniform within a MCC area.[3] The remaining digits are the mobile subscription identification number (MSIN) within the network's customer base, usually 9 to 10 digits long, depending on the length of the MNC.

The IMSI conforms to the ITU E.212 numbering standard.

IMSIs can sometimes be mistaken for the ICCID (E.118), which is the identifier for the physical SIM card itself (or now the virtual SIM card if it is an eSIM). The IMSI lives as part of the profile (or one of several profiles if the SIM and operator support multi-IMSI SIMs) on the SIM/ICCID.

Examples of IMSI numeric presentational

[edit]
IMSI:310170845466094
MCC 310 United States
MNC 170 Sprint
MSIN 845466094
IMSI:470040123456789
MCC 470 Bangladesh
MNC 04 TeleTalk
MSIN 0123456789
IMSI:502130123456789
MCC 502 Malaysia
MNC 13 Celcom
MSIN 0123456789
IMSI:460001357924680
MCC 460 China
MNC 00 CMCC
MSIN 1357924680
IMSI:520031234567890
MCC 520 Thailand
MNC 03 AIS
MSIN 1234567890
IMSI:313460000000001
IMSI 313 460 000 000 001
MCC 313 United States
MNC 460 Mobi[4]
MSIN 000000001
ICCID 891460 0000 0000 0012
(89 is the industry identifier for telecom and +1 is calling code)

IMSI analysis

[edit]

IMSI analysis is the process of examining a subscriber's IMSI to identify the network the IMSI belongs to, and whether subscribers from that network may use a given network (if they are not local subscribers, this requires a roaming agreement).

If the subscriber is not from the provider's network, the IMSI must be converted to a Global Title, which can then be used for accessing the subscriber's data in the remote HLR. This is mainly important for international mobile roaming. Outside North America, the IMSI is converted to the Mobile Global Title (MGT) format, standard E.214, which is similar to an E.164 number. E.214 provides a method to convert the IMSI into a number that can be used for routing to international SS7 switches. E.214 can be interpreted as implying that there are two separate stages of conversion; first determine the MCC and convert to E.164 country calling code then determine MNC and convert to national network code for the carrier's network. But this process is not used in practice and the GSM numbering authority has clearly stated that a one-stage process is used [1].

In North America, the IMSI is directly converted to an E.212 number with no modification of its value. This can be routed directly on American SS7 networks.

After this conversion, SCCP is used to send the message to its final destination. For details, see Global Title Translation.

Example of outside World Area 1

[edit]

This example shows the actual practice which is not clearly described in the standards.

Translation rule:

  • match numbers starting 28401 (Bulgaria mobile country code + MobilTel MNC)
  • identify this as belonging to MobilTel-Bulgaria network
  • remove first five digits (length of MCC+MNC)
  • prepend 35988 (Bulgaria E.164 country code + a Bulgarian local prefix reaching MobilTel's network)
  • mark the number as having E.214 numbering plan.
  • route message on Global Title across SCCP network

Therefore, 284011234567890 becomes 359881234567890 under the E.214 numbering plan.

Translation rule:

  • match numbers starting 310150 (America first MCC + Cingular MNC)
  • remove first six digits (length of MCC+MNC)
  • prepend 14054 (North America E.164 country code + Network Code for Cingular)[citation needed]
  • mark the number as having E.214 numbering plan.
  • route message on Global Title across SCCP network

Therefore, 310150123456789 becomes 14054123456789 under the E.214 numbering plan.

The result is an E.214 compliant Global Title, (Numbering Plan Indicator is set to 7 in the SCCP message). This number can now be sent to Global Title Analysis.

Example inside World Area 1 (North America)

[edit]

Translation rule:

  • match number starting 28401 (Bulgaria MCC + MobilTel MNC)
  • identify this as belonging to MobilTel-Bulgaria network
  • do not alter the digits of the number
  • mark the number as having E.212 numbering plan.
  • route message on Global Title across SCCP network

Therefore, 284011234567890 becomes 284011234567890 under the E.212 numbering plan.

This number has to be converted on the ANSI to ITU boundary. For more details please see Global Title Translation.

Home Network Identity

[edit]

The Home Network Identity (HNI) is the combination of the MCC and the MNC. This is the number which fully identifies a subscriber's home network. This combination is also known as the PLMN.

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

International mobile subscriber identity

View on Grokipedia
from Grokipedia
The International Mobile Subscriber Identity (IMSI) is a unique numerical identifier assigned to each subscriber in , , evolved packet system (EPS), and related cellular networks, consisting of up to 15 decimal digits structured as a of three digits, a mobile network code (MNC) of two or three digits, and a mobile subscription identification number (MSIN) for the remainder. The IMSI serves as the primary permanent key for subscriber authentication, billing, and roaming across networks, distinguishing the user account from the hardware via storage on the subscriber identity module (SIM) or universal SIM (USIM) card. While transmitted during initial network attachment for verification, operational use typically employs temporary identifiers like the temporary mobile subscriber identity (TMSI) to enhance efficiency and mitigate interception risks. Allocation of MCCs falls under administration to denote countries, with MNCs issued by national regulators to operators, ensuring global uniqueness without overlap. This structure supports seamless international mobility but has drawn scrutiny for enabling tracking via IMSI-catchers in unauthorized , underscoring tensions between network functionality and .

Definition and Purpose

Core Components and Functionality

The International Mobile Subscriber Identity (IMSI) is a unique numeric identifier assigned to each mobile subscriber, consisting of up to 15 decimal digits as specified in Recommendation E.212. This identifier is stored securely on the Subscriber Identity Module (SIM) or Universal Subscriber Identity Module (USIM) card within the mobile device, decoupling subscriber recognition from device-specific attributes like the (IMEI). At its core, the IMSI integrates a three-digit (MCC), a two- or three-digit Mobile Network Code (MNC), and the remaining digits as the Mobile Subscriber Identification Number (MSIN), enabling hierarchical identification from global to individual levels. The IMSI's fundamental functionality lies in facilitating subscriber authentication and session management within cellular networks, including GSM, UMTS, LTE, and 5G systems. Upon device attachment or service initiation, the network uses the IMSI—often initially concealed via a Temporary Mobile Subscriber Identity (TMSI) for privacy—to request authentication vectors from the subscriber's home environment, verifying identity through challenge-response mechanisms involving secret keys stored on the SIM/USIM. This process authorizes access to core services such as voice telephony, packet data, and international roaming by confirming billing eligibility and network permissions without exposing permanent identifiers routinely. Global uniqueness of the IMSI is enforced via standardized allocation: the assigns MCCs to countries or territories, while national regulators or operators allocate MNCs to specific networks and MSINs to subscribers, preventing overlaps across borders. This structured assignment, detailed in ITU-T E.212 and specifications, supports reliable subscriber tracking and fraud prevention in multi-operator environments. The International Mobile Subscriber Identity (IMSI) identifies the subscriber's service subscription within the mobile network, distinct from the , which uniquely identifies the physical hardware of the itself. The IMSI is stored on the Universal Card (UICC or SIM) and remains tied to the user's account with the mobile operator, enabling seamless transfer to any compatible device by inserting the . In contrast, the IMEI is embedded in the device's during manufacturing and cannot be altered or transferred, serving purposes such as equipment tracking, blacklisting stolen devices, and ensuring for hardware. Unlike the Mobile Station International Subscriber Directory Number (MSISDN), which functions as the publicly dialable telephone number for routing calls and messages, the IMSI operates as an internal, non-user-facing identifier used exclusively by the core network for subscriber authentication and location management. The is mapped to the IMSI in the operator's Home Location Register (HLR) or equivalent database, allowing multiple MSISDNs to potentially associate with a single IMSI for features like multi-number services, but the IMSI itself does not change with number portability or reassignment. This separation ensures that network operations rely on the stable IMSI for billing and service provisioning, while the MSISDN handles external directory and interconnection functions across public switched telephone networks. The IMSI also contrasts with temporary pseudonyms such as the Temporary Mobile Subscriber Identity (TMSI) in / networks or the Globally Unique Temporary Identifier () in LTE/ systems, which are short-lived allocations designed to mask the IMSI during over-the-air signaling exchanges. These temporary identifiers are assigned by the network after initial IMSI-based attachment and refreshed periodically to minimize broadcast exposure, but they are context-specific and require fallback to the IMSI for inter-system handovers or loss of synchronization. The IMSI thus serves as the enduring, globally unique anchor for subscriber identity resolution, while TMSI/ provide location- and session-bound anonymity without altering the underlying subscription linkage.
IdentifierPrimary ScopeKey FunctionPermanence and Transfer
IMSISubscriber subscriptionNetwork-internal identification and Permanent; transferable between devices via SIM
IMEIDevice hardwareEquipment uniqueness and trackingPermanent; fixed to specific
MSISDNDirectory/routing numberCall/message addressingSemi-permanent; mappable to but reassignable
TMSI/GUTISignaling Air-interface Temporary; network-assigned and refreshed, tied to context

Historical Development

Origins in GSM Standardization (1980s–1990s)

The development of the International Mobile Subscriber Identity (IMSI) emerged from efforts to overcome the fragmentation and limitations of first-generation () analog mobile systems, such as NMT and TACS, which supported national operations but lacked standardized international and efficient subscriber tracking across borders. In 1982, the Conference of European Posts and Telecommunications (CEPT) established the Groupe Spéciale Mobile () to create a unified digital standard for a pan-European , addressing capacity constraints and interoperability issues inherent in analog technologies that relied on without robust digital encryption or global numbering plans. This initiative prioritized empirical validation through field trials, culminating in a 1987 among 13 European nations to commercialize the system by 1991, with IMSI conceived as a permanent, for subscribers to enable seamless mobility and billing across operators. IMSI's format was integrated into GSM's core architecture during the , drawing on ITU principles for international numbering to ensure global uniqueness via a structure comprising a (MCC), Mobile Network Code (MNC), and subscriber-specific digits. The Recommendation E.212, which formalized the identification plan for mobile users and networks, supported this by defining a hierarchical scheme for MCC and MNC allocation, facilitating beyond . specifications, transferred from CEPT to the European Telecommunications Standards Institute (ETSI) in 1989, finalized IMSI requirements in Phase 1 documents by 1990, emphasizing its role in and updates without tying it to temporary identifiers like the Temporary Mobile Subscriber Identity (TMSI) to mitigate signaling overhead. Empirical multi-operator trials in the late , including tests across simulated scenarios, confirmed IMSI's effectiveness in maintaining subscriber uniqueness and network access amid digital TDMA signaling shifts. The first commercial GSM deployment, incorporating IMSI for subscriber management, occurred in Finland on July 1, 1991, when Radiolinja launched service with the inaugural call between former Harri and Tampere's deputy mayor Kaarina Suonio, validating the system's capabilities in real-world conditions. This milestone stemmed from rigorous pre-launch testing that prioritized causal reliability over proprietary analog extensions, establishing IMSI as foundational for digital subscriber-centric operations.

Expansion to Subsequent Generations (2000s–2010s)

The International Mobile Subscriber Identity (IMSI) maintained its core role as the permanent subscriber identifier during the transition to third-generation () networks via the Universal Mobile Telecommunications System (), whose first commercial deployment occurred on October 1, 2001, by in . In , the IMSI resided on the Universal Subscriber Identity Module (USIM), which evolved from the GSM SIM to support enhanced security features like while preserving the IMSI's 15-digit structure for compatibility with existing GSM infrastructure. This retention ensured uninterrupted and billing across generations without altering the IMSI's format or allocation principles defined in Technical Specification 23.003. As networks advanced to fourth-generation () Long-Term Evolution (LTE) under Release 8 specifications completed in 2008, the IMSI remained integral to the Evolved Packet System (EPS), stored on USIM or IMS SIM (ISIM) cards to facilitate with and . LTE core elements, such as the Mobility Management Entity (MME), utilized the IMSI for initial attach procedures, temporary identifier mapping (e.g., to ), and authentication vectors, enabling seamless and data session continuity across radio access technologies. No fundamental changes to IMSI encoding or usage were introduced, prioritizing over redesign amid the shift to all-IP architectures. By the 2010s, IMSI-based identification supported the scaling of voice-over-LTE (VoLTE) services, integrated via the (IMS) in LTE deployments, where the IMSI authenticated users for circuit-switched fallback and packet-switched voice calls. This framework underpinned authentication for billions of active subscriptions; global mobile connections surpassed 6 billion by mid-decade, with IMSI serving as the foundational identifier in over 90% of networks still reliant on GSM-derived technologies including and LTE. Early LTE trials and rollouts, such as those in 2009-2010, demonstrated IMSI's robustness in handling increased traffic without format modifications, though temporary identifiers like the SAE Temporary Mobile Subscriber Identity (S-TMSI) were emphasized for paging efficiency.

Structure and Format

Mobile Country Code (MCC)

The (MCC) comprises the first three digits of the International Mobile Subscriber Identity (IMSI), functioning as a fixed identifier for the subscriber's home country or specified geographical area within the global mobile telecommunications framework. Defined under ITU-T Recommendation E.212, the MCC is allocated exclusively by the ITU's Telecommunication Standardization Bureau (TSB) director to national administrations or designated entities, ensuring a unique, non-overlapping assignment that partitions the IMSI namespace geographically for unambiguous international network identification. This allocation principle supports causal partitioning of mobile subscribers by origin, preventing routing ambiguities in a system where billions of IMSIs must be processed across borders without reliance on variable national policies. MCC values are structured into numerical blocks aligned with ITU-designated world geographical zones to optimize global routing efficiency: codes 200–299 for ; 300–399 for and the ; 400–499 for and the ; 500–599 for ; 600–699 for ; and 700–799 for South and Central America, with 000 reserved for test networks and 900–999 for international or shared use. Within these, specific assignments are country-fixed; for example, the employs 310–316, while the uses 234, as published in ITU operational bulletins and E.212 annexes. These ranges reflect deliberate ITU planning from the era onward, prioritizing stable, hierarchical coding over ad-hoc national expansions to maintain interoperability amid network growth. In network operations, the MCC enforces geographic determinism in subscriber handling by allowing any visited network to extract the home country's code from an IMSI, thereby directing signaling messages—such as location updates or billing queries—to the corresponding national PLMN infrastructure without exhaustive global searches. This mechanism underpins roaming causality: a foreign network parses the MCC to route to the home country's HLR or equivalent, minimizing latency and errors in international interconnects, as IMSI analysis is limited to MCC digits for initial partitioning before deeper MNC evaluation. Allocations remain static post-assignment, with ITU oversight ensuring no reallocations disrupt established routing tables used by operators worldwide.

Mobile Network Code (MNC)

The Mobile Network Code (MNC) forms the second component of the (PLMN) identifier in the International Mobile Subscriber Identity (IMSI), following the three-digit (MCC) to specify the exact within that country. It consists of two or three decimal digits, with the length determined by the national numbering authority's assignment to accommodate varying numbers of operators per country. National regulatory bodies allocate MNCs to operators, notifying the (ITU) to register the MCC-MNC pair in Recommendation ITU-T E.212, ensuring global uniqueness and preventing identifier collisions across networks. The provides supplementary guidelines for MNC usage, including application processes for operator names associated with these codes. MNC length varies regionally to reflect operator density: typically two digits in and , allowing up to 100 networks per MCC, while employs three digits to support greater granularity amid numerous operators. For instance, in the United States (MCC 310), AT&T Mobility is assigned MNC 410, distinguishing it from other carriers like Verizon (MNC 004). This structure enables precise routing and billing in international roaming without overlap. As of the , over 2,000 active MNCs are in use worldwide, reflecting network proliferation, with the alone accounting for more than 200 such codes due to its competitive market. ITU operational bulletins periodically update these allocations based on national notifications, maintaining the system's integrity for authentication and interconnectivity.

Mobile Subscriber Identification Number (MSIN)

The Mobile Subscriber Identification Number (MSIN) constitutes the final segment of the International Mobile Subscriber Identity (IMSI), comprising up to 10 digits that uniquely identify a specific mobile subscription within the designated by the preceding and Mobile Network Code (MNC). This structure ensures subscriber individuality decoupled from device hardware, as the MSIN resides on the Universal Card (UICC) and persists across device changes while maintaining service continuity. The absence of a device-bound linkage supports principles of subscription portability, allowing networks to authenticate and provision services based on subscription credentials rather than transient equipment identifiers. Mobile network operators allocate MSINs internally to guarantee uniqueness within their MNC scope, typically employing sequential numbering or algorithmic hashing methods without adherence to a universal format beyond the digit limit. This operator-specific assignment accommodates scalability, providing a theoretical capacity exceeding 10^9 subscribers per network, sufficient for large-scale deployments as evidenced by major operators managing hundreds of millions of active lines. The MSIN's role in empirical network functions includes precise mapping for billing records and authentication challenges, where it serves as the anchor for subscriber-specific keys and usage logs, independent of temporary identifiers like the Temporary Mobile Subscriber Identity (TMSI). Prior to subscription concealed identifiers in later standards, MSIN exposure in signaling lacked normative restrictions on public dissemination, relying on operator policies for protection.

Network Operations and Usage

Authentication and Session Management

In mobile networks adhering to GSM and LTE standards, the IMSI is transmitted during the initial attach procedure when no valid temporary identifier is available, enabling the network to initiate and Key Agreement (AKA). In , the mobile station sends the IMSI via the Mobile Application Part () protocol to the Visitor Location Register (VLR), which queries the Home Location Register (HLR) for authentication vectors using the IMSI as the subscriber key. Similarly, in LTE, the (UE) includes the IMSI in the Non-Access Stratum (NAS) Attach Request message if lacking a Globally Unique Temporary Identifier (GUTI), allowing the Mobility Management Entity (MME) to retrieve vectors from the Home Subscriber Server (HSS). The AKA process leverages the IMSI to index the subscriber's secret key (Ki) stored on the SIM or USIM card, applying algorithms such as for computing the signed response (SRES) to a random challenge (RAND) and A8 for deriving the cipher key (Kc) in environments. In LTE, EPS-AKA extends this with enhanced integrity protection, but the IMSI's role in vector retrieval remains foundational, ensuring between the UE and core network without revealing Ki over the air interface. This signaling flow verifies subscriber legitimacy and establishes session keys for encrypting subsequent communications, with the network challenging the UE's computation to confirm possession of the correct Ki-derived credentials. Upon successful AKA, the network assigns a Temporary Mobile Subscriber Identity (TMSI) or equivalent (e.g., Packet TMSI in GPRS, in LTE) to replace the IMSI in future signaling, pseudonymizing the permanent identifier to curtail repeated transmissions. This mechanism confines IMSI exposure to initial attaches or temporary identifier failures, empirically limiting risks as observed in protocol traces where use correlates with fewer permanent identifier leaks. The IMSI's structure and authentication integration have persisted without core modifications since GSM's 1990s deployment, maintaining the E.212 format of (MCC), Mobile Network Code (MNC), and Mobile Subscriber Identification Number (MSIN) for backward-compatible vector retrieval across to networks.

Roaming and International Interconnectivity

In networks, international relies on the IMSI to route requests from the visited network's Visitor Location Register (VLR) to the subscriber's home network's Home Location Register (HLR), using the IMSI's (MCC) and Mobile Network Code (MNC) to identify the destination HLR. Upon initial attachment, the provides its IMSI to the VLR, which initiates a location update procedure over SS7 signaling to fetch subscriber profile data, including service permissions and vectors, from the HLR. This process ensures seamless service continuity across borders, provided bilateral roaming agreements exist between operators. With the transition to LTE, the IMSI continues to serve as the primary identifier for roaming, but the architecture shifts to the Mobility Management Entity (MME) in the visited network querying the home network's Home Subscriber Server (HSS) via the Diameter protocol, replacing SS7/MAP with S6a interface signaling for enhanced efficiency and security in data-heavy environments. The HSS, an evolution of the HLR, maintains IMSI-linked subscriber data while supporting additional LTE-specific parameters like access point names and QoS profiles. GSMA's IR.21 specification governs the structure of the global database, mandating the inclusion of MCC/MNC details for accurate IMSI-based routing and operator contact information to facilitate interconnect agreements and post-paid settlement via Transferred Account Procedure (TAP) files. First published in the and iteratively updated through the to incorporate and LTE requirements, IR.21 enables operators to parse IMSI components for real-time steering of and wholesale billing, underpinning a market where tariffs exceeded USD 72 billion in 2022. Number portability, implemented widely since the early 2000s, complicates by decoupling the public from the IMSI's MSIN, as ported subscribers retain their dialed number but switch home networks, necessitating supplementary mappings in visited networks to resolve IMSI lookups for call routing and avoid failed deliveries. Operators address this through centralized portability databases that link portable MSISDNs to current IMSIs, integrated into signaling since standards like ETSI TS 129 002 (2000) outlined query-release mechanisms, ensuring minimal disruption despite increased administrative overhead.

Security and Privacy Concerns

IMSI Catchers and Passive Surveillance Risks

IMSI catchers operate by impersonating legitimate cellular base stations, exploiting protocol vulnerabilities in legacy networks such as to compel mobile devices to transmit their IMSIs in during connection attempts. These devices broadcast stronger signals than genuine towers, forcing handovers and identity reveals, including the MSIN component, which uniquely identifies subscribers for tracking and linkage across sessions. Deployed commercially since the mid-1990s for and applications, IMSI catchers proliferated in contexts by the , with devices like Harris Corporation's enabling U.S. agencies to capture IMSIs from nearby phones without network cooperation. This circumvents temporary identifiers like TMSI, as catchers can downgrade or issue direct IMSI requests, rendering optimistic assumptions about pseudonymity ineffective in practice. Passive surveillance amplifies these risks through interception of unencrypted signaling, where IMSIs appear in cleartext during paging, location updates, or attachments in / protocols. Software-defined radios paired with open-source frameworks, such as implementations demonstrated around 2014, allow low-cost decoding of these broadcasts, enabling correlation of IMSIs with geographic positions via signal strength or timing without active jamming. Such techniques require minimal expertise, as affordable hardware like USRP peripherals processes bursts to extract identities passively. With over 5 billion mobile subscribers globally transmitting signaling data daily, unencrypted IMSI exposures occur routinely in operational networks lacking universal , facilitating mass tracking by equipped observers. Analyses from congressional assessments underscore how commoditized tools have democratized access, extending vulnerabilities beyond state actors to capable non-state entities exploiting these persistent protocol flaws. Legacy mitigations, such as infrequent IMSI re-authentication, fail against repeated passive captures, highlighting the empirical inadequacy of pre-4G safeguards against determined interception. In 5G standalone (SA) networks, the Subscription Concealed Identifier (SUCI) encrypts the Subscription Permanent Identifier (SUPI)—the successor to the IMSI—using asymmetric cryptography, preventing plaintext transmission of permanent subscriber identities over the radio interface and thereby diminishing the effectiveness of classic IMSI catchers compared to LTE exposures. Enhanced paging with temporary identifiers further supports this protection. However, non-standalone (NSA) deployments, which leverage LTE core networks, may revert to LTE-like procedures during initial attachments, limiting SUCI benefits. In the , documents disclosed in 2016 revealed that at least seven police forces had deployed IMSI catchers for real-time tracking of mobile devices, enabling from suspects in criminal investigations. These devices facilitate targeted operations with reported success rates approaching 80 percent in urban environments when signal strength exceeds legitimate base stations by 35 dB, allowing to identify and monitor specific IMSIs amid surrounding traffic. Such capabilities have proven efficacious in apprehending fugitives and disrupting , as evidenced by operational deployments that yield actionable intelligence without relying solely on carrier cooperation. However, these applications have sparked legal challenges over privacy intrusions, with advocacy groups arguing that IMSI catchers enable indiscriminate data harvesting from uninvolved parties, potentially violating proportionality requirements under Article 8 of the . initiated requests in 2016 targeting multiple UK police forces and the , leading to appeals and tribunal rulings through 2023 that criticized authorities' refusals to disclose usage details, thereby perpetuating opacity in bulk practices. Critics contend this lack of oversight fosters unaccountable mass collection, as IMSI catchers compel all proximate devices to reveal identifiers, amplifying risks of overreach beyond individualized suspicion. In the , IMSI catcher deployments—often termed Stingrays—have prompted Fourth Amendment litigation, with courts increasingly mandating warrants for their use due to the devices' capacity to acquire precise location data and IMSIs without carrier mediation. Cases such as United States v. Rigmaiden (2013) highlighted suppression of evidence obtained warrantlessly, underscoring debates over whether such active interception constitutes a search implicating reasonable expectations. While proponents cite enhanced counter-terrorism efficacy, including post-9/11 expansions in tools for threat disruption, empirical concerns persist regarding disproportionate impacts, as operations inevitably capture bystander data absent judicial pre-authorization. This tension reflects broader causal trade-offs: targeted gains in security versus systemic erosions in when deployments evade rigorous oversight.

Evolution in Modern Networks

Integration with 5G SUPI and SUCI

In networks, the Subscription Permanent Identifier (SUPI) replaces the IMSI as the core permanent subscription identifier, maintaining a compatible structure comprising a (MCC), Mobile Network Code (MNC), and a subscription identifier such as the Mobile Subscriber Identification Number (MSIN). Defined in Technical Specification (TS) 23.003 under Release 15, finalized in June 2018, the SUPI ensures continuity with prior generations while enabling enhanced security features. To address privacy vulnerabilities like IMSI exposure to passive interception, mandates transmission of the SUCI rather than the plain SUPI over the radio interface. These enhancements provide security improvements over LTE in the radio layer, including concealment of the permanent subscriber identifier via SUCI, which encrypts the SUPI using schemes such as elliptic curve cryptography with the home network's public key, rendering classic IMSI catchers much less effective by preventing direct extraction of identifiable information. Additionally, 5G introduces stronger encryption and authentication protocols in the air interface, such as improved key derivation functions and cipher algorithms (e.g., NEA3), absent in pure LTE systems. As specified in TS 33.501 (Release 15, 2018), the SUCI encapsulates the concealed SUPI, generated by the (UE) via a protection scheme—typically an elliptic curve-based using the 's public key—preventing eavesdroppers from directly accessing the SUPI. The public key infrastructure (PKI) facilitates decryption upon receipt, restoring the SUPI for and without exposing it in transit. Full SUCI-based subscriber ID encryption primarily applies in 5G standalone (SA) mode with the native 5G core; in non-standalone (NSA) mode, which pairs 5G New Radio (NR) with the LTE Evolved Packet Core (EPC), initial attachment procedures often follow LTE protocols, potentially exposing the IMSI in plaintext if no temporary identifier is available, though the 5G NR radio layer still delivers partial enhancements like improved physical layer security. A null concealment scheme option preserves , allowing SUCI to equal the unprotected SUPI in scenarios lacking home network public keys, though this reverts to IMSI-like exposure and is discouraged for reasons. NIST's Cybersecurity 36A (August 2024) emphasizes enabling non-null SUCI to mitigate correlation attacks by passive adversaries, such as those inferring subscriber details from repeated transmissions, while noting SUCI protections apply solely to standalone connections and not legacy fallbacks. Practical deployments have revealed residual risks, including length-based where fixed MSIN lengths in SUCI enable attackers to link encrypted across sessions. Ericsson's 2024 enhancement proposes varying subscription identifier lengths during SUCI generation to obfuscate these patterns, reducing traceability without altering core protocols.

Backward Compatibility and Phasing Challenges

In 5G standalone (SA) deployments, the network core falls back to Evolved Packet System (EPS) procedures for interoperability with 4G LTE and earlier generations, particularly for services like voice over IMS (VoIMS) where 5G Voice over New Radio (VoNR) is unavailable. This EPS fallback redirects user equipment (UE) to the 4G Evolved Packet Core (EPC), where the International Mobile Subscriber Identity (IMSI) is transmitted in plaintext during initial attach or paging if a temporary identifier like the Globally Unique Temporary Identifier (GUTI) is not established, thereby exposing subscriber identities to interception risks. Such mechanisms remain prevalent due to limited 5G SA adoption; as of mid-2025, global 5G connections stand at approximately 1.6 billion out of over 8 billion total mobile connections, with most 5G networks operating in non-standalone (NSA) mode reliant on 4G cores that inherently use IMSI for authentication. This implies that roughly 80% or more of subscribers encounter IMSI-dependent operations in hybrid environments, especially during handovers or in areas lacking full 5G SA coverage. The proliferation of embedded SIM () technology exacerbates phasing difficulties, as eSIM profiles store IMSI alongside other credentials for , necessitating dual Subscription Permanent Identifier (SUPI)/IMSI provisioning in devices to support both concealed SUCI transmissions in 5G SA and legacy IMSI revelation in fallback scenarios. Global eSIM market revenue is projected to exceed $11 billion in 2025, driven by consumer devices and IoT, yet this shift does not eliminate IMSI reliance, as eSIM remote provisioning often embeds IMSI for multi-network and legacy . Operators face operational hurdles in migrating to SUPI-only systems, including updates for billions of devices and coordinated international agreements, as IMSI remains essential for inter-MCC/MNC identification in global roaming databases. No standardized timeline exists for full IMSI , with projections indicating persistence into the in rural, developing, and legacy-dependent regions where / networks cover over 3 billion users lacking / access. Hybrid network architectures prioritize service continuity over rapid enhancements, as abrupt phasing could disrupt interconnectivity for the estimated 70-80% of global subscribers still interfacing with pre- elements, underscoring the tension between evolutionary upgrades and comprehensive security overhauls. Empirical deployments, such as those analyzed in operator trials, reveal that even advanced SA cores revert to IMSI-based protocols during inter-radio access technology (inter-RAT) handovers, perpetuating vulnerabilities absent a wholesale replacement.

References

  1. https://www.itu.int/rec/T-REC-E.212/en
  2. https://atis.org/wp-content/uploads/2020/10/IMSI-Guidelines-v16.pdf
  3. https://csrc.nist.gov/glossary/term/international_mobile_subscriber_identity
  4. https://www.itu.int/rec/dologin_pub.asp?lang=s&id=T-REC-E.212-202406-I!!PDF-E&type=items
  5. https://www.3gpp.org/ftp/workshop/2007-03-14_20%2520Years%2520of%2520GSM/Presentation/06a_20_Years_of_GSM_Vedder.pdf
  6. https://www.etsi.org/deliver/etsi_ts/123000_123099/123003/16.03.00_60/ts_123003v160300p.pdf
  7. https://www.arib.or.jp/english/html/overview/doc/STD-T63V12_10/5_Appendix/Rel11/33/33102-b70.pdf
  8. https://www.itu.int/ITU-T/worksem/ip-telecoms/e164/e212.pdf
  9. https://www.zariot.com/quick-guide-to-imsi-imei-iccid-msisdn/
  10. https://mobilepacketcore.com/imsi-msisdn-imei-ptmsi/
  11. https://www.netmanias.com/en/post/blog/5929/lte/lte-user-identifiers-imsi-and-guti
  12. https://www.gsma.com/about-us/who-we-are/our-history/
  13. https://sites.pitt.edu/~dtipper/2700/2700_Slides5K.pdf
  14. https://www.3gpp.org/specifications-technologies/specifications-by-series/gsm-specifications
  15. https://www.etsi.org/images/files/news/CreationOfStandardsForGlobalMobileCommunication.epub
  16. https://www.nokia.com/thought-leadership/articles/the-human-story-of-GSM/
  17. https://www.umtsworld.com/umts/history.htm
  18. https://www.etsi.org/deliver/etsi_ts/133100_133199/133102/03.04.00_60/ts_133102v030400p.pdf
  19. https://www.arib.or.jp/english/html/overview/doc/STD-T63v9_10/5_Appendix/Rel6/23/23003-6g0.pdf
  20. https://www.3gpp.org/specifications-technologies/releases/release-8
  21. https://www.etsi.org/deliver/etsi_ts/129200_129299/129272/08.03.00_60/ts_129272v080300p.pdf
  22. https://www.3gpp.org/technologies/volte-vonr
  23. https://www.cis.upenn.edu/wp-content/uploads/2019/08/EAS499Honors-IMSICatchersandMobileSecurity-V18F.pdf
  24. https://www.etsi.org/deliver/etsi_ts/129200_129299/129276/08.01.00_60/ts_129276v080100p.pdf
  25. https://www.itu.int/epublications/es/publication/itu-t-e-212-2024-06-the-international-identification-plan-for-public-networks-and-subscriptions/en
  26. https://www.itu.int/dms_pub/itu-t/opb/sp/T-SP-E.212A-2017-PDF-E.pdf
  27. https://www.etsi.org/deliver/etsi_ts/123000_123099/123003/08.09.00_60/ts_123003v080900p.pdf
  28. https://www.itu.int/dms_pub/itu-t/opb/sp/T-SP-E.212B-2018-PDF-E.pdf
  29. https://www.gsma.com/get-involved/working-groups/gsma_resources/ts-25-v8-0-mobile-network-codes-and-names-guidelines-and-application-form/
  30. https://ldapwiki.com/wiki/Wiki.jsp?page=Mobile%2520Network%2520Code
  31. https://docs.monogoto.io/university/what-is-mcc-mnc
  32. https://www.itu.int/dms_pub/itu-t/opb/sp/T-SP-E.212B-2023-PDF-E.pdf
  33. https://thesmsworks.co.uk/blog/what-is-mnc/
  34. https://www.etsi.org/deliver/etsi_ts/123000_123099/123003/17.06.00_60/ts_123003v170600p.pdf
  35. https://our.org.jm/wp-content/uploads/2022/12/Review-of-the-International-Mobile-Subscriber-Identity-IMSI-Assignment-Guidelines_Final.pdf
  36. https://docdb.cept.org/download/1152
  37. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.36A.ipd.pdf
  38. https://www.etsi.org/deliver/etsi_gts/03/0308/05.01.00_60/gsmts_0308v050100p.pdf
  39. https://www.netmanias.com/en/post/techdocs/10441/emm-initial-attach-lte/emm-procedure-1-initial-attach-part-2-call-flow-of-initial-attach
  40. https://www.sharetechnote.com/html/Handbook_LTE_Authentication.html
  41. https://www.researchgate.net/publication/269197062_Privacy_through_Pseudonymity_in_Mobile_Telephony_Systems
  42. https://www.sciencedirect.com/topics/computer-science/home-location-register
  43. https://pages.cs.wisc.edu/~lhl/cs740/papers/gsm-loc.html
  44. https://www.etsi.org/deliver/etsi_ts/129000_129099/129002/03.04.00_60/ts_129002v030400p.pdf
  45. https://docs.oracle.com/cd/E53506_01/docs.92/910-6843-001_rev_a.pdf
  46. https://www.gsma.com/newsroom/gsma_resources/ir-21-gsm-association-roaming-database-structure-and-updating/
  47. https://www.grandviewresearch.com/industry-analysis/global-roaming-tariff-market
  48. https://docs.oracle.com/en/industries/communications/eagle/47.0/gport-user-guide/feature-description1.html
  49. https://docs.fcc.gov/public/attachments/DOC-358074A2.pdf
  50. https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks
  51. https://restorethe4th.com/issues/stingrays/
  52. https://www.schneier.com/blog/archives/2015/04/the_further_dem_1.html
  53. https://publications.sba-research.org/publications/DabrowskiEtAl-IMSI-Catcher-Catcher-ACSAC2014.pdf
  54. https://www2.seas.gwu.edu/~cheng/6547/Readings/p205-arapinis.pdf
  55. https://www.govinfo.gov/content/pkg/CHRG-115hhrg30878/pdf/CHRG-115hhrg30878.pdf
  56. https://www.ericsson.com/en/blog/2019/5/fighting-imsi-catchers-5g-cellular-paging-privacy
  57. https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-5G-IMSI-Catchers-Mirage.pdf
  58. https://www.theguardian.com/world/2016/oct/10/controversial-phone-snooping-technology-imsi-catcher-seven-police-forces
  59. https://www.cablelabs.com/blog/false-base-station-or-imsi-catcher-what-you-need-to-know
  60. https://privacyinternational.org/news-analysis/5206/remember-those-imsi-catchers-uk-authorities-play-hide-and-seek-use-intrusive
  61. https://privacyresearchgroup.law.nyu.edu/2013/03/government-imsi-catchers-operate-on-the-fringes-of-fourth-amendment-privacy/
  62. https://www.law.georgetown.edu/american-criminal-law-review/wp-content/uploads/sites/15/2023/02/53-0-McCullough-stingray-searches-and-the-fourth-amendment-implications-of-modern-cellular-surveillance.pdf
  63. https://www.etsi.org/deliver/etsi_ts/123000_123099/123003/15.05.00_60/ts_123003v150500p.pdf
  64. https://www.etsi.org/deliver/etsi_ts/133500_133599/133501/16.07.01_60/ts_133501v160701p.pdf
  65. https://www.awardsolutions.com/portal/resources/5g-security-improvements
  66. https://www.ericsson.com/en/blog/2024/4/privacy-by-subscription-id-length-variation
  67. https://www.ericsson.com/en/reports-and-papers/white-papers/voice-and-communication-services-in-4g-and-5g-networks
  68. https://onlinelibrary.wiley.com/doi/10.1155/2022/7395128
  69. https://assets.1global.com/f/279938/x/9527a1ed81/mobile-world-live-industry-survey-report-2025.pdf
  70. https://www.gsma.com/solutions-and-impact/connectivity-for-good/mobile-economy/
  71. https://www.marketdataforecast.com/market-reports/esim-market
  72. https://straitsresearch.com/report/esim-market
  73. https://www.csgi.com/insights/the-3-biggest-challenges-in-5g-advanced-adoption-for-mobile-network-operators/
  74. https://www.telecomtv.com/content/access-evolution/mobile-usage-gap-remains-stubbornly-wide-as-5g-advances-53787/
  75. https://www.iplook.com/info/5g-voice-services-using-eps-fallback-i00152i1.html
Add your contribution
Related Hubs
User Avatar
No comments yet.