„Obstacles to surveillance“: How authorities make 5G telephony insecure

In the fifth generation of mobile communications, encrypted and anonymous connections are technically feasible. Police and secret services, however, are creating new interception possibilities.

Following the auction of frequencies, mobile operators are building the new 5G network. This fifth generation of mobile communications is considered particularly secure because of its concept of „Privacy by Design“. Connections can be encrypted end-to-end, which makes interception much more difficult. The device numbers of the telephones and the unique identification of the SIM cards are also transmitted in encrypted form. Under 5G, the registered mobile phones also recognize suspicious mobile cells. This makes the IMSI catchers currently in use unusable for locating and listening to telephones in the vicinity.

The new possibilities for encryption and anonymisation are causing police forces and secret services headaches. The German Federal Ministry of the Interior complains of „additional technical hurdles in the monitoring of telecommunications and the implementation of technical investigation measures“ and announces „adjustments“ of the telecommunications legislation.

The planned 5G architecture with network slicing (ETSI).

International interception working groups

The technical standards for 5G are discussed and defined in international organizations. One of them is the European Telecommunications Standards Institute (ETSI), which in turn cooperates with the worldwide 3rd Generation Partnership Project (3GPP). 3GPP belongs to the International Telecommunication Union of the United Nations, whose specifications are also adopted by the participating countries. Both organizations also deal with the possibilities of decrypting and intercepting telecommunications. At ETSI, the TC LI („Technical Committee Lawful Interception“) working group is responsible for this; at 3GPP, it is the SA3 LI („Lawful Interception“) group.

Among the „hurdles“ in surveillance dealt with by ETSI and 3GPP are the decentralized network architecture of 5G and multi-access edge computing. This means that data whose fast transmission has no priority can be outsourced to the network periphery. In the „Internet of Things“ this means that data packets are also transmitted via decentralized routers, devices like refrigerators or other networked units. They may therefore bypass the mobile phone masts of the network operators, which means that they cannot be archived or intercepted there.

Numerous „Points of Intercept“

Earlier generations of mobile communications were primarily designed for voice transmission and later for Internet connections. The network architecture under 5G distributes these services to different virtual environments. These network elements include, for example, the transmission of data packets, short messages, the allocation of IP addresses, a location management function or the logging of charges to be billed to 5G customers.

In total, the 5G architecture consists of nine such network elements. A large number of interception interfaces are therefore required so that they can be monitored by police forces and intelligence services. They are referred to as „Points of Intercept“ (POI). The approval of 5G services is linked to the establishment of these interfaces. This follows from the EU Directive on the European Code of Electronic Communications, which was renewed a year ago for the fifth generation of mobile communications.

„E-Warrants“ of authorized authorities are received and forwarded via an „Administration Function“; a „Lawful Intercept Control Function“ checks and administers the order. The „Lawful Intercept Provisioning Function“ is responsible for monitoring, while the „Law Enforcement Monitoring Facility“ is responsible for data transmission. (Graphic: ETSI)

Secret list of targets

The German Federal Ministry of the Interior expects a „considerably higher data rate“ at the „Points of Intercept“ and writes that these are „presumably to be adapted in terms of hardware and software“. Relevant listening interfaces with the corresponding input and output servers are sold by companies such as Germany's Utimaco. The applications distinguish between two different types of data. Telephone calls, Internet communication or SMS are referred to as „Content of Communication“ (CC). Each time content is transmitted, traffic data is also generated, including numbers, IP addresses and locations of devices, the time of a call or called subscribers. This data is called „Intercept Related Information“ (IRI).

There are also various technical terms for monitoring telecommunications. Real-time interception is known as „Lawful Interception“ (LI), the subsequent querying of locations and other metadata, for example within the framework of a cell site analysis, as „Lawful Access Location Services“ (LALS). In a „Lawful Interception“ measure, police and secret services want to be informed at all times when a target or a certain device appears in the 5G network. Those affected are kept on a „target list“, which is stored with the network operators and permanently updated. The companies are responsible for keeping the list confidential.

Interception interfaces impede fast transmission

In the mobile radio generations 3G and 4G, this target list was located only at a single point of intercept. However, the decentralized network architecture of 5G would require the list of target persons to be mirrored on the other virtual network elements so that it can be queried there for each new communication process.

However, this distribution over the entire 5G architecture also carries the risk that the list is compromised and falls into the wrong hands. It would therefore also be possible to deposit the list exclusively at the „Lawful Intercept Control Function“. This is the interface to which the authorities submit their interception orders. However, this would mean that every communication process would have to take a detour via the „Target List“ on this central server. This would considerably increase latencies and erode an important advantage of 5G telephony, which is up to 100 times faster than former network generations.

Final standards in June 2020

By December of this year, ETSI intends to develop technical specifications for monitoring 5G in Release #16. These will then be addressed by the United Nations in 3GPP, which aims to define a mandatory standard by June 2020. For example, it is still unclear whether 5G telephony will actually be encrypted end-to-end.

According to Alf Zugenmaier, professor for mobile networks and security at the Munich University of Applied Sciences, this has long been decided behind the scenes and will only be formally decided in Release #16. According to this, 5G should only allow a step-by-step encryption so that the responsible authorities can access the content or metadata at different network nodes. Zugenmaier himself is vice-chairman of a 3GPP working group dealing with security and data protection.

Authorities urge haste

The nature of the „Points of Intercept“ has also not yet been definitively decided. It is clear that the authorities will continue to have access to interception features, but the IT architecture required for this is much more complicated. This is why European police forces and secret services are urging haste and calling for more influence in the standardization organizations. In spring, the police agency Europol published a position paper on 5G. Subsequently, the EU Counter-Terrorism Coordinator suggested that Europol become a member of ETSI.

The German Federal Criminal Police Office, the Federal Office for the Protection of the Constitution and the Federal Network Agency have also been participating in the interception working groups at ETSI and 3GPP for many years, as have the Bavarian State Criminal Police Office and the State Criminal Police Office of Lower Saxony. Probably to increase the pressure, the Federal Ministry of the Interior has also sent the new „Central Office for Information Technology in the Security Sector“ of secret services and police there since June of this year.

Cross-border consultation of „electronic evidence“

Further legal problems arise with the fifth generation of mobile communications. The new network architecture uses so-called network slicing, whereby certain services can be preferred and safeguarded. For example, there will be segments under 5G for autonomous driving, as well as for the „Internet of Things“ or cloud services. Some of the applications can also be located abroad or routed via foreign servers. Access is difficult for national police forces and secret services there, as the cumbersome international legal process must be followed for orders to intercept or subsequently transmit metadata.

This explains the haste that can currently be observed at EU level for the cross-border retrieval of „electronic evidence“. The EU Commission has presented a proposal for a regulation to secure and publish cloud content, which would allow police forces and secret services to query metadata directly from Internet providers. However, this would only be possible within the European Union.

The EU Parliament has not yet discussed this. Nevertheless, the governments of the member states have already given the Commission a mandate to negotiate with the US so that European authorities can also make direct enquiries to Internet companies there without having to go through legal assistance procedures. The US government is prepared to compromise, but demands concessions. Among other things, the US authorities want to be able to approach European companies quite legally in order to be able to intercept Internet-based telephone conversations in real time.