Authentication vulnerability in the most recent 5G AKA drafts (February 2018)

The 5th Generation (5G) mobile networks and telecommunications standards are currently under development, and are nearly finalised. We analyse the security properties of the main 5G-AKA protocol within the February 2018 version of the draft standard. Our analysis reveals a security vulnerability in the proposed 5G-AKA protocol as specified within the most recent version of 3GPP TS 33.501 (v0.7.0, Feb 2018). Without very specific additional assumptions on the underlying infrastructure, the discovered protocol vulnerability would allow a malicious actor (with no privileged network access) to impersonate another user to a Serving Network, for example in a roaming scenario.

We found the vulnerability by performing formal symbolic analysis of the protocol standard using the TAMARIN Prover. We provide two possible fixes for the issue.