这是一个创建于 85 天前的主题,其中的信息可能已经有所发展或是发生改变。
结果今天实验测试 (四川电信) 发现, 虽然接入给的 ID 类型是 SUCI, 但 protection schema 却是 null, IMSI 就这么直接被当作加密后的 ID 来传输了.
第 1 条附言 84 天前
append 一下测试条件:
- 4月底新换的四川电信 SIM 卡
- 索尼国行手机
- 接入目标是自家的测试基站
- 检查是通过抓 MSG5 里的 NAS 消息的明文部分
系统信息中的字段 SIB1::cellSelectionInfo::q-QualMinOffset 是 Cond standalone, 但测试基站没有填写该字段, 不知是否会有影响.
附 wireshark 解析出的内容 (append 长度限制去除一些部分):
5GS mobile identity Length: 11 1... .... = Spare: 1 .1.. .... = Spare: 1 ..1. .... = Spare: 1 ...1 .... = Spare: 1 .... 0... = Spare: 0 .... .010 = Type of identity: 5G-GUTI (2) Mobile Country Code (MCC): China (460) Mobile Network Code (MNC): Unknown (11) AMF Region ID: 81 0001 0000 11.. .... = AMF Set ID: 67 ..00 0011 = AMF Pointer: 3 5G-TMSI: ***** (与手机中查询的 IMSI 一致) UE security capability Element ID: 0x2e Length: 4 1... .... = 5G-EA0: Supported .1.. .... = 128-5G-EA1: Supported ..1. .... = 128-5G-EA2: Supported ...1 .... = 128-5G-EA3: Supported .... 0... = 5G-EA4: Not supported .... .0.. = 5G-EA5: Not supported .... ..0. = 5G-EA6: Not supported .... ...0 = 5G-EA7: Not supported 0... .... = 5G-IA0: Not supported .1.. .... = 128-5G-IA1: Supported ..1. .... = 128-5G-IA2: Supported ...1 .... = 128-5G-IA3: Supported .... 0... = 5G-IA4: Not supported .... .0.. = 5G-IA5: Not supported .... ..0. = 5G-IA6: Not supported .... ...0 = 5G-IA7: Not supported 1... .... = EEA0: Supported .1.. .... = 128-EEA1: Supported ..1. .... = 128-EEA2: Supported ...1 .... = 128-EEA3: Supported .... 0... = EEA4: Not supported .... .0.. = EEA5: Not supported .... ..0. = EEA6: Not supported .... ...0 = EEA7: Not supported 0... .... = EIA0: Not supported .1.. .... = 128-EIA1: Supported ..1. .... = 128-EIA2: Supported ...1 .... = 128-EIA3: Supported .... 0... = EIA4: Not supported .... .0.. = EIA5: Not supported .... ..0. = EIA6: Not supported .... ...0 = EIA7: Not supported 第 2 条附言 84 天前
抱歉, 截取的抓包有误, 可能被同名文件覆盖了, 但我留有截图:
第 3 条附言 84 天前
重测了一下, 抓取了 Identity Response 的内容, 用文本发出来方便查看:
Non-Access-Stratum 5GS (NAS)PDU Security protected NAS 5GS message Extended protocol discriminator: 5G mobility management messages (126) 0000 .... = Spare Half Octet: 0 .... 0001 = Security header type: Integrity protected (1) Message authentication code: 0x031e4c05 Sequence number: 21 Plain NAS 5GS Message Extended protocol discriminator: 5G mobility management messages (126) 0000 .... = Spare Half Octet: 0 .... 0000 = Security header type: Plain NAS message, not security protected (0) Message type: Identity response (0x5c) 5GS mobile identity Length: 13 0... .... = Spare: 0 .000 .... = SUPI format: IMSI (0) .... 0... = Spare: 0 .... .001 = Type of identity: SUCI (1) Mobile Country Code (MCC): China (460) Mobile Network Code (MNC): Unknown (11) Routing indicator: 0 .... 0000 = Protection scheme Id: NULL scheme (0) Home network public key identifier: 0 MSIN: ****** (与手机读取的 IMSI 一致)  | 1 Licsber 85 天前 先 Mark ,等我下周旅行回来验证一下看看,印象中是有临时 SUCI 的。 |
 | 2 charryshiv 85 天前 印象里好像是需要 SIM 卡支持的吧,卡支持吗?国内的 5G SA 没换卡也能用应该是苹果按内地运营商要求关闭了这项验证要求,其他的运营商如果在 iPhone 上没换卡是开启不了 SA 的,会提示当前 SIM 卡不支持。 |
3 dsx826 85 天前 via Android 三家都有真正使用 |
 | 4 gotZ9 OP @charryshiv append 了一些测试信息, 手机卡是 4 月底找营业厅换的新卡, 手机是 Android 的. 基站的 SIB1 有点问题, 不知道会不会产生影响. |
| 5 charryshiv 83 天前 @gotZ9 没关注过国内的这块现状,如果没上感觉也很正常,xx 部门部署的探针未来还要拿 IMSI 吧 |
Select Language