Preprint
Article

This version is not peer-reviewed.

Toward Self-Sovereign Management of Subscriber Identities in 5G/6G Core Networks

Submitted: 23 December 2025
Posted: 24 December 2025

Abstract
5G systems have delivered on their promise of seamless connectivity and efficiency improvements since their global rollout began in 2020. However, maintaining subscriber identity privacy on the network remains a critical challenge. The 3GPP specifications define numerous identifiers associated with the subscriber and their activity, all of which are critical to the operations of cellular networks. While the introduction of the Subscription Concealed Identifier (SUCI) protects users across the air interface, the 5G Core Network (CN) continues to operate largely on the basis of the Subscription Permanent Identifier (SUPI), the 5G equivalent of the IMSI from prior generations, for functions such as authentication, billing, session management, emergency services, and lawful interception. Furthermore, the SUPI relies solely on the transport layer's encryption for protection from malicious observation and tracking of the SUPI across activities. The crucial role of the largely unprotected SUPI and other closely related identifiers creates a high-value target for insider threats, malware campaigns, and data exfiltration, effectively rendering the Mobile Network Operator (MNO) a single point of failure for identity privacy. In this paper, we analyze the architectural vulnerabilities of identity persistence within the CN, challenging the legacy "honest-but-curious" trust model. To quantify the extent of subscriber identities in flight in the CN, we conducted a study of the occurrence of SUPI as a parameter throughout the collection of 5G VNF (Virtual Network Function) API (Application Programming Interface) schemas. Our extensive analysis of the 3GPP specifications for 3GPP Release 18 revealed a total of 5,670 distinct parameter names being used across all API calls, with a total of 22,478 occurrences across the API schema. More importantly, it revealed a highly skewed distribution in which subscriber identity plays a pivotal role.
Specifically, the SUPI parameter ranks as the second most frequent field. We found that SUPI occurs both as a direct parameter ("supi") and under 43 other parameter names that are all related to the use of SUPI. For these 44 different parameter names we could track a total of 1,531 occurrences. At over 6.8% of all parameter occurrences, this constitutes a disproportionately large share of total references. We also detail scenarios where subscriber privacy can be compromised by internal actors and review future privacy-preserving frameworks that aim to decouple subscriber identity from network operations. By suggesting a shift towards a zero-trust model for CN architecture and providing subscribers with greater control over their identity management, this work also offers a potential roadmap for mitigating insider threats in current deployments and influencing specific standardization and regulatory requirements for future 6G and Beyond-6G networks.

1. Introduction

Privacy in the digital world can be challenging to achieve within systems, due to concerns stemming from data leaks, the rise of de-anonymization techniques, the growing complexity of interfaces between communication stacks, side-channel attacks, and numerous other factors. Thus, the comprehensive mitigation of privacy-threatening attacks needs to play an increasingly important role when planning such systems and technologies. During the design of complex technological architectures, trade-offs must be considered to maintain the project’s feasibility. However, not all devices or protocols within an ecosystem are created equal. For example, resource-constrained devices, legacy equipment, low-latency & high-reliability emergency operations, and low-power edge devices all require significant tradeoffs for their design and operation. Thus, the reality is that the same level of identity protection cannot be achieved across all systems that we utilize, or even across all aspects of a system. However, the core tenet should always be to prioritize the protection of user identities, both for current systems and for the design of future technologies.

1.1. Identity Protections and Needs in 5G

From studying recent publications, we can observe an increasing focus on and discussion of privacy protections within 5G cellular networks, as well as their integration into planning and standardization efforts for 6G [1,2]. When releasing the 5G specification, the 3GPP (3rd Generation Partnership Project) introduced solutions to address some of the privacy concerns that existed for decades, around how 4G and prior generations utilized a subscriber’s permanent identifiers, such as IMSI (which in 5G is referred to as SUPI), being sent over-the-air without protection. With the introduction of the SUCI into 5G cellular networks, users’ identities are sent to their Home Network (HN) encrypted, thereby thwarting attackers’ ability to intercept them and track users on the network. Although the SUCI protects users from threats on the air interface, privacy mechanisms within 5G Core Networks lack the ability to preserve the full anonymity of users due to the SUPI being utilized in databases, billing operations, internal network communications, and other applications. Current 5G cellular networks lack the framework to maintain full subscriber identity privacy, as current standardization instills trust within all CN operations to safeguard sensitive information. However, this philosophy, in general, is made under the assumption that all CN operations can be fully trusted and secured. Even as telcos protect their systems with state-of-the-art mechanisms and equipment, this still leaves unresolved the feasibility of insider threats, malware campaigns, and social engineering tactics. Threat actors have demonstrated that this approach can be exploited to gain unauthorized access to subscribers’ metadata, enabling eavesdropping and extraction of location information, text messages, phone calls, network activity, and more.
Recent attacks on prominent US telecom companies, which included attackers obtaining information detrimental to prominent individuals, prove the need for further protections for subscribers’ identities within 5G CNs [3]. During the unauthorized exfiltration of subscriber metadata, attackers obtained information on prominent government officials and their proceedings, which led to the theft of classified information. Due to the lack of robust measures to protect subscribers’ permanent identities on the network, there are currently no mechanisms that allow a user to privately connect to a cellular network, given the inherent nature of the protocols and the use of permanent identifiers within them. Consequently, information can be gathered, such as location, behavioral tendencies, website visits, SMS text messages, phone calls, and more, and can be linked back to a specific user based on the permanent identifiers stored within the HN’s database and the subscriber’s SIM content [4]. For instance, if a user, Alice, connects to a 5G network using a mobile phone and visits different websites, makes calls, and sends text messages, then an HN operator has the ability to link this information directly to Alice’s device. The collection of this information is directly linked to Alice’s identity, posing a risk if the HN operator is not inherently trusted or if insider threats are present. If Alice is also part of a critical organization or government, this data collection and misuse could be especially detrimental if leaked or stolen, similar to the attacks that occurred in late 2024. The implementation of any privacy mechanism in 5G/6G CNs to prevent information from being directly tied back to Alice’s identity, however, must be carefully weighed against their potential impact on the standard specifications and several core services, such as lawful interception, security, billing, fraud detection, roaming support, and more. 
Figure 1 is a graphical representation showing how SUCI is used during initial connection to a 5G network, but then becomes decrypted into SUPI after the initial stages of authentication of the subscriber.

2. Background

To understand the necessity of decoupling subscriber identity from network operations, it is essential to review the current authentication standards, the prevailing trust models within the 3rd Generation Partnership Project (3GPP) specifications, and the specific vectors through which insider threats exploit these architectures.

2.1. Standard 5G Authentication and Data Exposure

The 5G system utilizes the 5G Authentication and Key Agreement (5G-AKA) or EAP-AKA protocols to mutually authenticate the User Equipment (UE) and the network. A significant enhancement in 5G, as noted in 3GPP Release 15, was the introduction of the Subscription Concealed Identifier (SUCI). The SUCI prevents 4G’s International Mobile Subscriber Identity (IMSI) catching attacks over the air interface by encrypting 5G’s Subscription Permanent Identifier (SUPI) using the Home Network’s public key before transmission [3]. However, the privacy protection offered by SUCI is terminated once the packet reaches the Authentication Server Function (AUSF) and the Unified Data Management (UDM) function within the Core Network (CN). Upon decryption, the SUPI is stored and processed in plaintext to facilitate essential network functions, including lawful interception, billing, and session management. Consequently, while the air interface is secured, the critical backend infrastructure maintains a centralized repository of user identities, namely the UDM, effectively creating a high-value target for adversaries once they penetrate the network perimeter [5]. Figure 2 provides a simplified view of a 5G CN, highlighting where SUCI is protected on the air-interface versus where the decrypted SUPI is exposed across other VNFs.

2.2. Insider Threats and Architectural Vulnerabilities

Insider threats represent one of the most difficult challenges in cellular network security since they operate within the "trust boundary" of the Mobile Network Operator (MNO). Insider threats are generally categorized into two types: malicious insiders (disgruntled employees or spies) and unintentional insiders (staff whose credentials have been compromised via social engineering or malware) [6]. In the context of 5G Core Networks, the Service-Based Architecture (SBA) relies heavily on APIs for communication between network functions (NFs). If an attacker gains access to the Core Network through compromised credentials or supply chain vulnerabilities, they effectively possess the privileges of an insider. Research in [7] highlights that traditional perimeter defenses are insufficient against such threats because the internal traffic between the UDM, AUSF, and other NFs often lacks granular access controls or secondary identity verification layers. Furthermore, recent high-profile breaches in telecommunications have demonstrated that attackers specifically target Lawful Interception (LI) interfaces and Customer Relationship Management (CRM) databases. These systems require access to the unencrypted SUPI to function. Once an insider adversary creates a lateral movement path to these specific nodes, they can passively monitor subscriber metadata, location, and communications without triggering standard intrusion detection systems, as the queries appear to be legitimate administrative actions.

2.3. MNO Threat Modeling

For robust privacy-preserving 5G/6G architectures, it is necessary to formally define the adversary. The trust relationship between the subscriber and the MNO has evolved from implicit trust to a "zero-trust" necessity. Table 1 categorizes the four distinct threat models defined in recent literature, ranging from legacy assumptions to state-level coercion.
The existence of the Coerced and Malicious-but-Cautious models necessitates architectures where the MNO is cryptographically blinded to the user’s true identity, as reliance on policy-based trust, such as in the HbC model, is insufficient for high-risk use cases such as healthcare, government & military operations, or critical infrastructure control.

3. Related Works

3.1. Current 5G Subscriber Identity Protection Proposals

Current research supports a trend toward stronger identity privacy mechanisms within 5G and also for future 3GPP CNs, as shown in [13]. The author of this paper outlines and proposes new solutions for two major identity privacy concerns within 5G networks: defeating the sophisticated SUCI catchers [14] and addressing the "Bring Your Own Identity" issue for 5G. Within the author’s research, a review of prior work on SUCI catching deems the suggested countermeasures largely inadequate in practice, because they either tackle only one variant (e.g. hidden HN public key, MAC-in-SUCI, & timestamps/replay lists [3]) or require disruptive changes (linking registration to authentication or authenticating base stations [3,16]), thus motivating research into a backward-compatible solution. The author proposes a new approach to addressing this issue, which involves utilizing a new ephemeral identity based on SUPI between the UE and the HN, referred to as "hSUPI" (a hashed SUPI). In this case, the SUPI is hashed prior to being encrypted by the UE to form the hSUPI, which replaces the direct use of the SUPI when forming the SUCI. The HN then includes the “next” hSUPI in the Authentication Token (AUTN) MAC, and after a valid RES* (extended user authentication response), both the UE and HN advance their stored hSUPI values, so that any captured SUCI becomes useless after at most the next one or two authentications. This approach is claimed to thwart SUCI catching attacks where a rogue base station is able to infer the identity of an individual, thus protecting the subscriber’s identity privacy on initial attachments to the network. Following this proposal, the author also introduces a scheme that allows users to "bring their own identity" to a 5G network.
In practice, this scheme introduces an external identity provider that works in conjunction with the CN to authenticate users to the network, enabling organizations to control subscriber access and identities. Although this scheme allows an external organization to control access to certain subscribers, it does not fully decouple the true identity of a subscriber connected to the network, as stated in the work, which notes that a subscriber’s identity can be read by the HN. Future work outlooks, such as "more radical proposals that eliminate the HN entirely to decouple the roles of account management and network operation," also support this claim.
Similar proposals from 2024 for enhanced subscriber identity privacy are presented in [9] and revisited in [18], where the authors propose a model aimed at eliminating "cellular subscriber tracking" to prevent data linkage attacks from identifying subscriber behavior on the network. The authors introduce the "Anonymous Authentication and Key Agreement (AAKA)" protocol, which allows legitimate subscribers to connect to a 5G network without revealing their true identity. In theory, this approach fills a gap that currently exists in cellular networks: the ability for network operators to infer users’ behaviors and metadata across different network connections or sessions. One major assumption in their model is that this scheme only applies to HbC network operators. This HbC network operator model implies that the administrators of a network adhere to proper privacy rules regarding their customers’ data, yet may still inspect or analyze that data to the extent allowed by the rules and technical capabilities. This assumes that the network plans to follow all rules, such as not bypassing the scheme by adding silent back-doors into their AAKA protocol, which would ultimately render the scheme entirely ineffective. This also still leaves the possibility for an insider threat, whether that is authorized personnel acting in bad faith or an intruder to the network looking to nullify privacy schemes, as it does not fully decouple the subscriber’s privacy protections from the domain of the MNO. The authors in [19] discuss different subscriber identity attacks within both standalone (SA) and non-standalone (NSA) 5G network architectures. Their experiments are based upon three tenets, which shall be upheld with respect to the radio access link: UE Identity Privacy, UE Location Privacy, and UE Untraceability. The aforementioned tenets are to be upheld in the case of an active eavesdropper on the radio access link, whereas insider threats are not considered. 
Through their experiments, the researchers found two new privacy vulnerabilities. The first is a GUTI Reallocation Command attack, which exploits the lack of integrity protection and ciphering during the transmission of the Configuration Update Command, potentially leading to Denial of Service (DoS) or location tracking. The second is a Security Capabilities Bidding-Down attack, which exploits the omission of the Message Authentication Code (MAC) in the NAS Security Mode Command, enabling adversaries to downgrade the security protocols used by the device. Crucially, these exploits operate under the assumption of an external adversary acting as a Man-in-the-Middle or eavesdropper on the air interface, rather than a compromised element within the Core Network. Consequently, the vulnerabilities highlight risks arising specifically from the lack of integrity and confidentiality protections on the radio link, allowing unauthorized third parties to manipulate signaling traffic without requiring insider access.

3.2. Self-Sovereign Identity Proposals for 6G

Research in [20] discusses the need for decentralized subscriber identities due to the proposed nature of cross-domain interoperability in 6G networks. The authors propose decentralized identifiers and self-sovereign identity as the basis for identity management in 6G, which transforms subscribers’ personal data into verifiable credentials under the customer’s control. Decentralized Identifiers (DID) are stated to enable a more homogeneous network landscape, as the subscriber identity is no longer controlled by a single PLMN inside the UDM. However, even though the proposed distributed ledger shared between MNOs does not share personal data of the subscriber, the authors do mention that the home network is responsible for issuing the necessary verifiable credentials used in creating the SSI. This implies that the HN still has the ability, in some scenarios, to know the identity of an individual connected to the network. On the contrary, the authors do mention that identity and behavior tracking are greatly or totally diminished in roaming and edge access scenarios due to the nature of the SSI architecture, and no longer needing to signal to the HN in these cases. In a supplementary technical analysis written by the same authors [21], they explicitly define the MNO’s responsibility as the ’issuer’ of identity within the trust layer, which confirms the link in their previous work stating that a subscriber’s identity remains tethered to the HN even when verifications are decentralized. This is built on the foundation of the commonly used "Know-Your-Customer" (KYC) principles. 6G privacy schemes in [22] follow a similar path: to separate the digital identity from MNOs and place the management of identity into the subscribers’ hands. This is achieved through a blockchain and zero-knowledge proofs, assuming that the necessary identity infrastructure elements are HbC. 
The authors state that the use of zero-knowledge proofs drastically reduces the chances that an MNO could track user behaviors and metadata on a network, thereby supporting their claims of unlinkability. The authors in [23] present a unified self-sovereign identifier (U-SSI) architecture that stresses how the U-SSI is not owned by any one organization, similar to the SUPI in 5G. This, like similar architectures, enables the sharing of a user’s identity between cellular operators. The authors do not mention the strategy or protocols behind the onboarding of a customer, or whether the network operator has a mapping between the U-SSI and true PII. Figure 3 illustrates the comparison between the current 5G architecture, in which the SUPI is managed by the subscriber’s MNO, with the proposed method that decouples subscriber identity via a blockchain and zero-knowledge proofs in 6G.

4. The Need for Subscriber Identity Privacy in 5G/6G Core Networks

Current methods for subscriber identity within 5G CNs focus on protecting the SUPI over the air interface with the introduction of the SUCI. The SUCI conceals the subscriber identity via encryption and is designed for only the CN to be able to decrypt the SUCI to obtain the SUPI. This protects the user from passive air-interface eavesdroppers, as seen in previous generations of cellular networks, via IMSI catchers [24]. Although the SUCI protects the user over the air interface from profiling or linkage attacks, it is decrypted immediately once the concealed identifier enters the CN during 5G-AKA. Clear-text storage and mapping of the SUPI to subsequent identifiers, as studied in our previous work [25], open the door to possible attacks such as metadata exfiltration, where attackers can link network activities to specific users, potentially revealing high-profile individuals. In this section, we will detail the processes within the CN that link SUPI to residual encryption keys and identifiers, such as $K_{AMF}$ and GUTI, describing the vectors that attackers could exploit to track subscriber behaviors on the network.
Table 2 outlines the cryptographic "chain-of-custody" used within 5G CNs during a UE’s attachment to the network as defined in 3GPP standards [3]. The keys listed in the table follow a chronological order, from $K_{AUSF}$ used as the initial anchor in the CN to $K_{gNB}$ and beyond for the encryption of air interface traffic. Of particular significance to subscriber identity privacy is the derivation of $K_{AMF}$. As shown in the 3rd row of Table 2, the generation of this key explicitly requires the clear-text SUPI as an input to the key-derivation function (KDF). This confirms the usage of SUPI to link subscriber actions on the network in the current architecture of 5G systems. Since $K_{AMF}$ serves as an anchor for subsequent derivations, a cryptographic lineage is established that permanently binds session keys to the subscriber’s permanent identity. Thus, any exfiltration of stored environment operations in the generation of $K_{AMF}$ could allow an attacker to de-anonymize subscriber traffic on the network, rendering the encryption pointless.
Algorithm 1, shown below, illustrates in greater detail how the SUPI is used in the generation of $K_{AMF}$ and its inclusion within the UE’s security context (ctx) within the CN, as defined in [3]. In phase one, $K_{AMF}$ is generated within the AMF via the inputs $K_{SEAF}$ and $S$ into the KDF. $S$ is a string that contains the SUPI, thereby anchoring all services in the current connection to that specific user. Phase two initializes the security context data structure that is necessary to hold cryptographic keys and state information for each user connected to the network. Finally, in phase three, keys are generated for communication with the gNB using the $K_{AMF}$ as an input to the KDF. A corresponding key derivation process also takes place on the UE side to maintain cryptographic continuity, ensuring both endpoints have identical keys, while the context structure itself remains internal to the AMF.
Algorithm 1: Derivation of $K_{AMF}$ and Network Context Setup
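The SUPI binding described for the three phases above can be reproduced in a few lines. This is an added example, not the paper's Algorithm 1 or 3GPP reference code; it assumes the generic 3GPP KDF (HMAC-SHA-256 over FC followed by each parameter and its two-byte length) with the TS 33.501 Annex A input layouts for K_AMF (FC 0x6D, SUPI, ABBA) and K_gNB (FC 0x6E, uplink NAS COUNT, access type). The K_SEAF, SUPI and GUTI values, the ASCII encoding of the SUPI, and the dictionary used as security context are constructed for illustration.

```python
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, S) with S = FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each Li is a 2-byte big-endian length
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_amf(k_seaf: bytes, supi: str, abba: bytes = b"\x00\x00") -> bytes:
    # Phase 1: S carries the clear-text SUPI (ASCII digits here, an assumption
    # of this example) followed by the ABBA parameter.
    return kdf(k_seaf, 0x6D, supi.encode("ascii"), abba)


def derive_k_gnb(k_amf: bytes, ul_nas_count: int = 0, access_type: int = 0x01) -> bytes:
    # Phase 3: K_gNB is keyed by K_AMF, so it inherits the SUPI binding.
    return kdf(k_amf, 0x6E, ul_nas_count.to_bytes(4, "big"), bytes([access_type]))


def build_context(k_seaf: bytes, supi: str, guti: str) -> dict:
    # Phase 2: hypothetical per-UE security context held inside the AMF.
    k_amf = derive_k_amf(k_seaf, supi)
    return {"supi": supi, "guti": guti, "k_amf": k_amf, "k_gnb": derive_k_gnb(k_amf)}


def resolve_supi(contexts: list, guti: str):
    """The linkage to treat as sensitive: read access to stored contexts is
    enough to map a temporary identifier back to the permanent one."""
    return next((c["supi"] for c in contexts if c["guti"] == guti), None)


# Constructed values, not taken from any network or test vector.
K_SEAF = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
CONTEXTS = [
    build_context(K_SEAF, "001010000000001", "guti-constructed-a"),
    build_context(K_SEAF, "001010000000002", "guti-constructed-b"),
]

if __name__ == "__main__":
    # Same K_SEAF, different SUPI: every derived key differs per subscriber.
    for ctx in CONTEXTS:
        print(ctx["supi"], ctx["guti"], ctx["k_amf"].hex()[:16], ctx["k_gnb"].hex()[:16])
```

Because the SUPI is an input to the first derivation, every key further down the chain is specific to one subscriber, and the stored context is the join between that identity, its temporary identifier and its keys.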
Algorithm 2, shown below, details the process defined by 3GPP for the creation of 5G-GUTI [3,3]. The GUTI is utilized as a temporary identifier for communications between the UE and the CN. The National Institute of Standards and Technology (NIST) details how the use of GUTI helps protect a subscriber’s identity privacy when an attacker is present between the UE and the CN [27]. However, the GUTI remains tied to the SUPI within the UE security context, thus allowing the CN to complete normal functions such as billing.
Algorithm 2: 5G-GUTI Allocation and Context Storage at AMF
The creation and binding of the GUTI begins with a UE signaling its intention to connect to the network. In the case that a GUTI has not been assigned, SUPI is resolved from SUCI during the 5G-AKA process. Phase two of Algorithm 2 is then used to determine if a new GUTI is required. This process is known as GUTI Reallocation, which NIST emphasizes MNOs should practice frequently in order to make it more difficult for potential attackers between the UE and CN to track an individual. If a GUTI needs to be reallocated, a new identifier is created by concatenating specific identifiers within the UE’s security context. Consequently, in the final step of Phase 3, the UDM network function is notified of the AMF serving the UE by receiving the SUPI and GUAMI (Global Unique AMF Identifier). The process of GUTI creation or reallocation is completed in Phase 4, where the new identifier is securely sent to the UE and acknowledged.

5. Analysis of 5G VNF API Parameter Prevalence and Risks

With the previous section detailing how the SUPI is treated within 5G CNs during authentication of a subscriber to the network, along with the linkage between it and the temporary identifier GUTI, it is also important to cover the vast usage and pervasiveness of SUPI in 5G VNF API calls. Contrary to the creation of GUTI, which mainly takes place within the AMF, there are multiple instances where the subscriber’s permanent identity is exchanged between multiple VNFs [3]. 5G VNFs are networks of services that complete specific functions such as billing, authentication, location awareness, SMS messaging, etc. VNFs open the door for a more extensible and accessible 5G network architecture, such as utilizing third-party cloud providers to host servers on which these VNFs are executed. This brings with it the need for serious considerations of how to best protect subscriber identity privacy within the VNFs and in their communications between each other. In this section, we present a study examining the frequency with which the SUPI is included in 3GPP VNF API schemas. We then also discuss the significance of this prevalence for the design and behavior of 3GPP network functions and how this current architecture leaves the door open to malicious privacy attacks.
Our study aims at identifying the magnitude of occurrences of the SUPI within the vast array of API calls between 5G VNFs. Our initial hypothesis is that the SUPI is used throughout these API calls, due to its foundational nature in linking actions such as authentication, session management, and billing. The API schema dataset used for this study is a part of the collection of all 3GPP Release 18 schema standards, compiled in an exhaustive GitHub repository [28]. Within this corpus of standards, we restrict our analysis to VNF-specific APIs, namely those OpenAPI files whose service names follow the 3GPP TS*****_N<vnf>_<ServiceName>.yaml convention. Representative examples adhering to this nomenclature include TS29518_Namf_Communication.yaml, TS29502_Nsmf_PDUSession.yaml, and TS29510_Nnrf_NFManagement.yaml. We treat all other remaining interfaces as application or exposure functions that are considered out of scope for this study [3]. To categorize and capture all parameter data within each schema standard, the standards are processed through a "walker" that groups all possible parameters included in the URI or JSON body payload. A few examples of this are shown in Table 3 with focus on the "supi" and "subscriberIdentifier" parameters. These are the parameter names used in the API documentation of the 3GPP standards releases. They are different names, but refer to the same SUPI parameter. In fact, SUPI is represented by a wide variety of different names for different API calls, which required significant effort to accurately and comprehensively map out, link, and analyze for this study.
Once all VNF-specific standards were parsed, they were then aggregated and counted across all files. For further clarity into the prevalence of the SUPI’s presence in API calls, the descriptions of the OpenAPI schema are also considered. This is because some of the parameters we uncovered, such as "supportedFeatures", do not explicitly state that the SUPI is included in this schema by name. However, we can accurately infer that a given parameter name represents the use of the SUPI with this parameter through the description of its usage in some schema standards, because they mention the inclusion of SUPI, e.g.: "Contains the UE id (i.e., SUCI or SUPI) and the Serving Network Name.".
In order to formally present the distinction between the different sets considered in this experiment, let $P$ represent the set of all distinct VNF API parameters located across the 3GPP OpenAPI standards, and let $f(p)$ denote the frequency of occurrence for any parameter $p \in P$. Thus, the total parameter usage, $N_{total}$, is detailed as such:
$$|P| = 5{,}670 \quad \text{and} \quad N_{total} = \sum_{p \in P} f(p) = 22{,}478 \tag{1}$$
To quantify the less apparent prevalence of SUPI within API calls, we define a subset $P_{ctx} \subset P$, which consists of API parameters that do not explicitly have the name "supi" but rather reference SUPI within their schema description $D(p)$:
$$P_{ctx} = \{\, p \in P \mid \text{SUPI} \in D(p) \,\} \tag{2}$$
Thus, the cumulative prevalence of the contextual subset of SUPI included in the description of the parameter is calculated as:
$$|P_{ctx}| = 43 \quad \text{and} \quad \sum_{p \in P_{ctx}} f(p) = 1{,}245 \tag{3}$$
For the target API parameter "supi", we see a significant number of occurrences:
$$f(p_{supi}) = 286 \quad \text{with} \quad \operatorname{rank}(p_{supi}) = 2 \tag{4}$$
Under this methodology, the aggregation of all VNF OpenAPI files for 3GPP Release 18 is described as a universal set of parameters $P$, which yields a total of 5,670 distinct parameters, denoted as $\beta$, with 22,478 occurrences across all VNF OpenAPI files, denoted as $\psi$. The "supi" API parameter name shown in Equation 4 comes in at rank two, with 286 total occurrences, which can be denoted as $\epsilon$. The parameters in the subset $P_{ctx}$ that mention SUPI in their descriptions total 43, with 1,245 total occurrences across all files, where the total parameters with this distinction can be denoted as $\kappa$, and the sum of all occurrences can be denoted as $\gamma$.
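A minimal version of the walker and of the sets defined above (the parameter set, the frequency f(p) and the description-based subset), as an added example rather than the authors' tooling. The schema fragments are constructed and stand in for parsed YAML; the file name TS29571_CommonData.yaml and every parameter name other than "supi", "subscriberIdentifier" and "supportedFeatures" are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# File-name convention quoted in the text: TS*****_N<vnf>_<ServiceName>.yaml
VNF_FILE = re.compile(r"^TS\d{5}_N[a-z0-9]+_\w+\.yaml$")
SUPI_WORD = re.compile(r"\bSUPI\b", re.IGNORECASE)


def walk(node, freq, desc):
    """Count names in `parameters` lists (URI/query) and `properties` maps
    (JSON bodies), keeping every description seen for each name as D(p)."""
    if isinstance(node, dict):
        for item in node.get("parameters", []):
            if isinstance(item, dict) and "name" in item:
                freq[item["name"]] += 1
                desc[item["name"]].append(item.get("description", ""))
        props = node.get("properties", {})
        if isinstance(props, dict):
            for name, schema in props.items():
                freq[name] += 1
                text = schema.get("description", "") if isinstance(schema, dict) else ""
                desc[name].append(text)
        for value in node.values():
            walk(value, freq, desc)
    elif isinstance(node, list):
        for value in node:
            walk(value, freq, desc)


def analyze(specs):
    freq, desc = Counter(), defaultdict(list)
    for fname, doc in specs.items():
        if VNF_FILE.match(fname):          # out-of-scope files are skipped
            walk(doc, freq, desc)
    # P_ctx: not named "supi", but at least one description mentions SUPI.
    p_ctx = {p for p in freq
             if p != "supi" and any(SUPI_WORD.search(d) for d in desc[p])}
    n_total = sum(freq.values())
    ctx_occ = sum(freq[p] for p in p_ctx)
    ranked = [p for p, _ in freq.most_common()]
    return {
        "distinct": len(freq), "n_total": n_total,
        "supi_occurrences": freq["supi"], "supi_rank": ranked.index("supi") + 1,
        "p_ctx": p_ctx, "ctx_occurrences": ctx_occ,
        "share": (freq["supi"] + ctx_occ) / n_total,
    }


# Constructed fragments (not 3GPP text), shaped like parsed OpenAPI documents.
SPECS = {
    "TS29518_Namf_Communication.yaml": {
        "paths": {"/ue-contexts/{ueContextId}": {
            "put": {"parameters": [{"name": "ueContextId", "in": "path",
                                    "description": "UE context id; may be a SUPI or 5G-GUTI"}]},
            "delete": {"parameters": [{"name": "ueContextId", "in": "path",
                                       "description": "UE context id"}]}}},
        "components": {"schemas": {"UeContext": {"properties": {
            "supi": {"description": "Subscription Permanent Identifier"},
            "pei": {"description": "Permanent Equipment Identifier"},
            "supportedFeatures": {"description": "Supported features"}}}}},
    },
    "TS29502_Nsmf_PDUSession.yaml": {
        "components": {"schemas": {
            "SmContextCreateData": {"properties": {
                "supi": {"description": "SUPI of the UE"},
                "subscriberIdentifier": {"description": "Identifies the subscriber by SUPI"},
                "dnn": {"description": "Data Network Name"},
                "supportedFeatures": {"description": "Supported features"}}},
            "AuthData": {"properties": {
                "supi": {},
                "authInfo": {"description": "Contains the UE id (i.e., SUCI or SUPI) "
                                            "and the Serving Network Name."}}}}},
    },
    # Does not follow the N<vnf> convention, so it is out of scope.
    "TS29571_CommonData.yaml": {"components": {"schemas": {"Common": {"properties": {
        "supi": {"description": "SUPI"}, "gpsi": {"description": "GPSI"}}}}}},
}

if __name__ == "__main__":
    for key, value in analyze(SPECS).items():
        print(f"{key}: {value}")
```

A name enters the contextual subset as soon as one of its descriptions mentions SUPI, and all of its occurrences are then counted, which is why "ueContextId" contributes two occurrences here although only one of its descriptions names the SUPI.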
To further understand the prevalence of the "supi" API parameter name and the distribution by rank of the other parameters, Figure 4 details this stark distinction. It can be observed that the usage of parameters within the 3GPP OpenAPI VNF standards has a small set of parameters that are utilized frequently, while the majority of parameters are used much less frequently. This distribution fits a Power Law that drastically decays with a "heavy" long tail beginning around parameters ranked in the 200-300 range. This provides further evidence that the SUPI, in its various parameter naming variations, is a significant factor in 5G VNF API communications.
The general definition of the Power Law function describing the relationship between frequency (or prevalence) $f(x)$ and rank $x$ is given by:
$$f(x) = C x^{-\alpha} \tag{5}$$
where $\alpha$ is the scaling exponent, or more generally the slope. $C$ is described as a normalization constant. In the analysis of Zipfian distributions and scale-free networks [34], the constant $C$ can be omitted, allowing for a strict focus on the intrinsic behavior of the system at hand. With this being said, the relationship can be expressed as proportionality:
$$f(x) \propto x^{-\alpha} \tag{6}$$
Generally, the exponent $\alpha$ characterizes the fundamental topology of the network, independent of its scale, whereas $C$ is merely a normalization constant contingent on dataset-specific attributes [35]. In comparative network analyses, such as this study, the proportionality definition of the Power Law function where $C$ is dropped is favored to emphasize the scale-free property [36]. In the case of Figure 4, the Power Law curve is fit by way of a linear least-squares regression on the log-transformed rank frequency data. This in turn estimates the slope $m \approx -0.79$. This corresponds to the Power Law exponent $\alpha \approx 0.79$ in Equation 6. Figure 5 shows the same Power Law distribution, but this time on a log-log scale and with the subset $P_{ctx}$ highlighted in blue.
Figure 5 shows more explicitly the widespread prevalence of parameters within $P_{ctx}$ alongside non-SUPI-related parameters. Whereas the non-SUPI-related parameters seem to span the entire distribution, clustering near the heavy tail, the $P_{ctx}$ set of parameters seems to be situated near the middle/top left of the distribution. This illustration reinforces the significant prevalence of SUPI-related parameters used throughout 5G VNF communications.
Due to the nature of the heavy-tailed distribution of the rank of parameter prevalence, Figure 6 uses a comparative boxen plot. The two sets of SUPI-related and non-SUPI-related parameters are grouped side by side. The blue boxes highlight a higher median prevalence for parameters that mention SUPI in their descriptions, whereas the gray plot details any non-SUPI-related parameters, which are dominated by lesser-used parameters. Visually, the median of the $P_{ctx}$ plot is nearly one order of magnitude larger than that of the non-SUPI-related parameters. This difference is supported by a Mann-Whitney U test, where $p < 0.001$, indicating strong evidence that the two sets do not share the same underlying distribution. These results indicate that parameters containing SUPI are not isolated outliers, but rather are strongly associated with operational importance and high prevalence within 5G VNF API communications.
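The counting and fitting procedure described in this section, as an added example that is not the authors' code: it tallies parameter names across a few constructed OpenAPI fragments, builds the SUPI-related subset from descriptions that mention SUPI, and fits the log-log rank-frequency slope by least squares. The fragments, the rule for what counts as a parameter (schema `properties` keys plus operation `parameters` names), and all function names are assumptions.

```python
import math
from collections import Counter

# Constructed miniature OpenAPI fragments (NOT the 3GPP Release 18 files).
SPECS = {
    "udm_constructed": {
        "paths": {"/{supi}/registrations": {"get": {"parameters": [
            {"name": "supi", "in": "path", "description": "SUPI of the UE"}]}}},
        "components": {"schemas": {"Registration": {"properties": {
            "supi": {"description": "SUPI of the subscriber"},
            "pei": {"description": "Permanent Equipment Identifier"},
            "ueId": {"description": "May carry a SUPI or a GPSI"}}}}},
    },
    "smf_constructed": {"components": {"schemas": {
        "SmContext": {"properties": {
            "supi": {"description": "SUPI"},
            "dnn": {"description": "Data Network Name"},
            "pduSessionId": {"description": "PDU session identifier"},
            "ueId": {"description": "SUPI or GPSI"}}},
        "Release": {"properties": {"cause": {}, "dnn": {}}}}}},
    "chf_constructed": {"components": {"schemas": {"ChargingData": {"properties": {
        "subscriberIdentifier": {"description": "Contains the SUPI"}}}}}},
}


def _record(name, meta, freq, ctx):
    freq[name] += 1
    if isinstance(meta, dict) and "supi" in str(meta.get("description", "")).lower():
        ctx.add(name)  # assumption: one SUPI-mentioning description puts the name in P_ctx


def count_params(node, freq, ctx):
    """Walk a schema tree, counting schema property names and operation parameter names."""
    if isinstance(node, dict):
        props = node.get("properties")
        if isinstance(props, dict):
            for name, meta in props.items():
                _record(name, meta, freq, ctx)
        params = node.get("parameters")
        if isinstance(params, list):
            for p in params:
                if isinstance(p, dict) and "name" in p:
                    _record(p["name"], p, freq, ctx)
        for child in node.values():
            count_params(child, freq, ctx)
    elif isinstance(node, list):
        for child in node:
            count_params(child, freq, ctx)


def fit_slope(freq):
    """Least-squares slope m of log10(frequency) against log10(rank)."""
    ranked = sorted(freq.values(), reverse=True)
    xs = [math.log10(r) for r in range(1, len(ranked) + 1)]
    ys = [math.log10(f) for f in ranked]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)


def analyze(specs, target="supi"):
    freq, ctx = Counter(), set()
    for spec in specs.values():
        count_params(spec, freq, ctx)
    order = sorted(freq, key=lambda n: (-freq[n], n))  # rank 1 = most frequent
    return {
        "beta": len(freq),                   # distinct parameter names
        "psi": sum(freq.values()),           # total occurrences
        "epsilon": freq[target],             # occurrences of the target name
        "rank": order.index(target) + 1,     # rank of the target name
        "kappa": len(ctx),                   # size of the SUPI-related subset
        "gamma": sum(freq[n] for n in ctx),  # occurrences of SUPI-related names
        "p_ctx": sorted(ctx),
        "slope": fit_slope(freq),            # m, negative for a decaying distribution
    }


if __name__ == "__main__":
    print(analyze(SPECS))
```

The `p_ctx` list is the part an operator can reuse directly: it names every field whose schema description admits a SUPI, which is the set a log-redaction or access-review policy has to cover.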

6. Conclusions

Subscriber identity privacy within 5G networks is based upon the assumption that the MNO adheres to all regulations and maintains a strict security posture. Recent attacks on US telecom infrastructure, where prominent subscriber metadata and behavioral information were leaked, demonstrate that this approach is not fully hardened and remains vulnerable to large-scale compromise. Our study of the 3GPP VNF schema standards strengthens this claim by clearly and unequivocally demonstrating that subscribers’ permanent identifiers and closely related identifiers play a significant role in internal network control traffic.
Thus, we need to conclude that further research into pseudonymizing, masking, SSI, or integrating ephemeral identifiers for subscribers to these networks is critically and urgently needed to advance this solution to the identity threat present within 5G Core networks. Methods that decouple a subscriber’s permanent identity from the MNO, along with moving away from a central point of identity privacy failure, aid in reducing the attack surface that attackers can exploit for tracking subscribers. Protecting a subscriber’s permanent identity on a public network requires some entity within the network to be fully trusted, or mechanisms that reduce the amount of trust necessary, such as zero-knowledge proofs. In a sense, there must be some mechanism that instills a root authority of trust that every user can confidently count on to mask and protect their identity on the network. In addition to technical advances, any applicable models must remain compliant with current legal and regulatory requirements, unless and until those frameworks are revised in the future.

Author Contributions

Investigation, P.S., M.H., and H.S.; writing—original draft preparation, P.S. and M.H.; writing—review and editing, P.S., M.H., and H.S.; supervision, H.S. and M.H.; project administration, H.S. and M.H.; funding acquisition, H.S. and M.H. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Advanced Telecommunications Engineering Lab (TEL) at the University of Nebraska–Lincoln under TEL’s Student Innovation Grant program.

Data Availability Statement

The data presented in this study are part of an ongoing research effort and are available on request from the corresponding author(s).

Acknowledgments

During the preparation of this manuscript, the authors used Google’s Gemini 3 Pro Image for the sole purpose of generating the high-level illustrations at the beginning of this paper. The authors have reviewed the results and confirmed their applicability. No GenAI was used for conducting this research or for the writing of this manuscript.

Conflicts of Interest

The authors declare no conflicts of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

References

  1. Fang, H.; Wang, X.; Xiao, Z.; Hanzo, L. Autonomous collaborative authentication with privacy preservation in 6G: From homogeneity to heterogeneity. IEEE Network 2022, 36, 28–36.
  2. Mao, B.; Liu, J.; Wu, Y.; Kato, N. Security and privacy on 6G network edge: A survey. IEEE communications surveys & tutorials 2023, 25, 1095–1127.
  3. US Cybersecurity and Infrastructure Security Agency. Joint Statement by FBI and CISA on PRC Activity Targeting Telecommunications. 2024. Available online: https://www.cisa.gov/news-events/news/joint-statement-fbi-and-cisa-prc-activity-targeting-telecommunications.
  4. 3GPP. Security architecture and procedures for 5G System. Technical Specification (TS) 33.501, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169.
  5. Ferrag, M.A.; Maglaras, L.; Argyriou, A.; Kosmanos, D.; Janicke, H. Security for 4G and 5G cellular networks: A survey of existing authentication and privacy-preserving schemes. Journal of Network and Computer Applications 2018, 101, 55–82.
  6. Homoliak, I.; Toffalini, F.; Guarnizo, J.; Elovici, Y.; Ochoa, M. Insight into insiders and it: A survey of insider threat taxonomies, analysis, modeling, and countermeasures. ACM Computing Surveys (CSUR) 2019, 52, 1–40.
  7. Cao, J.; Ma, M.; Li, H.; Ma, R.; Sun, Y.; Yu, P.; Xiong, L. A survey on security aspects for 3GPP 5G networks. IEEE communications surveys & tutorials 2019, 22, 170–195.
  8. Potential Threat Vectors to 5G Infrastructure. In Analysis paper; Cybersecurity and Infrastructure Security Agency (CISA), 2021.
  9. Yu, H.; Du, C.; Xiao, Y.; Keromytis, A.; Wang, C.; Gazda, R.; Hou, Y.T.; Lou, W. Aaka: An anti-tracking cellular authentication scheme leveraging anonymous credentials. In Proceedings of the Network and Distributed System Security (NDSS) Symposium 2024, 2024; Internet Society.
  10. Available online: ://www.fcc.gov/document/fcc-fines-largest-wireless-carriers-sharing-location-data (accessed on 08-12-2025).
  11. Hoffman-Andrews, J. Verizon Injecting Perma-Cookies to Track Mobile Customers, Bypassing Privacy Controls — eff.org. Available online: https://www.eff.org/deeplinks/2014/11/verizon-x-uidh (accessed on 08-12-2025).
  12. Wiquist, W. FCC Settles Verizon "Supercookie" Probe. Available online: https://www.fcc.gov/document/fcc-settles-verizon-supercookie-probe (accessed on 08-12-2025).
  13. Parkin, J. Identity and security in 5G authentication. PhD thesis, Master’s thesis, University of Waterloo, 2024.
  14. Chlosta, M.; Rupprecht, D.; Pöpper, C.; Holz, T. 5G SUCI-Catchers: Still catching them all? In Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2021; pp. 359–364.
  15. 3rd Generation Partnership Project (3GPP). Technical Report TR 33.846; Study on authentication enhancements in the 5G system (5GS). 3GPP, 2021.
  16. Arapinis, M.; Mancini, L.; Ritter, E.; Ryan, M.; Golde, N.; Redon, K.; Borgaonkar, R. New privacy issues in mobile telephony: fix and verification. In Proceedings of the 2012 ACM conference on Computer and communications security, 2012; pp. 205–216.
  17. 3rd Generation Partnership Project (3GPP). Study on 5G security enhancement against false base stations (FBS). Technical Report TR 33.809; 3GPP. 2022.
  18. Zhao, Y.; Liu, X.; Xie, M.; Yang, X.; Ning, J.; Qin, B.; Zhang, H.; Yu, Y. Anonymous Authentication and Key Agreement, Revisited. Cryptology ePrint Archive; 2025.
  19. Eleftherakis, S.; Otim, T.; Santaromita, G.; Zayas, A.D.; Giustiniano, D.; Kourtellis, N. Demystifying Privacy in 5G Stand Alone Networks. In Proceedings of the 30th Annual International Conference on Mobile Computing and Networking, New York, NY, USA, 2024; ACM MobiCom ’24; pp. 1330–1345.
  20. Garzon, S.R.; Yildiz, H.; Küpper, A. Decentralized identifiers and self-sovereign identity in 6g. IEEE network 2022, 36, 142–148.
  21. Garzon, S.R.; Yildiz, H.; Küpper, A. Towards decentralized identity management in multi-stakeholder 6G networks. In Proceedings of the 2022 1st International Conference on 6G Networking (6GNet), 2022; IEEE; pp. 1–8.
  22. Zhang, G.; Hu, Q.; Zhang, Y.; Jiang, T. A blockchain-based user-centric identity management toward 6G networks. Digital Communications and Networks; 2025.
  23. Li, H.Y.; Xiao, S.H.; Cao, B.; et al. Primer for Trustworthy 6G: Unified Self-Sovereign Identifier System. ZTE Technology Journal 2025, 31, 22–30.
  24. Strobel, D. IMSI catcher. In Chair for Communication Security, Ruhr-Universität Bochum; 2007; Volume 14.
  25. Scalise, P.; Hempel, M.; Sharif, H. A Survey of 5G Core Network User Identity Protections, Concerns, and Proposed Enhancements for Future 6G Technologies. Future Internet 2025, 17, 142.
  26. 3GPP. System architecture for the 5G System (5GS). Technical Specification (TS) 23.501, 3rd Generation Partnership Project (3GPP). 2017. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3144.
  27. Sharma, S. Reallocation of Temporary Identities: Applying 5G Cybersecurity and Privacy Capabilities (Draft). 2024. Available online: https://csrc.nist.gov/pubs/cswp/36/c/reallocation-of-temporary-identities-applying-5g-c/ipd (accessed on 11-12-2025).
  28. de Gregorio, J. GitHub - jdegre/5GC_APIs: RESTful APIs of main Network Functions in the 3GPP 5G Core Network. 2024. Available online: https://github.com/jdegre/5GC_APIs (accessed on 06-12-2025).
  29. 3GPP. 5G System; Technical Realization of Service Based Architecture; Stage 3. Technical Specification (TS) 29.500, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3338.
  30. 3GPP. 5G System; Unified Data Management Services; Stage 3. Technical Specification (TS) 29.503, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3342.
  31. 3GPP. 5G System; Session Management Services; Stage 3. Technical Specification (TS) 29.502, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3340.
  32. 3GPP. 5G System; Session Management Policy Control Service; Stage 3. Technical Specification (TS) 29.512, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3352.
  33. 3GPP. Telecommunication management; Charging management; 5G system, charging service; Stage 3. Technical Specification (TS) 32.291, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3398.
  34. Barabási, A.L.; Bonabeau, E. Scale-free networks. Scientific american 2003, 288, 60–69.
  35. Newman, M.E. Power laws, Pareto distributions and Zipf’s law. Contemporary physics 2005, 46, 323–351.
  36. Pósfai, M.; Barabási, A.L. Network science; Cambridge University Press: Cambridge, UK, 2016; Vol. 3.
Figure 1. Illustration of standard authentication practices within 5G networks. SUCI protects the subscriber’s identity over the air, whereas the SUPI is used directly within the CN.
Figure 2. Simplified view of the 5G CN detailing how a subscriber’s identity transitions from a protected SUCI on the UE ⟶ gNB ⟶ AMF path to an unprotected SUPI as it is decrypted by the AUSF/UDM. SUPI then proliferates through numerous other VNFs during normal core network activities.
Figure 3. Comparison between current 5G subscriber identity management and proposed 6G methods that decouple subscriber identities via a blockchain and zero-knowledge proofs [22].
Figure 4. Linear rank-prevalence of VNF API parameters described in 3GPP schema standards. The distribution illustrates a sharp Power Law decay: $f(x) \propto x^{-0.79}$. The "supi" API parameter name is situated in the high-prevalence head, juxtaposed by the long tail, which comprises the vast majority of lesser-used parameters.
Figure 5. Power Law log-log analysis of API parameter prevalence, showing a distribution with slope of $\alpha \approx 0.79$, indicative of a scale-free network with a heavy tail. The high ranking of the "supi" API identifier and its counterpart parameter names, whose descriptions state that SUPI could be present, underscores that Subscription Permanent Identifiers are a dominant factor within 5G VNF communications.
Figure 6. Comparative letter-value (boxen) plot of parameter prevalence on a log scale, juxtaposing parameters with SUPI in their description against all other parameters. Box bands detail median and outer percentiles, highlighting a heavy-tailed distribution. A Mann-Whitney U test (p < 0.001) shows that SUPI-related parameters are significantly more prevalent than their counterparts within 5G VNF API calls.
Table 1. Classification of MNO Threat Models in Cellular Networks.

| Threat Model | Adversary Behavior & Privacy Implications |
|---|---|
| The Trusted Model | Assumes the Home Network (HN) is a benevolent custodian. Security focuses solely on attacks outside of the cellular infrastructure ecosystem. This model is considered obsolete due to the complexity of modern supply chains and the software-based nature of current 5G networks, which opens the door to third-party vendor or insider attacks [8]. |
| Honest-but-Curious (HbC) | The MNO faithfully executes network protocols (no service disruption or packet dropping) but analyzes all accessible traffic to profile users. Privacy schemes like AAKA [9] generally target this adversary, who leverages user trust to passively mine behavioral data for advertising purposes [10]. |
| Malicious-but-Cautious | An active adversary that may deviate from protocol (e.g., selling real-time location data, injecting headers) but only when the risk of detection is low. This model reflects an MNO balancing aggressive monetization against the risk of regulatory penalties or reputational damage [11,12]. |
| Coerced Model | An MNO compelled by legal jurisdiction or Lawful Interception (LI) mandates to break user privacy, or an MNO that has been attacked and these interfaces seized by adversaries. This renders user identity privacy assumptions void, regardless of the MNO’s internal integrity [3]. |
Table 2. 5G Key Derivations (3GPP access) and KDF Signatures.

| Derived Key | Input KEY to KDF | FC | $P_0$ | $L_0$ | $P_1$ | $L_1$ | Signature |
|---|---|---|---|---|---|---|---|
| $K_{AUSF}$ | CK ‖ IK | 0x6A | SNN (serving network name) | len(SNN) | SQN ⊕ AK | len(SQN ⊕ AK) | KDF(CK ‖ IK, S) |
| $K_{SEAF}$ | $K_{AUSF}$ | 0x6C | SNN | len(SNN) | | | KDF($K_{AUSF}$, S) |
| $K_{AMF}$ | $K_{SEAF}$ | 0x6D | SUPI | len(SUPI) | ABBA | len(ABBA) | KDF($K_{SEAF}$, S) |
| $K_{NASenc}$ | $K_{AMF}$ | 0x69 | type=0x01 (NAS-enc) | len(0x01) | NAS alg id (1 octet) | 0x0001 | KDF($K_{AMF}$, S) |
| $K_{NASint}$ | $K_{AMF}$ | 0x69 | type=0x02 (NAS-int) | 0x0001 | NAS alg id (1 octet) | 0x0001 | KDF($K_{AMF}$, S) |
| $K_{gNB}$ (initial) | $K_{AMF}$ | 0x6E | UL NAS COUNT (4 octets) | 0x0004 | Access type: 0x01 (3GPP) / 0x02 (non-3GPP) | 0x0001 | KDF($K_{AMF}$, S) |
| NH (Next Hop) | $K_{AMF}$ | 0x6F | SYNC-input (new $K_{gNB}$ or previous NH) | 0x0020 | | | KDF($K_{AMF}$, S) |
| $K_{NG-RAN}$ | $K_{gNB}$ or NH | 0x70 | Target PCI | 0x0002 | Target ARFCN-DL | len(ARFCN-DL) | KDF(KEY, S) |
| $K_{RRCenc}$ | $K_{gNB}$ or $K_{NG-RAN}$ | 0x69 | type=0x03 (RRC-enc) | 0x0001 | AS alg id (1 octet) | 0x0001 | KDF(KEY, S) |
| $K_{RRCint}$ | $K_{gNB}$ or $K_{NG-RAN}$ | 0x69 | type=0x04 (RRC-int) | 0x0001 | AS alg id (1 octet) | 0x0001 | KDF(KEY, S) |
| $K_{UPenc}$ | $K_{gNB}$ or $K_{NG-RAN}$ | 0x69 | type=0x05 (UP-enc) | 0x0001 | AS alg id (1 octet) | 0x0001 | KDF(KEY, S) |
| $K_{UPint}$ | $K_{gNB}$ or $K_{NG-RAN}$ | 0x69 | type=0x06 (UP-int) | 0x0001 | AS alg id (1 octet) | 0x0001 | KDF(KEY, S) |
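How three rows of Table 2 are evaluated, as an added example that is not part of the paper: the generic 3GPP KDF (HMAC-SHA-256 over S = FC ‖ P0 ‖ L0 ‖ P1 ‖ L1, as defined in TS 33.220) applied to the K_SEAF, K_AMF and K_NASint rows, showing that the SUPI is a direct input to K_AMF. The key bytes, serving network name, SUPI digits, algorithm id, the ASCII encoding of the SUPI and the all-zero ABBA are constructed or assumed values, and the function names are hypothetical.

```python
import hashlib
import hmac


def build_s(fc, *params):
    """S = FC || P0 || L0 || P1 || L1 ...; each Li is the 2-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key, s):
    """Generic 3GPP KDF: HMAC-SHA-256 keyed with the input key over the string S."""
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_seaf(k_ausf, snn):
    # Table 2: FC = 0x6C, P0 = serving network name.
    return kdf(k_ausf, build_s(0x6C, snn.encode("ascii")))


def derive_k_amf(k_seaf, supi, abba=b"\x00\x00"):
    # Table 2: FC = 0x6D, P0 = SUPI, P1 = ABBA.
    # Assumptions: SUPI passed as ASCII digits, ABBA = 0x0000.
    return kdf(k_seaf, build_s(0x6D, supi.encode("ascii"), abba))


def derive_k_nas_int(k_amf, alg_id):
    # Table 2: FC = 0x69, P0 = 0x02 (NAS-int), P1 = 1-octet algorithm id.
    out = kdf(k_amf, build_s(0x69, b"\x02", bytes([alg_id])))
    return out[-16:]  # 128-bit algorithm key: least significant 128 bits of the output


# Constructed inputs: not real network or subscriber values.
K_AUSF = bytes(range(32))
SNN = "5G:mnc001.mcc001.3gppnetwork.org"
SUPI_A = "001010000000001"
SUPI_B = "001010000000002"


def demo():
    k_seaf = derive_k_seaf(K_AUSF, SNN)
    k_amf_a = derive_k_amf(k_seaf, SUPI_A)
    k_amf_b = derive_k_amf(k_seaf, SUPI_B)
    return {
        "s_amf": build_s(0x6D, SUPI_A.encode("ascii"), b"\x00\x00"),
        "k_amf_a": k_amf_a,
        "k_amf_b": k_amf_b,
        "k_nas_int_a": derive_k_nas_int(k_amf_a, 2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex())
```

Because the SUPI is an input to K_AMF, the UE and the network must feed the identical identifier string into the derivation, so any scheme that replaces the SUPI inside the core has to account for this binding.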
Table 3. 5G Core Network Interfaces: Examples of SUPI usage within Network Calls between VNFs.

| Interaction & Standard | Resource URI | Identity Inclusion (Schema) |
|---|---|---|
| Authentication (AUSF → UDM) TS 29.503 [3] | .../nudm-ueau/v1/{supi}/security-information/generate-auth-data | URI Path Parameter |
| Registration (AMF → UDM) TS 29.503 [3] | .../nudm-uecm/v1/{supi}/registrations/amf-3gpp-access | URI Path Parameter |
| Session Creation (AMF → SMF) TS 29.502 [3] | .../nsmf-pdusession/v1/sm-contexts | JSON Body: { "supi": "imsi-001...", ...} |
| Policy Control (SMF → PCF) TS 29.512 [3] | .../npcf-smpolicycontrol/v1/sm-policies | JSON Body: { "supi": "imsi-001...", ...} |
| Charging & Billing (SMF → CHF) TS 32.291 [3] | .../nchf-convergedcharging/v3/chargingdata | JSON Body: { "subscriberIdentifier": "imsi-001...", ...} |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permits free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.