Pseudonyms in mobile telephony systems: good principles but weak implementations

The TMSI rarely changes when the mobile station is idle.

• Capture taken using a UK O2 SIM card attached to the UK O2 network. The mobile station is turned on for at least 3 hours in three different days. The first TMSI reallocation is executed on the third day, then a new TMSI is reassigned after 12 hours, then 3 hours after and finally 5 hours after.
• Capture taken using a UK Vodafone SIM card attached to the UK Vodafone network. The mobile station is turned on for 3 consecutive days. The TMSI reallocation procedure is executed once a day.
• Capture taken using a UK O2 SIM card attached to the French Bouygues network. The mobile station is on for around 6 hours but no TMSI reallocation is executed.
• Capture taken using a UK O2 SIM card attached to the French Orange network. A TMSI reallocation is executed when the phone is turned on and attaches to the network, then no other TMSI reallocation is executed in the following 12 hours.
• Capture taken using a UK O2 SIM card attached to the Greek Cosmote network. The TMSI reallocation procedure is not executed for 10 hours.
• Capture taken using a UK O2 SIM card attached to the Greek Vodafone network. The TMSI reallocation procedure is not executed for 12 hours.
• Capture taken using a UK O2 SIM card attached to the Greek Wind network. No TMSI reallocation is executed in at least 6 hours.
• Capture taken using a UK Orange SIM card attached to the UK Orange network. A TMSI reallocation is executed when the mobile station attaches to the network and then the same TMSI is assigned for at least 4 hours.
• Capture taken using a UK O2 SIM card attached to the Italian Omnitel network. A TMSI reallocation is executed when the mobile station attaches to the network and then the same TMSI is assigned for 4 hours.
• Capture taken using a UK O2 SIM card attached to the Italian Wind network. A TMSI reallocation is executed after 7 hours. Some paging activity and failed location updates involve the MS. The next TMSI reallocation is executed the day after.

The TMSI rarely changes when the mobile station is busy.

• Capture using a UK Giffgaff SIM card attached to the UK O2 network. Over 4 days the mobile station was involved in lots of activity such as CM (call management) requests and paging responses with long idle periods as well. Moreover, the mobile station was switched on and off every day. Despite this, the TMSI reallocation was never executed.
• Capture taken using a UK O2 SIM card attached to the UK O2 network. This includes a fair amount of activity including call management requests, paging responses and the reception of some SMS messages, but the TMSI reallocation is not executed in 5 hours.
• Similar to the previous trace. A large number of call management requests and some paging responses are present but no TMSI reallocation is executed in 3 hours.
• Capture taken using a UK Orange SIM card attached to the UK Orange network. The TMSI reallocation is executed twice in 8 hours with some activity (10 paging responses) involving the mobile station in the meantime.
• Capture taken using a UK Lebara SIM card attached to the Italian Omnitel network. The TMSI reallocation is not executed for 6 hours with some activity (8 Call Management CM requests) involving the mobile station in the meantime, and a location update every 2 hours.
• Capture taken using a UK O2 SIM card attached to the Italian TIM network. The TMSI reallocation is not executed for 16 hours with some activity (7 CM requests) involving the mobile station in the meantime.
• Capture taken using a Italian TIM SIM card attached to the Italian TIM network. The TMSI reallocation is not executed for 8 hours with some activity (5 CM requests and 34 paging responses) involving the mobile station in the meantime.

The TMSI does not always change when the location does.

• Capture taken using a UK Orange SIM card attached to the UK Orange network. The same TMSI is maintained in two different location areas, namely 234/33/29 and 234/33/1381.
• Capture taken using a Greek Cosmote SIM card roaming on the UK T-Mobile network and while travelling between London and Birmingham. The same TMSI is accepted in different location areas.
• Trace of a UK Giffgaff SIM card attached to the UK O2 network. The same TMSI is accepted in two different location areas.
• Capture taken using a UK Orange SIM card attached to the UK Orange network. The same TMSI is maintained in different location areas while travelling from London to Birmingham.
• Capture taken using a UK O2 SIM card attached to the UK O2 network. The same TMSI is accepted in different location areas.

Previously established keys are re-used to encrypt the TMSI reallocation procedure.

• Capture taken using a UK Vodafone SIM card attached to the UK Vodafone network. The TMSI reallocation is executed without establishing a new cyphering session key.
• Capture taken using a UK Lebara SIM card attached to the UK Vodafone network. One TMSI reallocation is executed by establishing a new session key (i.e. the authentication protocol is executed). Subsequently, 5 TMSI reallocation procedures are executed using the same key.
• Capture taken using a UK Lebara SIM card attached to the UK Vodafone network while travelling from Birmingham to Reading. The TMSI reallocation is executed by establishing a new session key and then a few times with the same one before establishing a new session key again.
• Capture taken using a UK Virgin SIM card attached to the UK T-Mobile network. The TMSI reallocation is executed twice using an old session key.
• Capture taken using a UK Vodafone SIM card attached to the UK Vodafone network. The TMSI reallocation is executed a few times, re-using an old session key.
• Capture taken using an Italian Omnitel SIM card attached to the Italian Omnitel network. The TMSI reallocation is executed re-using an old session key.