Location Privacy, 5G AKA, and Enhancements.

We introduce a linkability attack variant on 5G AKA that we call the Replay In GUTI (RIG) attack. Our attack investigates the case where the temporary identifier GUTI is used for identification. Recalling that the GUTI-based identification is the most frequently used case, the goal of the RIG attack is to check the presence of a target user in an attack area, that is by linking two Authentication and Key Agreement (AKA) sessions. We further explain how our attack works also against some enhancements of 5G AKA, in which the GUTI case is not covered. We focus on protocols where authentication requires a contribution from the User Equipment (UE). As an example of such enhancements, we discuss the works in [5,15,16], then we examine the protocol proposed in [2] in more detail. Moreover, we propose a USIM-compatible fix against our attack.