5G and surveillance: what the new network actually exposes

5G is described primarily in terms of speed and capacity — faster downloads, lower latency, more devices per cell. The surveillance implications of 5G networks receive considerably less attention, despite being technically significant. This article explains what 5G changes for surveillance, what it doesn't, and what practical options exist for people who want to reduce their exposure.

IMSI catchers and what 5G actually changed

An IMSI catcher — commercially known as a Stingray, though many competing products exist — is a device that impersonates a legitimate cell tower. By broadcasting a stronger signal than surrounding towers, it tricks nearby phones into connecting to it. Classic IMSI catchers exploit 2G's lack of mutual authentication: the device authenticates to the network, but the network never authenticates to the device, allowing any transmitter to impersonate a tower.

4G (LTE) improved this somewhat but retained backward compatibility with 2G in most deployments. IMSI catchers evolved to force downgrade attacks — making phones drop to 2G or early 3G protocols where vulnerabilities persist.

5G introduces a meaningful change: the IMSI is replaced by SUPI/SUCI. The Subscription Permanent Identifier (SUPI) is never transmitted in plaintext over the air. Instead, devices transmit a SUCI (Subscription Concealed Identifier) — an encrypted, single-use representation of the SUPI using the network's public key. A passive eavesdropper cannot correlate multiple SUCI transmissions to the same subscriber, and an IMSI catcher cannot extract a permanent device identifier just by intercepting radio traffic.

This is a genuine improvement. Passive IMSI harvesting — collecting device identifiers by operating a passive radio receiver near a crowd — is substantially harder in 5G SA (Standalone) deployments.

What 5G still exposes

The SUCI improvement addresses one specific attack class. It does not address the broader surveillance picture:

• IMEI remains exposed: the International Mobile Equipment Identifier — your hardware's permanent serial number — is still transmitted in plaintext during certain procedures, including emergency calls and in some network attachment flows. IMEI cannot be changed on most devices and uniquely identifies your hardware regardless of which SIM you insert.
• SUPI is linkable by the carrier: the carrier's Home Subscriber Server can decrypt any SUCI it receives. Law enforcement requests to carriers remain effective — the protection is against passive eavesdroppers, not the network operator itself.
• Location precision has increased dramatically: 5G's use of small cells — low-power base stations deployed at street-level density in urban areas — means cell tower location data is considerably more granular than 4G. In dense deployments, carrier-held location records can place a device within tens of metres rather than hundreds. This increases the surveillance value of carrier data substantially even as radio-layer interception becomes harder.
• Timing attacks: even without IMSI, sophisticated actors can use radio signal timing, signal strength patterns, and device behaviour fingerprints to track devices across sessions.

5G network slicing and its surveillance implications

Network slicing is a 5G feature that allows a single physical network infrastructure to run multiple logically separate virtual networks simultaneously — one slice for IoT devices, another for emergency services, another for enterprise customers. Each slice can have different security properties, performance characteristics, and access controls.

The surveillance implication is twofold. First, enterprise and government network slices may carry less encryption overhead or different logging requirements than consumer slices, creating segmented surveillance capability. Second, the administrative interfaces that manage slice configuration represent a significant new attack surface — a compromised network management system could redirect specific users or device types into monitoring slices without their knowledge.

Network slicing is still being deployed in most markets. Its security architecture is largely controlled by carriers and equipment vendors, with no user-facing visibility or control.

5G SA vs. NSA: the distinction that matters for privacy

Most current 5G deployments are Non-Standalone (NSA) — 5G radio is used for data speeds, but the core network remains 4G LTE infrastructure. This means the SUCI encryption benefit of 5G does not apply in NSA deployments. The phone may show a 5G indicator while still transmitting an unprotected IMSI to a 4G core.

Standalone (SA) 5G uses a full 5G core network and provides the SUCI protections described above. SA deployment is expanding but remains a minority of global 5G coverage as of early 2026. If SUCI protection matters for your threat model, verifying that your carrier has deployed SA 5G in your area — not just NSA — is necessary.

Practical protections

Understanding the threat allows for targeted countermeasures. The realistic options, roughly ordered by effectiveness:

• eSIM rotation: using eSIM profiles from multiple providers and rotating them periodically prevents any single carrier from building a long-term location and usage history tied to your identity. This is particularly effective for travel or higher-risk periods. Norypt's encrypted eSIM is designed with this use case in mind.
• Airplane mode vs. SIM removal: Airplane mode disables radio transmissions on most devices, but implementation varies by manufacturer — some devices have been documented to continue low-level radio activity in airplane mode. Physically removing a SIM (or disabling an eSIM profile) provides more reliable radio silence. A device with no active SIM cannot be located by carrier infrastructure.
• Faraday pouches: a properly shielded Faraday pouch completely blocks radio signals at all frequencies. This is the most reliable option for situations where you need guaranteed radio silence — device location cannot be updated while inside the pouch. Note that this also means you cannot receive calls or messages.
• GrapheneOS network permissions: on a GrapheneOS device, network access can be revoked per-app. While this doesn't affect the baseband radio's cellular connectivity, it prevents apps from correlating your network location with other data and reduces the overall data footprint when connected.
• Operator selection: in jurisdictions with meaningful data protection law, choosing carriers with published data retention policies and preferring carriers outside surveillance alliance countries (Five Eyes, Nine Eyes, Fourteen Eyes) for sensitive travel reduces some risk.

The overall picture

5G is a genuine improvement on some radio-layer surveillance techniques, particularly passive IMSI harvesting in full SA deployments. It is not a privacy-enhancing technology in any broader sense — it introduces finer-grained location tracking, new network architecture attack surfaces, and retains the fundamental surveillance capability of carriers and their legal obligations to governments.

The most effective protections combine eSIM flexibility with device-level controls. A Norypt Phone running GrapheneOS, combined with a rotatable eSIM, provides the strongest practical combination of radio-layer privacy and device-level isolation available on consumer hardware.