itu-r Series-M: Mobile, Radiodetermination, Amateur and Related Satellite Services
The radio interface layer for all mobile generations — from legacy GSM to 5G NR and Non-Terrestrial Networks (NTN). M-series specifications define the physical-layer security parameters that determine whether a user's location can be triangulated, whether their device can be IMSI-caught, and whether the air interface can be jammed.
Official Scope
Study Group: SG5 — Terrestrial Services
Active Status: Ongoing
Covers IMT (International Mobile Telecommunications) radio interface specifications across all generations: IMT-2000 (3G), IMT-Advanced (4G/LTE), IMT-2020 (5G NR), and IMT-2030 (6G); maritime mobile services; aeronautical communications; Non-Terrestrial Networks (NTN/satellite-to-mobile); and radiodetermination/GNSS.
Tactical Security Significance
- Relevance: 🟢 High — 5G NR Radio Interface Security, NTN Authentication, IMSI Catcher Detection, RF Jamming Resistance
- Key Security Concepts: 5G NR Physical Layer Security (PDCP encryption), IMSI Catcher / Fake Base Station Detection, NTN (Satellite-to-Mobile) Authentication, IMT-2020 Radio Interface Security Parameters
- Attack Surface: Air interface exposure (IMSI/SUPI exposure before SUCI adoption, 5G NR downgrade attacks, fake base station injection), NTN satellite handoff security, maritime mobile communication interception
Key Recommendations
| ITU Rec | Title | Security Domain | Cross-Reference |
|---|---|---|---|
| M.1036 | Frequency arrangements for implementation of IMT | Inter-Cell Interference & Frequency Integrity | 3GPP TS 38.101 |
| M.2012 | Detailed specifications for IMT-Advanced (4G LTE) | LTE Radio Interface Security Baseline | 3GPP TS 36.300 |
| M.2083 | IMT Vision for 2020 and beyond (5G framework) | 5G Security Requirements (Radio) | 3GPP TS 38.300 |
| M.2150 | Detailed specifications for IMT-2020 (5G NR) | 5G NR Physical Security Parameters | 3GPP TS 38.300 |
| M.2160 | Framework and overall objectives for IMT-2030 (6G) | 6G Radio Security Vision | 3GPP Rel-19+ |
| M.1308 | Arrangements for implementation of the terrestrial component of IMT in developing countries | Low-tier infrastructure security | GSMA AI.1 |
| M.1581 | Generic unwanted emission characteristics of land mobile base stations | RF Emission Security / Jamming Analysis | ITU-R SM.1050 |
Security Mapping
IMSI Catcher / Fake Base Station Detection
Legacy 2G/3G networks and some LTE-fallback scenarios allow a UE to attach to a base station without mutually authenticating the network — enabling IMSI catchers (fake base stations) to collect IMSI identifiers and downgrade encryption.
- IMT-2020 protection: M.2150 (5G NR) mandates SUCI (Subscription Concealed Identifier) — the IMSI/SUPI is ECIES-encrypted before transmission, preventing passive IMSI collection
- Residual risk: Downgrade attacks that force a 5G device to fall back to 2G/3G remain possible where operators do not enforce the 5G NR-only or 5G SA policy
- Detection: Network-side anomaly detection of unusual registration patterns (mass re-registrations from a geographic area) can indicate IMSI catcher deployment; UE-side detection via unexpected RAT downgrade alerts
5G NR Physical Layer Security Parameters (M.2150)
M.2150 specifies the radio interface parameters for 5G NR (New Radio). Security-relevant physical layer parameters include:
| Parameter | Security Relevance |
|---|---|
| PDCP layer encryption (NR-PDCP) | All user-plane data encrypted at PDCP with AES-128/256 or SNOW-3G/ZUC |
| Integrity protection (SRBs) | 5G NR mandates UP-IP (User Plane Integrity Protection) — absent in 4G |
| PRACH preamble | Random access procedure; not authenticated — potential for PRACH flooding DoS |
| SSB (Synchronization Signal Block) | Broadcasts cell identity and timing; not authenticated in Rel-15/16 (improved in Rel-17) |
NTN (Satellite-to-Mobile) Security — M.2150 Extension
5G NTN connects smartphones directly to LEO/GEO satellites, extending the 5G NR security model to space. Key security challenges include:
- Long propagation delay: 5G authentication procedures assume low-latency feedback loops — NTN (600ms RTT for GEO) requires adaptation of timing-sensitive security protocols
- Satellite handoff: As a satellite moves across the sky, UEs perform frequent handoffs — each handoff is a potential security boundary that must maintain encryption continuity
- Mitigation: 3GPP Rel-17 introduces NTN-specific timing enhancements to M.2150 protocols; ensure NTN gateway nodes apply the same access control and SUCI handling as terrestrial nodes
RF Jamming and IMT Spectrum Defense
M.1036 frequency arrangements and M.1581 emission limits define the operating parameters of the 5G spectrum. Intentional jamming disrupts service in specific frequency ranges.
- Vulnerability: 5G NR FDD/TDD configurations in certain bands use predictable time slots — a narrowband jammer targeting the downlink control channel (PDCCH) can disrupt UE scheduling without jamming the full NR bandwidth
- Mitigation: Deploy spectrum monitoring per ITU-R SM.1050 around critical sites; use M.1036 frequency diversity where alternate spectrum bands are available; for critical sites, consider mmWave (n257/n258/n261) which requires high-directional antennas that are harder to jam
Operational Audit
- M.2012 Audit Checklist: Technical checklist for auditing 4G/IMT-Advanced radio interface security.
Generation-Specific Bridges
- 3GPP Rel-15: 5G Security Baseline: M.2150 → TS 38.300 implementation for initial 5G NR deployment
- 3GPP Rel-19: 6G Candidate Framework: M.2160 IMT-2030 radio security vision
!NOTE This series is part of the master Series Tracker.