What is the TMSI, who issues it, and how does it protect against movement profiling?
The TMSI (Temporary Mobile Subscriber Identity) is a temporary identity created by the VLR and sent back encrypted to the phone; it replaces the IMSI in over-the-air exchanges and changes when the phone switches base station, preventing third parties from building a movement profile.
How it works:
- The IMSI is required only at first registration with a base station (the network has to know who you really are once)
- Afterward, the VLR (Visitor Location Register) assigns a TMSI — created locally, then encrypted and sent back to the mobile
- When the phone changes base station, the TMSI changes too
The privacy payoff: because the over-the-air identity keeps changing and never reveals the permanent IMSI, a passive eavesdropper cannot link successive appearances to the same subscriber — no movement profile.
The weakness this implies: the protection only holds if the IMSI is truly sent rarely. An attacker who can force a phone to reveal its IMSI (by pretending to be a base station that "doesn't recognize" the TMSI) defeats the whole scheme — that is exactly what an IMSI catcher does.
Go deeper:
Fangespielen mit IMSI-Catchern — oshie (CCC Camp 2019) — the practical attack that defeats TMSI privacy by forcing the phone to reveal its IMSI (German, English audio track available).
IMSI-catcher (Wikipedia) — how a fake base station forces a phone to surrender its IMSI instead of the TMSI, defeating exactly this privacy scheme.