Content for TS 21.133 Word version: 4.1.0

6.1 Threats associated with attacks on the radio interface 6.2 Threats associated with attacks on other parts of the system 6.3 Threats associated with attacks on the terminal and UICC/USIM
...

6 Security threats p. 14

The purpose of this clause is to list possible security threats to the 3G system, detailing what the threats achieve, how they are carried out and where in the system they could occur.

It is possible to classify security threats in many different ways. In this clause threats in the following categories have been considered.

Unauthorised access to sensitive data (violation of confidentiality)

Eavesdropping: An intruder intercepts messages without detection.
Masquerading: An intruder hoaxes an authorised user into believing that they are the legitimate system to obtain confidential information from the user; or an intruder hoaxes a legitimate system into believing that they are an authorised user to obtain system service or confidential information.
Traffic analysis: An intruder observes the time, rate, length, source, and destination of messages to determine a user's location or to learn whether an important business transaction is taking place.
Browsing: An intruder searches data storage for sensitive information.
Leakage: An intruder obtains sensitive information by exploiting processes with legitimate access to the data.
Inference: An intruder observes a reaction from a system by sending a query or signal to the system. For example, an intruder may actively initiate communications sessions and then obtain access to information through observation of the time, rate, length, sources or destinations of associated messages on the radio interface.

Unauthorised manipulation of sensitive data (Violation of integrity)

Manipulation of messages: Messages may be deliberately modified, inserted, replayed, or deleted by an intruder
Disturbing or misusing network services (leading to denial of service or reduced availability)
Intervention: An intruder may prevent an authorised user from using a service by jamming the user's traffic, signalling, or control data.
Resource exhaustion: An intruder may prevent an authorised user from using a service by overloading the service.
Misuse of privileges: A user or a serving network may exploit their privileges to obtain unauthorised services or information.
Abuse of services: An intruder may abuse some special service or facility to gain an advantage or to cause disruption to the network.

Repudiation: A user or a network denies actions that have taken place.

Unauthorised access to services

Intruders can access services by masquerading as users or network entities.
Users or network entities can get unauthorised access to services by misusing their access rights.

A number of security threats in these categories are subsequently treated in the remainder of this clause according to the following points of attack:

Radio interface;
Other part of the system;
Terminals and UICC/USIM.

Note also that Annex A gives some extra information as regards threats connected to active attacks on the radio interface. The threats treated in annex A are incorporated in the following lists.

6.1 Threats associated with attacks on the radio interface p. 15

The radio interface between the terminal equipment and the serving network represents a significant point of attack in 3G. The threats associated with attacks on the radio interface are split into the following categories, which are described in the following subclauses:

unauthorised access to data;
threats to integrity;
denial of service;
unauthorised access to services.

6.1.1 Unauthorised access to data p. 16

T1a

Eavesdropping user traffic: Intruders may eavesdrop user traffic on the radio interface.

T1b

Eavesdropping signalling or control data: Intruders may eavesdrop signalling data or control data on the radio interface. This may be used to access security management data or other information which may be useful in conducting active attacks on the system.

T1c

Masquerading as a communications participant: Intruders may masquerade as a network element to intercept user traffic, signalling data or control data on the radio interface.

T1d

Passive traffic analysis: Intruders may observe the time, rate, length, sources or destinations of messages on the radio interface to obtain access to information.

T1e

Active traffic analysis: Intruders may actively initiate communications sessions and then obtain access to information through observation of the time, rate, length, sources or destinations of associated messages on the radio interface.

6.1.2 Threats to integrity p. 16

T2a

Manipulation of user traffic: Intruders may modify, insert, replay or delete user traffic on the radio interface. This includes both accidental or deliberate manipulation.

T2b

Manipulation of signalling or control data: Intruders may modify, insert, replay or delete signalling data or control data on the radio interface. This includes both accidental or deliberate manipulation.

6.1.3 Denial of service attacks p. 16

T3a

Physical intervention: Intruders may prevent user traffic, signalling data and control data from being transmitted on the radio interface by physical means. An example of physical intervention is jamming.

T3b

Protocol intervention: Intruders may prevent user traffic, signalling data or control data from being transmitted on the radio interface by inducing specific protocol failures. These protocol failures may themselves be induced by physical means.

T3c

Denial of service by masquerading as a communications participant: Intruders may deny service to a legitimate user by preventing user traffic, signalling data or control data from being transmitted on the radio interface by masquerading as a network element.

6.1.4 Unauthorised access to services p. 16

T4a

Masquerading as another user: An intruder may masquerade as another user towards the network. The intruder first masquerades as a base station towards the user, then hijacks his connection after authentication has been performed.

6.2 Threats associated with attacks on other parts of the system p. 17

Although attacks on the radio interface between the terminal equipment and the serving network represent a significant threat, attacks on other parts of the system may also be conducted. These include attacks on other wireless interfaces, attacks on wired interfaces, and attacks which cannot be attributed to a single interface or point of attack. The threats associated with attacks on other parts of the system are split into the following categories, which are described in the following subclauses:

unauthorised access to data;
threats to integrity;
denial of service;
repudiation;
unauthorised access to services.

6.2.1 Unauthorised access to data p. 17

T5a

Eavesdropping user traffic: Intruders may eavesdrop user traffic on any system interface, whether wired or wireless.

T5b

Eavesdropping signalling or control data: Intruders may eavesdrop signalling data or control data on any system interface, whether wired or wireless. This may be used to access security management data which may be useful in conducting other attacks on the system.

T5c

Masquerading as an intended recipient of data: Intruders may masquerade as a network element in order to intercept user traffic, signalling data or control data on any system interface, whether wired or wireless.

T5d

Passive traffic analysis: Intruders may observe the time, rate, length, sources or destinations of messages on any system interface, whether wired or wireless, to obtain access to information.

T5e

Unauthorised access to data stored by system entities: Intruders may obtain access to data stored by system entities. Access to system entities may be obtained either locally or remotely, and may involve breaching physical or logical controls.

T5f

Compromise of location information: Legitimate user of a 3G service may receive unintended information about other users locations through (analysis of) the normal signalling or voice prompts received at call set up.

6.2.2 Threats to integrity p. 17

T6a

Manipulation of user traffic: Intruders may modify, insert, replay or delete user traffic on any system interface, whether wired or wireless. This includes both accidental and deliberate manipulation.

T6b

Manipulation of signalling or control data: Intruders may modify, insert, replay or delete signalling or control data on any system interface, whether wired or wireless. This includes both accidental and deliberate manipulation.

T6c

Manipulation by masquerading as a communications participant: Intruders may masquerade as a network element to modify, insert, replay or delete user traffic, signalling data or control data on any system interface, whether wired or wireless.

T6d

Manipulation of applications and/or data downloaded to the terminal or USIM: Intruders may modify, insert, replay or delete applications and/or data which is downloaded to the terminal or USIM. This includes both accidental and deliberate manipulation.

T6e

Manipulation of the terminal or USIM behaviour by masquerading as the originator of applications and/or data: Intruders may masquerade as the originator of malicious applications and/or data downloaded to the terminal or USIM.

T6f

Manipulation of data stored by system entities: Intruders may modify, insert or delete data stored by system entities. Access to system entities may be obtained either locally or remotely, and may involve breaching physical or logical controls.

6.2.3 Denial of service attacks p. 18

T7a

Physical intervention: Intruders may prevent user or signalling traffic from being transmitted on any system interface, whether wired or wireless, by physical means. An example of physical intervention on a wired interface is wire cutting. An example of physical intervention on a wireless interface is jamming. Physical intervention involving interrupting power supplies to transmission equipment may be conducted on both wired and wireless interfaces. Physical intervention may also be conducted by delaying transmissions on a wired or wireless interface.

T7b

Protocol intervention: Intruders may prevent user or signalling traffic from being transmitted on any system interface, whether wired or wireless, by inducing protocol failures. These protocol failures may themselves be induced by physical means.

T7c

Denial of service by masquerading as a communications participant: Intruders may deny service to a legitimate user by preventing user traffic, signalling data or control data from being transmitted by masquerading as a network element to intercept and block user traffic, signalling data or control data.

T7d

Abuse of emergency services: Intruders may prevent access to services by other users and cause serious disruption to emergency services facilities by abusing the ability to make USIM-less calls to emergency services from 3G terminals. If such USIM-less calls are permitted then the provider may have no way of preventing the intruder from accessing the service.

6.2.4 Repudiation p. 18

T8a

Repudiation of charge: A user could deny having incurred charges, perhaps through denying attempts to access a service or denying that the service was actually provided.

T8b

Repudiation of user traffic origin: A user could deny that he sent user traffic.

T8c

Repudiation of user traffic delivery: A user could deny that he received user traffic.

6.2.5 Unauthorised access to services p. 18

T9a

Masquerading as a user: Intruders may impersonate a user to utilise services authorised for that user. The intruder may have received assistance from other entities such as the serving network, the home environment or even the user himself.

T9b

Masquerading as a serving network: Intruders may impersonate a serving network, or part of an serving network's infrastructure, perhaps with the intention of using an authorised user's access attempts to gain access to services himself.

T9c

Masquerading as a home environment: Intruders may impersonate a home environment perhaps with the intention of obtaining information which enables him to masquerade as a user.

T9d

Misuse of user privileges: Users may abuse their privileges to gain unauthorised access to services or to simply intensively use their subscriptions without any intent to pay.

T9e

Misuse of serving network privileges: Serving networks may abuse their privileges to gain unauthorised access to services. The serving network could e.g. misuse authentication data for a user to allow an accomplice to masquerade as that user or just falsify charging records to gain extra revenues from the home environment.

6.3 Threats associated with attacks on the terminal and UICC/USIM p. 19

T10a

Use of a stolen terminal and UICC: Intruders may use stolen terminals and UICCs to gain unauthorised access to services.

T10b

Use of a borrowed terminal and UICC: Users who have been given authorisation to use borrowed equipment may misuse their privileges perhaps by exceeding agreed usage limits.

T10c

Use of a stolen terminal: Users may use a valid USIM with a stolen terminal to access services.

T10d

Manipulation of the identity of the terminal: Users may modify the IMEI of a terminal and use a valid USIM with it to access services.

T10e

Integrity of data on a terminal: Intruders may modify, insert or delete applications and/or data stored by the terminal. Access to the terminal may be obtained either locally or remotely, and may involve breaching physical or logical controls.

T10f

Integrity of data on USIM: Intruders may modify, insert or delete applications and/or data stored by the USIM. Access to the USIM may be obtained either locally or remotely.

T10g

Eavesdropping the UICC-terminal interface: Intruders may eavesdrop the UICC-terminal interface.

T10h

Masquerading as an intended recipient of data on the UICC-terminal interface: Intruders may masquerade as a USIM or a terminal in order to intercept data on the UICC-terminal interface.

T10i

Manipulation of data on the UICC-terminal interface: Intruders may modify, insert, replay or delete user traffic on the UICC-terminal interface.

T10j

Confidentiality of certain user data in the terminal or in the UICC/USIM: Intruders may wish to access personal user data stored by the user in the terminal or UICC, e.g. telephone books.

T10k

Confidentiality of authentication data in the UICC/USIM: Intruders may wish to access authentication data stored by the service provider, e.g. authentication key.