Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TS 21.133  Word version:  4.1.0

Top   Top   Up   Prev   None
1…   5…   6…   7…   8…   A…

 

A  Threats linked to active attacks on the radio access linkWord‑p. 24

Threats linked to active attacks on the radio access link
The success of digital mobile communication systems leads to a larger interest for fraudsters, especially as the opportunities for attacking other systems are dwindling. Thus, it can be expected that there will be more investment by the fraudster on more complex equipment which may lead to new active attacks becoming more of a concern. This annex focuses on active attacks in which an attacker manipulates signalling on the radio interface or masquerades as a network element in order to mount various forms of attack (so called "False Base Station" attacks).
This annex analyses a number of threats related to these types of attacks. Extensive analyses have been made of these and similar threats in the baseline document "Countermeasures to active attacks on the radio access link" (see references).
Up

A.1  User identity catching

  • Active identity catching An intruder may spoof a serving network and send a request for the permanent user identity to a targeted user to capture his permanent identity in clear text.

A.2  Suppression of encryption between target and intruder

An intruder may succeed in disabling encryption on the radio interface by several means.
The intruder may masquerade completely as a serving network. The intruder can either use a man-in-the-middle attack by establishing two connections, one to the user and one to a valid serving network (relaying data with or without modifications between a user and a valid serving network) or just masquerade as a serving network without establishing a link to a real network. In any case, the intruder may be able to suppress encryption between the user and himself by sending the appropriate signalling messages.
Alternatively, the intruder may just manipulate the signalling messages by which the user and serving network agree on their ciphering capabilities to create an incompatibility that will prevent ciphering from being established.
The threats following these actions are described below:
  • Eavesdropping of a genuine call
    Once encryption is disabled, the intruder can capture signalling and user traffic.
  • Answering a mobile originated call
    When the target attempts to make a call, the intruder relays the messages between the target and the true network until after authentication is completed. The intruder cuts the connection with the true network suppresses encryption and proceeds to set up the call as a new call (to any suitable network) and under the intruder's own full control.
Up

A.3  Compromise of authentication dataWord‑p. 25

Authentication data can get compromised, either during its transport between the home environment and the serving network, or by unauthorised access to databases.
  • Forcing use of a compromised cipher key
    The intruder obtains a sample of authentication data and uses it to convince the user that he is connected to a proper serving network, and forces the use of a compromised cipher key. The intruder may force the repeated use of the same authentication data to ensure the same encryption key will be used for many calls. Leads to continuous eavesdropping.
  • Impersonating the user
    The intruder obtains a sample of authentication data and uses it to impersonate a user towards the serving network. Masquerading as a base station towards the serving network (or eavesdropping on such a connection) could be used to obtain valid authentication data for this attack.
  • Reusing authentication data
    The intruder forces the repeated use of the same authentication data. Weaknesses in the efficiency of the encryption protection may be exploited either for cipher cryptanalysis or protocol attacks.
Up

A.4  Hijacking of services

The goal of these attacks is to access mobile communication services on the target's account.
  • Hijacking services for outgoing calls
    While the target camps on the false base station, the intruder pages the target for an incoming call. The user then initiates the call set-up procedure, which the intruder allows to occur between the serving network and the target, modifying the signalling elements such that to the serving network it appears as if the target wants to set-up a mobile originated call. After authentication the intruder releases the target, and subsequently uses the connection to make fraudulent calls on the target's subscription.
    This could be possible if the network does not enable encryption, or if the intruder can disable encryption (as in A.2) or if the intruder has access to the cipher key (as in A.3).
  • Hijacking incoming calls
    While the target camps on the false base station, an associate of the intruder makes a call to the target's number. The intruder allows call set-up between target and serving network. After authentication the intruder releases the target, and subsequently uses the connection to answer the call made by his associate. The target will have to pay for the roaming leg.
    This works either if the network does not enable encryption, or if the intruder can disable encryption (as in A.2) or if the intruder has access to the cipher key (as in A.3).
Up

$  Change historyWord‑p. 26


Up   Top