
TR 33.809
Study on 5G Security enhancements against False Base Stations (FBS)

V18.1.0  2023/09  131 p.
Ms. Guo, Ivy
Apple Computer Trading Co. Ltd

Full Table of Contents for TR 33.809, Word version 18.1.0

0  Introduction  p. 11

The present document uses the term "false base station" in general to denote wireless devices that impersonate genuine base stations.
False base stations are also popularly known as IMSI catchers. While one of their initial attacks was to catch subscribers' IMSIs, there have been many advancements since, not only in false base station technology but also in mobile network security.
Today, the capabilities of false base stations vary depending on whether the mobile network is GPRS, UMTS, LTE, or 5G. The 5G system in particular has already made significant improvements to combat false base stations, including SUPI concealment, guaranteed GUTI refreshment, protected redirections, and a general informative detection framework. There are also other security features that 5G security inherited from earlier generations, such as mutual authentication between UE and network, integrity-protected signalling, and secure algorithm negotiation.
Some of the security solutions, constraints, and requirements studied in TR 33.969 "Study on Security aspects of Public Warning System (PWS)" may also be useful when considering security enhancements against false base stations, specifically for the protection of the System Information (SI) broadcasts used for the PWS warning messages.

1  Scope  p. 12

The present document studies the potential threats and privacy issues associated with false base station scenarios.
The present document identifies potential solutions for mitigating the risks caused by false base stations.

2  References  p. 12

3  Definitions of terms, symbols and abbreviations  p. 13

3.1  Terms  p. 13

3.2  Symbols  p. 13

3.3  Abbreviations  p. 13

4  Security overviews of 5G system against false base stations  p. 14

5  Key Issues  p. 14

6  Candidate Solutions  p. 21

6.0  Mapping between key issues and solutions  p. 21

6.1  Solution #1: Protection for the UE Capability Transfer  p. 22

6.2  Solution #2: Protection of RRCReject message in RRC_INACTIVE state  p. 22

6.3  Solution #3: Protection of uplink UECapabilityInformation RRC message  p. 23

6.4  Solution #4: Enriched measurement reports  p. 24

6.5  Solution #5: Mitigation against the authentication relay attack  p. 27

6.6  Solution #6: Avoiding UE connecting to false base station during HO  p. 29

6.7  Solution #7: Verification of authenticity of the cell  p. 33

6.8  Solution #8: Network detection of nearby false base stations from call statistics and measurements  p. 40

6.9  Solution #9: Using symmetric algorithm with assistance of USIM and home network  p. 41

6.10  Solution #10: Protection on the unicast message based on ECDH  p. 49

6.11  Solution #11: Certificate based solution against false base station  p. 52

6.12  Solution #12: ID based solution against false base station  p. 57

6.13  Solution #13: Protecting RRCResumeRequest against MiTM  p. 61

6.14  Solution #14: Shared key based MIB/SIBs protection  p. 62

6.15  Solution #15: Mitigation against the authentication relay attack with different PLMNs  p. 63

6.16  Solution #16: Protection of RRC Reject Message  p. 66

6.17  Solution #17: Integrity protection of the whole RRCResumeRequest message  p. 68

6.18  Solution #18: Avoiding UE connecting to False Base Station during Conditional Handover  p. 69

6.19  Solution #19: AS security based MIB/SIBs integrity information provided by gNB  p. 71

6.20  Solution #20: Digital Signing Network Function (DSnF)  p. 73

6.20.1  Introduction  p. 73

6.20.2  Solution details  p. 74

6.20.3  Assessment using clause A.3  p. 85

6.20.4  Evaluation  p. 87

6.21  Solution #21: Certificate based solution against false base station for Non-Public Networks  p. 88

6.22  Solution #22: Detecting false base stations based on UE positioning measurements  p. 92

6.23  Solution #23: Cryptographic CRC to avoid MitM relay nodes  p. 96

6.24  Solution #24: UE&Network-assisted UE avoidance and Network detection of FBS  p. 99

6.25  Solution #25: Detection of Man-in-the-Middle false base stations  p. 102

6.26  Solution #26: KI#2 with PKC-based and without tight time synchronization  p. 104

6.27  Solution #27: Short-lived asymmetric key-based solution for protecting system information  p. 108

6.27.1  Introduction  p. 108

6.27.2  Solution details  p. 110

6.27.3  Assessment using clause A.3  p. 119

6.27.4  Evaluation  p. 121

7  Conclusions  p. 121

A  Assessment of system, architectural and security impacts of signing SI messages  p. 123

B  Taxonomy of attacks against 5G UE over radio interfaces  p. 125

Change history  p. 129
