
TR 33.809 (SA3) ☆ (Rel-16 draft)
Study on 5G Security enhancements
against False Base Stations

V0.4.0 (Wzip)  2019/05  49 p.

Rapporteur:  Ms. Guo, Ivy

The present document uses the term "false base station" in general to denote wireless devices that impersonate genuine base stations.
False base stations are also popularly known as IMSI catchers. Although catching subscribers' IMSIs was one of their initial attacks, there have been further advances since, not only in false base station technologies but also in mobile network security.
Today, the capabilities of false base stations vary depending on whether the mobile network is GPRS, UMTS, LTE, or 5G. The 5G system in particular has already made significant improvements to combat false base stations, such as SUPI concealment, guaranteed GUTI refreshment, protected redirections, and a general informative detection framework. 5G security also inherits other security features from earlier generations, such as mutual authentication between UE and network, integrity-protected signalling, and secure algorithm negotiations.
The present document investigates key issues and solutions that could further enhance the 5G system's resistance to false base stations. The 5GC and NR/gNB are in the scope of the present document; E-UTRA/ng-eNB is out of scope.

Full Table of Contents for TR 33.809, Word version 0.4.0




1  Scope
2  References
3  Definitions and abbreviations
4  Security overview of 5G system against false base stations
5  Key issues
6  Candidate Solutions
6.1  Solution #1: Protection for the UE Capability Transfer
6.2  Solution #2: Protection of RRCReject message in RRC_INACTIVE state
6.3  Solution #3: Protection of uplink UECapabilityInformation RRC message
6.4  Solution #4: Enriched measurement reports
6.5  Solution #5: Mitigation against the authentication relay attack
6.6  Solution #6: Avoiding UE connecting to false base station during HO
6.7  Solution #7: Verification of authenticity of the cell
6.8  Solution #8: Network detection of nearby false base stations from call statistics and measurements
6.9  Solution #9: Using symmetric algorithm with assistance of USIM and home network
6.10  Solution #10: Protection on the unicast message based on ECDH
6.11  Solution #11: Certificate based solution against false base station
6.12  Solution #12: ID based solution against false base station
6.13  Solution 13: Protecting RRCResumeRequest against MiTM
6.14  Solution #14: Shared key based MIB/SIBs protection
6.15  Solution #15: Mitigation against the authentication relay attack with different PLMNs
7  Conclusions
A  Assessment of system, architectural and security impacts of signing SI messages
B  Change history
