
Security in GSM and 3G networks

Charles Bizimungu Omara
Uganda, Kampala, October 2010
Agenda

• Background
• Overview of the GSM and 3G networks
• Security Requirements
• Security Framework for Telecommunications
• Examples of attacks on the GSM Networks
• Examples of attacks on the 3G networks
• Securing the GSM & 3G Networks
Background
• Traditional telecommunication systems relied only on physical security (locks etc.)
• One would need physical access to the switches, devices and wires in order to become a threat to the switches
• 1st Generation GSM was the earliest cellular system to be developed (1978: 1st GSM in USA)
• 1st G GSM was purely analogue and used for voice calls only
• First generation analogue phones (1980 onwards) were horribly insecure
• Eavesdropping in 1G was very easy: all you had to do was tune a radio receiver until you could hear someone talking
• 2G GSM networks were the logical next stage in the development of wireless systems after 1st G
• 2nd Generation GSM provides a basic range of security features to protect both the operator and the customer, such as anonymity, authentication, and protection of user data and signaling
Background ………
• 2nd G is the most successful telephone network, with more than 800 million users worldwide today
• 3G mobile telephone networks are the latest stage in the development of wireless communications technology today
• 3G systems support much higher data transmission rates and offer increased capacity
• 3G systems use packet-switching technology, which is more efficient and faster than the traditional circuit-switched system
• 3G mobile phones can offer subscribers a wide range of data services, such as mobile Internet access and multimedia applications, as well as voice services
• 3G makes mobile telecommunication systems computer and network based
• Widespread access and loose coupling of interconnected telecommunication and IT systems are a primary source of widespread vulnerability
• Operators must now seek cost-effective, comprehensive security solutions that can be applied to various types of networks, services and applications
Overview of GSM Network

• A GSM network has the following components:
• Mobile Station (MS): This is carried by the subscriber. It is made up of the Mobile Equipment (ME), also known as the terminal, and a smart card known as the Subscriber Identity Module (SIM)
GSM Network ….
• Base Transceiver Station (BTS): Physically composed of antennas and towers. It provides connectivity between the network and the mobile station via the radio interface.
• Radio Network Controller (RNC) or Base Station Controller (BSC): Takes care of all the central functions and controls a set of BTSs via the radio interface
• Mobile Switching Centre (MSC): The MSC controls a large number of BSCs.
• The MSC is very similar to a digital telephone exchange or switch, and it handles the routing of incoming and outgoing calls
• Home Location Register (HLR): The HLR is a data repository that stores the subscriber-specific parameters of a large number of subscribers
• The most important parameters of a subscriber, like Ki and IMSI, are stored in the HLR
• Authentication Centre (AUC): The AUC has as a key component a database of identification and authentication information for each subscriber, and in most cases is an integral part of the HLR.
GSM Network ….

• Visitor Location Register (VLR): The VLR, like the HLR, also contains subscriber information
• The VLR contains only information for those subscribers who roam in the area for which the VLR is responsible
• When a subscriber roams away from the network of his/her own service provider, information is forwarded from the subscriber's home HLR to the visited VLR of the serving network in order to complete the authentication process
• When a subscriber moves out of the VLR area, the HLR takes care of the relocation from the old VLR to the new VLR.
• Signaling Network: Signaling System 7 (SS7) protocol for exchange of information between telecommunication nodes and networks on an out-of-band basis
Problems with GSM security
• Only provides access security – communications and signaling traffic in the fixed network are not protected.
• Does not address active attacks, whereby some network elements (e.g. BTS: Base Station) may be faked
• Only as secure as the fixed networks to which they connect
• Lawful interception only considered as an afterthought
• Terminal theft cannot be controlled
• Lack of user visibility (e.g. the user doesn't know if the link is encrypted or not)
2.5/3G Mobile Networks

[Figure: 2G/2.5G/3G network architecture. The Radio Access Network (BTS, RNC, IP RAN) connects to a Circuit Network (Circuit Switch, Signaling Gateway, Mobility Manager, Feature Server(s), IN Services) for voice, and to an IP Core (Call Agent, Packet Control, Packet Gateway) carrying voice and data toward the Intranet. Source: Myagmar, Gupta, UIUC 2001]
2.5 moving to 3G Network…..

• As mobile operators move to 3G networks, they are for the most part not deploying new networks but are instead leveraging their existing 2.5G network infrastructure.
• Radio Network Controller (RNC): Schedules packet transmission on the air interface and manages handoffs between BTSs.
• The IP core network provides the gateway between the access network and the Internet or private corporate networks. It provides authorization, authentication and accounting (AAA) services, provides access to network services and IP mobility, and manages IP addresses
• 3G systems support much higher data transmission rates and offer increased capacity
• More services are now available, such as mobile Internet access and multimedia applications
GPRS/UMTS Network Structure
3G/2.5G Interface to other Networks
• The figure illustrates the structure of GPRS/UMTS used in 2.5/3G networks to connect the GSM network and the Internet or corporate networks
• A subscriber using high-speed IP-based data services connects to other networks through the Serving GPRS Support Node (SGSN), using the GPRS Tunneling Protocol (GTP) to the Gateway GPRS Support Node (GGSN).
• The SGSN uses GTP to activate a session on the subscriber's behalf. This is called PDP context activation.
• The PDP context is a data structure which contains information such as the mobile's IP address, the tunnel identifier for the GTP session at the GGSN, and the subscriber's IMSI number
• However, GTP does not implement any kind of authentication, data integrity check or confidentiality protection, which means that it could be compromised by an attacker.
• GTP is used in several GSM-based mobile operators' networks on the following interfaces:
– Gn interface connecting SGSN and GGSN
– Gp interface connecting other operators' networks
– Gi interface connecting the GGSN to the Internet.
3GPP Signaling and Application – IMS network

• The 3GPP (and 3GPP2 for CDMA networks) has defined a standards-based network that sits on top of the emerging wireless 3G network.
• The IP Multimedia Subsystem (IMS) is a framework for delivering Internet Protocol multimedia services.
• The Home Subscriber Server (HSS) serves a similar role to the HLR in an IMS implementation
• The Session Initiation Protocol (SIP) is the signaling protocol used in IMS to provide voice over IP service
Signaling and Application – IMS network

• SIP itself is vulnerable to attacks such as buffer overflow.
• By attacking SIP the attacker could compromise or disable the operator's voice service
• Other application servers on the IMS could also be subjected to denial of service attacks
Opening Up

• Mobile data networks are being opened up in two senses:
– Interconnections to other networks, such as the public Internet, other mobile operators' networks, private networks (including company LANs), content servers etc.
– Multiple device types: Symbian smartphones, RIM BlackBerry and Windows Mobile based devices, personal digital assistants, notebook computers, and data-capable feature phones.
• From a security perspective, this newfound openness is a problem because there are now far more elements which are vulnerable.
• For example, the majority of 3G mobile equipment provides multimedia messaging, content downloads, web browsing, network-based games, office applications, TV and virtual private networking to subscribers.
• Malware can propagate through many of these mediums.
• MS equipment is more open to user modifications because of storage cards, synching with PCs, Internet connectivity, Bluetooth and Wi-Fi
Evolution of cellular network
General Security Requirements
• There is a need to protect the telecommunication assets for the following parties:
– Subscribers/customers, who need confidence in the network and the services offered, including availability of services, especially emergency services
– Public community/authorities, who demand security by directives or legislation
– The telecommunication assets, which include:
• The communication and computing devices
• The personnel who operate telecommunication devices
• Voice and data, including the software that supports the telecommunication devices
• Customers who subscribe to different services in the telecommunication networks
Security Framework in Telecommunication Networks

• The first step in securing telecommunication networks is for operators to recognize their newfound role as an ISP.
• This means implementing a layered defense on their networks that:
– Makes changes to security policies and practice to reflect the new threats.
– Protects end users by implementing security on their devices and in the networks, e.g. antivirus, firewalls, and content scanning that provides file-level security.
– Deploys security products such as firewalls, Virtual Private Networks, and Intrusion Detection Systems at the appropriate points on the networks, which provide packet-level, application-level and session-level protection.
– Ensures that appropriate security is provided for services offered in the network, for example ensuring only valid persons are associated with provisioning services in the network
GSM User Identity Confidentiality

• User identity confidentiality on the radio access link
– temporary identities (TMSIs) are allocated and used instead of permanent identities (IMSIs)
• Helps protect against:
– tracking a user's location
– obtaining information about a user's calling pattern

IMSI: International Mobile Subscriber Identity
TMSI: Temporary Mobile Subscriber Identity
GSM Security Features
• Authentication
– the network operator can verify the identity of the subscriber, making it infeasible to clone someone else's mobile phone
• Confidentiality
– protects voice, data and sensitive signalling information (e.g. dialled digits) against eavesdropping on the radio path
• Anonymity
– protects against someone tracking the location of the user or identifying calls made to or from the user by eavesdropping on the radio path

• Data on the radio path is encrypted between the Mobile Equipment (ME) and the Base Transceiver Station (BTS)
– protects user traffic and sensitive signalling data against eavesdropping
– extends the influence of authentication to the entire duration of the call
• Uses the encryption key (Kc) derived during authentication
GSM Security Problems
• The GSM cipher A5/2
– A5/2 is now so weak that the cipher key can be discovered in near real time using a very small amount of known plaintext

• Accessing the signaling network
• No decryption skills required
• Needs an instrument that captures microwave signals
• Gains control of communication between the MS and the intended receiver
Attacks on the GSM networks
• Cloning:
– Cloning refers to the ability of an intruder to determine information about a personal terminal and clone it, i.e. create a duplicate copy of that personal terminal using the information collected
– This can be done by physically copying the card using a card reader device
– or the intruder eavesdrops on signaling and data connections associated with other users
• Cloning can take two forms
– Physical cloning: Mounting this attack requires, apart from physical access to the target SIM, an off-the-shelf smart card reader and a computer to direct the operation.
– A simple countermeasure is to change the hash function used for authentication to a strong one. It should be noted that COMP128-2, a new version of COMP128, has remedied the issue present in the original COMP128. It is however not known to what extent the new algorithm has been adopted by the operators.
– Cloning over the air: Cloning over the air can be accomplished using a rogue base station (RBTS); apart from the RBTS, the attacker needs to know the target IMSI or TMSI. When these resources are available the attacker starts capturing some MS; after a channel has been allocated, the RBTS then executes a procedure to clone the MS phone
– The defense against cloning over the air is to limit the number of times a SIM can be authenticated to a number significantly smaller than 150,000.

Theft of Service / Equipment

• Theft of equipment or service is a very serious problem in mobile personal communication.
• The network subsystem doesn't care whether a call has originated from a legitimate or from a stolen terminal, as long as it bills the call correctly.
• To avoid this, all personal equipment must have unique identification information that reduces the potential for stolen equipment to be reused.
• This may take the form of a tamper-resistant identifier permanently plugged into the terminal.
Rogue BTS

• Man-in-the-middle: This is the capability whereby the intruder puts itself in between the target user and a genuine network and has the ability to eavesdrop, modify, delete, re-order, replay, and spoof signaling and user data messages exchanged between the two parties. The required equipment is a rogue BTS in conjunction with a modified MS.
Compromised cipher key

• An attack that requires a modified BTS and the possession by the intruder of a compromised authentication vector, and thus exploits the weakness that the user has no control over the cipher key.
• The target user is enticed to camp on the false BTS/MS. When a call is set up, the false BTS/MS forces the use of a compromised cipher key on the mobile user.

• 3G: The presence of a sequence number in the challenge allows the USIM to verify the freshness of the cipher key, to help guard against forced re-use of a compromised authentication vector. However, the architecture does not protect against forced use of compromised authentication vectors which have not yet been used to authenticate the USIM.
• Thus, the network is still vulnerable to attacks using compromised authentication vectors which have been intercepted between generation in the authentication centre and use or destruction in the serving network.
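The GSM authentication features described earlier (SRES and Kc derived from Ki) and the 3G sequence-number freshness check on this slide, as an added example that is not part of the original deck: HMAC-SHA256 stands in for A3/A8 and the 3GPP f1..f4 functions, SQN is carried in clear rather than concealed as in real AKA, and all keys and values are constructed. It shows a replayed challenge being indistinguishable to a GSM SIM, rejected by the USIM, and an intercepted not-yet-used vector still being accepted.

```python
import hashlib
import hmac
import os


def _f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed stand-in for the SIM/USIM algorithms (A3/A8, f1..f4): HMAC-SHA256."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def gsm_sim(ki: bytes, rand: bytes) -> tuple:
    """GSM SIM: A3 gives SRES (4 bytes), A8 gives Kc (8 bytes). Nothing in the
    challenge tells the SIM whether RAND is fresh or replayed."""
    return _f(ki, b"A3", rand)[:4], _f(ki, b"A8", rand)[:8]


def auc_vector(k: bytes, sqn: int, amf: bytes = b"\x80\x00") -> dict:
    """3G AuC: build one authentication vector. AUTN = SQN || AMF || MAC, where
    MAC = f1(K, SQN, RAND, AMF). SQN is sent in clear here; real AKA conceals it."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = _f(k, b"f1", sqn_b, rand, amf)[:8]
    return {"rand": rand, "xres": _f(k, b"f2", rand)[:8], "ck": _f(k, b"f3", rand)[:16],
            "ik": _f(k, b"f4", rand)[:16], "autn": sqn_b + amf + mac}


class Usim:
    """Holds the long-term key K and the highest sequence number accepted so far."""

    def __init__(self, k: bytes, sqn_ms: int = 0):
        self.k, self.sqn_ms = k, sqn_ms

    def authenticate(self, rand: bytes, autn: bytes) -> str:
        sqn_b, amf, mac = autn[:6], autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, _f(self.k, b"f1", sqn_b, rand, amf)[:8]):
            return "MAC failure"              # challenger does not know K (rogue BTS)
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:
            return "Synchronisation failure"  # stale vector: a replayed challenge
        self.sqn_ms = sqn                     # accept and advance the freshness counter
        return "RES ok"                       # CK/IK would be derived with f3/f4 here


def demo() -> dict:
    """Compare GSM and 3G behaviour on replayed and intercepted challenges."""
    ki, k, rand = os.urandom(16), os.urandom(16), os.urandom(16)
    usim = Usim(k)
    v1 = auc_vector(k, sqn=1)            # used once legitimately
    v2 = auc_vector(k, sqn=2)            # intercepted in the core before first use
    bad = auc_vector(os.urandom(16), 3)  # built by a party that does not hold K
    return {
        "gsm_replay_indistinguishable": gsm_sim(ki, rand) == gsm_sim(ki, rand),
        "umts_first_use": usim.authenticate(v1["rand"], v1["autn"]),
        "umts_replay_of_used_vector": usim.authenticate(v1["rand"], v1["autn"]),
        "umts_intercepted_unused_vector": usim.authenticate(v2["rand"], v2["autn"]),
        "umts_unknown_key": usim.authenticate(bad["rand"], bad["autn"]),
    }
```

The "umts_intercepted_unused_vector" result is the residual weakness the slide describes: the vector is fresh from the USIM's point of view, so only protecting the vector in transit between AuC and serving network closes that gap.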
Location update spoofing

• An attack that requires a modified MS and exploits the weakness that the network cannot authenticate the messages it receives over the radio interface.
• The user spoofs a location update request in a different location area from the one in which the user is roaming.
• The network registers the user in the new location area, and the target user will be paged in that new area.
• The user is subsequently unreachable for mobile-terminated services.

• 3G: Integrity protection of critical signaling messages protects against this attack. More specifically, data authentication and replay inhibition of the location update request allow the serving network to verify that the location update request is legitimate.
Hijacking incoming calls in networks with encryption enabled

• This attack requires a modified BTS/MS. In addition to the previous attack, this time the intruder has to suppress encryption.

• 3G: Integrity protection of critical signalling messages protects against this attack. More specifically, data authentication and replay inhibition of the MS classmark and the connection accept message help prevent suppression of encryption and allow the serving network to verify that the connection accept is legitimate.
3G vs. GSM

• A change was made to defeat the false base station attack. The security mechanisms include a sequence number that ensures that the mobile can identify the network.
• Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.
• Mechanisms were included to support security within and between networks.
• Security is based within the switch rather than the base station as in GSM. Therefore links are protected between the base station and the switch.
• Integrity mechanisms for the terminal identity (IMEI) have been designed in from the start, rather than being introduced late as in GSM.
Types of Attack on 3G networks
Type of attack / Target / Purpose:
1. Worms, virus, Trojan, SMS/MMS spam. Target: other users, network elements (content). Purpose: harassment, denial of service, service interruption.
2. Denial of service; application-layer attack, SIP flooding, etc. Target: HLR, AAA, content server, signaling nodes. Purpose: attack the ability to provide service.
3. Over-billing attack. Target: operator management elements (AAA, HLR, VLR, etc). Purpose: fraud.
4. Spoofed PDP context. Target: user's session. Purpose: service theft.
5. Signaling-level attack. Target: signaling nodes. Purpose: attack the ability to provide service.
• Denial of Service
– Makes use of brute force attacks to overwhelm the target system with data so that the response from the target system is either slowed down or stopped
– Often remotely controlled by the organization orchestrating the attack
• Overbilling Attack:
– A malicious user hijacks a subscriber's IP address and then uses that connection to initiate fee-based downloads or simply uses that connection for their own purposes. The legitimate subscriber pays the bill
Attacks on the 3G networks…
• Spoofed PDP context
– The attack exploits weaknesses in GTP (GPRS Tunneling Protocol);
– Spoofed "Delete PDP context" packets, which would cause service loss or interruption to end users
– Spoofed "Create PDP context" packets, which would result in unauthorized or illegal access to the Internet or customer data networks
– GTP packet floods, which are a kind of denial of service
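The PDP-context messages from the GPRS/UMTS slide and the spoofed-PDP-context attacks listed above, together with the signaling-firewall defense the later table names, as an added example that is not code from the original deck: a GTPv1-C header parser (header layout and message-type codes as in 3GPP TS 29.060) and a simplified stateful policy that drops GTP arriving on Gi, GTP on Gp from unknown roaming partners, and Delete PDP Context Requests for tunnels never seen created. The tunnel-tracking model (peer GSN address plus header TEID) and the sample traffic are constructed assumptions, not a real product's logic.

```python
import struct

# GTPv1-C message types (3GPP TS 29.060) for the PDP-context messages in the slides
CREATE_REQ, CREATE_RESP, DELETE_REQ = 16, 17, 20


def parse_gtpv1(data: bytes) -> tuple:
    """Decode the mandatory 8-byte GTPv1 header -> (msg_type, length, teid, seq)."""
    if len(data) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError(f"unsupported GTP version {flags >> 5}")
    seq = None
    if flags & 0x07:            # E, S or PN flag set: 4 optional bytes follow
        if len(data) < 12:
            raise ValueError("truncated GTP optional fields")
        if flags & 0x02:        # S flag: sequence number present
            seq = struct.unpack("!H", data[8:10])[0]
    return msg_type, length, teid, seq


class SignalingFirewall:
    """Stateful GTP-C policy for Gn, Gp and Gi (simplified: tunnel = peer + header TEID)."""

    def __init__(self, roaming_partners: set):
        self.roaming_partners = roaming_partners   # GSN addresses allowed on Gp
        self.active = set()                        # (peer, TEID) from Create Responses

    def decide(self, iface: str, src: str, data: bytes) -> tuple:
        if iface == "Gi":                          # GTP never belongs on the Internet side
            return "DROP", "GTP arriving on Gi"
        try:
            msg_type, _, teid, _ = parse_gtpv1(data)
        except ValueError as exc:
            return "DROP", f"malformed: {exc}"
        if iface == "Gp" and src not in self.roaming_partners:
            return "DROP", f"GTP on Gp from unknown GSN {src}"
        if msg_type == CREATE_RESP:                # GGSN accepted a tunnel: remember it
            self.active.add((src, teid))
        elif msg_type == DELETE_REQ:               # only tear down tunnels we saw created
            if (src, teid) not in self.active:
                return "DROP", f"Delete PDP Context Request for unknown TEID {teid:#x}"
            self.active.discard((src, teid))
        return "ACCEPT", f"GTP-C type {msg_type}"


def gtpc(msg_type: int, teid: int, seq: int) -> bytes:
    """Build a constructed GTPv1-C header with the S flag set (sample traffic only)."""
    flags = (1 << 5) | (1 << 4) | 0x02             # version 1, PT=GTP, S flag
    body = struct.pack("!HBB", seq, 0, 0)          # seq, N-PDU number, next ext header
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body


def demo() -> list:
    """Run constructed sample traffic through the policy; returns the verdicts."""
    fw = SignalingFirewall(roaming_partners={"198.51.100.7"})
    traffic = [  # (interface, source GSN, packet)
        ("Gn", "10.0.0.2", gtpc(CREATE_RESP, 0x1234, 1)),  # GGSN accepts a PDP context
        ("Gn", "10.0.0.2", gtpc(DELETE_REQ, 0x1234, 2)),   # legitimate teardown
        ("Gn", "10.0.0.2", gtpc(DELETE_REQ, 0xBEEF, 3)),   # delete for a tunnel never created
        ("Gp", "203.0.113.9", gtpc(CREATE_REQ, 0, 4)),     # unknown roaming partner
        ("Gi", "192.0.2.50", gtpc(CREATE_REQ, 0, 5)),      # GTP from the Internet side
    ]
    return [fw.decide(i, s, p)[0] for i, s, p in traffic]
```

A GTP packet flood would be handled by rate limits on top of this per-message policy; the example shows only the per-message checks.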
3G Security Model

[Figure: 3G security architecture by stratum. Application stratum: User Application and Provider Application, linked by (IV). Home stratum / Serving stratum: USIM, HE (home environment) and SN (serving network), with (I) between the user side and the SN, (II) between HE and SN, and (III) between USIM and ME. Transport stratum: ME and AN (access network), linked by (I).]
3G Security Model

– Network access security (I): the set of security features that provide users with secure access to 3G services, and which in particular protect against attacks on the (radio) access link;
– Network domain security (II): the set of security features that enable nodes in the provider domain to securely exchange signalling data, and protect against attacks on the wireline network;
– User domain security (III): the set of security features that secure access to mobile stations;
– Application domain security (IV): the set of security features that enable applications in the user and in the provider domain to securely exchange messages;
– Visibility and configurability of security (V): the set of features that enables the user to inform himself whether a security feature is in operation or not, and whether the use and provision of services should depend on the security feature.
Defense Against specific attacks
Type of attack / Target / Defense:
1. Worms, virus, Trojan, SMS/MMS spam. Target: other users, network elements (content). Defense: device and network anti-virus, content scanning.
2. Denial of service; application-layer attack, SIP flooding, etc. Target: HLR, AAA, content server, signaling nodes. Defense: firewall, signaling scanning and IDP.
3. Over-billing attack. Target: operator management elements (AAA, HLR, VLR, etc). Defense: intrusion prevention and protection.
4. Spoofed PDP context. Target: user's session. Defense: signaling firewalls.
5. Signaling-level attack. Target: signaling nodes. Defense: firewall, signaling firewalls and IDP.
Firewall and IDP defense
Thanks
bomara@edgedsecuritysolutions.com
