Final Presentation: 3G and GSM Security
• Background
• Overview of the GSM and 3G networks
• Security Requirements
• Security Framework for Telecommunications
• Examples of attacks on the GSM Networks
• Examples of attacks on the 3G networks
• Securing the GSM & 3G Networks
Background
• Traditional telecommunication systems relied only on physical security (locks etc.)
• One would need physical access to the switches, devices and wires in order to become a threat to the switches
• First-generation (1G) cellular systems were the earliest to be developed (first trial system in the USA, 1978)
• 1G was purely analogue and used for voice calls only
• First-generation analogue phones (1980 onwards) were horribly insecure
• Eavesdropping in 1G was very easy: all you had to do was tune a radio receiver until you could hear someone talking
• 2G GSM networks were the logical next stage in the development of wireless systems after 1G
• 2G GSM provides a basic range of security features to protect both the operator and the customer: subscriber anonymity (temporary identities on the air interface), subscriber authentication, and confidentiality of user traffic and signalling data on the radio path
Background (continued)
• 2G GSM is the most successful telephone network, with more than 800 million users worldwide at the time of writing
• 3G mobile telephone networks are the latest stage in the development of wireless communications technology
• 3G systems support much higher data transmission rates and offer increased capacity
• 3G systems use packet switching for data, which is more efficient and faster than the traditional circuit-switched approach (voice remains circuit-switched in early 3G releases)
• 3G mobile phones can offer subscribers a wide range of data services, such as mobile Internet access and multimedia applications, as well as voice services
• 3G turns mobile telecommunication systems into computer- and network-based systems
• Widespread access and loose coupling of interconnected telecommunication and IT systems are a primary source of widespread vulnerability
• Operators must now seek cost-effective, comprehensive security solutions that can be applied to various types of networks, services and applications
Overview of GSM Network
[Figure: network overview. A Radio Access Network (2G/2.5G BTS, 3G, RNC, IP RAN) carries voice to a circuit switch and data plus voice into a packet IP core. The circuit side comprises a circuit/signalling gateway, mobility manager, IN services, feature server(s) and a call agent; the packet side comprises a control/packet gateway connecting to the Intranet.]
• As mobile operators move to 3G networks, they are for the most part not deploying new networks but leveraging their existing 2.5G network infrastructure
• Radio Network Controller (RNC): schedules packet transmission on the air interface and manages handovers between base stations
• The IP core network provides the gateway between the access network and the Internet or private corporate networks. It provides authentication, authorisation and accounting (AAA) services, provides access to network services and IP mobility, and manages IP addresses
• 3G systems support much higher data transmission rates and offer increased capacity
• More services are now available, such as mobile Internet access and multimedia applications
GPRS/UMTS Network Structure
3G/2.5G Interface to Other Networks
• The figure illustrates the structure of the GPRS/UMTS core used in 2.5G/3G networks to connect the GSM network to the Internet or corporate networks
• A subscriber using a high-speed IP-based data service connects to other networks through the Serving GPRS Support Node (SGSN), which uses the GPRS Tunnelling Protocol (GTP) to reach the Gateway GPRS Support Node (GGSN)
• The SGSN uses GTP to activate a session on the subscriber's behalf. This is called PDP context activation
• The PDP context is a data structure which contains information such as the mobile's IP address, the tunnel endpoint identifiers (TEIDs) for the GTP session on both the SGSN and the GGSN, and the subscriber's IMSI
• However, GTP itself implements no authentication, data integrity check or confidentiality protection,
• which means that it can be abused by any attacker able to deliver packets to the GTP interfaces of an SGSN or GGSN
• GTP is used in several GSM-based mobile operators' networks on the following interfaces:
– Gn interface connecting the SGSN and GGSN within one operator's network
– Gp interface connecting to other operators' networks (roaming)
– Gi interface connecting the GGSN to the Internet (plain IP: user packets leave the GTP tunnel here, so GTP itself should never be seen on Gi)
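Because GTP carries no authentication of its own, the only defences available to a signalling firewall on Gn/Gp are topological: which interface a datagram arrived on, which peer sent it, and whether the TEID it names was actually allocated during PDP context activation (this is also what the "spoofed PDP context" row of the defence table later in the deck relies on). The following is an added example, not code from the slides: it encodes and parses the GTPv1 header (flags, message type, length, TEID, optional sequence-number octets) and applies such a policy. The roaming-partner prefix, the set of active TEIDs and the sample packets are constructed for illustration.

```python
"""GTPv1 header parsing plus a minimal signalling-firewall policy.

Added example (not from the slides). ROAMING_PARTNERS and ACTIVE_TEIDS are
constructed policy data standing in for what a real GGSN/firewall would hold.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GTPC_PORT = 2123           # GTP-C: PDP context signalling
GTPU_PORT = 2152           # GTP-U: tunnelled user IP packets
MSG_ECHO_REQUEST = 1
MSG_ECHO_RESPONSE = 2
MSG_CREATE_PDP_REQ = 16
MSG_G_PDU = 255            # a tunnelled user packet

# Constructed: the Gp peers we roam with, and the TEIDs this GGSN has allocated.
ROAMING_PARTNERS = [ip_network("198.51.100.0/24")]
ACTIVE_TEIDS = {0x0000A001, 0x0000A002}


@dataclass
class GtpHeader:
    msg_type: int
    length: int            # octets following the 8 mandatory header octets
    teid: int
    seq: Optional[int]
    payload: bytes


def build_gtpv1(msg_type: int, teid: int, payload: bytes = b"", seq: Optional[int] = None) -> bytes:
    """Encode a GTPv1 message (version 1, PT=1, optional S flag)."""
    flags = 0x30                                   # version 1, PT = GTP (not GTP')
    optional = b""
    if seq is not None:
        flags |= 0x02                              # S flag: sequence number present
        optional = struct.pack("!HBB", seq, 0, 0)  # seq, N-PDU number, next ext type
    header = struct.pack("!BBHI", flags, msg_type, len(optional) + len(payload), teid)
    return header + optional + payload


def parse_gtpv1(data: bytes) -> GtpHeader:
    """Decode a GTPv1 header; raise ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("short header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError(f"unsupported GTP version {flags >> 5}")
    if len(data) - 8 != length:
        raise ValueError("length field does not match datagram size")
    offset, seq = 8, None
    if flags & 0x07:                               # E, S or PN set: 4 optional octets follow
        if len(data) < 12:
            raise ValueError("optional fields truncated")
        seq = struct.unpack("!H", data[8:10])[0] if flags & 0x02 else None
        offset = 12
    return GtpHeader(msg_type, length, teid, seq, data[offset:])


def filter_gtp(iface: str, src_ip: str, dst_port: int, data: bytes) -> tuple:
    """Return (allow, reason) for one GTP datagram seen on Gn, Gp or Gi."""
    if iface == "Gi":
        return False, "GTP must never appear on Gi (user plane is plain IP there)"
    try:
        hdr = parse_gtpv1(data)
    except ValueError as exc:
        return False, f"malformed GTP: {exc}"
    if dst_port == GTPC_PORT:
        if iface == "Gp" and not any(ip_address(src_ip) in net for net in ROAMING_PARTNERS):
            return False, "GTP-C from a non-partner address on Gp"
        return True, f"GTP-C message type {hdr.msg_type} accepted"
    if dst_port == GTPU_PORT:
        if hdr.msg_type in (MSG_ECHO_REQUEST, MSG_ECHO_RESPONSE):
            return True, "GTP-U path echo"
        if hdr.msg_type != MSG_G_PDU:
            return False, "signalling message on the user-plane port"
        if hdr.teid not in ACTIVE_TEIDS:
            return False, f"G-PDU for unknown TEID {hdr.teid:#010x}"
        return True, "G-PDU for an active PDP context"
    return False, f"unexpected destination port {dst_port}"
```

The TEID check is the important one for the user plane: a G-PDU whose TEID was never handed out in a Create PDP Context Response is either a probe or an attempt to inject traffic into (or bill to) someone else's session, and the header gives the firewall nothing else to go on.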
3GPP Signalling and Application: IMS Network
• 3GPP (and 3GPP2 for CDMA networks) has defined a standards-based network that sits on top of the emerging wireless 3G network
• The IP Multimedia Subsystem (IMS) is a framework for delivering Internet Protocol multimedia services
• The Home Subscriber Server (HSS) plays a role similar to that of the HLR in an IMS implementation
• The Session Initiation Protocol (SIP) is the signalling protocol used in IMS to set up sessions, including voice over IP calls
Securing the GSM & 3G Networks
• The first step in securing telecommunication networks is for operators to recognise their new-found role as an ISP
• This means implementing a layered defence on their networks that:
– Changes security policies and practice to reflect the new threats
– Protects end users by implementing security on their devices and in the network, e.g. antivirus, firewalls, and content scanning that provides file-level security
– Deploys security products such as firewalls, Virtual Private Networks and Intrusion Detection Systems at the appropriate points in the network, providing packet-level, application-level and session-level protection
– Ensures that appropriate security is provided for the services offered in the network, for example that only authorised persons can provision services
GSM Confidentiality on the Radio Path
• Data on the radio path is encrypted between the Mobile Equipment (ME) and the Base Transceiver Station (BTS)
– protects user traffic and sensitive signalling data against eavesdropping
– extends the effect of authentication to the entire duration of the call, since only a party holding the session key can produce valid ciphertext
• Uses the encryption key (Kc) derived during authentication (computed by A8 from the subscriber key Ki and the challenge RAND); the link beyond the BTS is not protected by GSM
GSM Security Problems and 3G Improvements
• The GSM cipher A5/2
– A5/2 is now so weak that the cipher key can be recovered in near real time from a very small amount of known plaintext
• 3G changed the authentication protocol to defeat the false base station attack: the authentication token carries a sequence number and a message authentication code, so the mobile can verify that the challenge came from its home network and is fresh (mutual authentication)
• Key lengths were increased (128-bit cipher and integrity keys) to allow for stronger algorithms for encryption and integrity
• Mechanisms were included to support security within and between networks
• Security is based within the switch (the RNC in UMTS) rather than the base station as in GSM, so the links between the base station and the switch are protected
• Integrity mechanisms for the terminal identity (IMEI) were designed in from the start, rather than being introduced late, as in GSM
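The difference between GSM authentication (the previous slide) and the 3G fix for the false base station attack is easiest to see with both exchanges side by side. The following is an added example, not code from the slides or from any 3GPP specification: the A3/A8 and f1..f5 functions are HMAC-SHA256 stand-ins (an assumption of this example; real networks use COMP128 variants and Milenage), and the keys, RAND values and sequence numbers are constructed. What it shows is structural: a GSM SIM answers any RAND it is sent, whereas a USIM checks the MAC and sequence number in AUTN before it answers, so a forged or replayed challenge is rejected.

```python
"""GSM one-way authentication versus 3G/UMTS AKA mutual authentication.

Added example. _kdf is an HMAC-SHA256 stand-in for the operator-specific
A3/A8 and f1..f5 algorithms (an assumption, not Milenage or COMP128).
"""
import hashlib
import hmac
import os
from typing import Optional


def _kdf(key: bytes, label: bytes, *parts: bytes, size: int) -> bytes:
    """Keyed one-way function with domain separation, truncated to `size` octets."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:size]


# ---- GSM: challenge-response with A3 (SRES) and A8 (Kc); the SIM verifies nothing ----
def gsm_network_challenge(ki: bytes, rand: Optional[bytes] = None):
    """AuC side: pick a 128-bit RAND and precompute the expected SRES and Kc."""
    rand = rand or os.urandom(16)
    return rand, _kdf(ki, b"A3", rand, size=4), _kdf(ki, b"A8", rand, size=8)


def gsm_sim_response(ki: bytes, rand: bytes):
    """SIM side: returns (SRES, Kc) for ANY RAND, including one from a false BTS."""
    return _kdf(ki, b"A3", rand, size=4), _kdf(ki, b"A8", rand, size=8)


# ---- 3G/UMTS AKA: AUTN = (SQN xor AK) || AMF || MAC lets the USIM authenticate the network ----
def umts_generate_av(k: bytes, sqn: int, amf: bytes = b"\x00\x00", rand: Optional[bytes] = None) -> dict:
    """HE/AuC side: build one authentication vector (RAND, XRES, CK, IK, AUTN)."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = _kdf(k, b"f1", rand, sqn_b, amf, size=8)    # authenticates RAND, SQN and AMF
    ak = _kdf(k, b"f5", rand, size=6)                 # anonymity key conceals SQN
    conc_sqn = bytes(a ^ b for a, b in zip(sqn_b, ak))
    return {
        "rand": rand,
        "xres": _kdf(k, b"f2", rand, size=8),
        "ck": _kdf(k, b"f3", rand, size=16),          # 128-bit cipher key
        "ik": _kdf(k, b"f4", rand, size=16),          # 128-bit integrity key
        "autn": conc_sqn + amf + mac,                 # 16 octets, as in UMTS
    }


def usim_verify(k: bytes, rand: bytes, autn: bytes, sqn_ms: int):
    """USIM side: check MAC and SQN freshness, then return (RES, CK, IK, SQN).

    Raises ValueError for a bad MAC (false base station) or a stale SQN (replay).
    """
    conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    ak = _kdf(k, b"f5", rand, size=6)
    sqn_b = bytes(a ^ b for a, b in zip(conc_sqn, ak))
    if not hmac.compare_digest(mac, _kdf(k, b"f1", rand, sqn_b, amf, size=8)):
        raise ValueError("MAC failure: network not authenticated")
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= sqn_ms:
        raise ValueError("synchronisation failure: SQN not fresh")
    return _kdf(k, b"f2", rand, size=8), _kdf(k, b"f3", rand, size=16), _kdf(k, b"f4", rand, size=16), sqn


def run_demo(ki: bytes = bytes(range(16)), rand: bytes = b"\x11" * 16) -> dict:
    """Run both exchanges on constructed inputs and report what each side accepts."""
    _, sres, kc = gsm_network_challenge(ki, rand)
    sres_sim, kc_sim = gsm_sim_response(ki, rand)
    sres_to_false_bts, _ = gsm_sim_response(ki, b"\xff" * 16)   # attacker-chosen RAND
    av = umts_generate_av(ki, sqn=41, rand=rand)
    res, ck, ik, sqn = usim_verify(ki, av["rand"], av["autn"], sqn_ms=40)
    tampered = bytearray(av["autn"])
    tampered[-1] ^= 0x01                                        # flip one MAC bit

    def rejected(autn: bytes, sqn_ms: int) -> bool:
        try:
            usim_verify(ki, av["rand"], bytes(autn), sqn_ms)
            return False
        except ValueError:
            return True

    return {
        "gsm_sim_matches_network": (sres, kc) == (sres_sim, kc_sim),
        "gsm_sim_answers_false_bts": len(sres_to_false_bts) == 4,
        "umts_res_matches_xres": res == av["xres"] and (ck, ik) == (av["ck"], av["ik"]),
        "umts_tampered_autn_rejected": rejected(tampered, 40),
        "umts_replayed_autn_rejected": rejected(av["autn"], sqn),
    }
```

Note the asymmetry the code makes concrete: in the GSM flow nothing the SIM computes depends on whether the network is genuine, so a false BTS can run the exchange, then simply not enable encryption. In the 3G flow the USIM refuses to produce RES or session keys unless the MAC verifies under its own key and the sequence number advances.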
Types of Attack on 3G Networks
Type of attack | Target | Purpose
1. Worms, viruses, Trojans, SMS/MMS spam | Other users; network elements (content) | Harassment, denial of service, service interruption
2. Denial of service: application-layer attacks, SIP flooding, etc. | HLR, AAA, content servers, signalling nodes | Attack the ability to provide service
3. Over-billing attack | Operator management elements (AAA, HLR, VLR, etc.) | Fraud
[Figure: 3G security architecture. Application stratum: User Application and Provider Application, linked by application domain security (IV). Home/Serving stratum: USIM, HE (home environment) and SN (serving network); Transport stratum: ME and AN (access network). Network access security (I) runs between USIM/ME and SN/AN, network domain security (II) between HE and SN, and user domain security (III) between USIM and ME.]
3G Security Model
– Network access security (I): the set of security features that provide users with secure access to 3G services, and which in particular protect against attacks on the (radio) access link;
– Network domain security (II): the set of security features that enable nodes in the provider domain to securely exchange signalling data, and protect against attacks on the wireline network;
– User domain security (III): the set of security features that secure access to mobile stations;
– Application domain security (IV): the set of security features that enable applications in the user and in the provider domain to securely exchange messages;
– Visibility and configurability of security (V): the set of features that enable the user to inform himself whether a security feature is in operation or not, and whether the use and provision of services should depend on the security feature.
Defence Against Specific Attacks
Type of attack | Target | Defence
1. Worms, viruses, Trojans, SMS/MMS spam | Other users; network elements (content) | Device and network anti-virus, content scanning
2. Denial of service: application-layer attacks, SIP flooding, etc. | HLR, AAA, content servers, signalling nodes | Firewall, signalling scanning and IDP
3. Over-billing attack | Operator management elements (AAA, HLR, VLR, etc.) | Intrusion prevention and protection
4. Spoofed PDP context | User sessions | Signalling firewalls
5. Signalling-level attack | Signalling nodes | Firewall, signalling firewalls and IDP
Firewall and IDP Defence
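The "signalling scanning and IDP" defence against SIP flooding (attack type 2 in the tables above) amounts to two checks in front of the IMS core: reject signalling that is not well-formed SIP before it reaches a call server, and rate-limit session-creating requests per source. The following is an added example, not code from the slides or from any IMS product: a minimal SIP request parser and a sliding-window INVITE flood detector run over constructed traffic. The threshold (20 INVITEs per second per source), the addresses and the SIP messages are assumptions for illustration.

```python
"""SIP signalling scanning and INVITE flood detection in front of an IMS core.

Added example. Threshold, window, addresses and SIP messages are constructed.
"""
import re
from collections import defaultdict, deque

INVITE_THRESHOLD = 20        # assumed policy: INVITEs per source per window
WINDOW_SECONDS = 1.0
_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>sip:\S+) SIP/2\.0$")
_REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")


def parse_sip_request(raw: str) -> dict:
    """Parse a SIP request; raise ValueError if it is not well-formed SIP."""
    lines = raw.split("\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                                   # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    missing = [h for h in _REQUIRED_HEADERS if h not in headers]
    if missing:
        raise ValueError(f"missing headers: {missing}")
    return {"method": m["method"], "uri": m["uri"], "headers": headers}


class SipFloodDetector:
    """Drops malformed signalling and blocks sources exceeding the INVITE rate."""

    def __init__(self, threshold: int = INVITE_THRESHOLD, window: float = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.invites = defaultdict(deque)           # src_ip -> INVITE timestamps in window
        self.blocked = set()

    def observe(self, ts: float, src_ip: str, raw: str) -> str:
        """Return 'pass' or 'drop' for one signalling datagram."""
        if src_ip in self.blocked:
            return "drop"
        try:
            req = parse_sip_request(raw)
        except ValueError:
            return "drop"                           # never forward non-SIP to the call server
        if req["method"] != "INVITE":
            return "pass"                           # only session setup is rate-limited here
        q = self.invites[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.blocked.add(src_ip)
            return "drop"
        return "pass"


def sip_invite(user: str, call_id: str, host: str = "203.0.113.10") -> str:
    """Constructed INVITE for a user on an assumed IMS domain."""
    return (
        "INVITE sip:bob@ims.example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {host}:5060;branch=z9hG4bK{call_id}\r\n"
        f"From: <sip:{user}@ims.example.net>;tag=1\r\n"
        "To: <sip:bob@ims.example.net>\r\n"
        f"Call-ID: {call_id}@{host}\r\n"
        "CSeq: 1 INVITE\r\n\r\n"
    )


def run_demo(threshold: int = INVITE_THRESHOLD, window: float = WINDOW_SECONDS) -> dict:
    """Constructed traffic: a normal caller, a flooding source and a non-SIP datagram."""
    det = SipFloodDetector(threshold, window)
    legit = [det.observe(10.0 + 3 * i, "203.0.113.10", sip_invite("alice", f"a{i}")) for i in range(3)]
    flood = [det.observe(20.0 + 0.01 * i, "198.51.100.66", sip_invite("x", f"f{i}", "198.51.100.66"))
             for i in range(50)]
    junk = det.observe(30.0, "203.0.113.11", "GET / HTTP/1.1\r\nHost: ims.example.net\r\n\r\n")
    return {
        "legit_passed": legit.count("pass"),
        "flood_passed": flood.count("pass"),
        "flood_dropped": flood.count("drop"),
        "junk": junk,
        "blocked": sorted(det.blocked),
    }
```

The parser check does most of the work against the "signalling-level attack" row as well: anything that is not syntactically SIP is dropped before the CSCF ever sees it, and only real INVITEs count towards the per-source rate.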
Thanks
bomara@edgedsecuritysolutions.com
References
• 3G TS 33.120, Security Principles and Objectives
http://www.3gpp.org/ftp/tsg_sa/WG3_Security/_Specs/33120-300.pdf
• 3G TS 21.133, Security Threats and Requirements
http://www.arib.or.jp/IMT-2000/ARIB-spec/ARIB/21133-310.PDF
• Michael Walker, "On the Security of 3GPP Networks"
http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/mike_walker.pdf