Security in Cellular Communication Home : www.sharetechnote.com
Security In Cellular Communication
In any information technology, there has always been some risk of security / hacking. But until recently (probably until now) cellular communication is relatively hard (considered impossible to many people) to attack. However, I don't think it is the case any more and it is about the time to start thinking of security issues seriously in cellular communication.
Just for short, I can think of several possible points of security volnerability (i.e, points of attack). Of course, there would be more points that I failed to think of and will come out more.
For most person, the point (A) (Security Attack by Mobile phone App) would be the most widely known type. But strictly speaking this type of attack would not be classified as security issues on cellular communication itself unless it is hacking the modem chipset or mobile radio protocol. It is more of conventional (?) type of attack that we often hear of for other application like PC etc.
Other type of attack that are relatively well known would be point (D). But Jammer can be used not for attack, but for an intended purpose (e.g, blocking culluar communication in workshop hall etc), but this can be considered as a serious attacker if it is blocking (or sometimes even harming directly on hardware of the system).
When I am talking about "Security In cellular communication", I would focus more on point (B), (C), (D). These are the main topics in this note.
For some reason, (at least from 3G or later technololgy) cellular communication is almost perfectly secure from any type of security attack. I don't know exactly what is the reasoning behind this perception... I personally would think of a few reason as follows :
To me, I haven't see much differences from 3G through 5G in terms of fundamental security protection algorithm. Why we should consider seriously on this issue. What I have seen in terms of security issue is more of changes in environmental changes in accessbility of the technology. Some of those changes that I can think of are as follows.
In this section, I will try to compile various ideas and visions proposed by different sources.
Source : Roadmap to 6G (NextG Alliance)
Following is some suggestions in 6G whitepaper from SamSung at security point of view.
Don't get me wrong. This is not about to let you know of tricks of attac to be an attacker. This is for illustrating some cases of volnerability and motivating you to get interested in how to improve those volnerability by design. I will also try to summarize what I have learned from various technichs introduced in various sources that I have read and experts who I have personal connection to.
I think this is the most well known type of attack. Basically it is hijacking the victim UE and network's authentication and security parameters and manipulate it in such a way that network would apply the lowest level of security mechanism (Authentication only and no integrity protection & Ciphering) and occupay the traffic channel with victim UE's access information.
Source : LTE security disabled: misconfiguration in commercial networks by Chlosta, Merlin et al.
The description of this procedure already described in very readable way -:), I am just copying the descrition from the original paper as it is :
(1) The benign UE connects to the attacker and sends an Attach Request, containing the IMSI and Security Capabilities.
(2) The attacker forwards the Attach Request but modifies the supported algorithms to EIA0 and EEA0 only.
(3) The commercial network starts the AKA with an Authentication Request containing the challenge and network authentication (RAND and AUTN).
(4) The attacker forwards the Authentication Request to the victim UE.
Note that in case the UE connects with Attach Request but identifies with TMSI, the attacker requests the IMSI with an Identity Request. If the UE connects with Service Request or Tracking Area Update, the attacker denies access with reason Implicitly Detached, forcing the UE to re-attach with Attach Request
Following is the direct citation from the paper linked above :
The adversary repeatedly performs Random Access and generates RRC Connections in order to increase the number of active RRC Connections as depicted in the diagram shown above. In a normal situation, immediately after the RRC Connection is established, an initial NAS Connection procedure proceeds through either an NAS Attach request or NAS Service request piggybacked on an RRC Connection complete message. In our attack, the adversary sends the NAS Attach request with an arbitrary user IMSI. Unlike the normal procedure, once the adversary receives the NAS Authentication request, it restarts Random Access to establish a new RRC Connection. The reason the adversary does not reply to the NAS Authentication request from the MME is to sustain the established RRC Connection while the MME waits for a valid NAS Authentication response. If the adversary replies with an invalid NAS Authentication response, it causes immediate RRC Connection release. One consideration for the attack to succeed is that the number of newly established RRC Connections has to be greater than the number of existing RRC Connections that are released.
This attack prevents the Network from sending paging to the victim UE or cause Radio Link Failure by continuously triggering RRC Connection with the victim's S-TMSI.
For this kind of attack, the attacker should figure out Victim's S-TMSI first. How ? This is the quote from the paper linked above.