Security in Cellular Communication





Security In Cellular Communication


In any information technology there has always been some risk of attack or hacking. But until recently (probably until now), cellular communication has been relatively hard to attack, and many people considered it practically impossible. I don't think that is the case any more, and it is about time to start thinking seriously about security issues in cellular communication.

In short, I can think of several possible points of security vulnerability (i.e., points of attack). Of course there would be more points that I failed to think of, and more will come out over time.




Possible Points of Attacks


For most people, point (A) (security attack by a mobile phone app) would be the most widely known type. But strictly speaking this type of attack would not be classified as a security issue of cellular communication itself, unless it is attacking the modem chipset or the mobile radio protocol. It is more the conventional type of attack that we often hear of on other platforms like PCs.

Another relatively well known type of attack is point (D), the jammer. A jammer can also be used for a legitimate purpose (e.g., blocking cellular communication in a workshop hall), but it has to be considered a serious attacker when it is blocking service, or sometimes even directly damaging the hardware of the system.

When I talk about "Security in Cellular Communication", I will focus more on points (B), (C) and (D). These are the main topics of this note.





Why didn't we worry much about Cellular Security ?


For some reason, cellular communication (at least 3G or later technology) has been perceived as almost perfectly secure from any type of attack. I don't know exactly what the reasoning behind this perception is, but I personally would think of a few reasons as follows :

  • The security architecture of cellular communication is robust by design. It has several different protection mechanisms running at multiple layers by default (e.g., authentication, integrity protection and ciphering). I am not an expert who can technically verify that these algorithms are stronger than others by design.
  • Security key material (e.g., K and OPc; the AMF that travels with AUTN is a related parameter rather than a key) is not managed by each individual user. Even the user does not know those values on their own device. They are stored in the USIM card and in the database on the carrier side, and they have a certain level of complexity by default (you cannot set something like 12345678, your birthday or your phone number for those keys -:)).
  • For attackers to develop any method of attack, they need to do research and experiments on the target system. But it has been prohibitively expensive to get access to such R&D systems.
  • There are relatively few people who understand the details of the system to the point where they could figure out its weak points.




Why should we worry about this now ?


To me, I haven't seen much difference from 3G through 5G in terms of the fundamental security protection algorithms. So why should we now consider this issue seriously ? What I have seen in terms of security is more a change in the environment, i.e. in the accessibility of the technology. Some of those changes that I can think of are as follows.

  • Development of software technology and reduced cost of hardware : Now there are many purely software-based protocol implementations running on general purpose hardware (like a PC, even a very low cost one like a Raspberry Pi). Of course, the original motivation for this kind of software-based implementation on general purpose equipment is not to attack anything. But historically we all know that most of these attacks simply reuse well-intentioned technology for ill-purposed applications.
  • It is also getting more difficult to guarantee quality assurance in terms of security as more diverse implementations come out, especially implementations in software running on general purpose hardware. This concern is also raised in a 6G whitepaper from Samsung.
  • Number of people who are fluent in the technology : As mentioned above, I think security attacks are mostly an ethical issue rather than a technical issue. Usually in the early phase of a technology, when there is no huge mass of experts on it, the ethics of its utilization are relatively well maintained, but as the technology gets into the hands of a wider range of people it gets more and more difficult to maintain the ethics that were originally intended, and even the definition of the ethics varies depending on various factors.
  • Now there are active discussions on the next generation cellular system (6G). It is a good time to think about this, from innovating the security protection algorithms themselves to how to deal with the ethical issues using technology.




What to expect in Security Protection in next generation (6G) cellular system ?


In this section, I will try to compile various ideas and visions proposed by different sources.


Source : Roadmap to 6G (NextG Alliance)



Following are some suggestions from the 6G whitepaper from Samsung, from a security point of view.

  • Hardware-based secure environment that provides secure operation of software code and protection of credential
  • Secure-by-design approach to guarantee that any hardware/software can be trusted
  • Transparency to ensure that the system identifies how and when the AI system accesses any code, training data, etc. related to personal information as well as how securely the AI system operates against adversarial machine learning
  • Mechanisms to securely utilize an unprecedented amount of information concerning business and human users and to strictly maintain the privacy of such information




How to attack ?


Don't get me wrong. This is not about teaching you tricks of attack so that you can become an attacker. This is for illustrating some cases of vulnerability and motivating you to get interested in how to fix those vulnerabilities by design. I will also try to summarize what I have learned from the various techniques introduced in the sources that I have read and from experts whom I have personal connections with.



Impersonation Attack


I think this is the most well known type of attack. Basically an attacker sits between the victim UE and the network (acting as a rogue eNB toward the UE and as a rogue UE toward the network) and manipulates the security capabilities the UE advertises, so that the network applies the lowest level of security (authentication only, with null integrity protection EIA0 and no ciphering EEA0). The AKA itself still succeeds because the attacker simply forwards the challenge and the response. Since neither ciphering nor integrity protection is then in place, the attacker can observe and manipulate the victim's traffic while using the victim's access information toward the network.


Source :  LTE security disabled: misconfiguration in commercial networks, by Merlin Chlosta et al.


The procedure is already described in a very readable way in the paper -:), so I am just copying the description from the original paper as it is :

    (1) The benign UE connects to the attacker and sends an Attach Request, containing the IMSI and Security Capabilities.

    (2) The attacker forwards the Attach Request but modifies the supported algorithms to EIA0 and EEA0 only.

    (3) The commercial network starts the AKA with an Authentication Request containing the challenge and network authentication (RAND and AUTN).

    (4) The attacker forwards the Authentication Request to the victim UE.

Note that in case the UE connects with Attach Request but identifies with TMSI, the attacker requests the IMSI with an Identity Request. If the UE connects with Service Request or Tracking Area Update, the attacker denies access with reason Implicitly Detached, forcing the UE to re-attach with Attach Request
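The following is an added example, not code from the page or from the cited paper. It models steps (1) and (2) above and the Security Mode Command that follows a successful AKA, with a correctly configured MME (which refuses EIA0 for an ordinary attach) beside the misconfigured one, and shows why the usual UE-side defence (comparing the capabilities the network replays in the Security Mode Command with the ones the UE sent) is not enough on its own. The bit layout follows the UE security capability IE in 3GPP TS 24.301; the message dicts, the MME preference lists, the IMSI and the relay's rewriting of the Security Mode Command are my modelling assumptions, not steps quoted on this page.

```python
# Added example (not code from the page or the cited paper): a toy model of the
# capability bidding-down relay quoted above, plus the UE-side acceptance check
# that defeats it. Bitmask layout follows the UE security capability IE of
# 3GPP TS 24.301 (one octet for EEA, one for EIA; 0x80 = algorithm 0 down to
# 0x10 = algorithm 3). Message dicts, MME preference lists and the IMSI are
# assumptions made for this example.

EEA0, EEA1, EEA2, EEA3 = 0x80, 0x40, 0x20, 0x10   # NAS ciphering algorithms
EIA0, EIA1, EIA2, EIA3 = 0x80, 0x40, 0x20, 0x10   # NAS integrity algorithms
NULL_ONLY = (EEA0, EIA0)                            # what the relay advertises
NORMAL_UE_CAPS = (EEA0 | EEA1 | EEA2, EIA0 | EIA1 | EIA2)


def select_algorithms(ue_caps, pref_eea, pref_eia):
    """First algorithm in the MME's preference order that the UE advertises."""
    eea_caps, eia_caps = ue_caps
    eea = next((a for a in pref_eea if a & eea_caps), None)
    eia = next((a for a in pref_eia if a & eia_caps), None)
    return None if eea is None or eia is None else (eea, eia)


def relay_attach_request(attach_request):
    """Step (2) quoted above: forward the Attach Request with EEA0/EIA0 only."""
    return dict(attach_request, ue_security_capabilities=NULL_ONLY)


def mme_security_mode_command(attach_request, allow_null_integrity,
                              pref_eea=(EEA2, EEA1, EEA0),
                              pref_eia=(EIA2, EIA1, EIA0)):
    """Build the NAS Security Mode Command (SMC).

    A correctly configured MME never selects EIA0 for an ordinary attach
    (3GPP reserves EIA0 for unauthenticated emergency sessions); the
    misconfiguration studied in the paper is modelled by allow_null_integrity.
    """
    if not allow_null_integrity:
        pref_eia = tuple(a for a in pref_eia if a != EIA0)
    chosen = select_algorithms(attach_request["ue_security_capabilities"],
                               pref_eea, pref_eia)
    if chosen is None:
        return {"type": "SecurityModeReject"}
    return {"type": "SecurityModeCommand", "selected": chosen,
            "replayed_caps": attach_request["ue_security_capabilities"]}


def ue_check_smc(sent_caps, smc, reject_null_integrity=True):
    """UE acceptance check; returns (accept, reason).

    Comparing the replayed capabilities is the standard bidding-down defence,
    but it only helps when the SMC's MAC is real. A UE that also refuses EIA0
    for non-emergency service (reject_null_integrity) closes the gap.
    """
    if smc["type"] != "SecurityModeCommand":
        return False, "no security mode command (attach fails)"
    if smc["replayed_caps"] != sent_caps:
        return False, "replayed capabilities differ from those sent"
    if smc["selected"][1] == EIA0 and reject_null_integrity:
        return False, "EIA0 selected for non-emergency service"
    return True, "accepted"


def run_exchange(mitm, allow_null_integrity, reject_null_integrity=True):
    """Steps (1)-(2) plus the SMC after AKA. Returns (smc, ue_decision)."""
    attach = {"type": "AttachRequest",
              "imsi": "001010123456789",        # constructed, test PLMN 001-01
              "ue_security_capabilities": NORMAL_UE_CAPS}
    smc = mme_security_mode_command(
        relay_attach_request(attach) if mitm else attach, allow_null_integrity)
    if mitm and smc["type"] == "SecurityModeCommand" and smc["selected"][1] == EIA0:
        # Modelling assumption: with EIA0 the SMC's MAC provides no protection,
        # so the relay can restore the UE's original capabilities and pass the
        # replay comparison. Only the EIA0 rule in ue_check_smc still catches it.
        smc = dict(smc, replayed_caps=NORMAL_UE_CAPS)
    return smc, ue_check_smc(NORMAL_UE_CAPS, smc, reject_null_integrity)


if __name__ == "__main__":
    for mitm, null_ok, strict in [(False, False, True), (True, False, True),
                                  (True, True, True), (True, True, False)]:
        smc, (accept, why) = run_exchange(mitm, null_ok, strict)
        print(f"mitm={mitm} mme_allows_EIA0={null_ok} ue_rejects_EIA0={strict}: "
              f"{smc['type']} selected={smc.get('selected')} -> {accept} ({why})")
```

Running it shows the three outcomes a practitioner cares about: with a properly configured MME the relay only causes a Security Mode Reject (the victim loses service but is not downgraded); with the misconfigured MME the network really selects EEA0/EIA0, and whether the victim ends up on a null-security connection then depends entirely on the UE refusing EIA0 for ordinary service, since the replay comparison can be defeated once integrity is null.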




Resource Depletion Attack


Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim et al


Following is the direct citation from the paper linked above :


The adversary repeatedly performs Random Access and generates RRC Connections in order to increase the number of active RRC Connections as depicted in the diagram shown above. In a normal situation, immediately after the RRC Connection is established, an initial NAS Connection procedure proceeds through either an NAS Attach request or NAS Service request piggybacked on an RRC Connection complete message. In our attack, the adversary sends the NAS Attach request with an arbitrary user IMSI. Unlike the normal procedure, once the adversary receives the NAS Authentication request, it restarts Random Access to establish a new RRC Connection. The reason the adversary does not reply to the NAS Authentication request from the MME is to sustain the established RRC Connection while the MME waits for a valid NAS Authentication response. If the adversary replies with an invalid NAS Authentication response, it causes immediate RRC Connection release. One consideration for the attack to succeed is that the number of newly established RRC Connections has to be greater than the number of existing RRC Connections that are released.




Blind DoS Attack


This attack prevents the network from sending paging to the victim UE, or causes a Radio Link Failure, by continuously triggering RRC Connections with the victim's S-TMSI.


Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim  et al


For this kind of attack, the attacker first has to figure out the victim's S-TMSI. How ?  This is the quote from the paper linked above.

  • An adversary who has knowledge of the victim’s phone number or accounts on social media (such as Facebook and Whatsapp) could obtain the victim’s S-TMSI by performing a silent Paging attack.
  • An adversary located in the vicinity of the target user could operate a rogue eNB to obtain the NAS TAU request of the victim UE. This request contains the S-TMSI of the victim UE. As soon as this message is received, the adversary turns off the rogue eNB to enable the victim UE to recover the LTE service by connecting to a carrier network.
  • The adversary sniffs the RRC Connection procedure of the target UE to obtain the S-TMSI of the target UE as specified in the RRC Connection setup
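Both the Resource Depletion attack and the Blind DoS attack quoted above leave a signature in the control-plane event stream of the serving cell: many RRC Connections that reach an Authentication Request and are then abandoned, and the same S-TMSI appearing in RRC Connection Requests far more often than a real UE would produce. The following detector is an added example, not code from the page or the cited paper. The event record format and the sample events are constructed for this example (real eNB/MME traces have vendor-specific formats); the thresholds are assumptions to be tuned per deployment.

```python
# Added example (not from the page or the cited paper): detection logic for the
# two attacks quoted above, run over a constructed control-plane event stream.
# Record fields (t, cell, event, conn, ue_id) are assumptions for this example.

def _ev(t, cell, event, conn=None, ue_id=None):
    return {"t": t, "cell": cell, "event": event, "conn": conn, "ue_id": ue_id}


# Constructed sample stream (NOT a real trace): one legitimate UE, then the
# resource depletion pattern, then the blind DoS pattern, all on one cell.
SAMPLE_EVENTS = (
    # Legitimate UE: connection c1 completes the authentication exchange.
    [_ev(0.00, "cell-17", "rrc_conn_req", "c1", "stmsi-1a2b3c4d"),
     _ev(0.05, "cell-17", "attach_req", "c1"),
     _ev(0.10, "cell-17", "auth_req", "c1"),
     _ev(0.20, "cell-17", "auth_resp", "c1")]
    # Resource depletion: six connections with arbitrary identities reach the
    # Authentication Request and are abandoned (no Authentication Response).
    + [e for i in range(6) for e in (
        _ev(1.00 + 0.3 * i, "cell-17", "rrc_conn_req", f"c1{i}", f"rand-{i:08x}"),
        _ev(1.05 + 0.3 * i, "cell-17", "attach_req", f"c1{i}"),
        _ev(1.10 + 0.3 * i, "cell-17", "auth_req", f"c1{i}"))]
    # Blind DoS: the victim's S-TMSI is used in eight RRC Connection Requests
    # within two seconds.
    + [_ev(5.0 + 0.25 * i, "cell-17", "rrc_conn_req", f"c2{i}", "stmsi-deadbeef")
       for i in range(8)]
)


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for i, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, i - start + 1)
    return best


def detect_resource_depletion(events, window=10.0, threshold=5):
    """Cells where >= `threshold` connections within `window` seconds reached an
    Authentication Request that was never answered (the adversary keeps the RRC
    Connection alive by staying silent and starts a new Random Access instead).
    Returns {cell: count}."""
    auth_sent = {}                       # conn -> (cell, time of auth_req)
    answered = set()
    for e in events:
        if e["event"] == "auth_req":
            auth_sent[e["conn"]] = (e["cell"], e["t"])
        elif e["event"] == "auth_resp":
            answered.add(e["conn"])
    per_cell = {}
    for conn, (cell, t) in auth_sent.items():
        if conn not in answered:
            per_cell.setdefault(cell, []).append(t)
    return {cell: n for cell, ts in per_cell.items()
            if (n := _max_in_window(ts, window)) >= threshold}


def detect_blind_dos(events, window=5.0, threshold=5):
    """S-TMSIs that appear in >= `threshold` RRC Connection Requests within
    `window` seconds. A real UE reconnects a few times at most; a flood of
    requests carrying one S-TMSI is the blind DoS pattern. Returns {s_tmsi: count}."""
    per_id = {}
    for e in events:
        if e["event"] == "rrc_conn_req" and e["ue_id"]:
            per_id.setdefault(e["ue_id"], []).append(e["t"])
    return {uid: n for uid, ts in per_id.items()
            if (n := _max_in_window(ts, window)) >= threshold}


if __name__ == "__main__":
    print("resource depletion:", detect_resource_depletion(SAMPLE_EVENTS))
    print("blind DoS:", detect_blind_dos(SAMPLE_EVENTS))
```

The two rules deliberately key on different things: the first on unanswered Authentication Requests per cell, which is what the adversary in the Resource Depletion attack must generate to keep connections open, and the second on the repeated victim identifier, which the Blind DoS attack cannot avoid exposing because the whole point is to collide with the victim's S-TMSI. Both are rate rules, so the thresholds must be set above what legitimate reconnect storms (e.g., after a cell outage) produce.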




Remote de-registration attack



Source : Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane - Hongil Kim  et al