Security of Cellular Networks:

Man-in-the Middle Attacks

Mario agalj

University of Split

2013/2014.

Security in the GSM system by Jeremy Quirke, 2004

Introduction
Nowadays, mobile phones are used by 80-90% of the
worlds population (billion of users)
Evolution
1G: analog cellular networks GSM security specifications
2G: digital cellular networks with GSM (Global System for Mobile
Communications) beign the most popular and the most widely used
standard (circuit switching)
other 2G: technologies IS-95 CDMA based (US), PDC (Japan), etc.

2.5G: GPRS (General Packet Radio Service) packet switching

2.75G: EDGE faster data service
3G: UMTS (CDMA based), HSPA for data traffic (e.g., 5-10 Mbps)
other 3G: CDMA2000 (US, S. Korea)

4G: LTE (OFDM based), peak data rates of 100Mbps

2
Cellular Network Architecture
A high level view

Databases
(e.g., Home
Location Register)

External
Mobile
Station Base Mobile
Network
Station Switching
Center

Cellular Network

3
EPFL, JPH
Cellular Network Architecture
Registration Process

Nr: 079/4154678

Tune on the strongest signal

4
EPFL, JPH
Cellular Network Architecture
Service Request

079/4154678
079/8132627 079/4154678
079/8132627

5
EPFL, JPH
Cellular Network Architecture
Paging Broadcast (locating a particular mobile station in case of mobile
terminated call)

079/8132627?
079/8132627?

079/8132627?

079/8132627?

Note: paging makes sense only over a small area

6
EPFL, JPH
Cellular Network Architecture
Response

079/8132627

079/8132627

7
EPFL, JPH
Cellular Network Architecture
Channel Assignement

Channel
Channel 47
Channel
47 68

Channel
68

8
EPFL, JPH
Cellular Network Architecture
Conversation

9
EPFL, JPH
Cellular Network Architecture
Handover (or Handoff)

10
EPFL, JPH
Cellular Network Architecture
Message Sequence Chart
Base Switch Base
Caller Station Callee
Station

Periodic registration Periodic registration

Service request Service request

Page request Page request

Paging broadcast Paging broadcast

Paging response Paging response

Assign Ch. 47 Assign Ch. 68 Tune to Ch. 68

Tune to Ch.47

Ring indication Ring indication Alert tone

User response User response

Stop ring indication Stop ring indication
11
EPFL, JPH
GSM System Architecture
Based on Mobile Communications: Wireless
Telecommunication Systems
Architecture of the GSM system
GSM is a PLMN (Public Land Mobile Network)
several providers setup mobile networks following the GSM
standard within each country
components
MS (mobile station)
BS (base station)
MSC (mobile switching center)
LR (location register)
subsystems
RSS (radio subsystem): covers all radio aspects
NSS (network and switching subsystem): call forwarding, handover,
switching
OSS (operation subsystem): management of the network
13
 Please check http://gsmfordummies.com/architecture/arch.shtml

GSM: overview
OMC, EIR,
AUC
HLR GMSC
NSS fixed network
with OSS
VLR MSC MSC
VLR

BSC

BSC

RSS

14
GSM: system architecture
radio network and switching fixed
subsystem subsystem networks

MS MS
ISDN
PSTN
MSC

BTS
BSC EIR
BTS

SS7 HLR

BTS VLR
BSC ISDN
BTS MSC PSTN
BSS IWF
PSPDN 15
CSPDN
System architecture: radio subsystem
radio network and switching
subsystem subsystem Components
MS (Mobile Station)
MS MS
BSS (Base Station Subsystem):
consisting of
BTS (Base Transceiver Station):
BTS sender and receiver
BSC MSC BSC (Base Station Controller):
BTS
controlling several transceivers

BTS
BSC MSC
BTS
BSS

16
Radio subsystem
The Radio Subsystem (RSS) comprises the cellular mobile
network up to the switching centers
Components
Base Station Subsystem (BSS):
Base Transceiver Station (BTS): radio components including sender,
receiver, antenna - if directed antennas are used one BTS can cover
several cells
Base Station Controller (BSC): switching between BTSs, controlling BTSs,
managing of network resources, mapping of radio channels onto
terrestrial channels

Mobile Stations (MS)

17
GSM: cellular network
segmentation of the area into cells

possible radio coverage of the cell

idealized shape of the cell

cell

use of several carrier frequencies

not the same frequency in adjoining cells
cell sizes vary from some 100 m up to 35 km depending on user density,
geography, transceiver power etc.
hexagonal shape of cells is idealized (cells overlap, shapes depend on
geography)
if a mobile user changes cells
handover of the connection to the neighbor cell
18
System architecture: network and
switching subsystem
Components
network fixed partner
subsystem networks MSC (Mobile Services Switching Center)
IWF (Interworking Functions)
ISDN
PSTN
MSC
ISDN (Integrated Services Digital Network)
PSTN (Public Switched Telephone Network)
PSPDN (Packet Switched Public Data Net.)
EIR
CSPDN (Circuit Switched Public Data Net.)
SS7

HLR
Databases
HLR (Home Location Register)
VLR VLR (Visitor Location Register)
ISDN
EIR (Equipment Identity Register)
MSC
PSTN
IWF
PSPDN
CSPDN
19
Network and switching subsystem
NSS is the main component of the public mobile network GSM
switching, mobility management, interconnection to other networks,
system control
Components
Mobile Services Switching Center (MSC)
controls all connections via a separated network to/from a mobile terminal
within the domain of the MSC - several BSC can belong to a MSC
Databases (important: scalability, high capacity, low delay)
Home Location Register (HLR)
central master database containing user data, permanent and semi-permanent
data of all subscribers assigned to the HLR (one provider can have several HLRs)
Visitor Location Register (VLR)
local database for a subset of user data, including data about all user currently in
the domain of the VLR
20
Mobile Services Switching Center
The MSC (mobile switching center) plays a central role in
GSM
switching functions
additional functions for mobility support
management of network resources
interworking functions via Gateway MSC (GMSC)
integration of several databases

21
Operation subsystem
The OSS (Operation Subsystem) enables centralized operation,
management, and maintenance of all GSM subsystems
Components
Authentication Center (AUC)
generates user specific authentication parameters on request of a VLR
authentication parameters used for authentication of mobile terminals and
encryption of user data on the air interface within the GSM system
Equipment Identity Register (EIR)
registers GSM mobile stations and user rights
stolen or malfunctioning mobile stations can be locked and sometimes even
localized
Operation and Maintenance Center (OMC)
different control capabilities for the radio subsystem and the network subsystem

22
 Please check http://gsmfordummies.com/gsmevents/mobile_terminated.shtml

Mobile Terminated Call

1: calling a GSM subscriber 4
HLR VLR
2: forwarding call to GMSC 5
8 9
3: signal call setup to HLR 3 6 14 15
4, 5: request MSRN (roaming calling 7
PSTN GMSC MSC
number) from VLR station 1 2
6: forward responsible 10 10 13 10
MSC to GMSC 16
BSS BSS BSS
7: forward call to
11 11 11
current MSC
8, 9: get current status of MS 11 12
17
10, 11: paging of MS MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection
23
Mobile Originated Call
1, 2: connection request
3, 4: security check
VLR
5-8: check resources (free circuit)
9-10: set up call 3 4
6 5
PSTN GMSC MSC
7 8
2 9

MS
1 BSS
10

24
Mobile Terminated and Mobile Originated Calls
MS MTC BTS MS MOC BTS
paging request
channel request channel request
immediate assignment immediate assignment
paging response service request
authentication request authentication request
authentication response authentication response
ciphering command ciphering command
ciphering complete ciphering complete
setup setup
call confirmed call confirmed
assignment command assignment command
assignment complete assignment complete
alerting alerting
connect connect
connect acknowledge connect acknowledge
data/speech exchange data/speech exchange
25
Security in GSM
Based on:
Security in the GSM system by Jeremy Quirke

The GSM Standard (An overview of its security) by SANS Institute

InfoSec Reading Room

Mobile Communications: Wireless Telecommunication Systems

 Security Services in GSM
Access control/authentication
x
user <-- -- SIM (Subscriber Identity Module): secret PIN (personal
identification number)
x
SIM <-- -- network: challenge response method

Confidentiality
voice and signaling encrypted on the wireless link (after successful
authentication)
Anonymity
temporary identity TMSI (Temporary Mobile Subscriber Identity)
newly assigned at each new location update (LUP)
encrypted transmission

27
 Security Services in GSM
Authentication

SIM (Subscriber Identity Module) card

smartcard inserted into a mobiel phone
contains all necessary details to obtain access to an account
unique IMSI (International Mobile Subscriber Identity)
Ki - the individual subscriber authentication key (128bit, used to generate all
other encryption and authentication keying GSM material)
highly protected the mobile phone never learns this key, mobile only forwards
any required material to the SIM
known only to the SIM and network AUC (Authentication Center)
SIM unlocked using a PIN or PUK
authentication (A3 algorithm) and key generation (A8 algorithm)
is performed in the SIM
SIM contains a microprocessor 28
Security Services in GSM
Authentication

mobile network SIM

RAND
Ki RAND RAND Ki

AC 128 bit 128 bit 128 bit 128 bit

A3 A3
SIM
SRES* 32 bit SRES 32 bit

MSC SRES
SRES* =? SRES SRES
32 bit

Ki: individual subscriber authentication key SRES: signed response 29

Security Services in GSM
Authentication

Kc: Session encryption key generated together with SRES 30

Security Services in GSM
Encryption

mobile network (BTS) MS with SIM

RAND
Ki RAND RAND Ki
AC 128 bit 128 bit 128 bit 128 bit SIM

A8 A8

cipher Kc
key 64 bit Kc
64 bit
data encrypted SRES
data
BTS MS
data
A5 A5
31
 Security Services in GSM
Authentication and Encryption

A3 and A8 algorithms are both run in SIM at the same time on the
same input (RAND, Ki)
A3A8 = COMP128v1, COMP128v2, COMP123v3 (serious weaknesses known)
not used in UMTS
Encryption algorithm A5
symmetric encryption algorithm
voice/data encryption performed by a phone using generated encryption key Kc

32
 Security Services in GSM
Encryption

A5 algorithms
A5/0 no encryption used
A5/1 and A5/2 developed far from public domain and later found
flawed
stream ciphers based on linear feedback shift registers
A5/2 completely broken (not used anymore in GSM)
A5/1 is a bit stronger but also broken by many researchers

A5/3 is a block cipher based on Kasumi encryption algorithm

used in UMTS, GSM, and GPRS mobile communications systems
public and reasonably secure (at least at the moment)

33
Security Services in GSM
Summary

34
Security Weaknesess in GSM
A mobile phone does not authenticate the base station!
only mobile authenticate to BS (one-way authentication)
fake BS and man-in-the middle attacks possible
attacker does not have to know authentication key Ki

A5/0 - No Encryption algorithm is a valid choice in GSM

for voice, SMS, GPRS, EDGE services

Many weaknesses in A5 family of encryption algorithms

35
Security Weaknesess in GSM

36
 Security Services in GSM
Anonymity

Preventing eavesdropper (listening attacker) from determining if a

particular subscriber is/was in the given area
location privacy
thanks to long ranges a very powerful attack
attacker uses IMSI (International Mobile Subscriber Identity)
IMSI Catchers

To preserve location privacy GSM defines TMSI (Temporary Mobile

Subscriber Identity)
when a phone turned on, IMSI from SIM transmitted in clear to the AUC
after this TMSI is assigned to this user for location privacy
after each location update or a predefined time out, a new TMSI is assigned to the
mobile phone
a new TMSI is sent encrypted (whenever possible)
VLR database contains mapping TMSI to IMSI 37
Security Services in GSM
Anonymity

38
Security Services in GSM
Anonymity

39
Security Weaknesess in GSM
Attack Against the Anonymity Service

GSM provisions for situation when the network somhow

loses track of a particular TMSI
in this case the network must ask the subscriber its IMSI over the radio link
using the IDENTITY REQUEST and IDENTITY RESPONSE mechanism
however, the connection cannot be encrypted if the network does not know
the IMSI and so the IMSI is sent in plain text
the attacker can use this to map known TMSI and unknown and user-specific
IMSI

40
 Countermeasures: UMTS
UMTS defines 2-way authentication and mandates the
use of stronger encryption and authentication primitives
prevents MITM attacks by a fake BS, but be cautious...

Still many reasons to worry about

most mobiles support < 3G standards (GPRS, EDGE)
when signal is bad, hard to supprot UMTS rates
mobile providers already invested a lot of money and do not give up upon
old BSS equippment
femtocells

41
 Many Reason to Worry About Your Privacy
http://www.theregister.co.uk/2008/05/20/tracking_phones/

http://www.theregister.co.uk/2011/10/31/met_police_datong_mo
bile_tracking/ (check also http://www.pathintelligence.com)

http://docs.google.com/viewer?url=https%3A%2F%2Fmedia.black
hat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-
Pico_Mobile_Attacks-Slides.pdf

http://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-
labs.tu-berlin.de%2Fbh2011.pdf
42