Cell Selection

Date post: 01-Dec-2015
Upload: shahwaiz-afaqui
Page 1: Cell Selection

Problems with GSM security

• 2G communication system only provides a one-way authentication mechanism, which authenticates the identity of the mobile user but not of the network.
• Only provides access security: communications and signalling traffic in the fixed network are not protected.
• Does not address active attacks.
• Only as secure as the fixed networks to which they connect.
• Lawful interception only considered as an afterthought.
• Terminal identity cannot be trusted.
• Difficult to upgrade the cryptographic mechanisms.
• Lack of user visibility.

Page 2: Cell Selection

Attacks on GSM networks
• Eavesdropping. This is the capability whereby the intruder eavesdrops on signalling and data connections associated with other users. The required equipment is a modified MS.

•Impersonation of a user. This is the capability whereby the intruder sends signalling and/or user data to the network, in an attempt to make the network believe they originate from the target user. The required equipment is again a modified MS.

•Impersonation of the network. This is the capability whereby the intruder sends signalling and/or user data to the target user, in an attempt to make the target user believe they originate from a genuine network. The required equipment is modified BTS.

Page 3: Cell Selection

•Man-in-the-middle. This is the capability whereby the intruder puts itself in between the target user and a genuine network and has the ability to eavesdrop, modify, delete, re-order, replay, and spoof signalling and user data messages exchanged between the two parties. The required equipment is modified BTS in conjunction with a modified MS.

•Compromising authentication vectors in the network. The intruder possesses a compromised authentication vector, which may include challenge/response pairs, cipher keys and integrity keys. This data may have been obtained by compromising network nodes or by intercepting signalling messages on network links.

Page 4: Cell Selection

Camping on a false BTS
• An attack that requires a modified BTS and exploits the weakness that a user can be enticed to camp on a false base station.
• Once the target user camps on the radio channels of a false base station, the target user is out of reach of the paging signals of the serving network in which he is registered.

Page 5: Cell Selection

3G vs. GSM
• A change was made to defeat the false base station attack: the authentication token (AUTN) carries a sequence number and a MAC, so that the mobile can authenticate the network.
• Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.
• Mechanisms were included to support security within and between networks.
• Ciphering and integrity protection terminate in the RNC (the controller behind the base stations) rather than in the base station as in GSM. Therefore the link between the base station and the controller is also protected.
• Integrity mechanisms for the terminal identity (IMEI) have been designed in from the start, rather than introduced late, as in GSM.

Page 6: Cell Selection

• GSM authentication vector: temporary authentication data that enables a VLR/SGSN to engage in GSM AKA with a particular user. A triplet consists of three elements: a) a network challenge RAND, b) an expected user response SRES and c) a cipher key Kc.

• UMTS authentication vector: temporary authentication data that enables a VLR/SGSN to engage in UMTS AKA with a particular user. A quintet consists of five elements: a) a network challenge RAND, b) an expected user response XRES, c) a cipher key CK, d) an integrity key IK and e) a network authentication token AUTN.

Page 7: Cell Selection

Procedure for the MT to search for BTS around its vicinity

Page 8: Cell Selection

Mode of operation for fake BTS

• The fake BTS transmits on a beacon frequency of the victim's provider,
• and it transmits the MCC and MNC of the same provider.

Page 9: Cell Selection

Search for the BTS
There are several situations in which the MS starts to look for a new BTS to connect to. We may divide them into scenarios in which a network signal is available and those in which it is not.

In the first case the MS does not receive any network signal. It then starts by checking all frequencies used by the BTSs that were near the location of the BTS to which the MS was last successfully connected. If none is found it switches to search mode, in which it scans through the standard frequencies to find active BTSs. In this case the attacker's fake BTS must provide the following parameters of the real network: mobile country code (MCC), mobile network code (MNC) and network short name. This behaviour can be triggered in several ways, but usually it is done by jamming the real BTS signal.

In the second case the MS is already connected to the network. In this situation there are only two events which may lead to the selection of a new BTS.

● The MS may find a BTS with a better signal than the one to which it is connected. In this case the fake BTS sends its signal on the frequency channel used by one of the BTSs near the victim's MS. This scenario is called a forced BTS re-selection.

● The second is a situation in which the frequency channel used by the MS for its connection with the BTS is jammed. In such a situation the mobile station will automatically start to search for a new BTS. This scenario is realized with a jammer, a device designed to send a distortion signal on a given frequency to disrupt the existing connection between the MS and the BTS.

Page 10: Cell Selection

Once a fake BTS is switched on and transmitting, it is still not recognized by the victim's MS. In order to force selection of his BTS the attacker can exploit the fact that the MS measures, at regular intervals, the signal strength of the nearest BTSs.

Knowing the frequencies of those cells he may set up the fake BTS to send a signal stronger than any other BTS in the immediate neighbourhood. This signal should be sent on the frequency of the neighbour with the weakest signal. When the received signal is better than that of the existing connection, the MS will change BTS automatically. This scenario works only if the MS is in idle (stand-by) mode with no active communication. If there is an active call, moving it would be a handover of that connection within the network, which cannot be done without access to the MNO's BSC.

Figure 2.12 shows an illustration of an exemplary scenario. In this scenario the MS is at the beginning connected to BTS one. The MS knows about the nearest BTSs, namely BTS two, BTS three and BTS four. The attacker checks the frequency channel of each BTS. When he later switches on his fake BTS, it starts to send a signal on the same channel as BTS four, which during the attacker's measurement had the worst signal quality. The MS notices that the quality of the signal from BTS four has improved and switches to it. In this way the victim's mobile station has been lured to connect to the attacker's own GSM network.

Page 12: Cell Selection

Signal Jamming

Using this technique, the attacker first sends a distortion signal on the frequency of the existing connection between the victim's MS and BTS. If the distortion is strong enough, the connection is broken. The MS then automatically starts the BTS search procedure in order to find a substitute for the jammed one. In this way it may select the attacker's BTS, but it may also happen that the signal from another BTS has better quality and the MS selects that one. In order to be sure that the result of the selection is the fake BTS, the attacker may jam for a short while the signals of the other closest BTSs, based on the neighbour list.

The biggest advantage of jamming all the nearest BTSs is that we may force a situation in which the MS goes into BTS signal search mode and starts scanning all frequency channels, not only those on the neighbour list. As a result, the attacker may lure the MS to connect to a fake BTS on any ARFCN the phone supports, which gives him much better connection quality.

Page 13: Cell Selection

Cell Selection and Re-selection
• According to [4] (Section 6.6), the MS will synchronize to and read the BCCH information for the 6 strongest non-serving carriers, and at least every 5 s the MS shall calculate the value of C1 (path loss criterion parameter) and C2 for the serving cell and re-calculate the C1 and C2 values for the non-serving cells.

• A cell reselection may take place if one of the following conditions is met:
• 1) The calculated value of C2 for a non-serving suitable cell exceeds the value of C2 for the serving cell for a period of 5 seconds (both cells are in the same location area).
• 2) The calculated value of C2 for a non-serving suitable cell exceeds the value of C2 for the serving cell by at least CELL_RESELECT_HYSTERESIS dB, as defined by the BCCH data of the current serving cell, for a period of 5 seconds (the two cells are in different location areas).
• 3) The path loss criterion (C1) for the current serving cell falls below zero for a period of 5 seconds. This indicates that the path loss to the cell has become too high.
• 4) The current serving cell is barred.
• 5) The MS downlink signalling failure counter (DSC) expires, which takes a time TF [1]. (Case 5 is used by [1] and [2].)

Page 14: Cell Selection

● If we can make the value of C2 for the fake base station, as calculated by the MS, higher than the value of C2 for the serving cell by at least CELL_RESELECT_HYSTERESIS dB, then a cell reselection will happen. The hysteresis that counts is the one broadcast by the cell the MS is currently camped on, and it only applies between cells in different location areas, so we can use this feature to give the CELL_RESELECT_HYSTERESIS of our fake base station a large value and make it hard for the MS to switch back to another BS once it has camped on ours.

Page 15: Cell Selection

● The path loss criterion parameter C1 used for cell selection and reselection is defined by:

● C1 = A - Max(B, 0)
● where
● A = RLA_C - RXLEV_ACCESS_MIN
● B = MS_TXPWR_MAX_CCH - P, except for the class 3 DCS 1800 MS where:
● B = MS_TXPWR_MAX_CCH + POWER_OFFSET - P

● RLA_C = received level average
● RXLEV_ACCESS_MIN = minimum received signal level at the MS required for access to the system
● MS_TXPWR_MAX_CCH = maximum TX power level an MS may use when accessing the system until otherwise commanded
● POWER_OFFSET = the power offset to be used in conjunction with the MS_TXPWR_MAX_CCH parameter by the class 3 DCS 1800 MS
● P = maximum RF output power of the MS
● All values are expressed in dBm. The path loss criterion [7] is satisfied if C1 > 0.

● From the definition of C1 above, the closer the MS is to the BS (the higher RLA_C), the higher the value of C1 will be. Since the MS selects the suitable cell with the highest C1 value at power up, we can simply make the signal level of the fake base station the highest in the target area by raising its transmit power.

Page 16: Cell Selection

● The value of C2 is defined as follows.

● C2 = C1 + CELL_RESELECT_OFFSET - TEMPORARY_OFFSET * H(PENALTY_TIME - T)   for PENALTY_TIME <> 11111

● C2 = C1 - CELL_RESELECT_OFFSET   for PENALTY_TIME = 11111

● where H(x) = 0 for x < 0 and H(x) = 1 for x >= 0, T is a timer implemented for each cell in the list of strongest carriers, CELL_RESELECT_OFFSET is used to give different priorities to different cells, for example to different bands when multiband operation is used,

● TEMPORARY_OFFSET applies a negative offset to C2 for the duration of PENALTY_TIME after the timer T has started for that cell,

● PENALTY_TIME is the duration for which TEMPORARY_OFFSET applies.

● CELL_RESELECT_OFFSET, TEMPORARY_OFFSET, PENALTY_TIME and CELL_BAR_QUALIFY are optionally broadcast on the BCCH of the cell. If not broadcast, the default values are CELL_BAR_QUALIFY = 0 and C2 = C1. [1]
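Worked example, added here and not part of the original slides or of [1]: the C1 and C2 formulas from Pages 15 and 16 and the reselection conditions from Page 13, coded in Python and run on a genuine serving cell and a candidate fake BTS. Every cell parameter, the LACs, the 33 dBm handset power and the hysteresis values are constructed for illustration; the names C1, C2, RLA_C and so on follow the slides.

```python
"""C1 (path loss criterion) and C2 (reselection criterion) from GSM 05.08,
plus the reselection tests listed on the slides, run on a genuine serving
cell and a candidate fake BTS. Added example; all cell parameters are
constructed, not measured. Levels are in dBm, offsets in dB."""
from dataclasses import dataclass
from typing import Optional


def heaviside(x: float) -> int:
    """H(x) = 0 for x < 0 and 1 for x >= 0, as used in the C2 definition."""
    return 0 if x < 0 else 1


@dataclass
class Cell:
    name: str
    lac: int                      # location area code from the BCCH
    rla_c: float                  # RLA_C: received level average at the MS
    rxlev_access_min: float       # RXLEV_ACCESS_MIN from the BCCH
    ms_txpwr_max_cch: float       # MS_TXPWR_MAX_CCH from the BCCH
    cell_reselect_offset: float = 0.0      # 0 when not broadcast
    temporary_offset: float = 0.0          # 0 when not broadcast
    penalty_time_s: Optional[float] = 0.0  # None models PENALTY_TIME = 11111
    cell_reselect_hysteresis: float = 0.0  # applied only when LAs differ
    barred: bool = False


def c1(cell: Cell, p: float, power_offset: float = 0.0) -> float:
    """C1 = A - max(B, 0) with A = RLA_C - RXLEV_ACCESS_MIN and
    B = MS_TXPWR_MAX_CCH (+ POWER_OFFSET for class 3 DCS 1800) - P,
    where P is the maximum RF output power of the MS."""
    a = cell.rla_c - cell.rxlev_access_min
    b = cell.ms_txpwr_max_cch + power_offset - p
    return a - max(b, 0.0)


def c2(cell: Cell, p: float, t_elapsed_s: float, power_offset: float = 0.0) -> float:
    """C2 = C1 + CELL_RESELECT_OFFSET - TEMPORARY_OFFSET * H(PENALTY_TIME - T),
    or C1 - CELL_RESELECT_OFFSET when PENALTY_TIME is coded 11111. T is the
    time since the cell entered the MS's list of strongest carriers."""
    base = c1(cell, p, power_offset)
    if cell.penalty_time_s is None:          # PENALTY_TIME = 11111
        return base - cell.cell_reselect_offset
    penalty = cell.temporary_offset * heaviside(cell.penalty_time_s - t_elapsed_s)
    return base + cell.cell_reselect_offset - penalty


def reselect_reason(serving: Cell, candidate: Cell, p: float,
                    t_elapsed_s: float) -> Optional[str]:
    """Return which reselection condition fires, or None. The 5 s holding
    time of each condition is left to the caller, which re-runs this at
    least every 5 s as the slides describe; the DSC/TF case is not modelled."""
    if serving.barred:
        return "serving cell barred"
    if c1(serving, p) < 0:
        return "C1 of serving cell below zero"
    if candidate.barred or c1(candidate, p) < 0:
        return None                          # candidate is not a suitable cell
    margin = c2(candidate, p, t_elapsed_s) - c2(serving, p, t_elapsed_s)
    if candidate.lac == serving.lac:
        return "C2 of candidate exceeds serving C2" if margin > 0 else None
    if margin >= serving.cell_reselect_hysteresis:
        return "C2 of candidate exceeds serving C2 by CELL_RESELECT_HYSTERESIS"
    return None


MS_MAX_POWER_DBM = 33.0   # P for a class 4 GSM 900 handset (constructed)

# Constructed cells: the genuine serving cell, and a fake BTS on a different
# LAC that is received much stronger and advertises a large hysteresis.
SERVING = Cell("real", lac=100, rla_c=-80.0, rxlev_access_min=-104.0,
               ms_txpwr_max_cch=33.0, cell_reselect_hysteresis=4.0)
FAKE = Cell("fake", lac=999, rla_c=-65.0, rxlev_access_min=-110.0,
            ms_txpwr_max_cch=33.0, cell_reselect_hysteresis=14.0)


def demo():
    """Reselection towards the fake BTS, then the reverse check once camped."""
    towards_fake = reselect_reason(SERVING, FAKE, MS_MAX_POWER_DBM, 0.0)
    back_to_real = reselect_reason(FAKE, SERVING, MS_MAX_POWER_DBM, 0.0)
    return towards_fake, back_to_real


if __name__ == "__main__":
    print("C1 serving:", c1(SERVING, MS_MAX_POWER_DBM))   # 24.0
    print("C1 fake:   ", c1(FAKE, MS_MAX_POWER_DBM))      # 45.0
    print(demo())
```

Running it gives C1 = 24 for the real cell and 45 for the fake one. The fake cell is reselected because its 21 dB margin exceeds the 4 dB hysteresis broadcast by the real serving cell; the reverse check returns None because, once the MS is camped on the fake cell, the 14 dB hysteresis that the fake cell broadcasts is the one that has to be overcome.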

Page 17: Cell Selection

Mobile Initialization
There are three main goals of the mobile initialization procedure:

• Frequency Synchronization. As the terminal is switched on, it scans over the available GSM RF channels and takes several readings of their RF levels to obtain an accurate estimate of the signal strengths. Starting with the channel with the highest level, the terminal searches for the frequency correction burst on the BCCH carrier. If no frequency correction burst is detected, it moves to the next highest level signal and repeats the process until it is successful. On success, the terminal synchronizes its local oscillator with the frequency reference of the base station transceiver.

• Timing Synchronization. After frequency synchronization has been achieved, the terminal searches for the synchronization burst carrying the timing information on the SCH. If it is not successful, it moves to the next highest level signal and repeats the process, starting from the frequency synchronization procedure, until it is successful. On success, it moves to the BCCH to acquire overhead system information.

• Overhead Information Acquisition. After timing synchronization has been achieved, the terminal searches for overhead information on the BCCH. If the BCCH information does not include the current BCCH number, it restarts the mobile initialization procedure. On success, the terminal will have acquired, from the BCCH and through the system information messages present on it, the following main information:

• Country code, Network code, Location area code, Cell identity, Adjacent cell list, BCCH location, Minimum received signal strength

The terminal checks whether the acquired identification codes coincide with those in the SIM card. If they do, it maintains the link and monitors the PCH. Otherwise, it starts a location update procedure. [2]

Page 18: Cell Selection

When an MS enters the network, it first looks for the beacon frequencies of the nearby Base Transceivers by scanning all possible channels. All base stations transmit their beacon frequencies at a fixed frequency and power level. The MS finds the beacon frequency by searching, on the frequency with the highest signal level, for a timeslot carrying a sequence of "00000..." (which modulates to a sine wave); this is transmitted on the Frequency Correction Channel (FCCH). FCCH is one logical channel in the physical channel called the Broadcast Control Channel (BCCH) and it is used for bit synchronization. BCCH is always on timeslot 0 of the beacon frequency.

After the MS achieves bit synchronization, it finds the Synchronization Channel (SCH) in the BCCH physical channel. From the SCH, the MS derives frame synchronization. Then the MS can find the logical channel BCCH, also located in the physical channel BCCH. The logical channel BCCH transmits important BTS information such as the frequency hopping sequences, other frequencies, and neighbouring cells.

Once the MS has registered, the network knows the location area (LA) where the MS is located. A location area may consist of several cells, so the MS is paged in all cells of that area.

Page 19: Cell Selection

Cell Selection

Page 20: Cell Selection

GSM MS List of States for the cell selection process

● The GSM mobile station (MS) enters various states when switched on but in idle mode. Three such processes are PLMN selection, cell selection and location registration, which the GSM standards describe as a "set of states". The overall state of the mobile is thus a "composite of the states of the three processes". As TS 100 930 mentions, "In some cases, an event which causes a change of state in one process may trigger a change of state in another process, e.g., camping on a cell in a new registration area triggers an LR request." Below are those states relevant for MS cell selection; for a more detailed description of the behaviour in these states read GSM 05.08.

● C1 Normal Cell Selection ‑ This is the process of initial cell selection, searching all RF channels.

● C2 Stored List Cell Selection ‑ This is the process of initial cell selection where BCCH carrier information (e.g. a BA list) for the selected PLMN is stored in the MS.

● C3 Camped Normally ‑ This is where the MS is camped on a cell of the selected PLMN and may be able to make and receive calls. (Whether or not the MS can make and receive calls depends on the state within the location registration process). The MS monitors received level and the system information and checks whether cell reselection is needed.

● C4 Normal Cell Reselection ‑ This is where the MS has determined that cell reselection is needed and an attempt is being made to reselect a new cell.

● C5 Choose Cell ‑ This is where the MS has returned to idle mode from "connected mode" and is choosing a suitable cell to camp on.

● C6 Any Cell Selection ‑ This is where the MS is unable to camp normally on any cell of the selected PLMN, or cannot obtain service because of certain responses to a location registration (LR) attempt. It is searching for a cell of any PLMN to camp on (so that emergency calls can be made).

● C7 Camped on any Cell ‑ This is where the MS has camped on a cell irrespective of its PLMN identity, so that emergency calls can be made.

● C8 Any Cell Reselection ‑ This is where the MS is attempting to reselect a cell, irrespective of PLMN identity.

● C9 Choose Any Cell ‑ This is where the MS is returning to idle mode, after having entered "connected mode" from the "camped on any cell" state to make an emergency call. It is attempting to find an acceptable cell to camp on.

Page 21: Cell Selection

PLMN Selection
1. Home PLMN. The Multi-RAT MS shall search for the Home PLMN using all access technologies it is capable of and start its search using the "access technologies priority list" stored in the Subscriber Identity Module (SIM).

2. Each PLMN in the "user controlled PLMN list" stored in the SIM, in priority order. The Multi-RAT MS shall try to find each PLMN using the "access technologies priority list" stored for each PLMN in the SIM.

3. Each PLMN in the "operator controlled PLMN list" stored in the SIM, in priority order. The Multi-RAT MS shall try to find each PLMN using the "access technologies priority list" stored for each PLMN in the SIM.

4.Other PLMN/access technology combinations with received high quality signal in random order. For GSM: SS > -85 dBm and WCDMA: CPICH RSCP > -95 dBm.

5.All other PLMN/access technology combinations in order of decreasing signal strength.

Page 22: Cell Selection

Conformance requirement

● At switch on, or following recovery from lack of coverage,the MS selects the registered PLMN or equivalent PLMN (if it is available) using all access technologies that the MS is capable of and if necessary (in the case of recovery from lack of coverage, see TS 23.122, clause 4.5.2) attempts to perform a Location Registration.

● If successful registration is achieved, the MS indicates the selected PLMN.

● If there is no registered PLMN, or if registration is not possible due to the PLMN being unavailable or registration failure, the MS follows either Automatic or Manual Network Selection Mode Procedure depending on its operating mode.

Page 23: Cell Selection

Cell Reselection to UMTS based on cell ranking

Page 24: Cell Selection

Camping Strategy for a Combined WCDMA/GSM Network

● The choice of system for idle mode camping is important. The Multi-RAT MS should camp on the system where it is expected to set up its services and where it will be paged. In order for the Multi-RAT MS to be able to access UTRAN specific services it needs to camp on UTRAN. The recommended strategy is therefore

● — camp on UTRAN whenever there is UTRAN coverage.

● Outside UTRAN coverage the Multi-RAT MS will camp on GSM, to get access to standard GSM services. Once a UTRAN cell is selected/reselected, the parameter setting in UTRAN should try to keep the UE in UTRAN as long as the quality and received signal strength of the UTRAN cell are good enough. The GSM parameter settings recommended in this engineering guideline enable the camping strategy described above.

Page 25: Cell Selection

Cell Reselection to UMTS

● It is important to coordinate the parameters in GSM and UTRAN to achieve the wanted inter-RAT cell reselection behaviour and thus a smooth co-existence. For extensive information on the cell reselection algorithm from UTRAN to GSM and the corresponding parameters, parameter ranges and default values, see Reference [15].

● The recommended cell reselection parameter settings in the following subchapters are coordinated with the corresponding parameter recommendations for UTRAN to GSM cell reselection found in Reference [15].

Page 26: Cell Selection

Measurements for mobiles on dedicated channels and for cell reselection to UMTS based on cell ranking

● Besides measurements on surrounding GSM/GPRS/EGPRS cells a Multi-RAT MS also performs measurements on UTRAN neighbouring cells. These measurements are performed in a different way than for GSM cells and may be less frequent than measurements on GSM. In general UTRAN measurements are done during spare time, that is, GSM measurements have priority and UTRAN measurements are done if there is time left.

● In order to reduce unnecessary measurements and to optimize Multi-RAT MS battery consumption, the GSM network controls when the measurements on UTRAN cells shall be performed with the parameters QSI and QSC. The parameters QSI and QSC define thresholds and also indicate whether these measurements shall be performed when the signal strength (SS) of the serving cell is below or above the threshold. They can be used to avoid unnecessary measurements on UTRAN cells and do not control the behaviour of Multi-RAT MSs in terms of making decisions for cell reselection and handover. QSI is used for idle and packet switched modes and is broadcast on BCCH and PBCCH (if enabled), while QSC is used for active mode and sent on SACCH. [3]

Page 27: Cell Selection

Cell Reselection Process

In order to always camp on the best cell the UE performs the cell reselection procedure in the following cases:

● When the cell on which it is camping is no longer suitable.

● When the UE, in “camped normally” state, has found a better neighboring cell than the cell on which it is camping.

● When the UE is in limited service state on an acceptable cell.

● When the UE triggers a cell reselection evaluation process, it performs ranking of cells that fulfill the following criteria.

Page 28: Cell Selection

● Cells are ranked according to the R criteria:

● Qmeas is the quality value of the received signal.
● Qmeas may be derived from the averaged CPICH Ec/No or CPICH RSCP for WCDMA cells.
● Qmeas uses the averaged received signal level for GSM cells.
● CPICH RSCP is always used as the measurement quantity when WCDMA cells are compared with GSM cells.

Page 30: Cell Selection

● Cell reselection criteria are used for intra-frequency, inter-frequency and inter-RAT cells.

● Decision on when measurements on intra-frequencies should be performed is made using the parameter sIntraSearch in relation to Squal.

Page 31: Cell Selection

● The decision on when measurements on GSM frequencies should be performed is made using the parameter sRATSearch.

Page 32: Cell Selection

● The UE is also supposed to be able to measure on interfrequency cells. The decision on when measurements on interfrequencies should be performed is made using the parameter sInterSearch in relation to Squal.

Page 33: Cell Selection

At switch on or recovery from lack of coverage

● At switch on, or following recovery from lack of coverage, the MS selects the registered PLMN or equivalent PLMN (if it is available) using all access technologies that the MS is capable of and if necessary attempts to perform a Location Registration.

● As an alternative option to this, if the MS is in automatic network selection mode and it finds coverage of the HPLMN, the MS may register on the HPLMN and not return to the registered PLMN. The operator is able to control by SIM configuration (parameter Last RPLMN Selection Indication) whether an MS that supports this option shall perform this alternative behaviour.

● If successful registration is achieved, the MS indicates the selected PLMN. If there is no registered PLMN, or if registration is not possible due to the PLMN being unavailable or registration failure, the MS follows one of the following two procedures depending on its PLMN selection operating mode. At switch on, if the MS provides the optional feature of user preferred PLMN selection operating mode at switch on, then this operating mode shall be used.

Page 35: Cell Selection

● At switch on, if the MS is in manual mode and neither registered PLMN nor PLMN that is equivalent to it is available but EHPLMN is available, then instead of performing the manual network selection mode procedure the MS may select and attempt registration on the highest priority EHPLMN. If the EHPLMN list is not available or is empty and the HPLMN is available, then the MS may select and attempt registration on the HPLMN. The MS remains in manual mode.

● If successful registration is achieved, then the current serving PLMN becomes the registered PLMN and the MS does not store the previous registered PLMN for later use.

● As an exception, if registration is not possible on recovery from lack of coverage due to the registered PLMN being unavailable, an MS attached to GPRS services may, optionally, continue looking for the registered PLMN for an implementation dependent time. An MS attached to GPRS services should use the above exception only if one or more PDP contexts are currently active.

Page 37: Cell Selection

Automatic Network Selection Mode
The MS selects and attempts registration on other PLMN/access technology combinations, if available and allowable, in the following order:

1) either the HPLMN (if the EHPLMN list is not present or is empty) or the highest priority EHPLMN that is available (if the EHPLMN list is present);

2) each PLMN/access technology combination in the 'User Controlled PLMN Selector with Access Technology' data file in the SIM (in priority order);

3) each PLMN/access technology combination in the 'Operator Controlled PLMN Selector with Access Technology' data file in the SIM (in priority order);

4) other PLMN/access technology combinations with received high quality signal (GSM: RLA ≥ -85 dBm, UTRAN FDD: CPICH RSCP above -95 dBm) in random order;

5) other PLMN/access technology combinations in order of decreasing signal quality.

When following the above procedure the following requirements apply:

● In 2) and 3), the MS should limit its search for the PLMN to the access technology or access technologies associated with the PLMN in the appropriate PLMN Selector with Access Technology list (User Controlled or Operator Controlled selector list). An MS using a SIM without access technology information storage (i.e. the 'User Controlled PLMN Selector with Access Technology' and 'Operator Controlled PLMN Selector with Access Technology' data files are not present) shall instead use the 'PLMN Selector' data file; for each PLMN in the 'PLMN Selector' data file, the MS shall search for all access technologies it is capable of and shall assume GSM access technology as the highest priority radio access technology.

Page 38: Cell Selection

● In 2 and 3 , the MS shall search for all access technologies it is capable of, before deciding which PLMN to select.

● In 1), the MS shall search for all access technologies it is capable of. No priority is defined for the preferred access technology and the priority is an implementation issue, but the "HPLMN Selector with Access Technology" data file on the SIM may be used to optimise the procedure.

● In 1, an MS using a SIM without access technology information storage (i.e. the "HPLMN Selector with Access Technology" data file is not present) shall search for all access technologies it is capable of and shall assume GSM access technology as the highest priority radio access technology.

● In 5) , the MS shall order the PLMN/access technology combinations in order of decreasing signal quality within each access technology. The order between PLMN/access technology combinations with different access technologies is an MS implementation issue.
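Worked example, added here and not taken from the slides or from the Leliwa bulletin [4]: the automatic network selection order of Page 21 and Pages 37-38, coded in Python and run on a constructed scan result and constructed SIM contents. The PLMN codes, signal levels and selector lists are made up for illustration, and "RAT" is used for "access technology".

```python
"""Automatic network selection order as the slides describe it: HPLMN or
EHPLMN first, then the user-controlled and operator-controlled SIM lists in
priority order, then other PLMN/RAT combinations with a high-quality signal
in random order, then the rest by decreasing signal within each RAT.
Added example; the SIM contents and the scan results are constructed."""
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# High-quality thresholds from the slides: GSM RLA >= -85 dBm,
# UTRAN FDD CPICH RSCP above -95 dBm.
HIGH_QUALITY_DBM = {"GSM": -85.0, "UTRAN": -95.0}


@dataclass(frozen=True)
class Found:
    plmn: str         # MCC + MNC as digits, e.g. "26201" (constructed)
    rat: str          # "GSM" or "UTRAN"
    level_dbm: float  # RLA for GSM, CPICH RSCP for UTRAN


def is_high_quality(f: Found) -> bool:
    thr = HIGH_QUALITY_DBM[f.rat]
    return f.level_dbm >= thr if f.rat == "GSM" else f.level_dbm > thr


def selection_order(found: Sequence[Found], hplmn: str,
                    ehplmn_list: Sequence[str],
                    user_list: Sequence[Tuple[str, str]],
                    operator_list: Sequence[Tuple[str, str]],
                    rng: Optional[random.Random] = None) -> List[Found]:
    """Return the PLMN/RAT combinations in the order the MS attempts
    registration. user_list and operator_list hold (PLMN, RAT) pairs, as
    in the 'PLMN Selector with Access Technology' data files."""
    rng = rng or random.Random(0)   # fixed seed only so the demo is repeatable
    remaining = list(found)
    order: List[Found] = []

    def take(pred) -> None:
        picked = [f for f in remaining if pred(f)]
        for f in picked:
            remaining.remove(f)
        order.extend(picked)

    # 1) HPLMN (no EHPLMN list) or the highest-priority available EHPLMN;
    #    all RATs of that PLMN are searched, RAT priority is implementation-defined.
    for home in (list(ehplmn_list) or [hplmn]):
        if any(f.plmn == home for f in remaining):
            take(lambda f, home=home: f.plmn == home)
            break
    # 2) and 3) SIM selector lists, limited to the RAT stored for each entry
    for selector in (user_list, operator_list):
        for plmn, rat in selector:
            take(lambda f, plmn=plmn, rat=rat: f.plmn == plmn and f.rat == rat)
    # 4) remaining high-quality combinations in random order
    high = [f for f in remaining if is_high_quality(f)]
    rng.shuffle(high)
    for f in high:
        remaining.remove(f)
    order.extend(high)
    # 5) everything else by decreasing signal within each RAT; the order
    #    between RATs is an implementation issue (here: alphabetical)
    order.extend(sorted(remaining, key=lambda f: (f.rat, -f.level_dbm)))
    return order


# Constructed scan: the home PLMN "26201" is seen on two RATs, once weakly;
# "26207" is the strongest carrier but unknown to the SIM.
SCAN = [
    Found("26207", "GSM", -60.0),
    Found("26202", "UTRAN", -90.0),
    Found("26201", "UTRAN", -99.0),
    Found("26203", "GSM", -100.0),
    Found("26201", "GSM", -75.0),
    Found("26205", "GSM", -98.0),
]
SIM = {
    "hplmn": "26201",
    "ehplmn_list": [],
    "user_list": [("26203", "GSM")],
    "operator_list": [("26202", "UTRAN")],
}


def demo_order() -> List[Tuple[str, str]]:
    """The order in which the constructed MS would attempt registration."""
    return [(f.plmn, f.rat) for f in selection_order(SCAN, **SIM)]


if __name__ == "__main__":
    for plmn, rat in demo_order():
        print(plmn, rat)
```

In the demo the home PLMN's two cells come first even though one of them is the weakest carrier seen, and the strongest carrier ("26207" at -60 dBm) is only reached at step 4. That ordering is what makes a fake BTS that broadcasts the home MCC/MNC effective: in automatic mode the MS attempts registration on it before any candidate the SIM lists, whatever the level of the genuine cells. The forbidden-LA handling of Page 39 is not modelled.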

Page 39: Cell Selection

● If successful registration is achieved, the MS indicates the selected PLMN. If registration cannot be achieved because no PLMNs are available and allowable, the MS indicates ‘no service’ to the user, waits until a new PLMN is available and allowable and then repeats the procedure. If there were one or more PLMNs which were available and allowable, but an LR failure made registration on those PLMNs unsuccessful or an entry in any of the lists ‘forbidden LAs for roaming’, or ‘forbidden LAs for regional provision of service’ prevented a registration attempt, the MS selects the first such PLMN again and enters a limited service state. [4]

Page 40: Cell Selection

MS and BTS transmission at the same time

Page 41: Cell Selection

GSM Physical and logical channel concept

Frequencies in the uplink = 890.2 + 0.2 (N-1) MHz

Frequencies in the downlink = 935.2 + 0.2 (N-1) MHz

where, N is from 1 to 124 called ARFCN

As the same antenna is used for transmitting as well as receiving, a delay of 3 time slots is introduced between TS0 of the uplink and TS0 of the downlink frequency. This avoids the need for simultaneous transmission and reception by the GSM mobile phone. The 3-slot period is used by the mobile to perform various functions, e.g. processing data and measuring the signal quality of neighbour cells. [5]

Page 42: Cell Selection

Traffic Channel
● A traffic channel (TCH) is used to carry speech and data traffic. Traffic channels are defined using a 26-frame multiframe, or group of 26 TDMA frames. The length of a 26-frame multiframe is 120 ms, which is how the length of a burst period is defined (120 ms divided by 26 frames divided by 8 burst periods per frame). Out of the 26 frames, 24 are used for traffic, 1 is used for the Slow Associated Control Channel (SACCH) and 1 is currently unused (see Figure 2). TCHs for the uplink and downlink are separated in time by 3 burst periods, so that the mobile station does not have to transmit and receive simultaneously, thus simplifying the electronics. [6]

Page 44: Cell Selection

About GSM channels
● Traffic channels are bi-directional. Their frequency separation (uplink and downlink) amounts to 45 MHz in the 900 MHz band and 75 MHz in the 1.8 GHz band. In addition there is a time shift of 3 Burst Periods (BP) between transmitting and receiving which allows the same Time slot Number to be used for up and downward transmission. [7]

Page 45: Cell Selection

References
(1) SONG, Y., ZHOU, K., CHEN, X. Fake BTS Attacks of GSM System on Software Radio Platform. Journal of Networks, North America, 7, Feb. 2012. Available at: <http://ojs.academypublisher.com/index.php/jnw/article/view/jnw0702275281>. Date accessed: 01 May 2013.

(2) Ika Ståhlberg, Radio jamming attacks against two popular mobile networks, Helsinki University of Technology Seminar on Network Security, 2000.

(3) User Description, GSM-UMTS-LTE Cell Reselection and Handover, Ericsson.com

(4) GSM UMTS PLMN Selection, Leliwa Technical Bulletin

(5) GSM Tutorial, available at: http://www.rfwireless-world.com/Tutorials/gsm-tutorial.html

(6) John Scourias, Overview of the Global System for Mobile Communications, available at: http://ccnga.uwaterloo.ca/~jscouria/GSM/gsmreport.html

(7) About the GSM-Dm-Channels, available at: http://www2.informatik.huberlin.de/~goeller/isdn/GSMDmChannels.pdf
