Security of Cellular Networks:

Man-in-the Middle Attacks

Mario Čagalj

University of Split

2013/2014.

‘Security in the GSM system’ by Jeremy Quirke, 2004

Introduction
 Nowadays, mobile phones are used by 80-90% of the
world’s population (billion of users)
 Evolution
 1G: analog cellular networks GSM security specifications
 2G: digital cellular networks with GSM (Global System for Mobile
Communications) beign the most popular and the most widely used
standard (circuit switching)
 other 2G: technologies IS-95 – CDMA based (US), PDC (Japan), etc.

 2.5G: GPRS (General Packet Radio Service) – packet switching

 2.75G: EDGE – faster data service
 3G: UMTS (CDMA based), HSPA for data traffic (e.g., 5-10 Mbps)
 other 3G: CDMA2000 (US, S. Korea)

 4G: LTE (OFDM based), peak data rates of 100Mbps

2
Cellular Network Architecture
A high level view

Databases
(e.g., Home
Location Register)

External
Mobile
Station Base Mobile
Network
Station Switching
Center

Cellular Network

3
EPFL, JPH
Cellular Network Architecture
Registration Process

Nr: 079/4154678

Tune on the strongest signal

4
EPFL, JPH
Cellular Network Architecture
Service Request

079/4154678
079/8132627 079/4154678
079/8132627

5
EPFL, JPH
Cellular Network Architecture
Paging Broadcast (locating a particular mobile station in case of mobile
terminated call)

079/8132627?
079/8132627?

079/8132627?

079/8132627?

Note: paging makes sense only over a small area

6
EPFL, JPH
Cellular Network Architecture
Response

079/8132627

079/8132627

7
EPFL, JPH
Cellular Network Architecture
Channel Assignement

Channel
Channel 47
Channel
47 68

Channel
68

8
EPFL, JPH
Cellular Network Architecture
Conversation

9
EPFL, JPH
Cellular Network Architecture
Handover (or Handoff)

10
EPFL, JPH
Cellular Network Architecture
Message Sequence Chart
Base Switch Base
Caller Station Callee
Station

Periodic registration Periodic registration

Service request Service request

Page request Page request

Paging broadcast Paging broadcast

Paging response Paging response

Assign Ch. 47 Assign Ch. 68 Tune to Ch. 68

Tune to Ch.47

Ring indication Ring indication Alert tone

User response User response

Stop ring indication Stop ring indication
11
EPFL, JPH
GSM System Architecture
Based on ‘Mobile Communications: Wireless
Telecommunication Systems’
Architecture of the GSM system
 GSM is a PLMN (Public Land Mobile Network)
 several providers setup mobile networks following the GSM
standard within each country
 components
 MS (mobile station)
 BS (base station)
 MSC (mobile switching center)
 LR (location register)
 subsystems
 RSS (radio subsystem): covers all radio aspects
 NSS (network and switching subsystem): call forwarding, handover,
switching
 OSS (operation subsystem): management of the network
13
 Please check http://gsmfordummies.com/architecture/arch.shtml

GSM: overview
OMC, EIR,
AUC
HLR GMSC
NSS fixed network
with OSS
VLR MSC MSC
VLR

BSC

BSC

RSS

14
GSM: system architecture
radio network and switching fixed
subsystem subsystem networks

MS MS
ISDN
PSTN
MSC

BTS
BSC EIR
BTS

SS7 HLR

BTS VLR
BSC ISDN
BTS MSC PSTN
BSS IWF
PSPDN 15
CSPDN
System architecture: radio subsystem
radio network and switching
subsystem subsystem  Components
 MS (Mobile Station)
MS MS
 BSS (Base Station Subsystem):
consisting of
 BTS (Base Transceiver Station):
BTS sender and receiver
BSC MSC  BSC (Base Station Controller):
BTS
controlling several transceivers

BTS
BSC MSC
BTS
BSS

16
Radio subsystem
 The Radio Subsystem (RSS) comprises the cellular mobile
network up to the switching centers
 Components
 Base Station Subsystem (BSS):
 Base Transceiver Station (BTS): radio components including sender,
receiver, antenna - if directed antennas are used one BTS can cover
several cells
 Base Station Controller (BSC): switching between BTSs, controlling BTSs,
managing of network resources, mapping of radio channels onto
terrestrial channels

 Mobile Stations (MS)

17
GSM: cellular network
segmentation of the area into cells

possible radio coverage of the cell

idealized shape of the cell

cell

 use of several carrier frequencies

 not the same frequency in adjoining cells
 cell sizes vary from some 100 m up to 35 km depending on user density,
geography, transceiver power etc.
 hexagonal shape of cells is idealized (cells overlap, shapes depend on
geography)
 if a mobile user changes cells
 handover of the connection to the neighbor cell
18
System architecture: network and
switching subsystem
Components
network fixed partner
subsystem networks  MSC (Mobile Services Switching Center)
 IWF (Interworking Functions)
ISDN
PSTN
MSC
 ISDN (Integrated Services Digital Network)
 PSTN (Public Switched Telephone Network)
 PSPDN (Packet Switched Public Data Net.)
EIR
 CSPDN (Circuit Switched Public Data Net.)
SS7

HLR
Databases
 HLR (Home Location Register)
VLR  VLR (Visitor Location Register)
ISDN
 EIR (Equipment Identity Register)
MSC
PSTN
IWF
PSPDN
CSPDN
19
Network and switching subsystem
 NSS is the main component of the public mobile network GSM
 switching, mobility management, interconnection to other networks,
system control
 Components
 Mobile Services Switching Center (MSC)
controls all connections via a separated network to/from a mobile terminal
within the domain of the MSC - several BSC can belong to a MSC
 Databases (important: scalability, high capacity, low delay)
 Home Location Register (HLR)
central master database containing user data, permanent and semi-permanent
data of all subscribers assigned to the HLR (one provider can have several HLRs)
 Visitor Location Register (VLR)
local database for a subset of user data, including data about all user currently in
the domain of the VLR
20
Mobile Services Switching Center
 The MSC (mobile switching center) plays a central role in
GSM
 switching functions
 additional functions for mobility support
 management of network resources
 interworking functions via Gateway MSC (GMSC)
 integration of several databases

21
Operation subsystem
 The OSS (Operation Subsystem) enables centralized operation,
management, and maintenance of all GSM subsystems
 Components
 Authentication Center (AUC)
 generates user specific authentication parameters on request of a VLR
 authentication parameters used for authentication of mobile terminals and
encryption of user data on the air interface within the GSM system
 Equipment Identity Register (EIR)
 registers GSM mobile stations and user rights
 stolen or malfunctioning mobile stations can be locked and sometimes even
localized
 Operation and Maintenance Center (OMC)
 different control capabilities for the radio subsystem and the network subsystem

22
 Please check http://gsmfordummies.com/gsmevents/mobile_terminated.shtml

Mobile Terminated Call

1: calling a GSM subscriber 4
HLR VLR
2: forwarding call to GMSC 5
8 9
3: signal call setup to HLR 3 6 14 15
4, 5: request MSRN (roaming calling 7
PSTN GMSC MSC
number) from VLR station 1 2
6: forward responsible 10 10 13 10
MSC to GMSC 16
BSS BSS BSS
7: forward call to
11 11 11
current MSC
8, 9: get current status of MS 11 12
17
10, 11: paging of MS MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection
23
Mobile Originated Call
1, 2: connection request
3, 4: security check
VLR
5-8: check resources (free circuit)
9-10: set up call 3 4
6 5
PSTN GMSC MSC
7 8
2 9

MS
1 BSS
10

24
Mobile Terminated and Mobile Originated Calls
MS MTC BTS MS MOC BTS
paging request
channel request channel request
immediate assignment immediate assignment
paging response service request
authentication request authentication request
authentication response authentication response
ciphering command ciphering command
ciphering complete ciphering complete
setup setup
call confirmed call confirmed
assignment command assignment command
assignment complete assignment complete
alerting alerting
connect connect
connect acknowledge connect acknowledge
data/speech exchange data/speech exchange
25
Security in GSM
Based on:
‘Security in the GSM system’ by Jeremy Quirke

‘The GSM Standard (An overview of its security)’ by SANS Institute

InfoSec Reading Room

‘Mobile Communications: Wireless Telecommunication Systems’

 Security Services in GSM
 Access control/authentication
x
 user <-- -- SIM (Subscriber Identity Module): secret PIN (personal
identification number)
x
 SIM <-- -- network: challenge response method

 Confidentiality
 voice and signaling encrypted on the wireless link (after successful
authentication)
 Anonymity
 temporary identity TMSI (Temporary Mobile Subscriber Identity)
 newly assigned at each new location update (LUP)
 encrypted transmission

27
 Security Services in GSM
Authentication

 SIM (Subscriber Identity Module) card

 smartcard inserted into a mobiel phone
 contains all necessary details to obtain access to an account
 unique IMSI (International Mobile Subscriber Identity)
 Ki - the individual subscriber authentication key (128bit, used to generate all
other encryption and authentication keying GSM material)
 highly protected – the mobile phone never learns this key, mobile only forwards
any required material to the SIM
 known only to the SIM and network AUC (Authentication Center)
 SIM unlocked using a PIN or PUK
 authentication (A3 algorithm) and key generation (A8 algorithm)
is performed in the SIM
 SIM contains a microprocessor 28
Security Services in GSM
Authentication

mobile network SIM

RAND
Ki RAND RAND Ki

AC 128 bit 128 bit 128 bit 128 bit

A3 A3
SIM
SRES* 32 bit SRES 32 bit

MSC SRES
SRES* =? SRES SRES
32 bit

Ki: individual subscriber authentication key SRES: signed response 29

Security Services in GSM
Authentication

Kc: Session encryption key generated together with SRES 30

Security Services in GSM
Encryption

mobile network (BTS) MS with SIM

RAND
Ki RAND RAND Ki
AC 128 bit 128 bit 128 bit 128 bit SIM

A8 A8

cipher Kc
key 64 bit Kc
64 bit
data encrypted SRES
data
BTS MS
data
A5 A5
31
 Security Services in GSM
Authentication and Encryption

 A3 and A8 algorithms are both run in SIM at the same time on the
same input (RAND, Ki)
 A3A8 = COMP128v1, COMP128v2, COMP123v3 (serious weaknesses known)
 not used in UMTS
 Encryption algorithm A5
 symmetric encryption algorithm
 voice/data encryption performed by a phone using generated encryption key Kc

32
 Security Services in GSM
Encryption

 A5 algorithms
 A5/0 – no encryption used
 A5/1 and A5/2 developed far from public domain and later found
flawed
 stream ciphers based on linear feedback shift registers
 A5/2 completely broken (not used anymore in GSM)
 A5/1 is a bit stronger but also broken by many researchers

 A5/3 – is a block cipher based on Kasumi encryption algorithm

 used in UMTS, GSM, and GPRS mobile communications systems
 public and reasonably secure (at least at the moment)

33
Security Services in GSM
Summary

34
Security Weaknesess in GSM
 A mobile phone does not authenticate the base station!
 only mobile authenticate to BS (one-way authentication)
 fake BS and man-in-the middle attacks possible
 attacker does not have to know authentication key Ki

 A5/0 - No Encryption algorithm is a valid choice in GSM

 for voice, SMS, GPRS, EDGE services

 Many weaknesses in A5 family of encryption algorithms

35
Security Weaknesess in GSM

36
 Security Services in GSM
Anonymity

 Preventing eavesdropper (listening attacker) from determining if a

particular subscriber is/was in the given area
 location privacy
 thanks to long ranges a very powerful attack
 attacker uses IMSI (International Mobile Subscriber Identity)
 IMSI Catchers

 To preserve location privacy GSM defines TMSI (Temporary Mobile

Subscriber Identity)
 when a phone turned on, IMSI from SIM transmitted in clear to the AUC
 after this TMSI is assigned to this user for location privacy
 after each location update or a predefined time out, a new TMSI is assigned to the
mobile phone
 a new TMSI is sent encrypted (whenever possible)
 VLR database contains mapping TMSI to IMSI 37
Security Services in GSM
Anonymity

38
Security Services in GSM
Anonymity

39
Security Weaknesess in GSM
Attack Against the Anonymity Service

 GSM provisions for situation when the network somhow

loses track of a particular TMSI
 in this case the network must ask the subscriber its IMSI over the radio link
using the IDENTITY REQUEST and IDENTITY RESPONSE mechanism
 however, the connection cannot be encrypted if the network does not know
the IMSI and so the IMSI is sent in plain text
 the attacker can use this to map known TMSI and unknown and user-specific
IMSI

40
 Countermeasures: UMTS
 UMTS defines 2-way authentication and mandates the
use of stronger encryption and authentication primitives
 prevents MITM attacks by a fake BS, but be cautious...

 Still many reasons to worry about

 most mobiles support < 3G standards (GPRS, EDGE)
 when signal is bad, hard to supprot UMTS rates
 mobile providers already invested a lot of money and do not give up upon
‘old’ BSS equippment
 femtocells

41
 Many Reason to Worry About Your Privacy
 http://www.theregister.co.uk/2008/05/20/tracking_phones/

 http://www.theregister.co.uk/2011/10/31/met_police_datong_mo
bile_tracking/ (check also http://www.pathintelligence.com)

 http://docs.google.com/viewer?url=https%3A%2F%2Fmedia.black
hat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-
Pico_Mobile_Attacks-Slides.pdf

 http://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-
labs.tu-berlin.de%2Fbh2011.pdf
42