2 - Physical- & Link-Layer Security (Cellular Networks) Flashcards

1
Q

What is GSM and how does it relate to 3G and LTE?

A

Global System for Mobile Communication (2G) is an (old) standard that describes protocols for digital cellular networks used by mobile phones.

All countries have GSM networks, and it is used to complement the coverage of modern networks such as 3G and LTE (4G).

2
Q

Describe the GSM infrastructure.

A

Mobile Stations (phones) interact with Base Transceiver Stations (antennas) via a radio link.

Base Transceiver Stations connect to a Base Station Controller.

The Base Station Controller connects to a Mobile Switching Center that is responsible for routing data, coordinating handovers and connecting the cellular network to the Public Switched Telephone Network.

3
Q

What are HLR and VLR?

A

Home Location Register is a central database that contains details of each mobile phone subscriber that is authorized to use the GSM core network.

Visiting Location Register is a database of the subscribers who have roamed into the jurisdiction of the Mobile Switching Center which it serves.

4
Q

What is TDMA?

A

Time Division Multiple Access is a channel access method that allows users to share a frequency channel by dividing the signal into different time slots. It is used by GSM to provide multiple logical channels through a single physical channel.

5
Q

Which are the three categories of channels in a GSM network? Explain each one.

A

Traffic Channels: establish point-to-point connections between BTS (antennas) and MS (phones).

Common Control Channels: signaling between BTS and MS (requesting resources by an MS, accessing the mobile network, broadcasting beacons, paging).

Dedicated Control Channels: signaling messages related to services such as handover procedures or connection establishment.

6
Q

Which categories of GSM channels are of special interest to attackers?

A

Control channels (CCCH and DCCH).

7
Q

Explain why GSM offered “security by obscurity”.

A

The authentication (A3) and encryption (A5) algorithms were kept secret initially, but they became public through leaks and reverse engineering and are now vulnerable to attacks.

Security relied on the assumption that there is no open GSM equipment available. NOT TRUE ANYMORE!

Open firmware for baseband processors (found in MS) and open implementations of BTS and BSC.

End-user and provider technology are freely available!!! :D

8
Q

Which are the three attacks on GSM networks?

A
  1. IMSI Catcher
  2. Denial of Service
  3. Hijacking Services
9
Q

Explain the IMSI Catcher attack goal and how it works.

A

Goal: eavesdrop on communication.

How: Man-in-the-Middle and turning off the encryption.

Details: Subscribers are globally identified by their International Mobile Subscriber Identity (IMSI). The attacker has a rogue BTS (to receive requests) and MS (to forward requests).

  1. MS victim accepts rogue BTS as its base station.
  2. Attacker registers with the network and forwards the messages, pretending to be the victim.
  3. Attacker does not forward the ciphering mode request to the victim and replies Fault.
  4. Network uses mode “no ciphering”.
  5. Attacker forwards “no ciphering” mode to victim.
  6. Non-encrypted communication takes place :)

Possible because a GSM network does not authenticate itself to the mobile phone.

10
Q

Explain the paging mechanism and its procedure.

A

Paging is used by the network to notify an MS about incoming services (SMS, call, etc.).

Once an MS is registered in a cell, it listens only to the PCH to save energy. The MS should update its location when changing Location Area. Page requests (Network —> MS) are broadcast over the entire Location Area.

Procedure:

  1. BTS —> MS: paging request (broadcast over LA)
  2. MS —> BTS: channel request
  3. BTS —> MS: details of allocated channel
  4. MS —> BTS: paging response
  5. MS <—> BTS: authentication, ciphering, service
11
Q

Explain the DoS attack.

A

Goal: ensure a person or device is not reachable.

How: provoke a race condition in the GSM’s state machine.

Details: the attacker should answer a paging request (with a channel request) before the victim. When the victim answers, the state machine will be in the wrong state.

12
Q

Explain the Hijacking Services attack.

A

Extension of the DoS attack.
Goal: hijack an incoming call or receive a victim’s SMS.

How: Few GSM networks authenticate all services. The attacker can proceed with the GSM protocol and redirect the service to itself. Even if encryption is used, the attacker can deactivate it (IMSI-Catcher) or crack the session key (encryption algorithms are broken).
