“Man-in-the-middle” attacks in 3G. University of Tartu, Computer Science Department. Ksenia Orman

Introduction. GSM (Global System for Mobile communications) is the technology behind most of the world’s mobile networks. Mobile phones are used by more than one billion people worldwide (by mid-March 2006 there were over 1.7 billion GSM subscribers), and GSM is available in more than 190 countries. [1] GSM security issues such as loss of privacy, theft of service and lawful interception remain of great interest to the GSM community. The security goals of the GSM system are to make it as secure as the public switched telephone network and to prevent phone cloning. Today’s GSM platform keeps growing and evolving. 3GSM is the latest addition to the GSM family. 3G systems provide global mobility with a wide range of services including telephony, paging, messaging, Internet and broadband data. 3GSM makes it possible to migrate users of the current second generation (2G) GSM wireless network to the new third generation services with minimal disruption.

1. What is GSM? In the telecommunications world various systems were developed without the benefit of standards. This caused many compatibility problems, especially with the development of digital radio technology. In 1982 the European Conference of Post and Telecommunications Administrations (CEPT) formed a group called Groupe Spécial Mobile, from which the abbreviation GSM originally comes. Its purpose was to develop a European cellular system that would replace the many existing incompatible cellular systems. In 1991 the abbreviation “GSM” was reinterpreted as Global System for Mobile Communications. [2] GSM is the most popular mobile phone system in the world. More than 1.7 billion people used GSM phones as of 2005, making GSM the dominant mobile phone system worldwide with about 70% of the world’s market. Legislation mandating the European-originated GSM (and its 3G successors) as the single mobile phone system in the countries of the European Union gave the system a solid base for expansion to other countries whose subscribers wish to roam in Europe. [3] GSM grew out of a vision that users should be able to make and receive calls on their mobiles wherever they travelled. GSM is unique among telecommunications technologies in specifying international roaming: the ability to use a foreign service provider’s network, which is of particular interest to international tourists and business travellers. The billionth GSM user was connected in the first quarter of 2004. Figure 1 shows how quickly and successfully GSM has been developing.

Fig.1. GSM subscriber statistics [1]

2. The GSM Network. GSM provides recommendations, not requirements. The GSM specifications define the functions and interface requirements in detail but do not dictate the hardware. This is meant to constrain designers as little as possible while encouraging operators to buy equipment from different suppliers. The GSM network is divided into the Base Station Subsystem (BSS), the Network and Switching Subsystem (NSS) and the GPRS Core Network. All of the elements in the system are combined to produce the various GSM services such as voice and SMS.

Fig.2. Structure of a GSM network [2]

Figure 2 shows the simplified structure of a GSM network.
• The BSS. The Base Station Subsystem consists of the Base Transceiver Station (BTS) and the Base Station Controller (BSC). The BSC and the BTS are connected via the Abis interface. The Packet Control Unit (PCU) is a late addition to the GSM standard. It performs some of the processing tasks of the BSC, but for packet data. The PCU is therefore also shown connected to the BTS, although its exact placement depends on the vendor’s architecture.
• The NSS. The Network and Switching Subsystem is shown containing the MSC/VLR connected via the SS7 network to the HLR. The Mobile Switching Centre (MSC) performs the telephony switching functions of the system. It controls calls to and from other telephone and data systems. It also performs functions such as toll ticketing, network interfacing and common channel signalling. The Visitor Location Register (VLR) is a database that contains temporary information about subscribers which the MSC needs in order to serve visiting subscribers. The VLR is always integrated with the MSC. When a mobile station roams into a new MSC area, the VLR connected to that MSC requests the mobile station’s data from the HLR. Later, if the mobile station makes a call, the VLR already has the information needed for call setup without having to interrogate the HLR each time. The Home Location Register (HLR) is a database used for storage and management of subscriptions. The HLR is considered the most important database, as it stores permanent data about subscribers, including the subscriber’s service profile, location information and activity status. Signalling System #7 (SS7) is the set of telephony signalling protocols used to set up the vast majority of the world’s public switched telephone network (PSTN) calls. SS7 provides a universal structure for telephony network signalling, messaging and network maintenance. It handles call establishment, exchange of user information, call routing and different billing structures, and supports Intelligent Network (IN) services. The AUC and EIR, although technically separate functions from the HLR, are shown together since combining them is almost standard in all vendors’ networks. The Authentication Centre (AUC) provides the authentication and encryption parameters that verify the user’s identity and ensure the confidentiality of each call. The AUC protects network operators from the different types of fraud found in today’s cellular world. The Equipment Identity Register (EIR) is a database containing information about the identity of mobile equipment; it is used to block calls from stolen, unauthorized or defective mobile stations. The AUC and EIR are implemented as stand-alone nodes or as a combined AUC/EIR node. The NSS is connected by the A interface to the BSS. It has a direct connection from the MSC to the PSTN. There is also a connection to the Packet Core, although this is optional and not always implemented.
• The GPRS Core Network. The GPRS Core Network is shown in simplified form and contains the SGSN (connected to the BSS by the Gb interface) and the GGSN. The GPRS Support Nodes (GSN) support the use of GPRS in the GSM core network. All GSNs have a common interface and support the GPRS Tunnelling Protocol (GTP). There are two variants of the GSN: the Gateway GPRS Support Node (GGSN) and the Serving GPRS Support Node (SGSN). For more on GPRS see [12].

3. Introduction to 3G. 3GSM is the latest addition to the GSM family. It enables the provision of mobile multimedia services such as music, TV and video, rich entertainment content and Internet access. Global operators, together with the 3rd Generation Partnership Project (3GPP) standards organisation, have developed 3GSM as an open standard. [4] 1G, or first generation wireless, refers to the analog networks introduced in the mid-1980s. Most 1G technologies and systems were country- or region-specific and thus offered limited coverage. As mobile communications grew in popularity, networks often became overloaded, and in the early 1990s 1G was replaced by 2G digital cell phones. This brought a considerable improvement in voice quality. 2G networks may offer an optional low-speed data service, such as email or software downloads, in addition to the digital voice call itself. 2G technologies can be divided into TDMA-based and CDMA-based standards depending on the type of multiplexing used. [5] The main 2G standards are:
• GSM, which originated in Europe but is used worldwide
• TDMA (Time Division Multiple Access), which was used in North and Latin America
• CDMA (Code Division Multiple Access) IS-95, or cdmaOne, which was used primarily in the Americas and Asia Pacific.

Fig.3. GSM Technologies Evolution [1]

The evolution to 3G started in 1999. Japan was the first country to introduce 3G nationally, and there the transition to 3G was expected to be largely completed during 2005/2006. In other countries it may last until 2010. [6] The main reason for the change is the limited capacity of existing 2G networks, which were built mainly for telephone calls and slow data transmission. The International Telecommunication Union (ITU) has defined the requirements for third generation mobile networks in the IMT-2000 standard. [7]

Today, WCDMA (Wideband CDMA) and CDMA2000 are the dominant standards in terms of commercial services. CDMA2000 1X was the world’s first operational 3G technology, capable of transmitting data faster than most dial-up services. Today more than 190 million people use CDMA2000 1X. [7]

Also known as UMTS (Universal Mobile Telecommunications System), WCDMA is the 3G standard chosen by most GSM/GPRS network operators. WCDMA supports speeds between 384 kbit/s and 2 Mbit/s: in wide-area use the top speed is 384 kbit/s, while in local-area (short-range, indoor) use it reaches 2 Mbit/s. [7] As of February 2006, more than 51 million subscribers were using WCDMA for their mobile voice and data needs. [7] For consumers, 3G offers high-quality, low-cost voice and useful data services such as:
• Mobile Internet connectivity
• Mobile email
• Multimedia services (digital photos, movies etc.)
• Wireless application downloading
• Real-time multiplayer gaming
• Video-on-demand
Finally, 3G’s data capabilities open up an enormous world of opportunity for application developers and content providers.

4. GSM Security model. What is different in 3G. GSM was designed with a moderate level of security. The system authenticates the subscriber using shared-secret (symmetric) cryptography, and communication between the subscriber and the base station can be encrypted. GSM security features:
• Authentication of the user. The International Mobile Subscriber Identity (IMSI) is a unique number associated with every GSM and UMTS mobile phone user. It is stored in the SIM, sent by the mobile to the network, and used to look up the subscriber’s other details in the HLR (or in the local copy held in the VLR). An IMSI is usually fifteen digits long, but can be shorter. The first three digits are the mobile country code (MCC); the next two (in Europe) or three (in North America) digits are the mobile network code (MNC); the remaining digits, up to the maximum length, are the mobile subscriber identification number (MSIN), which is unique within the operator’s customer base.
• Data and signalling confidentiality. All signalling and user data (such as text messages and speech) are to be protected against interception by means of ciphering. Currently three algorithms are defined: A5/1, A5/2 and A5/3. A5/1 and A5/2 were the original algorithms defined by the GSM standard and are based on simple clock-controlled linear feedback shift registers. A5/2 is a deliberately weakened version for certain export regions, while A5/1 is used in countries such as the US, UK and Australia. A5/3 was added in 2002 and is based on the open KASUMI algorithm defined by 3GPP. [9] A large security advantage of GSM over earlier systems is that Ki, the secret key stored on the SIM card from which every GSM ciphering key is derived, is never sent over the air interface. Serious weaknesses have been found in both A5/1 and A5/2, and A5/2 can be broken in real time in a ciphertext-only attack. Because the system supports multiple algorithms, operators may replace a weak cipher with a stronger one (A5/1 or A5/3), provided the equipment on the user’s side is upgraded to support the chosen algorithm.

• Confidentiality of the user’s identity. This is designed to prevent someone who knows the user’s IMSI from using it to track the user’s location or to identify calls made to or from that user by eavesdropping on the radio path.

The next figure (Fig. 4) gives a more detailed overview of the GSM security architecture.

• Authentication of the user in GSM.

Fig 4. GSM system
There is a permanent secret key Ki for each user i. As Fig. 4 shows, this key is stored in two locations:
• in the user’s Subscriber Identity Module (SIM) card;
• at the Authentication Centre (AuC).

The key Ki never leaves either of these two locations. Authentication and key agreement are needed to protect against unauthorized service access. The network authenticates the user with a challenge-response method: the network generates a random 128-bit number (RAND) and sends it to the mobile; the SIM processes RAND with the A3 algorithm under the 128-bit secret key Ki assigned to that subscriber and returns the 32-bit signed response (SRES).

Figure 5. Identification and authentication of a user. GSM security protocol
The authentication procedure:
• The mobile station sends the IMSI to the network.
• The network receives the IMSI and looks up the Ki that corresponds to it.
• The network generates a 128-bit random number (RAND) and sends it to the mobile station over the air interface.
• The MS calculates SRES with the A3 algorithm using the challenge (RAND) and the Ki residing in the SIM.
• At the same time, the network calculates SRES using the same algorithm and the same inputs.
• The MS sends SRES to the network.
• The network checks that the received SRES matches its own value.

So the authentication is based on a secret Ki shared between the subscriber’s home network (HLR/AuC) and the subscriber’s SIM. Ki is generated and written to the SIM card in a secure place when the SIM is personalised, and a copy of the key is placed in the home network’s AuC.
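The procedure above written out as a runnable model. This is an added example, not code from the original essay: the real A3 and A8 are operator-specific and are replaced here by HMAC-SHA256 stand-ins with the same input and output sizes (32-bit SRES, 64-bit Kc), and the IMSI, Ki and challenge values are constructed. Besides the legitimate run and a cloned SIM with the wrong Ki, it shows the point Section 7 makes: the SIM answers any RAND, so a false BTS holding neither Ki nor a triplet still gets a valid SRES and a Kc derived for it.

```python
"""Model of GSM challenge-response authentication (A3/A8) and of why the
procedure never authenticates the network side.

ASSUMPTION: HMAC-SHA256 truncated to GSM output sizes stands in for the
operator-specific A3/A8 (COMP128 is a common real choice); same interface.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed test subscriber (not real data): 15-digit IMSI, 128-bit Ki.
TEST_IMSI = "248012345678901"
TEST_KI = bytes.fromhex("0123456789abcdef0123456789abcdef")


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 32-bit signed response SRES from (Ki, RAND)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 64-bit cipher key Kc from (Ki, RAND)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


@dataclass(frozen=True)
class Triplet:
    """Authentication triplet the AuC hands to the serving MSC/VLR."""
    rand: bytes
    sres: bytes
    kc: bytes


class AuC:
    """Home network: the only network-side holder of Ki. Exports triplets, never Ki."""

    def __init__(self, subscribers: Dict[str, bytes]):
        self._ki = dict(subscribers)

    def triplet(self, imsi: str) -> Triplet:
        ki = self._ki[imsi]
        rand = os.urandom(16)                      # fresh 128-bit challenge
        return Triplet(rand, a3(ki, rand), a8(ki, rand))


class SIM:
    """Subscriber side: Ki never leaves the card, only SRES and Kc do."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki
        self.last_kc: Optional[bytes] = None

    def run_gsm_algorithms(self, rand: bytes) -> Tuple[bytes, bytes]:
        # The SIM answers ANY RAND: it cannot tell whether the challenge
        # comes from its home network or from a false BTS.
        sres, kc = a3(self._ki, rand), a8(self._ki, rand)
        self.last_kc = kc
        return sres, kc


class ServingMSC:
    """Serving network: sees only triplets, so it verifies SRES and uses Kc
    without ever knowing Ki."""

    def __init__(self, auc: AuC):
        self._auc = auc

    def authenticate(self, sim: SIM) -> Tuple[bool, Optional[bytes]]:
        t = self._auc.triplet(sim.imsi)            # IMSI -> triplet for that Ki
        sres, _ = sim.run_gsm_algorithms(t.rand)   # RAND over the air, SIM answers
        if hmac.compare_digest(sres, t.sres):      # compare with the AuC's SRES
            return True, t.kc                      # both ends now share Kc for A5
        return False, None


def legitimate_authentication() -> bool:
    auc = AuC({TEST_IMSI: TEST_KI})
    sim = SIM(TEST_IMSI, TEST_KI)
    ok, kc_net = ServingMSC(auc).authenticate(sim)
    return ok and kc_net == sim.last_kc            # same Kc derived on both sides


def cloned_sim_with_wrong_ki_is_rejected() -> bool:
    auc = AuC({TEST_IMSI: TEST_KI})
    ok, _ = ServingMSC(auc).authenticate(SIM(TEST_IMSI, bytes(16)))  # right IMSI, wrong Ki
    return not ok


def false_bts_is_answered() -> bool:
    """A false BTS with no Ki and no triplet picks any RAND and still receives
    SRES and a Kc derived for it: GSM authentication is one-way."""
    sres, kc = SIM(TEST_IMSI, TEST_KI).run_gsm_algorithms(bytes(16))
    return len(sres) == 4 and len(kc) == 8


def replayed_rand_gives_same_kc() -> bool:
    """Kc depends only on (Ki, RAND); replaying an observed RAND makes the MS
    reuse the same Kc, which is why captured triplets are valuable."""
    sim = SIM(TEST_IMSI, TEST_KI)
    rand = os.urandom(16)
    _, kc1 = sim.run_gsm_algorithms(rand)
    _, kc2 = sim.run_gsm_algorithms(rand)
    return kc1 == kc2


if __name__ == "__main__":
    print("legitimate run:", legitimate_authentication())
    print("wrong Ki rejected:", cloned_sim_with_wrong_ki_is_rejected())
    print("false BTS answered:", false_bts_is_answered())
    print("RAND replay gives same Kc:", replayed_rand_gives_same_kc())
```

The AuC and the serving MSC are deliberately separate objects: the MSC receives only the triplet, which is exactly the hand-over between home and serving network that GSM relies on, and exactly the data that weakness 2 in Section 6 says travels in clear between networks.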

GSM uses a ciphering key to protect both user data and signalling over the air interface. A temporary session key Kc is generated as the output of another one-way function, A8, which takes the same input parameters Ki and RAND. The serving network has no knowledge of the master key Ki and therefore cannot handle all the security alone. Instead, the relevant parameters (the so-called authentication triplet: RAND, SRES, Kc) are sent from the AuC to the serving network element, the MSC/VLR (Mobile Switching Centre/Visitor Location Register), or the SGSN (Serving GPRS Support Node) in the case of GPRS (General Packet Radio Service). The process of identification, authentication and cipher key generation is shown in Figure 5.

5. 3G Security Principles. There are three key principles behind 3G security:
1. 3G security builds on the security of second generation systems. Security elements within GSM and other second generation systems that have proved to be needed and robust are adopted for 3G security.
2. 3G security improves on the security of second generation systems: 3G security addresses and corrects real and perceived weaknesses in second generation systems.
3. 3G security offers new security features and secures the new services offered by 3G.

6. Weaknesses in Second Generation security. The following weaknesses in the security of GSM must be corrected in 3G security:
1. active attacks using a “false BTS” are possible;
2. cipher keys and authentication data are transmitted in clear between and within networks;
3. encryption does not extend far enough towards the core network, resulting in the cleartext transmission of user and signalling data across microwave links (in GSM, from the BTS to the BSC);
4. user authentication using a previously generated cipher key (where fresh authentication with A3/A8 is not performed) and protection against channel hijack both rely on the use of encryption, which provides only implicit user authentication. However, encryption is not used in some networks, leaving opportunities for fraud;
5. data integrity is not provided. Data integrity defeats certain false BTS attacks and, in the absence of encryption, provides protection against channel hijack;
6. the IMEI (International Mobile Equipment Identity) is an unsecured identity and should be treated as such;
7. second generation systems do not have the flexibility to upgrade and improve security functionality over time.

7. Man-in-the-Middle Attacks
• Authentication in GSM is one-way: the base station is never authenticated to the mobile.
• Anyone with the proper equipment can impersonate a base station to the user.

In the attacks described next, the attacker impersonates the network to the MS, impersonates the MS to the network, or combines both in a so-called man-in-the-middle attack.

Figure 6. Active attack

Active attacks on the network are possible, in principle, by somebody who has the requisite equipment to masquerade as a legitimate network element and/or a legitimate user terminal (an example is shown in Fig. 6). Before an active attack can be conducted the attacker may have to capture the MS. An attacker with a false BS placed between the MS and the genuine BS, transmitting at higher power than the genuine BS, can make the MS camp on the false BS, thereby gaining total control over which system information the MS receives and even which messages (and with which content) reach the legitimate network from this MS. The MS is captured by the attacker, who controls the messages that go from the MS to the legitimate network as well as the messages flowing in the other direction. The captured MS’s identity can then be used to send fabricated messages on behalf of a legitimate subscriber. Capturing MSs not only gives the attacker the ability to mount several attacks on GSM users; it is in itself a quite severe attack. Captured MSs have no contact with the network (apart from information the attacker relays) and are therefore unable to get service. The attack is fully possible and quite easy to carry out, though it is also easy to detect. We now take a brief look at the best-known “man-in-the-middle” attacks on GSM.

7.1 Integrity protection of RRC (Radio Resource Control) signalling. The Radio Resource Control (RRC) protocol carries control information over the radio link. It routes mobility and connection management messages submitted by higher layers, and establishes connections and user-plane radio bearers. [4] Authenticating individual control messages is very important, and it is one of the main purposes of integrity protection. A separate authentication procedure only guarantees the identities of the communicating parties at the time of authentication. A “man-in-the-middle” can act as a simple relay and deliver all messages unmodified until the authentication procedure has completed; after that, the man-in-the-middle is free to manipulate messages between the parties. However, if messages are protected individually, deliberate manipulation can be noticed and false messages discarded. The integrity protection mechanism is based on a message authentication code, a one-way function controlled by the secret Integrity Key (IK). The integrity algorithm is based on the same core function as encryption: the KASUMI block cipher is used in a special mode to create a message authentication code function. This block cipher transforms a 64-bit input into a 64-bit output under a 128-bit key (IK for integrity protection, CK for encryption). More information about the KASUMI block cipher is in [9]; a detailed description of the first 3GPP integrity protection algorithm (f9) is given in [8]. There are, however, RRC control messages whose integrity cannot be protected by this mechanism: messages sent before the Integrity Key is in place cannot be protected.

7.2 Security mode set-up. The term “network domain security” in Third Generation Partnership Project (3GPP) specifications covers the security of communication between network elements. In particular, the User Equipment (UE) is not affected at all by network domain security. Two communicating network elements can be administered in two ways: by a single operator, or by two different operators when the elements belong to two different networks. The second case definitely requires standardized solutions; otherwise each pair of operators that are roaming partners would need to agree separately on a common solution. This is quite a new field, for which no cryptographic security mechanisms for network communications were available before. Security was believed to follow from the fact that the global Signalling System No. 7 (SS7) network has only been accessible to a relatively small number of well-established institutions (network operators or large corporations). SS7 was standardized by the International Telecommunication Union (ITU) and still dominates the fixed part of telecommunication networks. Unfortunately, there is now a real danger that an attacker can insert and manipulate SS7 messages. There are two reasons: first, the increasing number of different operators and service providers that need to communicate with each other; and second, the trend to replace SS7-based networks by Internet Protocol (IP)-based networks. The introduction of IP brings many benefits, but it also means that a large number of hacking tools, some of which are freely available on the Internet, may become applicable to telecommunication networks. This matters especially because the session keys used to protect radio communications are sent in plaintext between operators.
There are some critical points when a communication channel is protected by security mechanisms, and the very beginning of protection needs particular attention. First, which mechanisms are activated; then, at what point in time protection starts in each direction; and finally, which parameters (for example keys) are activated. An obvious attack against any security mechanism is to try to prevent execution of the mechanism in the first place; even the strongest mechanism is useless if it is never turned on. This attack, and similar ones, can be carried out by a “man-in-the-middle”. A standards-track specification addressing this is RFC 3329 [10]; the need for it arose from IMS security work. The basic idea is, first, to exchange security capability lists between the client and the server in an unprotected manner, and then to verify the validity of the mechanism choice later, once protection has been turned on (Fig. 7).

Figure 7. Security agreement message flow. More information is in the corresponding specification [10].

7.3 Message authentication codes (MAC). A MAC (cryptographic message authentication code) is a cryptographic algorithm used to protect the integrity and origin of data: a short piece of information used to authenticate a message. A MAC algorithm takes a secret key as input. Unlike block ciphers, MAC transformations need not be invertible. The MAC value protects both a message’s integrity and its authenticity. The sender and receiver of a message must agree on a key before communicating, because MAC values are both generated and verified using the same secret key. The security requirement for a MAC is that without knowledge of the secret key it should be infeasible to produce a MAC for any new message, even when some messages and their corresponding MAC values are known. For more information about MACs see [11] [13]. Attacks against MAC algorithms can be classified by the information available to the attacker:
• Known message attack. The attacker knows some messages (plaintext) and the corresponding MAC values.
• Chosen message attack. The attacker can select messages and obtain the corresponding MAC values.
• Adaptively chosen message attack. The attacker can choose a number of messages and obtain the corresponding MAC values, and when choosing a new message may exploit the previously obtained MAC values. [14]

An attacker may try different strategies to forge MAC values. A straightforward way that cannot be prevented is simply to guess the correct MAC value for a chosen message. Another way is to try to determine the secret key: as with encryption systems, an attacker may perform an exhaustive key search given a valid pair of a message and its MAC value. More advanced attacks are based on internal collisions of the MAC algorithm. An internal collision occurs when two different messages are input and the compression function transforms them to the same value at some intermediate round. Depending on the type of compression function, an internal collision can sometimes be turned into a key recovery attack that is faster than exhaustive search.

7.4 Classmark Attacks. This attack makes use of the classmark information that the MS sends to the network to announce, among other things, its ciphering capabilities. The goal of the attack is to make the network believe that the MS can only encrypt and decrypt using A5/2 and A5/0 (no encryption). Later, when a call involving this MS is made, the encryption method chosen will be one of these two (from the attacker’s point of view, preferably A5/0). In the case of A5/0, no encryption is used, so eavesdropping on the conversation is straightforward. In the case of A5/2 the attacker has an implementation of one of the attacks against A5/2 and is able to cryptanalyse the encryption. The attack is active at the start: the attacker acts as a repeater between the MS and the BTS. When a signalling message containing the classmark IE is observed, the attacker modifies it so that the network believes this MS has no encryption capabilities, or only A5/2. Once this is done the active part of the attack is over and the attacker switches to passive monitoring of the traffic. Every message this MS sends and receives is either unencrypted or can be decrypted. The scheme of the attack is shown in Figure 8.

Figure 8. Classmark Attacks

Since GSM does not provide integrity protection of transmitted messages, the attacker is able to alter the classmark IE. The attacker only has to change a few bits of information to make the network believe that the victim MS is not able to use A5/1 (or A5/3), leaving only A5/2 or no encryption at all. As a priority, 3G security provides the proven second generation security features and corrects the weaknesses of the second generation systems.
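The classmark manipulation from 7.4, together with the countermeasure that 7.2 and 7.3 describe (exchange capabilities unprotected, then confirm the choice under a MAC once integrity protection is on), as an added example rather than code from the essay. The capability set, the strength ranking, the integrity key and the HMAC-SHA256 stand-in for the KASUMI-based f9 are all assumptions made for this model; the bit layout of the real Classmark IE is not reproduced, and the UMTS security mode command is simplified to “echo what you received, plus your choice, under MAC-I”.

```python
"""Classmark bidding-down in GSM, and the integrity-protected capability echo
that defeats it in 3G-style security mode set-up.

ASSUMPTIONS: ciphers are a set of names with an assumed strength ranking,
not the real Classmark IE bits; mac_i() is HMAC-SHA256 truncated to 32 bits
under a constructed IK, standing in for f9 / MAC-I.
"""
import hashlib
import hmac
from typing import Callable, Optional, Set, Tuple

# Assumed ranking: A5/0 is "no encryption", A5/2 the export cipher,
# A5/1 the original, A5/3 the KASUMI-based one.
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}
FULL_CAPS = {"A5/0", "A5/1", "A5/2", "A5/3"}     # what the victim MS really supports
NETWORK_CAPS = {"A5/0", "A5/1", "A5/2"}          # what this BSS can run
TEST_IK = bytes(range(16))                       # constructed 128-bit integrity key

Attacker = Optional[Callable[[Set[str]], Set[str]]]


def select_cipher(claimed: Set[str], offered: Set[str]) -> str:
    """Network policy: strongest algorithm both sides claim to support."""
    common = claimed & offered
    if not common:
        raise ValueError("no common cipher")
    return max(common, key=CIPHER_RANK.__getitem__)


def mitm_strip_classmark(sent: Set[str]) -> Set[str]:
    """Relay attacker rewrites the classmark in flight: only A5/0 and A5/2 survive."""
    return {c for c in sent if c in ("A5/0", "A5/2")}


def gsm_negotiation(ms_caps: Set[str], network_caps: Set[str],
                    attacker: Attacker = None) -> str:
    """GSM: the classmark is neither integrity protected nor echoed back,
    so whatever the network receives decides the cipher."""
    received = attacker(set(ms_caps)) if attacker else set(ms_caps)
    return select_cipher(received, network_caps)


def encode_caps(caps: Set[str]) -> bytes:
    """Canonical encoding so both ends compare identical bytes."""
    return ",".join(sorted(caps, key=CIPHER_RANK.__getitem__)).encode()


def mac_i(ik: bytes, message: bytes) -> bytes:
    """32-bit message authentication code (stand-in for f9 / MAC-I)."""
    return hmac.new(ik, message, hashlib.sha256).digest()[:4]


def security_mode_command(ik: bytes, received_caps: Set[str],
                          chosen: str) -> Tuple[bytes, bytes]:
    """Network: echo the capabilities it received and its choice, under a MAC."""
    msg = b"SMC|" + encode_caps(received_caps) + b"|" + chosen.encode()
    return msg, mac_i(ik, msg)


def ue_check_security_mode(ik: bytes, sent_caps: Set[str],
                           msg: bytes, tag: bytes) -> Tuple[bool, str]:
    """UE: reject a forged MAC first, then reject any difference between what
    it sent and what the network says it received (bidding-down detected)."""
    if not hmac.compare_digest(mac_i(ik, msg), tag):
        return False, "bad MAC-I"
    _, echoed, chosen = msg.split(b"|")
    if echoed != encode_caps(sent_caps):
        return False, "capabilities modified in transit"
    return True, chosen.decode()


def protected_negotiation(ms_caps: Set[str], network_caps: Set[str], ik: bytes,
                          attacker: Attacker = None) -> Tuple[bool, str]:
    """3G-style: the unprotected capability exchange still happens, but its
    outcome is verified once integrity protection is switched on."""
    received = attacker(set(ms_caps)) if attacker else set(ms_caps)
    chosen = select_cipher(received, network_caps)
    msg, tag = security_mode_command(ik, received, chosen)
    # The relay can only pass msg/tag on unchanged: without IK it cannot
    # re-MAC a message that echoes the full capability list.
    return ue_check_security_mode(ik, ms_caps, msg, tag)


if __name__ == "__main__":
    print("GSM, no attacker:", gsm_negotiation(FULL_CAPS, NETWORK_CAPS))
    print("GSM, attacker:   ", gsm_negotiation(FULL_CAPS, NETWORK_CAPS, mitm_strip_classmark))
    print("3G, no attacker: ", protected_negotiation(FULL_CAPS, NETWORK_CAPS, TEST_IK))
    print("3G, attacker:    ", protected_negotiation(FULL_CAPS, NETWORK_CAPS, TEST_IK,
                                                     mitm_strip_classmark))
```

Note what the defence does and does not do: the attacker can still make the network pick A5/2, but the UE refuses to proceed, so the call fails instead of running on a breakable cipher. The same “compare the echoed list against what I sent” check is the idea behind the RFC 3329 security agreement flow in Fig. 7.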

8. Conclusion. The goal of this essay was to introduce GSM and give an overview of its history, standards and structure. It presents the terminology and describes GSM security operation, including its principles and features, and compares 2G and 3G networks from the security point of view. Although my research topic was „Man-in-the-middle attacks in 3G”, this essay gives an overview of the most common attacks on communication networks. I plan to study these attacks more thoroughly and research their countermeasures in 3G later on.

Dictionary of abbreviations:

CEPT – European Conference of Post and Telecommunications Administrations
GSM – Groupe Spécial Mobile; later Global System for Mobile Communications
BSS – Base Station Subsystem
NSS – Network and Switching Subsystem
GPRS – General Packet Radio Service
SMS – Short Message Service
BTS – Base Transceiver Station
BSC – Base Station Controller
PCU – Packet Control Unit
MSC – Mobile Switching Centre
VLR – Visitor Location Register
HLR – Home Location Register
SS7 – Signalling System #7
PSTN – Public Switched Telephone Network
IN – Intelligent Network
AUC – Authentication Centre
EIR – Equipment Identity Register
GSN – GPRS Support Node
GGSN – Gateway GPRS Support Node
SGSN – Serving GPRS Support Node
UMTS – Universal Mobile Telecommunications System
3GPP – 3rd Generation Partnership Project
TDMA – Time Division Multiple Access
CDMA – Code Division Multiple Access
cdmaOne – brand name for IS-95 (Interim Standard 95), the first CDMA-based digital cellular standard
ITU – International Telecommunication Union
WCDMA – Wideband CDMA
IMSI – International Mobile Subscriber Identity
MCC – Mobile Country Code
MNC – Mobile Network Code
MSIN – Mobile Subscriber Identification Number
SIM – Subscriber Identity Module
RAND – random 128-bit challenge
SRES – signed response
XRES – expected response
IMEI – International Mobile Equipment Identity
UE – User Equipment
BS – Base Station
IK – Integrity Key
CK – Cipher Key
RRC – Radio Resource Control
SIP – Session Initiation Protocol
MAC – Message Authentication Code

References
[1] http://www.gsmworld.com/index.shtml
[2] http://en.wikipedia.org/wiki/
[3] http://www.gsmworld.com/index.shtml ; http://www.cellular.co.za/technologies/3g/3g.htm
[4] http://www.3gpp.org/
[5] http://www.umtsworld.com/technology/overview.htm
[6] http://www.umtsworld.com/umts/history.htm
[7] http://www.umtsworld.com/
[8] 3GPP TS 35.201 V5.0.0 (2002-06); Document 1: f8 and f9 specification (Release 5).
[9] http://en.wikipedia.org/wiki/KASUMI
[10] J. Arkko, V. Torvinen, G. Camarillo, A. Niemi and T. Haukka. Security Mechanism Agreement for the Session Initiation Protocol (SIP). RFC 3329, January 2003.
[11] D. Stinson, Cryptography: Theory and Practice (2nd edn), Chapman & Hall/CRC Press, London, 2002.
[12] http://en.wikipedia.org/wiki/GPRS
[13] http://homes.esat.kuleuven.be/~preneel/preneel_mac_wcap06.pdf
[14] V. Niemi and K. Nyberg, UMTS Security, Nokia Research Center, Finland, 2003.
[15] http://en.wikipedia.org/wiki/GSM
[16] http://www.etsi.org
[17] Internet Security, Applications, Authentication and Cryptography, University of California, Berkeley. “GSM Security and Encryption”.
[18] E. Käsper, Privacy and Security in GSM, MTAT.07.006 Research Seminar in Cryptography, seminar talk, 2005.
[19] J. Quirke, Security in the GSM system, 1 May 2004, http://www.ausmobile.com
[20] D. Mc Keon, C. Brewer, J. Carter and M. Mc Taggart, GSM and UMTS Security, http://ntrg.cs.tcd.ie/undergrad/4ba2.05/group7/index.html