48 From GSM to LTE-Advanced Pro and 5G
● No encryption on the Abis interface. The communication link between the base station and the BSC is not ciphered today. Attackers with equipment that is able to intercept E1‐based communication over a microwave or cable link can potentially intercept signaling messages and voice calls. In the future, this risk is likely to be reduced with the introduction of encrypted high‐speed IP‐based communication to multiradio access technology base stations as discussed in Chapters 3 and 4.
● No mandatory air interface encryption. Encryption is activated with a ciphering command message by the network. If not activated, all signaling and voice calls are transmitted without protection from eavesdropping. In practice, networks always activate air interface encryption today. Some phones indicate an unencrypted communication link with an open lock symbol.
● No network authentication. In practice, this allows attacks that are based on false base stations. By placing such a false base station close to a user and by using transmission power higher than that of any other base station from the network operator, the mobile device will automatically select the false base station and transmit its IMSI in the location update dialog that is further described in Section 1.8.1. The false base station can then use this information to intercept all incoming and outgoing communication by using the user’s IMSI itself for communication with the network. By preventing the use of encryption, the need to get access to the shared secret Ki is dispensed with (cp. Section 1.6.4). Such devices are known as ‘IMSI catchers’ and further details can be found in [29] and Frick and Bott [30].

Potential protection against such an attack would be to mandate authentication and encryption on the mobile side for every connection establishment. While it would still be possible to collect IMSIs, this would prevent the false base station from eavesdropping on SMS messages and voice calls. At the time of publication, however, such a protection is not implemented in mobile devices.
● A5/2 Weaknesses. This encryption algorithm was created to allow the export of GSM systems to countries for which export restrictions concerning security technologies exist. With the processing power of today’s computers, it is possible to retrieve the ciphering key Kc within seconds with only a small amount of collected ciphering data. As A5/2 is not used in countries where no export restrictions apply, this in itself is not an issue.
● A5/1 and A5/3 Active attacks. The weakness of A5/2 can potentially be used for indirect attacks on communication encrypted with more secure A5 algorithms such as A5/1 and A5/3. This requires equipment that can not only intercept a data transfer but also act as a false base station as described above. In the first step, A5/1 or A5/3 encrypted data are recorded. In the second step, the secret ciphering key, Kc, that was used to encrypt the conversation is recovered by actively contacting the mobile device and instructing it to activate A5/2 ciphering without supplying new keying material. With subsequent frames now being encrypted with A5/2, its weaknesses can be exploited to calculate the secret ciphering key Kc. As no new ciphering material is supplied for this conversation, the recovered Kc is the same as that previously used for the recorded data that were encrypted using A5/1. To counter this attack, the GSM Association recommends that new mobile devices shall no longer support A5/2. This has been implemented in practice and today, only very old mobile devices are still vulnerable.
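As an added illustration that is not part of the book, the following Python model shows the mobile-side behaviour behind the last three points: Kc is derived from Ki and the RAND of an AUTHENTICATION REQUEST, so a CIPHER MODE COMMAND that switches the algorithm without a new authentication reuses the stored Kc. The `derive_kc` function is a constructed HMAC stand-in for A8, and the `MobileStation` class with its `supported` set and `require_fresh_auth` flag is an assumed simplification used to compare a legacy handset with one that drops A5/2 and demands authentication per connection.

```python
import hashlib, hmac, secrets

def derive_kc(ki: bytes, rand: bytes) -> bytes:
    # Stand-in for GSM A8 (Kc = f(Ki, RAND)); real SIMs use COMP128/MILENAGE-based
    # algorithms. A truncated HMAC is a constructed placeholder for this illustration.
    return hmac.new(ki, rand, hashlib.sha256).digest()[:8]

class MobileStation:
    """Assumed simplification of the mobile side of GSM cipher-mode negotiation."""
    def __init__(self, ki, supported, require_fresh_auth):
        self.ki, self.supported = ki, set(supported)
        self.require_fresh_auth = require_fresh_auth
        self.kc, self.fresh_auth = None, False

    def new_connection(self):
        # An AUTHENTICATION REQUEST from an earlier connection no longer counts,
        # but the Kc it produced is still stored and would be reused.
        self.fresh_auth = False

    def authentication_request(self, rand):
        self.kc = derive_kc(self.ki, rand)   # fresh RAND -> fresh Kc
        self.fresh_auth = True

    def cipher_mode_command(self, algorithm):
        """Return (accepted, reason). Refusing A5/2 and insisting on a fresh
        authentication are the two mitigations the text describes."""
        if algorithm not in self.supported:
            return False, f"{algorithm} not supported"
        if self.require_fresh_auth and not self.fresh_auth:
            return False, "no authentication in this connection: Kc would be reused"
        return True, f"ciphering with {algorithm}"

def run_scenario(ms):
    """Connection 1: authenticate and cipher with A5/1. Connection 2: CIPHER MODE
    COMMAND arrives without any new AUTHENTICATION REQUEST."""
    ms.new_connection()
    ms.authentication_request(secrets.token_bytes(16))
    kc_first = ms.kc
    ms.cipher_mode_command("A5/1")
    ms.new_connection()
    return {"a52": ms.cipher_mode_command("A5/2"),
            "a51": ms.cipher_mode_command("A5/1"),
            "kc_unchanged": ms.kc == kc_first}

KI = secrets.token_bytes(16)  # constructed test value; a real Ki never leaves the SIM
legacy = run_scenario(MobileStation(KI, {"A5/1", "A5/2", "A5/3"}, False))
hardened = run_scenario(MobileStation(KI, {"A5/1", "A5/3"}, True))
```

In both runs the stored Kc is identical across the two connections; only the handset policy decides whether it may be used again under a different algorithm.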