
9. Mobile Network Vulnerabilities

9.1. Radio Access Network Security Vulnerabilities

9.1.1. Denial of Service (Registration)

One of the RAN security issues is its susceptibility to DoS attacks [98], which can be used to saturate the resources of the RAN and of the core elements behind it. The attacker sends a very high volume of registration requests to the MSC, which cannot distinguish false requests from legitimate ones. For every request the MSC fetches an authentication challenge from the HLR, keeping both elements busy, so that genuine requests are lost for as long as the attack lasts [99]. (MSC and HLR are the 2G/3G core elements; in LTE the equivalent roles are played by the MME and HSS.) In most modern networks this has now been mitigated.

9.1.2. Denial of Service (Attach)

Attach requests and rejects can be used to block mobile devices at the RAN [99]. A rogue eNodeB, presenting itself as a legitimate one, answers the UE's attach request with a false Attach Reject. Because the reject arrives before any security context has been established, the UE has no way to verify its origin and treats it as a genuine rejection by the nearby legitimate eNodeB. As a result, the UE stops attempting to connect to that eNodeB and is denied the services it wants from its mobile network service provider, at least for a certain amount of time [100], or until it moves location or performs a power-off reset.

9.1.3. Eavesdropping

This is done via the SIB (System Information Block) and MIB (Master Information Block) messages. These are broadcast periodically by the base station and carry the system information a device needs to select and use the cell: the PLMN identity of the mobile operator, the identity of the cell, and the received-power thresholds that decide when a device selects or reselects that cell. These blocks carry neither encryption nor integrity protection, so they are open to passive sniffing: an attacker with a suitable receiver can simply listen and record them without any real effort [101]. Using this information it is also possible to construct a very convincing fake base station, by broadcasting the identity of a legitimate Mobile Network Operator together with power and threshold values that cause nearby devices to move to it. The same broadcasts reveal the mapping of the important control channels, which allows a jamming attack to be executed far more precisely, since the attacker now knows exactly where in time and frequency the control signalling sits. However, such an attack is only very localised, and the transmissions expose the attacker to detection by law enforcement.
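As an added example that is not from the report, the Python below decodes the LTE MIB. The bit layout is the MasterInformationBlock definition in 3GPP TS 36.331 (unaligned PER, 24 bits); the 3-byte sample is constructed for the demonstration, not a real capture. The MIB carries the cell bandwidth, PHICH configuration and frame number; the operator (PLMN) and cell identity mentioned above are in SIB1, which is encoded in the same unprotected way but is longer and not decoded here. The point of the example is that nothing beyond bit-slicing is needed: there is no key, no MAC and no ciphering to get past.

```python
# Added example (not from the report): decoding the LTE MasterInformationBlock.
# Layout per 3GPP TS 36.331 (unaligned PER):
#   dl-Bandwidth        3 bits  ENUMERATED {n6, n15, n25, n50, n75, n100}
#   phich-Duration      1 bit   ENUMERATED {normal, extended}
#   phich-Resource      2 bits  ENUMERATED {oneSixth, half, one, two}
#   systemFrameNumber   8 bits  (the 8 MSBs of the 10-bit SFN)
#   spare              10 bits
# 24 bits in total; no integrity tag and no ciphering, so any receiver can parse it.
from dataclasses import dataclass

DL_BANDWIDTH_RB = (6, 15, 25, 50, 75, 100)      # number of resource blocks
PHICH_DURATION = ("normal", "extended")
PHICH_RESOURCE = ("1/6", "1/2", "1", "2")


@dataclass(frozen=True)
class Mib:
    dl_bandwidth_rb: int
    phich_duration: str
    phich_resource: str
    sfn: int        # 10-bit system frame number; the 2 LSBs come from PBCH timing
    spare: int


class _BitReader:
    """Reads big-endian bit fields from a byte string."""

    def __init__(self, data: bytes) -> None:
        self._bits = "".join(f"{b:08b}" for b in data)
        self._pos = 0

    def read(self, n: int) -> int:
        if self._pos + n > len(self._bits):
            raise ValueError("MIB payload too short")
        value = int(self._bits[self._pos:self._pos + n], 2)
        self._pos += n
        return value


def decode_mib(payload: bytes) -> Mib:
    """Decode the 3-byte MIB payload carried on the PBCH."""
    if len(payload) != 3:
        raise ValueError("LTE MIB is exactly 24 bits (3 bytes)")
    r = _BitReader(payload)
    bw = r.read(3)
    if bw >= len(DL_BANDWIDTH_RB):
        raise ValueError(f"reserved dl-Bandwidth value {bw}")
    duration = r.read(1)
    resource = r.read(2)
    sfn_msbs = r.read(8)
    spare = r.read(10)
    return Mib(
        dl_bandwidth_rb=DL_BANDWIDTH_RB[bw],
        phich_duration=PHICH_DURATION[duration],
        phich_resource=PHICH_RESOURCE[resource],
        sfn=sfn_msbs << 2,
        spare=spare,
    )


def encode_mib(mib: Mib) -> bytes:
    """Inverse of decode_mib; useful for building test vectors."""
    bits = (
        f"{DL_BANDWIDTH_RB.index(mib.dl_bandwidth_rb):03b}"
        f"{PHICH_DURATION.index(mib.phich_duration):01b}"
        f"{PHICH_RESOURCE.index(mib.phich_resource):02b}"
        f"{(mib.sfn >> 2) & 0xFF:08b}"
        f"{mib.spare & 0x3FF:010b}"
    )
    return int(bits, 2).to_bytes(3, "big")


# Constructed sample (not a real capture): 10 MHz cell (50 RB), normal PHICH
# duration, PHICH resource 1, SFN 176.
SAMPLE_MIB = bytes.fromhex("68b000")

if __name__ == "__main__":
    print(decode_mib(SAMPLE_MIB))
```

The decoder is deliberately strict about length and reserved values: a receiver feeding real PBCH output into it should treat a decode failure as a CRC or synchronisation problem, not as evidence of a protected message, because there is no protection to fail.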

9.1.4. IMSI Catcher

The IMSI of a mobile network user is usually kept private, but must at some point be used in the communications process and data flow. It is usually transmitted before the encryption and authentication process in the Non-Access Stratum (NAS) functional layer, where the attach process occurs. The NAS is the set of protocols used to transfer non-radio signalling messages between a UE and the Core Network. Vulnerabilities in the protocol stack can be exploited to obtain the IMSI during the network attach process. The IMSI catcher commonly impersonates a GSM base station, because GSM does not authenticate the network to the device and offers only weak ciphering, so a device drawn onto it is forced to use low-level security and its communications can be monitored [102], see Figure 25 [103]. A mitigation is to minimise the transmission of the IMSI by using a Temporary Mobile Subscriber Identity (TMSI), which the network allocates after authentication and can change regularly. The TMSI is shorter than the IMSI and hence more efficient to transmit, but its purpose is the significant improvement to subscriber privacy that comes from not transmitting the IMSI continuously. The protection is only partial: the IMSI is still sent when the UE holds no valid TMSI, and a rogue cell that has no TMSI mapping can ask for the IMSI with an identity request, which the UE answers in the clear before any authentication has taken place [100].

[99] RadWare. (2013) Mobile Networks Security Research Paper

[100] Shaik, A., Borgaonkar, R. et al. (2017) Practical Attacks Against Privacy and Availability in 4G/LTE Communication Systems

[101] Jover, R. P. (2016) LTE Security, protocol exploits and location tracking experimentation with low-cost software radio

Figure 25: IMSI catcher illustration

9.1.5. Downgrade Attack

The ‘Attach Reject’ and TAU (Tracking Area Update) reject messages can be used in a similar way to the denial of service attacks: again a rogue eNodeB sends the reject to an unsuspecting UE, which is convinced that it is not permitted to connect to a legitimate eNodeB [100]. Instead of a simple reject that prevents attach or connection, the rogue eNodeB now includes a reject cause stating that the user is not allowed to use 3G and 4G services, leaving only 2G, which is weaker in terms of security. The UE then exclusively attempts to connect to a 2G network, exposing it to eavesdropping: GSM does not authenticate the network to the device and its A5/1 and A5/2 ciphers are broken, so traffic can be intercepted [102]. The reject is acted on even though it carries no integrity protection, because the UE has no security context when it arrives; this is the same root cause as the denial of service attack above.
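To make the mechanism behind 9.1.2, 9.1.4 and 9.1.5 concrete, the following is a reduced model of the UE side of the attach exchange. It is an added example, not from the report and not an implementation of 3GPP TS 24.301: the message names are those of the NAS specification, but the UE and network classes, the test IMSI and the treatment of forbidden radio access technologies as a simple set are simplifications assumed for the demonstration. Three scenarios are run against it: a normal attach that reuses the TMSI, a rogue cell that elicits the IMSI with an identity request, and a rogue cell whose unprotected reject leaves the UE on 2G until it is power-cycled.

```python
# Added example (not from the report): a reduced model of the LTE NAS attach
# exchange. Message names follow 3GPP TS 24.301; the classes, the IMSI value
# and the "forbidden RATs" set are simplifications assumed for the demo.
from dataclasses import dataclass, field
from typing import Optional

ALL_RATS = frozenset({"2G", "3G", "4G"})
TEST_IMSI = "001010123456789"   # constructed value on test PLMN 001-01


@dataclass
class Msg:
    kind: str
    params: dict = field(default_factory=dict)
    integrity_protected: bool = False   # only possible once AKA has run


@dataclass
class Ue:
    imsi: str
    tmsi: Optional[str] = None
    forbidden_rats: set = field(default_factory=set)
    identities_sent: list = field(default_factory=list)

    def attach_request(self) -> Msg:
        # Use the temporary identity once the network has allocated one.
        ident = ("tmsi", self.tmsi) if self.tmsi else ("imsi", self.imsi)
        self.identities_sent.append(ident)
        return Msg("ATTACH_REQUEST", {"id": ident})

    def handle(self, msg: Msg) -> Optional[Msg]:
        if msg.kind == "IDENTITY_REQUEST" and msg.params.get("type") == "imsi":
            # No security context exists yet, so the UE answers in the clear;
            # this is the step an IMSI catcher relies on.
            self.identities_sent.append(("imsi", self.imsi))
            return Msg("IDENTITY_RESPONSE", {"id": ("imsi", self.imsi)})
        if msg.kind in ("ATTACH_REJECT", "TAU_REJECT"):
            # Rejects are acted on without integrity protection: the UE cannot
            # tell a rogue cell from the real network at this point.
            self.forbidden_rats |= set(msg.params.get("forbid", ()))
        elif msg.kind == "ATTACH_ACCEPT":
            self.tmsi = msg.params["tmsi"]
        return None

    def usable_rats(self) -> set:
        return set(ALL_RATS - self.forbidden_rats)

    def power_cycle(self) -> None:
        self.forbidden_rats.clear()   # the forbidden list is not persistent


class LegitimateNetwork:
    # MME/HSS side: holds the TMSI -> IMSI mappings it allocated.
    def __init__(self) -> None:
        self.tmsi_to_imsi: dict = {}
        self._next_tmsi = 0x1000

    def handle(self, ue: Ue, msg: Msg) -> None:
        kind, value = msg.params["id"]
        if kind == "tmsi" and value in self.tmsi_to_imsi:
            imsi = self.tmsi_to_imsi[value]
        elif kind == "imsi":
            imsi = value
        else:   # unknown TMSI: the real network also has to ask for the IMSI
            imsi = ue.handle(Msg("IDENTITY_REQUEST", {"type": "imsi"})).params["id"][1]
        # Authentication and key agreement would run here (omitted).
        tmsi = f"{self._next_tmsi:04x}"
        self._next_tmsi += 1
        self.tmsi_to_imsi[tmsi] = imsi
        ue.handle(Msg("ATTACH_ACCEPT", {"tmsi": tmsi}, integrity_protected=True))


class RogueCell:
    # False base station: no HSS access, so it cannot resolve a TMSI.
    def __init__(self) -> None:
        self.captured_imsis: list = []

    def catch_imsi(self, ue: Ue) -> None:
        kind, value = ue.attach_request().params["id"]
        if kind != "imsi":
            value = ue.handle(Msg("IDENTITY_REQUEST", {"type": "imsi"})).params["id"][1]
        self.captured_imsis.append(value)

    def reject(self, ue: Ue, forbid: set) -> None:
        ue.attach_request()
        ue.handle(Msg("TAU_REJECT", {"forbid": forbid}))   # sent unprotected


def scenario_tmsi_reuse() -> list:
    # Two attaches to the real network: the IMSI is sent only the first time.
    ue, net = Ue(TEST_IMSI), LegitimateNetwork()
    net.handle(ue, ue.attach_request())
    net.handle(ue, ue.attach_request())
    return [kind for kind, _ in ue.identities_sent]


def scenario_imsi_catcher() -> list:
    # A UE that already holds a TMSI still reveals its IMSI to a rogue cell.
    ue, net, rogue = Ue(TEST_IMSI), LegitimateNetwork(), RogueCell()
    net.handle(ue, ue.attach_request())
    rogue.catch_imsi(ue)
    return rogue.captured_imsis


def scenario_downgrade() -> tuple:
    # An unprotected reject leaves only 2G until the UE is power-cycled.
    ue, rogue = Ue(TEST_IMSI), RogueCell()
    rogue.reject(ue, {"4G", "3G"})
    before = ue.usable_rats()
    ue.power_cycle()
    return before, ue.usable_rats()
```

The model makes the shared weakness visible in one place: the UE's `handle` method acts on IDENTITY_REQUEST and the reject messages without looking at `integrity_protected`, because no key exists yet against which it could check. The legitimate network uses exactly the same identity request when it has lost a TMSI mapping, which is why the UE cannot simply refuse to answer it.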

9.1.6. Man-in-the-Middle (MitM)

Using a false base station or rogue eNodeB it is possible to impersonate a legitimate provider's base station, using some of the prior vulnerabilities such as eavesdropping on the broadcast information to obtain the cell parameters and subscriber identities needed. In this scenario mobile network users initially connect to the false base station, so their traffic passes through the false node before being relayed to its intended destination, allowing the attacker to monitor it without being noticed [100]. What can actually be read depends on the generation the victim ends up on: LTE ciphers NAS signalling and user data once authentication completes, so a relay on its own sees the pre-authentication signalling and identities and can manipulate connectivity, whereas combining it with the downgrade attack above exposes the content of 2G communications.

9.1.7. Tracking

It is possible to use prior methods such as MitM attacks to obtain information from which the location of the mobile network user can be determined, but there is a newer method that achieves this passively. At the lower layers there is a 16-bit identifier, the Cell Radio Network Temporary Identifier (C-RNTI), which is unique to each device within a cell. The C-RNTI is carried in MAC-layer headers and in the addressing of the downlink control channel, below the PDCP layer where ciphering is applied, so it is always transmitted in the clear. From this identifier it is possible to use the packets carrying the C-RNTI to map the traffic of the user quite easily, allowing an eavesdropper to know approximately how long a user stays at a certain location. While the C-RNTI is considered temporary, it is not refreshed very often, which leaves a long enough period for it to be used for tracking [101], see Table 12 and Figure 26, though none of the contents of the data packets are exposed.

[103] Patel, M. (2020, February) Retrieved from Paladion High Speed Cyber Defense: https://www.paladion.net/blogs/how-to-build-an-imsi-catcher-to-intercept-gsm-traffic

Table 12: Mobile network user identity mapping flow

Figure 26. Mapping user identity for tracking
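As an added example that is not from the report or from the cited paper [101], the Python below performs the mapping step that Table 12 and Figure 26 describe: it turns lower-layer observations of (time, cell, C-RNTI) into per-identifier sessions and dwell times, and then shows what a network that reallocated the C-RNTI frequently would do to that picture. The capture records, the 600 s silence threshold and the refresh model are constructed for the demonstration; a real capture would come from an SDR-based decoder.

```python
# Added example (not from the report): mapping C-RNTI observations to dwell
# time at a cell. Records, gap threshold and the refresh model are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Observation:
    t: float          # seconds since start of capture
    cell_id: int      # cell identity read from the unprotected broadcast
    rnti: int         # 16-bit C-RNTI, seen in the clear below the PDCP layer
    direction: str    # "dl" or "ul"


@dataclass(frozen=True)
class Session:
    cell_id: int
    rnti: int
    start: float
    end: float
    packets: int

    @property
    def dwell(self) -> float:
        return self.end - self.start


# Constructed sample, not a real capture: t_seconds,cell_id,c_rnti_hex,direction
CAPTURE = """\
0,101,1a2b,dl
120,101,1a2b,ul
600,101,1a2b,dl
1200,101,1a2b,ul
1800,101,1a2b,dl
10,101,3c4d,dl
40,101,3c4d,ul
100,101,5e6f,dl
200,101,5e6f,ul
2000,101,5e6f,dl
2100,101,5e6f,ul
50,102,1a2b,dl
80,102,1a2b,dl
"""


def parse_capture(text: str) -> list:
    obs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, cell, rnti, direction = line.split(",")
        obs.append(Observation(float(t), int(cell), int(rnti, 16), direction))
    return obs


def sessions_by_rnti(obs: Iterable[Observation], max_gap: float = 600.0) -> list:
    """Group packets by (cell, C-RNTI); silence longer than max_gap starts a new
    session. The C-RNTI is only unique within a cell, so the same value seen in
    another cell is treated as a different user."""
    times_by_key = defaultdict(list)
    for o in obs:
        times_by_key[(o.cell_id, o.rnti)].append(o.t)
    sessions = []
    for (cell, rnti), times in times_by_key.items():
        times.sort()
        start = last = times[0]
        count = 1
        for t in times[1:]:
            if t - last > max_gap:
                sessions.append(Session(cell, rnti, start, last, count))
                start, count = t, 0
            last = t
            count += 1
        sessions.append(Session(cell, rnti, start, last, count))
    return sorted(sessions, key=lambda s: s.dwell, reverse=True)


def simulate_refresh(obs: Iterable[Observation], period: float) -> list:
    """Assumed mitigation, not something the report describes: the network
    reallocates every C-RNTI once per `period` seconds, so the observer sees a
    fresh identifier per interval and cannot chain them without other data."""
    return [
        Observation(o.t, o.cell_id, (o.rnti + int(o.t // period) * 0x0101) & 0xFFFF, o.direction)
        for o in obs
    ]


if __name__ == "__main__":
    for s in sessions_by_rnti(parse_capture(CAPTURE)):
        print(f"cell {s.cell_id} C-RNTI 0x{s.rnti:04x}: {s.dwell:6.0f} s, {s.packets} packets")
```

On the constructed capture the identifier 0x1a2b in cell 101 is visible for 30 minutes across five packets, which is the dwell time an eavesdropper learns without reading a single payload byte; after a simulated 5-minute reallocation no session exceeds that period, so the refresh interval, not the ciphering of the data, is what bounds this attack.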