Critical infrastructures – Main threats for 2G and 3G mobile networks

Pierluigi Paganini January 13, 2012

Which of a country's critical infrastructures is most exposed to cyber threats? The question is undoubtedly difficult to answer. Communication infrastructure is a vital component of every country, and unlike other infrastructures it can be targeted not only for purely destructive purposes but also with the intent to steal sensitive information, in both the civil and the military sphere.
The industry is constantly evolving, and security mechanisms should be improved in parallel. But is that really so? Are our communications really secure? What attacks can be mounted against them? These days we read almost daily about vulnerabilities that can be exploited to undermine communications: backdoors imposed by governments for the surveillance of mobile devices, flaws in authentication protocols that allow our WiFi networks to be pierced very easily, and malware used to take control of VoIP communications from our PCs.


As we have repeatedly reaffirmed, governments and hackers are extremely attentive to the possibility of infiltrating communication systems. The motivations that have historically driven hackers to attack communication systems vary: from the ability to operate anonymously and avoid being traced, to the desire to test their skills against systems believed to be beyond the reach of the masses.

Mobile communications are particularly critical because of the nature of the medium. It is my intention to dispel any doubt about the main mobile communication systems we encounter in our daily lives.
Let's start with what we call 2G communication, short for second-generation wireless telephone technology. It was launched commercially on the GSM standard in 1991. The main benefits of 2G networks for phone conversations are that communications are digitally encrypted and more efficient than with their predecessors, and that 2G introduced data services for mobile (e.g. SMS text messages).

What are the main security issues for 2G?

  • Eavesdropping and cloning can be prevented thanks to the use of encryption and authentication.
  • Weaknesses in the cryptographic algorithms (A3 for authentication, A5 for encryption, A8 for key generation), which were not submitted to peer review because of non-disclosure.

GSM only authenticates the user to the network and not vice versa. The security model therefore offers confidentiality and authentication, but limited authorization capabilities and no non-repudiation. GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used to ensure over-the-air voice privacy. Both algorithms have been broken:

  • A5/2 with a real-time ciphertext-only attack.
  • A5/1 with a rainbow table attack.
The main security concerns regarding GSM are:
  • Communications and signaling traffic in the fixed network are not protected.
  • Does not address active attacks, whereby some network elements (e.g. BTS: Base Station)
  • GSM is only as secure as the fixed networks to which it connects.
  • Lawful interception was only considered as an afterthought.
  • Terminal identity cannot be trusted.
while some of the major attacks are:
  • Man-in-the-middle attack: the attacker positions itself between the target user and the network, eavesdropping on and modifying the traffic.
  • Eavesdropping: the attacker eavesdrops on signaling and data connections.
  • Network impersonation: the attacker sends signaling and data to the target user pretending to be a genuine network. A fake BTS must be in place.
  • User impersonation: the intruder sends signaling and data to the network pretending that they originate from the target user.
After this overview of 2G communication, let's see how much has changed with the introduction of 3G networks. 3G offers greater security by allowing mutual authentication between terminals and networks.
With the growth of 3G networks the mobile phone will play a role similar to that of an ordinary computer. Hackers are able to penetrate mobile devices in exactly the same way they have accessed the confidential data on our computers: they can easily spy on our movements, listen to our phone calls, read our messages and access all our private data. This third-generation technology brings with it a vast number of vulnerabilities, making it a haven for hackers and crackers. All this while very few consumers are actually aware of the threats to 3G, and each operator will need to spend 5-10 percent of its earnings on security. 3G services suffer more security threats, and it is necessary to define new security solutions at different levels, both at the service provider's end and at the handset manufacturer's.
3G networks will make mobile communication networks and bandwidth equivalent to a computer network, which will in turn open up opportunities for cyber criminals to carry out attacks at will through mobile networks.
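To make the difference between the two generations concrete, here is an added example written for this article (it is not code from the original post, nor from any 3GPP or operator implementation) that models both authentication exchanges in Python. The GSM part shows the one-way challenge-response described above: the phone computes SRES and Kc for whatever RAND it receives, so it has no way to tell a genuine network from a fake BTS. The UMTS part models the AKA procedure of 3GPP TS 33.102, in which the network's AUTN token (SQN⊕AK || AMF || MAC) is checked on the USIM, together with sequence-number freshness, before the phone answers. The operator-specific algorithms (A3/A8 and the MILENAGE f1..f5 functions) are replaced by HMAC-SHA256 stand-ins, and the IMSI and keys are constructed values; only the message structure is meant to be faithful.

```python
"""Constructed model of 2G (GSM) one-way authentication versus 3G (UMTS) AKA.
A3/A8 and MILENAGE f1..f5 are replaced by keyed HMAC-SHA256 stand-ins; this
illustrates the protocol structure and is not a 3GPP-conformant implementation."""
import hashlib
import hmac
import os


def _f(key: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    # Stand-in for the operator-specific keyed functions (assumption, not A3/A8 or MILENAGE).
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:n]


# --- 2G: the network challenges the phone; the phone never checks the network.
class GsmPhone:
    def __init__(self, ki: bytes):
        self.ki = ki

    def respond(self, rand: bytes):
        """Answers any RAND, from anyone: 32-bit SRES and 64-bit Kc."""
        return _f(self.ki, b"A3", rand, n=4), _f(self.ki, b"A8", rand, n=8)


class GsmNetwork:
    def __init__(self, ki_by_imsi: dict):
        self.ki_by_imsi = ki_by_imsi

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        return hmac.compare_digest(_f(self.ki_by_imsi[imsi], b"A3", rand, n=4), sres)


# --- 3G AKA: the network proves knowledge of K via AUTN before the phone answers.
AMF = b"\x80\x00"


class UmtsHome:  # HLR/AuC: holds K and the per-subscriber sequence number SQN
    def __init__(self, k_by_imsi: dict):
        self.k_by_imsi = k_by_imsi
        self.sqn = {imsi: 0 for imsi in k_by_imsi}

    def vector(self, imsi: str):
        k = self.k_by_imsi[imsi]
        self.sqn[imsi] += 1
        sqn = self.sqn[imsi].to_bytes(6, "big")
        rand = os.urandom(16)
        mac = _f(k, b"f1", sqn, rand, AMF, n=8)
        xres, ck, ik = _f(k, b"f2", rand, n=8), _f(k, b"f3", rand, n=16), _f(k, b"f4", rand, n=16)
        ak = _f(k, b"f5", rand, n=6)
        autn = bytes(a ^ b for a, b in zip(sqn, ak)) + AMF + mac  # SQN^AK || AMF || MAC
        return rand, autn, xres, ck, ik


class UmtsPhone:  # USIM side
    def __init__(self, k: bytes):
        self.k = k
        self.sqn_seen = 0

    def respond(self, rand: bytes, autn: bytes):
        ak = _f(self.k, b"f5", rand, n=6)
        sqn = bytes(a ^ b for a, b in zip(autn[:6], ak))
        amf, mac = autn[6:8], autn[8:16]
        if not hmac.compare_digest(_f(self.k, b"f1", sqn, rand, amf, n=8), mac):
            raise ValueError("MAC failure: network could not prove knowledge of K")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_seen:
            raise ValueError("synchronisation failure: replayed authentication vector")
        self.sqn_seen = sqn_int
        return _f(self.k, b"f2", rand, n=8), _f(self.k, b"f3", rand, n=16), _f(self.k, b"f4", rand, n=16)


def demo() -> dict:
    imsi = "001010123456789"  # constructed test-network IMSI
    ki, k = os.urandom(16), os.urandom(16)  # constructed subscriber keys
    out = {}
    # 2G: the genuine network is accepted, but a rogue RAND gets a full answer too.
    phone, net = GsmPhone(ki), GsmNetwork({imsi: ki})
    rand = os.urandom(16)
    sres, _ = phone.respond(rand)
    out["gsm_genuine_ok"] = net.verify(imsi, rand, sres)
    rogue_sres, rogue_kc = phone.respond(os.urandom(16))  # rogue BTS, no Ki needed
    out["gsm_rogue_answered"] = len(rogue_sres) == 4 and len(rogue_kc) == 8
    # 3G: only a vector built with K passes; forged or replayed AUTN is rejected.
    home, usim = UmtsHome({imsi: k}), UmtsPhone(k)
    rand, autn, xres, ck, ik = home.vector(imsi)
    res, ck2, ik2 = usim.respond(rand, autn)
    out["umts_genuine_ok"] = hmac.compare_digest(res, xres) and ck == ck2 and ik == ik2
    for name, args in (("umts_rogue_rejected", (os.urandom(16), os.urandom(16))),
                       ("umts_replay_rejected", (rand, autn))):
        try:
            usim.respond(*args)
            out[name] = False
        except ValueError:
            out[name] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point is where the check happens: in the 2G exchange the only verification is on the network side, so a phone that camps on a fake base station will still hand back SRES and derive Kc; in the 3G exchange the USIM refuses to produce RES or keys unless the MAC in AUTN verifies and the sequence number is fresh.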

From a purely technological perspective, 3G networks use the KASUMI block cipher instead of the older A5/1 stream cipher, but several serious weaknesses have also been identified in KASUMI. Consider also that increased connectivity means a significant growth in security exposure that is harder to manage. The main security problems related to 3G networks are:

  • The IMSI is sent in cleartext when a TMSI is allocated to the user.
  • The transmission of the IMEI is not protected; the IMEI is not a security feature.
  • A user can be enticed to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of the serving network (SN).
  • Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set up.

According to the ETSI TS 121 133 specification, 3G threats can be classified as follows:

Unauthorized access to sensitive data (violation of confidentiality)

  • Eavesdropping: An intruder intercepts messages without detection.
  • Masquerading: An intruder hoaxes an authorized user into believing that they are the legitimate system to obtain confidential information from the user; or an intruder hoaxes a legitimate system into believing that they are an authorized user to obtain system service or confidential information.
  • Traffic analysis: An intruder observes the time, rate, length, source, and destination of messages to determine a user’s location or to learn whether an important business transaction is taking place.
  • Browsing: An intruder searches data storage for sensitive information.
  • Leakage: An intruder obtains sensitive information by exploiting processes with legitimate access to the data.
  • Inference: An intruder observes a reaction from a system by sending a query or signal to the system. For example, an intruder may actively initiate communications sessions and then obtain access to information through observation of the time, rate, length, sources or destinations of associated messages on the radio interface.

Unauthorized manipulation of sensitive data (Violation of integrity)

  • Manipulation of messages: Messages may be deliberately modified, inserted, replayed, or deleted by an intruder.

Disturbing or misusing network services (leading to denial of service or reduced availability)

  • Intervention: An intruder may prevent an authorized user from using a service by jamming the user’s traffic, signaling, or control data.
  • Resource exhaustion: An intruder may prevent an authorized user from using a service by overloading the service.
  • Misuse of privileges: A user or a serving network may exploit their privileges to obtain unauthorized services or information.
  • Abuse of services: An intruder may abuse some special service or facility to gain an advantage or to cause disruption to the network.

Repudiation: A user or a network denies actions that have taken place.

Unauthorized access to services

  • Intruders can access services by masquerading as users or network entities.
  • Users or network entities can get unauthorized access to services by misusing their access rights.

We could spend months on the subject of communication networks and their protection, but I have deliberately not gone into depth on issues related to other types of networks such as wireless and WiMAX, IP communications and satellite networks. Communication infrastructures represent the nerve center of a country and must be protected from external and internal attacks, ensuring security for the end user.
Unfortunately, the topic is very complex, and the implementation of security mechanisms clashes with the security issues of government surveillance on the one hand and with issues related to the technologies used on the other.
As always, mediating the situation requires a compromise that must have an acceptable cost for the community and must provide a high level of safety. The need is to keep raising that level just to keep pace with cyber threats.

… to be continued


Pierluigi Paganini

(Security Affairs – GSM A5, mobile hacking)
