6 Security threats

3GPP TS 21.133 (3G security; Security threats and requirements)

The purpose of this clause is to list possible security threats to the 3G system, detailing what the threats achieve, how they are carried out and where in the system they could occur.

It is possible to classify security threats in many different ways. In this clause threats in the following categories have been considered.

Unauthorised access to sensitive data (violation of confidentiality)

– Eavesdropping: An intruder intercepts messages without detection.

– Masquerading: An intruder hoaxes an authorised user into believing that they are the legitimate system to obtain confidential information from the user; or an intruder hoaxes a legitimate system into believing that they are an authorised user to obtain system service or confidential information.

– Traffic analysis: An intruder observes the time, rate, length, source, and destination of messages to determine a user’s location or to learn whether an important business transaction is taking place.

– Browsing: An intruder searches data storage for sensitive information.

– Leakage: An intruder obtains sensitive information by exploiting processes with legitimate access to the data.

– Inference: An intruder observes a reaction from a system by sending a query or signal to the system. For example, an intruder may actively initiate communications sessions and then obtain access to information through observation of the time, rate, length, sources or destinations of associated messages on the radio interface.

Unauthorised manipulation of sensitive data (violation of integrity)

– Manipulation of messages: Messages may be deliberately modified, inserted, replayed, or deleted by an intruder.

Disturbing or misusing network services (leading to denial of service or reduced availability)

– Intervention: An intruder may prevent an authorised user from using a service by jamming the user’s traffic, signalling, or control data.

– Resource exhaustion: An intruder may prevent an authorised user from using a service by overloading the service.

– Misuse of privileges: A user or a serving network may exploit their privileges to obtain unauthorised services or information.

– Abuse of services: An intruder may abuse some special service or facility to gain an advantage or to cause disruption to the network.

Repudiation: A user or a network denies actions that have taken place.

Unauthorised access to services

– Intruders can access services by masquerading as users or network entities.

– Users or network entities can get unauthorised access to services by misusing their access rights.

A number of security threats in these categories are subsequently treated in the remainder of this clause according to the following points of attack:

– Radio interface;

– Other part of the system;

– Terminals and UICC/USIM.

Note also that Annex A gives some extra information as regards threats connected to active attacks on the radio interface. The threats treated in annex A are incorporated in the following lists.

6.1 Threats associated with attacks on the radio interface

The radio interface between the terminal equipment and the serving network represents a significant point of attack in 3G. The threats associated with attacks on the radio interface are split into the following categories, which are described in the following subclauses:

– unauthorised access to data;

– threats to integrity;

– denial of service;

– unauthorised access to services.

6.1.1 Unauthorised access to data

T1a Eavesdropping user traffic: Intruders may eavesdrop user traffic on the radio interface.

T1b Eavesdropping signalling or control data: Intruders may eavesdrop signalling data or control data on the radio interface. This may be used to access security management data or other information which may be useful in conducting active attacks on the system.

T1c Masquerading as a communications participant: Intruders may masquerade as a network element to intercept user traffic, signalling data or control data on the radio interface.

T1d Passive traffic analysis: Intruders may observe the time, rate, length, sources or destinations of messages on the radio interface to obtain access to information.

T1e Active traffic analysis: Intruders may actively initiate communications sessions and then obtain access to information through observation of the time, rate, length, sources or destinations of associated messages on the radio interface.

6.1.2 Threats to integrity

T2a Manipulation of user traffic: Intruders may modify, insert, replay or delete user traffic on the radio interface. This includes both accidental and deliberate manipulation.

T2b Manipulation of signalling or control data: Intruders may modify, insert, replay or delete signalling data or control data on the radio interface. This includes both accidental and deliberate manipulation.

NOTE: Replayed data which cannot be decrypted by an intruder may still be used to conduct attacks against the integrity of user traffic, signalling data or control data.
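The NOTE above holds even when the intruder cannot read the captured data. The following added example is not from TS 21.133, which specifies no algorithms here: the XOR-keystream cipher, the HMAC-based integrity tag, the CK/IK values and the two receiver classes are constructed stand-ins. It shows a receiver that verifies an integrity tag but keeps no freshness state accepting a captured (COUNT, ciphertext, MAC) triple a second time, while a receiver that requires a strictly increasing counter rejects the replay.

```python
import hashlib, hmac

# Constructed toy scheme (not the 3G f8/f9 algorithms): XOR with a keystream
# derived from (CK, COUNT); integrity is a truncated HMAC over (COUNT, ciphertext).
CK = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed sample key


def xor_keystream(count: int, data: bytes) -> bytes:
    """Encrypt or decrypt up to 32 bytes (XOR with the keystream is its own inverse)."""
    assert len(data) <= 32
    ks = hmac.new(CK, count.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks[:len(data)]))


def mac(count: int, ciphertext: bytes) -> bytes:
    return hmac.new(IK, count.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()[:4]


def protect(count: int, plaintext: bytes) -> tuple:
    ct = xor_keystream(count, plaintext)
    return (count, ct, mac(count, ct))  # the on-air message


class StatelessReceiver:
    """Verifies the MAC but remembers nothing: a captured triple is accepted
    a second time, although the intruder never learned the plaintext."""
    def receive(self, msg):
        count, ct, tag = msg
        if not hmac.compare_digest(tag, mac(count, ct)):
            return None  # modified or forged: rejected
        return xor_keystream(count, ct)


class FreshnessReceiver(StatelessReceiver):
    """Additionally requires COUNT to increase strictly, so a replayed triple
    (valid MAC, already-used COUNT) is rejected."""
    def __init__(self):
        self.last_count = -1

    def receive(self, msg):
        if msg[0] <= self.last_count:
            return None  # replay (or out-of-order delivery): rejected
        pt = super().receive(msg)
        if pt is not None:
            self.last_count = msg[0]
        return pt


def replay_outcomes():
    """Deliver a message once, then re-deliver the identical captured bytes."""
    msg = protect(7, b"RELEASE CALL")
    out = {}
    for name, rx in (("stateless", StatelessReceiver()), ("fresh", FreshnessReceiver())):
        out[name] = (rx.receive(msg), rx.receive(msg))  # first delivery, then replay
    return out
```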

6.1.3 Denial of service attacks

T3a Physical intervention: Intruders may prevent user traffic, signalling data and control data from being transmitted on the radio interface by physical means. An example of physical intervention is jamming.

T3b Protocol intervention: Intruders may prevent user traffic, signalling data or control data from being transmitted on the radio interface by inducing specific protocol failures. These protocol failures may themselves be induced by physical means.

T3c Denial of service by masquerading as a communications participant: Intruders may deny service to a legitimate user by preventing user traffic, signalling data or control data from being transmitted on the radio interface by masquerading as a network element.

6.1.4 Unauthorised access to services

T4a Masquerading as another user: An intruder may masquerade as another user towards the network. The intruder first masquerades as a base station towards the user, then hijacks his connection after authentication has been performed.

6.2 Threats associated with attacks on other parts of the system

Although attacks on the radio interface between the terminal equipment and the serving network represent a significant threat, attacks on other parts of the system may also be conducted. These include attacks on other wireless interfaces, attacks on wired interfaces, and attacks which cannot be attributed to a single interface or point of attack. The threats associated with attacks on other parts of the system are split into the following categories, which are described in the following subclauses:

– unauthorised access to data;

– threats to integrity;

– denial of service;

– repudiation;

– unauthorised access to services.

6.2.1 Unauthorised access to data

T5a Eavesdropping user traffic: Intruders may eavesdrop user traffic on any system interface, whether wired or wireless.

T5b Eavesdropping signalling or control data: Intruders may eavesdrop signalling data or control data on any system interface, whether wired or wireless. This may be used to access security management data which may be useful in conducting other attacks on the system.

T5c Masquerading as an intended recipient of data: Intruders may masquerade as a network element in order to intercept user traffic, signalling data or control data on any system interface, whether wired or wireless.

T5d Passive traffic analysis: Intruders may observe the time, rate, length, sources or destinations of messages on any system interface, whether wired or wireless, to obtain access to information.

T5e Unauthorised access to data stored by system entities: Intruders may obtain access to data stored by system entities. Access to system entities may be obtained either locally or remotely, and may involve breaching physical or logical controls.

T5f Compromise of location information: A legitimate user of a 3G service may receive unintended information about other users' locations through (analysis of) the normal signalling or voice prompts received at call set-up.

6.2.2 Threats to integrity

T6a Manipulation of user traffic: Intruders may modify, insert, replay or delete user traffic on any system interface, whether wired or wireless. This includes both accidental and deliberate manipulation.

T6b Manipulation of signalling or control data: Intruders may modify, insert, replay or delete signalling or control data on any system interface, whether wired or wireless. This includes both accidental and deliberate manipulation.

T6c Manipulation by masquerading as a communications participant: Intruders may masquerade as a network element to modify, insert, replay or delete user traffic, signalling data or control data on any system interface, whether wired or wireless.

T6d Manipulation of applications and/or data downloaded to the terminal or USIM: Intruders may modify, insert, replay or delete applications and/or data which is downloaded to the terminal or USIM. This includes both accidental and deliberate manipulation.

T6e Manipulation of the terminal or USIM behaviour by masquerading as the originator of applications and/or data: Intruders may masquerade as the originator of malicious applications and/or data downloaded to the terminal or USIM.

T6f Manipulation of data stored by system entities: Intruders may modify, insert or delete data stored by system entities. Access to system entities may be obtained either locally or remotely, and may involve breaching physical or logical controls.

6.2.3 Denial of service attacks

T7a Physical intervention: Intruders may prevent user or signalling traffic from being transmitted on any system interface, whether wired or wireless, by physical means. An example of physical intervention on a wired interface is wire cutting. An example of physical intervention on a wireless interface is jamming. Physical intervention involving interrupting power supplies to transmission equipment may be conducted on both wired and wireless interfaces. Physical intervention may also be conducted by delaying transmissions on a wired or wireless interface.

T7b Protocol intervention: Intruders may prevent user or signalling traffic from being transmitted on any system interface, whether wired or wireless, by inducing protocol failures. These protocol failures may themselves be induced by physical means.

T7c Denial of service by masquerading as a communications participant: Intruders may deny service to a legitimate user by preventing user traffic, signalling data or control data from being transmitted by masquerading as a network element to intercept and block user traffic, signalling data or control data.

T7d Abuse of emergency services: Intruders may prevent access to services by other users and cause serious disruption to emergency services facilities by abusing the ability to make USIM-less calls to emergency services from 3G terminals. If such USIM-less calls are permitted then the provider may have no way of preventing the intruder from accessing the service.

6.2.4 Repudiation

T8a Repudiation of charge: A user could deny having incurred charges, perhaps through denying attempts to access a service or denying that the service was actually provided.

T8b Repudiation of user traffic origin: A user could deny that he sent user traffic.

T8c Repudiation of user traffic delivery: A user could deny that he received user traffic.

6.2.5 Unauthorised access to services

T9a Masquerading as a user: Intruders may impersonate a user to utilise services authorised for that user. The intruder may have received assistance from other entities such as the serving network, the home environment or even the user himself.

T9b Masquerading as a serving network: Intruders may impersonate a serving network, or part of a serving network's infrastructure, perhaps with the intention of using an authorised user's access attempts to gain access to services themselves.

T9c Masquerading as a home environment: Intruders may impersonate a home environment, perhaps with the intention of obtaining information which enables them to masquerade as a user.

T9d Misuse of user privileges: Users may abuse their privileges to gain unauthorised access to services or to simply intensively use their subscriptions without any intent to pay.

T9e Misuse of serving network privileges: Serving networks may abuse their privileges to gain unauthorised access to services. The serving network could e.g. misuse authentication data for a user to allow an accomplice to masquerade as that user or just falsify charging records to gain extra revenues from the home environment.

6.3 Threats associated with attacks on the terminal and UICC/USIM

T10a Use of a stolen terminal and UICC: Intruders may use stolen terminals and UICCs to gain unauthorised access to services.

T10b Use of a borrowed terminal and UICC: Users who have been given authorisation to use borrowed equipment may misuse their privileges perhaps by exceeding agreed usage limits.

T10c Use of a stolen terminal: Users may use a valid USIM with a stolen terminal to access services.

T10d Manipulation of the identity of the terminal: Users may modify the IMEI of a terminal and use a valid USIM with it to access services.

T10e Integrity of data on a terminal: Intruders may modify, insert or delete applications and/or data stored by the terminal. Access to the terminal may be obtained either locally or remotely, and may involve breaching physical or logical controls.

T10f Integrity of data on USIM: Intruders may modify, insert or delete applications and/or data stored by the USIM. Access to the USIM may be obtained either locally or remotely.

T10g Eavesdropping the UICC-terminal interface: Intruders may eavesdrop the UICC-terminal interface.

T10h Masquerading as an intended recipient of data on the UICC-terminal interface: Intruders may masquerade as a USIM or a terminal in order to intercept data on the UICC-terminal interface.

T10i Manipulation of data on the UICC-terminal interface: Intruders may modify, insert, replay or delete user traffic on the UICC-terminal interface.

T10j Confidentiality of certain user data in the terminal or in the UICC/USIM: Intruders may wish to access personal user data stored by the user in the terminal or UICC, e.g. telephone books.

T10k Confidentiality of authentication data in the UICC/USIM: Intruders may wish to access authentication data stored by the service provider, e.g. authentication key.