7 Risk Assessment

3GPP TS 21.133: 3G security; Security threats and requirements

7.1 Evaluation of threats

Threats have been analysed and evaluated as regards the combined likelihood of occurrence and severity of impact. The threat analysis and the assessment of risks have followed the procedure outlined in ETSI Technical Report ETR 332 [3]. Extensive use has been made of the collected experiences of operators of first generation (analogue) systems and second generation (especially GSM) systems as regards current and envisaged threats to mobile systems. Note that this evaluation normally emanates from the situation as it is before any security mechanisms have been applied, whereas in some cases threats relate also to the situation where GSM-like security mechanisms have been assumed.

The evaluation results are given here as a list of threats evaluated as being of major or medium (significant) impact. Major threats are indicated; the other threats listed are assumed to be of medium impact.

7.1.1 Threats evaluated to be of major or medium value

T1a Eavesdropping user traffic: Intruders may eavesdrop user traffic on the radio interface. (MAJOR)

T1b Eavesdropping signalling or control data: Intruders may eavesdrop signalling data or control data on the radio interface. This may be used to access security management data or other information which may be useful in conducting active attacks on the system.

T1c Masquerading as a communications participant: Intruders may masquerade as a network element to intercept user traffic, signalling data or control data on the radio interface. (MAJOR)

T1d Passive traffic analysis: Intruders may observe the time, rate, length, sources or destinations of messages on the radio interface to obtain access to information. (MAJOR)

T4a Masquerading as another user: An intruder may masquerade as another user towards the network. The intruder first masquerades as a base station towards the user, then hijacks his connection after authentication has been performed.

T5b Eavesdropping signalling or control data: Intruders may eavesdrop signalling data or control data on any system interface, whether wired or wireless. This may be used to access security management data which may be useful in conducting other attacks on the system.

T6e Manipulation of the terminal or USIM behaviour by masquerading as the originator of applications and/or data: Intruders may masquerade as the originator of malicious applications and/or data downloaded to the terminal or USIM.

T9a Masquerading as a user: Intruders may impersonate a user to utilise services authorised for that user. The intruder may have received assistance from other entities such as the serving network, the home environment or even the user himself. (MAJOR)

T9b Masquerading as a serving network: Intruders may impersonate a serving network, or part of a serving network’s infrastructure, perhaps with the intention of using an authorised user’s access attempts to gain access to services himself.

T9d Misuse of user privileges: Users may abuse their privileges to gain unauthorised access to services or to simply intensively use their subscriptions without any intent to pay. (MAJOR)

T10a Use of a stolen terminal and UICC: Intruders may use stolen terminals and UICCs to gain unauthorised access to services. (MAJOR)

T10c Use of a stolen terminal: Users may use a valid USIM with a stolen terminal to access services. (MAJOR)

T10d Manipulation of the identity of the terminal: Users may modify the IMEI of a terminal and use a valid USIM with it to access services. (MAJOR)

T10e Integrity of data on a terminal: Intruders may modify, insert or delete applications and/or data stored by the terminal. Access to the terminal may be obtained either locally or remotely, and may involve breaching physical or logical controls.

T10f Integrity of data on USIM: Intruders may modify, insert or delete applications and/or data stored by the USIM. Access to the USIM may be obtained either locally or remotely.

T10k Confidentiality of authentication data in the UICC/USIM: Intruders may wish to access authentication data stored by the service provider, e.g. authentication key. (MAJOR)

7.2 Results of threat analysis

Not surprisingly, as the experience from operating mobile systems has shown, most of the significant threats can be categorised into a small number of groups:

Masquerading: as other users to gain unauthorised access to services (i.e. charged to another user’s account),

Eavesdropping: which may lead to compromise of user data traffic confidentiality, or of call-related information like dialled numbers, location data, etc.

Subscription fraud: where subscribers exploit the services with heavy usage without any intention to pay.

What is new is the acknowledgement of threats which exploit more sophisticated, active attacks to achieve the eavesdropping or masquerading (see Annex A). These may include attacks which manipulate signalling traffic on the radio interface and attacks where the intruder masquerades as a radio base station. Furthermore, attention is now focused not only on radio interface attacks, but also on other parts of the system.