3GPP TS 21.133: 3G security; Security threats and requirements
An intruder may succeed in disabling encryption on the radio interface by several means.
The intruder may masquerade completely as a serving network. The intruder can either use a man-in-the-middle attack by establishing two connections, one to the user and one to a valid serving network (relaying data with or without modifications between a user and a valid serving network) or just masquerade as a serving network without establishing a link to a real network. In any case, the intruder may be able to suppress encryption between the user and himself by sending the appropriate signalling messages.
Alternatively, the intruder may just manipulate the signalling messages by which the user and serving network agree on their ciphering capabilities to create an incompatibility that will prevent ciphering from being established.
The threats following these actions are described below:
– Eavesdropping of a genuine call.
Once encryption is disabled, the intruder can capture signalling and user traffic.
– Answering a mobile originated call.
When the target attempts to make a call, the intruder relays the messages between the target and the true network until after authentication is completed. The intruder then cuts the connection with the true network, suppresses encryption and proceeds to set up the call as a new call (to any suitable network) and under the intruder’s own full control.
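From the defender's side, both ways of disabling encryption described above leave a trace in the connection-setup signalling: the ciphering capabilities the network acted on differ from those the user sent, or the connection carries on unciphered after authentication. The following added example (not part of the specification) audits constructed setup records for those conditions; the record fields and the sample data are assumptions, and UEA0/UEA1/UEA2 are used as sample 3G algorithm identifiers that do not appear on this page.

```python
# Added example. Record layout and sample data are constructed for illustration.
NO_CIPHER = "UEA0"  # assumed identifier for "no encryption"

def audit_session(rec):
    """Return the findings for one connection-setup record, in check order."""
    findings = []
    sent = set(rec["ue_sent_caps"])        # capabilities the user equipment sent
    echoed = set(rec["net_echoed_caps"])   # capabilities the network reports it received
    selected = rec["selected_alg"]         # algorithm chosen, or None if none started

    # Capability list altered between user and serving network.
    if echoed != sent:
        findings.append("capability_mismatch")
    # Nothing but the null algorithm left to agree on: ciphering cannot start.
    if not (echoed - {NO_CIPHER}):
        findings.append("no_usable_algorithm")
    # Radio interface left unencrypted.
    if selected is None or selected == NO_CIPHER:
        findings.append("ciphering_disabled")
    elif selected not in sent:
        findings.append("selected_not_offered")
    # Authentication completed, yet traffic continues in clear.
    if rec["authenticated"] and "ciphering_disabled" in findings:
        findings.append("clear_after_authentication")
    return findings

def audit_all(sessions):
    """Map each session id to its list of findings."""
    return {rec["id"]: audit_session(rec) for rec in sessions}

# Constructed sample records (not captured traffic).
SAMPLE_SESSIONS = [
    {"id": "s1", "ue_sent_caps": ["UEA1", "UEA2"], "net_echoed_caps": ["UEA1", "UEA2"],
     "selected_alg": "UEA1", "authenticated": True},
    {"id": "s2", "ue_sent_caps": ["UEA1", "UEA2"], "net_echoed_caps": ["UEA1", "UEA2"],
     "selected_alg": None, "authenticated": True},
    {"id": "s3", "ue_sent_caps": ["UEA1", "UEA2"], "net_echoed_caps": ["UEA0"],
     "selected_alg": "UEA0", "authenticated": True},
    {"id": "s4", "ue_sent_caps": ["UEA1"], "net_echoed_caps": ["UEA1"],
     "selected_alg": "UEA2", "authenticated": False},
]

if __name__ == "__main__":
    for sid, found in audit_all(SAMPLE_SESSIONS).items():
        print(sid, found or "ok")
```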