A.4 Hijacking of services

3GPP TS 21.133, 3G security; Security threats and requirements

The goal of these attacks is to access mobile communication services on the target’s account.

– Hijacking services for outgoing calls

While the target camps on the false base station, the intruder pages the target for an incoming call. The user then initiates the call set-up procedure, which the intruder allows to proceed between the serving network and the target, modifying the signalling elements so that to the serving network it appears as if the target wants to set up a mobile originated call. After authentication the intruder releases the target, and subsequently uses the connection to make fraudulent calls on the target’s subscription.

This could be possible if the network does not enable encryption, or if the intruder can disable encryption (as in A.2) or if the intruder has access to the cipher key (as in A.3).

– Hijacking incoming calls

While the target camps on the false base station, an associate of the intruder makes a call to the target’s number. The intruder allows call set-up between target and serving network. After authentication the intruder releases the target, and subsequently uses the connection to answer the call made by his associate. The target will have to pay for the roaming leg.

This works either if the network does not enable encryption, or if the intruder can disable encryption (as in A.2) or if the intruder has access to the cipher key (as in A.3).
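The first two conditions above (encryption never enabled, or encryption disabled) are visible on the network side, so an operator can audit for connections that carried a call after authentication without active encryption. The following is an added example, not part of the specification; the trace record layout and event names are hypothetical, the sample data is constructed, and the third condition (a compromised cipher key) cannot be seen in such a trace.

```python
from collections import defaultdict

# Constructed sample trace: (connection id, event, detail).
# Event names and the record layout are hypothetical, not 3GPP message names.
SAMPLE_TRACE = [
    ("c1", "AUTH_OK", ""),
    ("c1", "CIPHER_START", "enabled"),
    ("c1", "CALL_SETUP", "mobile-originated"),
    ("c2", "AUTH_OK", ""),
    ("c2", "CALL_SETUP", "mobile-originated"),   # ciphering never started
    ("c3", "AUTH_OK", ""),
    ("c3", "CIPHER_START", "none"),              # ciphering negotiated off
    ("c3", "CALL_SETUP", "mobile-terminated"),
]


def exposed_calls(trace):
    """Map connection id -> reason, for calls set up after authentication
    while encryption was not active on the connection."""
    state = defaultdict(lambda: {"auth": False, "cipher": None})
    findings = {}
    for conn, event, detail in trace:
        s = state[conn]
        if event == "AUTH_OK":
            s["auth"] = True
        elif event == "CIPHER_START":
            s["cipher"] = detail
        elif event == "CALL_SETUP" and s["auth"] and s["cipher"] != "enabled":
            if s["cipher"] is None:
                reason = "encryption never enabled"
            else:
                reason = "encryption disabled"
            findings[conn] = f"{detail} call: {reason}"
    return findings


if __name__ == "__main__":
    for conn, reason in exposed_calls(SAMPLE_TRACE).items():
        print(conn, reason)
```
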

Annex B:
Change history

| TSG SA# | Spec | Version | CR | <Phase> | New Version | Subject/Comment |
|---|---|---|---|---|---|---|
| SP-03 | 21.133 | 2.0.0 | | | 3.0.0 | Approved at SA#3 |
| SP-06 | 21.133 | 3.0.0 | 001 | | 3.1.0 | Integrity of user data |
| SP-14 | 21.133 | 3.1.0 | 002 | R-99 | 3.2.0 | Definition of UICC (Also some minor editorial cleaning as per 3GPP editing decisions made since version 3.1.0) |