Recas de Buen, E. (2011). Security aspects on the signaling and data-plane in 2G/3G networks [Diploma Thesis, Technische Universität Wien]. reposiTUm. http://hdl.handle.net/20.500.12708/161436
In this work we focus on feasible attacks on mobile digital networks. Our goal is to answer the question of whether practical implementations of these attacks are possible. To do so, we start with a discussion of the basics of 2G (GSM)/3G (UMTS) networks, introducing their architectures and functionalities. Furthermore, we searched for and collected any form of known and published security threat regarding 2G/3G networks. GSM and UMTS vulnerabilities are shown and described. The different threats are classified by their target, i.e. the core network, the access network, or the user. Most of these attacks rely on strong assumptions about hardware and software that make them difficult to implement. One of these assumptions is access to the lower layers of the GSM air interface protocol stack. This can nowadays be studied thanks to the OsmocomBB project, which implements the whole GSM protocol stack from physical to transport layer.

Therefore, we use the open source OsmocomBB project as an analysis tool for GSM networks. This allows us to experiment with the different protocols and messages of GSM to demonstrate some vulnerabilities of 2G/3G networks. With the help of the OsmocomBB project we analyzed in depth the remote IMSI drop attack, which is based on the IMSI detach procedure. The results obtained from the tests show a vulnerability of the network to this attack. The different results obtained led us to study the impact of the remote IMSI drop attack more carefully. Three different models are implemented in order to simulate real-world scenarios, taking into account user mobility and active calls.