Network Security Issues in 3G, 4G and 5G: A Literature Roundup

 

Detection of malicious base station attacks through the carrier analysis (fake base stations, downgrade attacks)

Abstract: In 2G and 3G mobile standards there are vulnerabilities caused by the use of false Base Station (BS). In 3G security architecture offers protection against BS attacks, however when the User Equipment (UE) is configured in automatic GSM/3G mode this UE can accept connections coming from GSM/GPRS BSs that are configured as an attacker finally establishing a connection with such malicious BTS located within the UE's coverage area. Even without the use of a frequency jammer, potential attack danger exists because the connection between an UE and the fake BTS can be achieved if the BS is transmitting with more power than the real base station, and the UE enters in the handover process imposed by the 2G standard.

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems (note: this one is about 4G)
https://arxiv.org/pdf/1510.07563.pdf

We carefully analyzed LTE access network protocol specifications and uncovered several vulnerabilities. Using commercial LTE mobile devices in real LTE networks, we demonstrate inexpensive, and practical attacks exploiting these vulnerabilities. Our first class of attacks consists of three different ways of making an LTE device leak its location: In our experiments, a semi-passive attacker can locate an LTE device within a 2 km² area in a city whereas an active attacker can precisely locate an LTE device using GPS co-ordinates or trilateration via cell-tower signal strength information. Our second class of attacks can persistently deny some or all services to a target LTE device. To the best of our knowledge, our work constitutes the first publicly reported practical attacks against LTE access network protocols.

The practical attack types include:
LOCATION LEAK ATTACKS OVER AIR INTERFACE
DOS ATTACKS ON LTE AIR INTERFACE

A SURVEY ON THREATS, VULNERABILITIES AND SECURITY SOLUTIONS FOR CELLULAR NETWORK

Cellular networks generations have suffered many threats such as eavesdropping and phone cloning, impersonation of a user, Man
in the middle, compromising authentication vectors in the network, spoofing, camping on a false
BTS, Denial of Service (DoS), passive identity caching, encryption suppression, suppressing
encryption between the target user and the intruder, eavesdropping on user data by suppressing
encryption, hijacking outgoing calls in networks with encryption disabled.
UMTS systems suffer from Eavesdropping signaling or control data, Masquerading as a user,
Masquerading as a serving network, jamming the user’s traffic and Denial of Service (DoS).
The common attacks in LTE are Distributed Denial of Service (DDoS) and Denial of Service (DoS)
attacks. Other threats are spam over VoIP, spoofing and misdirection, SIP registration hijacking and
interception and cryptanalysis of IP traffic.

2. SECURITY AND PRIVACY SERVICES

The most critical issue in cellular network is personal privacy requirements which would involve
security and privacy services. Due to the increasing number of m-business, security services will get
more critical in the future cellular system. Such services include entity authentication of the
principal entities, data confidentiality, data integrity, message origin and destination authentication,
anonymity, location confidentiality and identity confidentiality, untraceability, transaction
confidentiality and privacy.
Principal entities have identity structures to be authenticated. The main entities may have multiple
identities. Some of these identities may be public while others may be unknown. The identities may
be long lived or they may be short lived.
Data confidentiality protects the data against eavesdrop attack. Data integrity protects the data
against unlawful modification. Message origin and destination authentication provide corroboration
of the transmitter/receiver identities or more the associated routing addresses. These services are
provided by symmetric and asymmetric cryptographic methods.
The subscriber may not want to publish his/her identity. The subscriber identity that it may be the
system identity and international mobile subscriber identity (IMSI) is known for both the home
operator and the serving network. So it should be protected against eavesdropping on the radio
interface by any third party. The home operator is required to know the legal identity of the
subscriber.
Location confidentiality and identity confidentiality are provided by the existing systems but no
authoritative solution is yet provided for the current 2G/3G/4G systems. The issue is tied to identity
management to solve the problem of the mobile cellular and network identity management with
authentication at the link layer level.
The intruder may not be able to derive the name or network address of the subscriber, but could
successfully trace the subscriber based on radio transmission properties. This gives rise to the concepts of
untraceability and transaction confidentiality privacy.

3. THREATS/ INTRUDERS

Two main motivations for attackers are theft of service and interception of data. Theft of service
comes in many forms, but the most technically interesting is the cloning of a phone. When
“cloning” a phone, attackers steal the identifying information from a legitimate phone and load it
to another phone.
Data interception of mobile phone networks is a similar threat to other wireless networks. Using
relatively unsophisticated tools, an attacker can listen to the transmissions of the phone and the base station in
an effort to eavesdrop on the voice and data transmissions occurring. The largest defense to this
type of attack is encryption of the data in the air.
An intruder may attempt to eavesdrop on user traffic, signaling data and control data, or
disappear in many forms such as a legitimate party in the use and saving or management of cellular
network services.
The role of the intruders attempts to violate the confidentiality, integrity, availability of Cellular
network, their services or fraud users, home environments or serving networks or any other party.

 

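It roughly makes the following key points:

Cellular network generations (1G, 2G, 3G, ...) have suffered many threats, such as eavesdropping and phone cloning, impersonation of a user, man-in-the-middle, compromising authentication vectors in the network, spoofing, camping on a false BTS, Denial of Service (DoS), passive identity caching, encryption suppression, suppressing encryption between the target user and the intruder, eavesdropping on user data by suppressing encryption, and hijacking outgoing calls in networks with encryption disabled.
UMTS systems suffer from eavesdropping on signaling or control data, masquerading as a user, masquerading as a serving network, jamming the user's traffic and Denial of Service (DoS).
The common attacks in LTE are Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks. Other threats include spam over VoIP, spoofing and misdirection, SIP registration hijacking, and interception and cryptanalysis of IP traffic.

The most critical issue in cellular networks is the personal privacy requirements, which involve security and privacy services. Due to the increasing amount of m-business, security services will become more critical in future cellular systems. These services include entity authentication of the principal entities, data confidentiality, data integrity, message origin and destination authentication, anonymity, location confidentiality and identity confidentiality, untraceability, and transaction confidentiality and privacy.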

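On threats to 3G, it says:

Security threats can be classified into several categories. The following section describes this classification.

Unauthorized access to sensitive data
Eavesdropping: the intruder intercepts messages without detection.
Masquerading: the intruder deceives an authorized user into believing that they are the legitimate system, in order to obtain confidential information from the user.
Traffic analysis: the intruder observes the time, rate, length, source and destination of messages to determine the user's location.
Browsing: the intruder searches data storage for sensitive information.
Leakage: the intruder obtains sensitive information by exploiting processes with legitimate access to the data.
Inference: the intruder observes the system's reaction by sending queries or signals to the system.

Unauthorized manipulation of sensitive data
The intruder may modify, insert, replay or delete messages.

Disturbing or misusing network services, which includes the following threats
Intervention: the intruder may jam the user's traffic, signaling or control data to prevent an authorized user from using services.
Resource exhaustion: the intruder may overload a service to prevent authorized users from using it.
Misuse of privileges: a user or serving network may exploit their privileges to obtain unauthorized services or information.
Abuse of services: the intruder may abuse some special service to gain an advantage or cause network disruption.
Repudiation: a user or network denies actions that took place.

Unauthorized access to services
Intruders can gain access to services by masquerading as users or network entities, and users or network entities can gain unauthorized access to services by misusing their access rights.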

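Threats on the air interface include:

The radio interface is subject to different attacks, for example:
Eavesdropping on user traffic: the intruder eavesdrops on user traffic.
Eavesdropping on signaling or control data: the intruder eavesdrops on signaling data or control data in order to access security management data or other information and pass it to active attacks on the system.
Masquerading as a communications participant: the intruder masquerades as a network element to intercept user traffic, signaling data or control data.
Passive traffic analysis: the intruder observes the time, rate, length, source or destination of messages to obtain access to information.
There are several types of Denial of Service (DoS) attack, for example:
· Physical intervention: the intruder may prevent user traffic, signaling data and control data from being transmitted on the radio interface by physical means.
· Protocol intervention: the intruder may prevent user traffic, signaling data or control data from being transmitted on the radio interface by inducing specific protocol failures.
· Denial of Service (DoS) by masquerading as a communications participant: the intruder may deny service to a legitimate user by preventing user traffic, signaling data or control data from being transmitted on the radio interface by masquerading as a network element.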
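
The fake-base-station scenario from the first abstract (a GSM cell that is louder than the real network pulling in a UE in automatic GSM/3G mode, with encryption suppressed) can be turned into a simple UE-side heuristic. This is an added example, not the method of any paper listed here; the log format, cell IDs, the 20 dB margin and the two-indicator rule are assumptions, levels are compared across technologies as a simplification, and the observations are constructed.

```python
import csv
import io

# Constructed sample of serving-cell observations (not real captures):
# time, radio access technology, cell id, received level in dBm, ciphering in use
SAMPLE = """\
10:00:00,UMTS,3G-1001,-85,UEA1
10:00:05,UMTS,3G-1001,-87,UEA1
10:00:10,GSM,2G-2001,-90,A5/3
10:00:15,UMTS,3G-1001,-86,UEA1
10:00:20,GSM,2G-6666,-52,A5/0
10:00:25,GSM,2G-6666,-50,A5/0
"""

POWER_MARGIN_DB = 20   # assumed threshold; tune per deployment
NO_CIPHER = {"A5/0"}   # GSM "no encryption" algorithm


def parse(text):
    """Turn the CSV log into a list of observation dicts."""
    rows = csv.reader(io.StringIO(text))
    return [dict(time=t, rat=r, cell=c, dbm=int(d), cipher=k)
            for t, r, c, d, k in rows]


def suspicious_camps(observations):
    """Return (time, cell, reasons) for each GSM camp that looks like a rogue BTS."""
    alerts, prev, levels = [], None, []
    for ob in observations:
        reasons = []
        if ob["rat"] == "GSM":
            if prev and prev["rat"] != "GSM":
                reasons.append("downgrade from " + prev["rat"])
            if levels and ob["dbm"] - max(levels) >= POWER_MARGIN_DB:
                gap = ob["dbm"] - max(levels)
                reasons.append("signal %d dB above strongest trusted reading" % gap)
            if ob["cipher"] in NO_CIPHER:
                reasons.append("ciphering disabled (%s)" % ob["cipher"])
        # Alert only when at least two independent indicators agree.
        if len(reasons) >= 2:
            alerts.append((ob["time"], ob["cell"], reasons))
        else:
            levels.append(ob["dbm"])  # only non-alerting readings feed the baseline
        prev = ob
    return alerts
```

The ordinary reselection to `2G-2001` (weaker signal, A5/3 in use) raises only one indicator and is not reported, while both camps on `2G-6666` are.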

 

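4G security issues: the core problem is still DoS attacks

4G System (LTE) security
Modern LTE cellular networks provide billions of users with advanced services beyond traditional voice and short-message traffic. The emerging attacks on LTE are Distributed Denial of Service (DDoS) attacks. The importance of communication system availability explains the need to strengthen the resilience of mobile networks against Denial of Service (DoS) and DDoS threats, so as to ensure LTE network availability against security attacks.
Examples of threats include spam over VoIP, spoofing and misdirection, SIP registration hijacking, and interception and cryptanalysis of IP traffic.

A figure in the paper illustrates this well: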