The purpose of this clause is to list possible security threats to the 3G system, detailing what the threats achieve, how they are carried out and where in the system they could occur.
It is possible to classify security threats in many different ways. In this clause, threats in the following categories have been considered:
Unauthorised access to sensitive data (violation of confidentiality)
Eavesdropping: An intruder intercepts messages without detection.
Masquerading: An intruder hoaxes an authorised user into believing that they are the legitimate system to obtain confidential information from the user; or an intruder hoaxes a legitimate system into believing that they are an authorised user to obtain system service or confidential information.
Traffic analysis: An intruder observes the time, rate, length, source, and destination of messages to determine a user's location or to learn whether an important business transaction is taking place.
Browsing: An intruder searches data storage for sensitive information.
Leakage: An intruder obtains sensitive information by exploiting processes with legitimate access to the data.
Inference: An intruder observes a reaction from a system by sending a query or signal to the system. For example, an intruder may actively initiate communications sessions and then obtain access to information through observation of the time, rate, length, sources or destinations of associated messages on the radio interface.
Unauthorised manipulation of sensitive data (violation of integrity)
Manipulation of messages: Messages may be deliberately modified, inserted, replayed, or deleted by an intruder.
Disturbing or misusing network services (leading to denial of service or reduced availability)
Intervention: An intruder may prevent an authorised user from using a service by jamming the user's traffic, signalling, or control data.
Resource exhaustion: An intruder may prevent an authorised user from using a service by overloading the service.
Misuse of privileges: A user or a serving network may exploit their privileges to obtain unauthorised services or information.
Abuse of services: An intruder may abuse some special service or facility to gain an advantage or to cause disruption to the network.
Repudiation: A user or a network denies actions that have taken place.
Unauthorised access to services
Intruders can access services by masquerading as users or network entities.
Users or network entities can get unauthorised access to services by misusing their access rights.
A number of security threats in these categories are subsequently treated in the remainder of this clause according to the following points of attack:
Radio interface;
Other part of the system;
Terminals and UICC/USIM.
Note also that Annex A gives some extra information as regards threats connected to active attacks on the radio interface. The threats treated in Annex A are incorporated in the following lists.
The radio interface between the terminal equipment and the serving network represents a significant point of attack in 3G. The threats associated with attacks on the radio interface are split into the following categories, which are described in the following subclauses:
Eavesdropping user traffic: Intruders may eavesdrop user traffic on the radio interface.
T1b Eavesdropping signalling or control data: Intruders may eavesdrop signalling data or control data on the radio interface. This may be used to access security management data or other information which may be useful in conducting active attacks on the system.
T1c Masquerading as a communications participant: Intruders may masquerade as a network element to intercept user traffic, signalling data or control data on the radio interface.
T1d Passive traffic analysis: Intruders may observe the time, rate, length, sources or destinations of messages on the radio interface to obtain access to information.
T1e Active traffic analysis: Intruders may actively initiate communications sessions and then obtain access to information through observation of the time, rate, length, sources or destinations of associated messages on the radio interface.
Manipulation of user traffic: Intruders may modify, insert, replay or delete user traffic on the radio interface. This includes both accidental and deliberate manipulation.
T2b Manipulation of signalling or control data: Intruders may modify, insert, replay or delete signalling data or control data on the radio interface. This includes both accidental and deliberate manipulation.
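The integrity threats listed above (manipulation of messages in the category list, and the manipulation of user traffic, signalling and control data on the radio interface) are exactly what a message-integrity mechanism exists to detect. The following Python is an added illustration, not text or code from the specification: it follows the shape of the 3G integrity mechanism, in which MAC-I is computed over COUNT-I, DIRECTION and the message under the integrity key IK, but substitutes HMAC-SHA256 for f9 and keeps the full-length tag (3G truncates MAC-I to 32 bits) so that the constructed scenarios are deterministic. The message contents, the key and the scenario names are all constructed for the example.

```python
# Added example, not part of TS 21.133: a message channel that detects the
# integrity threats of modification, insertion, replay and deletion, plus
# reflection of a message back in the opposite direction.
# Shape borrowed from the 3G integrity mechanism (MAC-I = f9(IK, COUNT-I,
# DIRECTION, MESSAGE)); HMAC-SHA256 stands in for f9 (an assumption made here).
import hashlib
import hmac
from dataclasses import dataclass

DIR_UPLINK = 0    # terminal -> network
DIR_DOWNLINK = 1  # network -> terminal


@dataclass(frozen=True)
class ProtectedMsg:
    count: int      # per-direction message counter (analogue of COUNT-I)
    direction: int  # analogue of DIRECTION
    payload: bytes
    tag: bytes      # analogue of MAC-I


def compute_tag(ik: bytes, count: int, direction: int, payload: bytes) -> bytes:
    """MAC over counter, direction and payload, so all three are bound to the tag."""
    data = count.to_bytes(4, "big") + bytes([direction]) + payload
    return hmac.new(ik, data, hashlib.sha256).digest()


class Sender:
    def __init__(self, ik: bytes, direction: int):
        self.ik, self.direction, self.count = ik, direction, 0

    def send(self, payload: bytes) -> ProtectedMsg:
        msg = ProtectedMsg(self.count, self.direction, payload,
                           compute_tag(self.ik, self.count, self.direction, payload))
        self.count += 1  # a counter value is never reused under the same IK
        return msg


class Receiver:
    def __init__(self, ik: bytes, direction: int):
        self.ik, self.direction, self.expected = ik, direction, 0

    def receive(self, msg: ProtectedMsg) -> str:
        """Return "ok" or a rejection reason naming the threat detected."""
        if msg.direction != self.direction:
            return "reject: reflected (wrong direction)"
        expected_tag = compute_tag(self.ik, msg.count, msg.direction, msg.payload)
        if not hmac.compare_digest(msg.tag, expected_tag):
            return "reject: bad MAC (modified or forged)"
        if msg.count < self.expected:
            return "reject: replay"
        if msg.count > self.expected:
            # A gap means earlier messages never arrived. On a real radio link the
            # lower layers have to tell ordinary loss apart from deliberate deletion.
            return "reject: gap (deleted messages)"
        self.expected = msg.count + 1
        return "ok"


def run_scenarios() -> dict:
    """Constructed scenarios; the fixed key is for the example only."""
    ik = bytes(range(16))
    results = {}

    # Genuine, in-order traffic is accepted; redelivering m0 afterwards is a replay.
    tx, rx = Sender(ik, DIR_UPLINK), Receiver(ik, DIR_UPLINK)
    m0, m1, m2 = (tx.send(p) for p in (b"msg0", b"msg1", b"msg2"))
    results["genuine"] = [rx.receive(m0), rx.receive(m1), rx.receive(m2)]
    results["replay"] = rx.receive(m0)

    # Modification: payload changed in transit, original tag kept.
    rx = Receiver(ik, DIR_UPLINK)
    tampered = ProtectedMsg(m0.count, m0.direction, b"evil", m0.tag)
    results["modified"] = rx.receive(tampered)

    # Insertion: a message tagged under a key that is not IK.
    forged = ProtectedMsg(0, DIR_UPLINK, b"msg0",
                          compute_tag(b"\x00" * 16, 0, DIR_UPLINK, b"msg0"))
    results["forged"] = rx.receive(forged)

    # Deletion: m1 removed in transit, so m2 arrives with a counter gap.
    rx = Receiver(ik, DIR_UPLINK)
    rx.receive(m0)
    results["deleted"] = rx.receive(m2)

    # Reflection: an uplink message played back towards the terminal.
    results["reflected"] = Receiver(ik, DIR_DOWNLINK).receive(m1)
    return results
```

The verdicts show why all three inputs are bound into the tag: the payload binding catches modification and forgery, the counter catches replay and deletion, and the direction field stops a message protected in one direction from being accepted in the other.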
Physical intervention: Intruders may prevent user traffic, signalling data and control data from being transmitted on the radio interface by physical means. An example of physical intervention is jamming.
T3b Protocol intervention: Intruders may prevent user traffic, signalling data or control data from being transmitted on the radio interface by inducing specific protocol failures. These protocol failures may themselves be induced by physical means.
T3c Denial of service by masquerading as a communications participant: Intruders may deny service to a legitimate user by preventing user traffic, signalling data or control data from being transmitted on the radio interface by masquerading as a network element.
Masquerading as another user: An intruder may masquerade as another user towards the network. The intruder first masquerades as a base station towards the user, then hijacks his connection after authentication has been performed.
Although attacks on the radio interface between the terminal equipment and the serving network represent a significant threat, attacks on other parts of the system may also be conducted. These include attacks on other wireless interfaces, attacks on wired interfaces, and attacks which cannot be attributed to a single interface or point of attack. The threats associated with attacks on other parts of the system are split into the following categories, which are described in the following subclauses:
Eavesdropping user traffic: Intruders may eavesdrop user traffic on any system interface, whether wired or wireless.
T5b Eavesdropping signalling or control data: Intruders may eavesdrop signalling data or control data on any system interface, whether wired or wireless. This may be used to access security management data which may be useful in conducting other attacks on the system.
T5c Masquerading as an intended recipient of data: Intruders may masquerade as a network element in order to intercept user traffic, signalling data or control data on any system interface, whether wired or wireless.
T5d Passive traffic analysis: Intruders may observe the time, rate, length, sources or destinations of messages on any system interface, whether wired or wireless, to obtain access to information.
T5e Unauthorised access to data stored by system entities: Intruders may obtain access to data stored by system entities. Access to system entities may be obtained either locally or remotely, and may involve breaching physical or logical controls.
T5f Compromise of location information: A legitimate user of a 3G service may receive unintended information about other users' locations through (analysis of) the normal signalling or voice prompts received at call set-up.
Manipulation of user traffic: Intruders may modify, insert, replay or delete user traffic on any system interface, whether wired or wireless. This includes both accidental and deliberate manipulation.
T6b Manipulation of signalling or control data: Intruders may modify, insert, replay or delete signalling or control data on any system interface, whether wired or wireless. This includes both accidental and deliberate manipulation.
T6c Manipulation by masquerading as a communications participant: Intruders may masquerade as a network element to modify, insert, replay or delete user traffic, signalling data or control data on any system interface, whether wired or wireless.
T6d Manipulation of applications and/or data downloaded to the terminal or USIM: Intruders may modify, insert, replay or delete applications and/or data which is downloaded to the terminal or USIM. This includes both accidental and deliberate manipulation.
T6e Manipulation of the terminal or USIM behaviour by masquerading as the originator of applications and/or data: Intruders may masquerade as the originator of malicious applications and/or data downloaded to the terminal or USIM.
T6f Manipulation of data stored by system entities: Intruders may modify, insert or delete data stored by system entities. Access to system entities may be obtained either locally or remotely, and may involve breaching physical or logical controls.
Physical intervention: Intruders may prevent user or signalling traffic from being transmitted on any system interface, whether wired or wireless, by physical means. An example of physical intervention on a wired interface is wire cutting. An example of physical intervention on a wireless interface is jamming. Physical intervention involving interrupting power supplies to transmission equipment may be conducted on both wired and wireless interfaces. Physical intervention may also be conducted by delaying transmissions on a wired or wireless interface.
T7b Protocol intervention: Intruders may prevent user or signalling traffic from being transmitted on any system interface, whether wired or wireless, by inducing protocol failures. These protocol failures may themselves be induced by physical means.
T7c Denial of service by masquerading as a communications participant: Intruders may deny service to a legitimate user by preventing user traffic, signalling data or control data from being transmitted, masquerading as a network element in order to intercept and block that user traffic, signalling data or control data.
T7d Abuse of emergency services: Intruders may prevent access to services by other users and cause serious disruption to emergency services facilities by abusing the ability to make USIM-less calls to emergency services from 3G terminals. If such USIM-less calls are permitted, then the provider may have no way of preventing the intruder from accessing the service.
Repudiation of charge: A user could deny having incurred charges, perhaps through denying attempts to access a service or denying that the service was actually provided.
T8b Repudiation of user traffic origin: A user could deny that he sent user traffic.
T8c Repudiation of user traffic delivery: A user could deny that he received user traffic.
Masquerading as a user: Intruders may impersonate a user to utilise services authorised for that user. The intruder may have received assistance from other entities such as the serving network, the home environment or even the user himself.
T9b Masquerading as a serving network: Intruders may impersonate a serving network, or part of a serving network's infrastructure, perhaps with the intention of using an authorised user's access attempts to gain access to services himself.
T9c Masquerading as a home environment: Intruders may impersonate a home environment, perhaps with the intention of obtaining information which enables him to masquerade as a user.
T9d Misuse of user privileges: Users may abuse their privileges to gain unauthorised access to services, or simply to use their subscriptions intensively without any intent to pay.
T9e Misuse of serving network privileges: Serving networks may abuse their privileges to gain unauthorised access to services. The serving network could, e.g., misuse authentication data for a user to allow an accomplice to masquerade as that user, or simply falsify charging records to gain extra revenues from the home environment.
Use of a stolen terminal and UICC: Intruders may use stolen terminals and UICCs to gain unauthorised access to services.
T10b Use of a borrowed terminal and UICC: Users who have been given authorisation to use borrowed equipment may misuse their privileges, perhaps by exceeding agreed usage limits.
T10c Use of a stolen terminal: Users may use a valid USIM with a stolen terminal to access services.
T10d Manipulation of the identity of the terminal: Users may modify the IMEI of a terminal and use a valid USIM with it to access services.
T10e Integrity of data on a terminal: Intruders may modify, insert or delete applications and/or data stored by the terminal. Access to the terminal may be obtained either locally or remotely, and may involve breaching physical or logical controls.
T10f Integrity of data on USIM: Intruders may modify, insert or delete applications and/or data stored by the USIM. Access to the USIM may be obtained either locally or remotely.
T10g Eavesdropping the UICC-terminal interface: Intruders may eavesdrop the UICC-terminal interface.
T10h Masquerading as an intended recipient of data on the UICC-terminal interface: Intruders may masquerade as a USIM or a terminal in order to intercept data on the UICC-terminal interface.
T10i Manipulation of data on the UICC-terminal interface: Intruders may modify, insert, replay or delete user traffic on the UICC-terminal interface.
T10j Confidentiality of certain user data in the terminal or in the UICC/USIM: Intruders may wish to access personal user data stored by the user in the terminal or UICC, e.g. telephone books.
T10k Confidentiality of authentication data in the UICC/USIM: Intruders may wish to access authentication data stored by the service provider, e.g. the authentication key.