
Content for  TR 33.701  Word version:  19.0.0



1  Scope

The present document focuses on mitigating bidding-down attacks, i.e. on how to prevent UEs that are currently connected to LTE/5G from establishing a connection with a GERAN/UTRAN FBS, considering for example the decommissioning of GERAN and UTRAN networks. In particular, the present document aims at:
  • Identifying attack scenarios and threats in the context of decommissioning of GERAN and UTRAN networks, e.g. cell (re)selection or forced handovers on GERAN or UTRAN once LTE and 5G signalling are blocked when GERAN/UTRAN networks are decommissioned; and
  • Documenting solutions for the identified security threats and requirements.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]	TR 21.905: "Vocabulary for 3GPP Specifications".
[2]	TS 23.502: "Procedures for the 5G System (5GS)".
[3]	TS 33.501: "Security architecture and procedures for 5G System".
[4]	TS 23.501: "System architecture for the 5G System (5GS)".
[5]	TS 23.122: "Non-Access-Stratum (NAS) functions related to Mobile Station (MS) in idle mode".
[6]	TS 24.501: "Non-Access-Stratum (NAS) protocol for 5G System (5GS)".

3  Definitions of terms, symbols and abbreviations

3.1  Terms

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.

3.2  Symbols

Void

3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
AMF	Access and Mobility management Function
AUSF	AUthentication Server Function
CSS	Cell Site Simulator
FBS	False Base Station
GSMA	GSM Association
NR	New Radio
SMC	Security Mode Command
SoR	Steering of Roaming
TAI	Tracking Area Identifier
UDM	Unified Data Management
UICC	Universal Integrated Circuit Card
UPU	UE Parameter Update

4  Key issues

4.1  Key Issue #1: Bidding-down attacks from LTE/NR to decommissioned GERAN/UTRAN

4.1.1  Description

The decommissioning of GERAN and UTRAN is part of a global trend: operators are currently decommissioning legacy infrastructure from their networks. Decommissioning is a phased approach, in which legacy infrastructure is gradually phased out of the network.
As GERAN and UTRAN use weak encryption between the base station and the UE, the communication can be cracked in real time by an attacker to intercept calls or text messages. Known vulnerabilities of GPRS are: one-way authentication; GPRS algorithms such as A5/0 (no confidentiality); the compromised algorithms A5/1 and A5/2 (deprecated by GSMA in 2006); no inherent integrity protection over the air; and authentication and ciphering over the air being optional to implement. In terms of UMTS, known vulnerabilities are: the IMSI is still sent in clear text in the initial RRC connection request; also, if the TMSI is not recognized by the network, the UE is forced to reveal the IMSI in clear text; the user plane is not integrity protected; messages sent before the Security Mode Command (SMC) are not integrity protected; etc.
In a scenario where the operator has decommissioned its GERAN and UTRAN networks, the UE cannot determine on its own that these radio access networks are no longer available in certain areas. Therefore, if 5G-NR and LTE networks are being blocked by an attacker, the UE can fall back to selecting and connecting to false UTRAN and GERAN base stations.
When the UE is in an area with no 5G-NR or LTE coverage, an attacker capable of mounting a false UTRAN/GERAN base station in the same area will succeed in making the 5G-NR and LTE UE camp on the false UTRAN/GERAN cell based on signal strength. Further, in GERAN there is no authentication of the base station to the device, which means that anyone can seamlessly impersonate a legitimate GERAN base station. Therefore, if 5G-NR and LTE networks are being blocked by an attacker, a UE can fall back (bid down) to selecting and connecting to false GERAN/UTRAN base stations.

4.1.2  Threats

One such attack scenario is the following: if the MNO is a 5G-NR-only operator, then a UE camping on a GERAN Cell Site Simulator (CSS) mounted by an attacker may provide its IMSI in clear, which allows the attacker to bind the UE to the IMSI and track the UE's location in the 5G network (if the home network has configured the "null-scheme" to be used).
Further, a UE connecting to a UTRAN or GERAN FBS is vulnerable to bidding-down attacks, e.g. fraudulent SMS or phone calls, which could cause significant financial losses for subscribers.
The FBS can also make use of a PLMN-ID that is different from the home operator's, while at the same time blocking the UE from accessing the home network operator's PLMN. This means that the radio interface of the UE experiences a roaming scenario without the UE actually moving.

4.1.3  Potential requirements

The UE and the EPS/5GS should support mechanisms to mitigate bidding-down attacks, mounted by an attacker over the air interface, from LTE/NR to decommissioned GERAN/UTRAN.
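The following is an added illustration, not part of TR 33.701 or any 3GPP-specified procedure: a simplified model of UE cell selection that reproduces the fallback of clause 4.1.1 (NR/LTE blocked, a strong GERAN cell claiming the home PLMN-ID wins on signal strength) next to an assumed per-PLMN "decommissioned RAT" policy of the kind the requirement in clause 4.1.3 calls for. The policy source, the RAT priorities and the signal values are constructed for the example.

```python
# Added example (not from TR 33.701): simplified UE cell selection showing the
# bidding-down fallback and an ASSUMED mitigation policy. The "decommissioned RAT"
# list is illustrative; 3GPP has not specified this mechanism on this page.
from dataclasses import dataclass

RAT_PREFERENCE = {"NR": 3, "LTE": 2, "UTRAN": 1, "GERAN": 0}  # higher is preferred


@dataclass(frozen=True)
class Cell:
    rat: str         # "NR", "LTE", "UTRAN" or "GERAN"
    plmn: str        # PLMN-ID broadcast by the cell
    rsrp_dbm: float  # measured signal strength (constructed sample values below)


def select_cell_legacy(cells, home_plmn, min_dbm=-110.0):
    """Unmitigated behaviour: take the strongest receivable home-PLMN cell of the
    highest-priority RAT. The UE cannot know that the operator has switched off
    GERAN/UTRAN, so a lone GERAN cell is accepted (clause 4.1.1)."""
    usable = [c for c in cells if c.plmn == home_plmn and c.rsrp_dbm >= min_dbm]
    if not usable:
        return None
    return max(usable, key=lambda c: (RAT_PREFERENCE[c.rat], c.rsrp_dbm))


def select_cell_policy(cells, home_plmn, decommissioned, min_dbm=-110.0):
    """Assumed mitigation: the home network has told the UE which RATs it no
    longer operates, so a GERAN/UTRAN cell claiming that PLMN is never selected
    (the UE stays out of service rather than camping on a false cell)."""
    barred = decommissioned.get(home_plmn, set())
    allowed = [c for c in cells if c.rat not in barred]
    return select_cell_legacy(allowed, home_plmn, min_dbm)


# Constructed scenario: NR/LTE are blocked (below the model's usable threshold)
# and a strong GERAN cell broadcasts the home PLMN-ID.
HOME = "00101"  # constructed test PLMN-ID
JAMMED_AREA = [
    Cell("NR", HOME, -125.0),    # blocked: not usable
    Cell("LTE", HOME, -122.0),   # blocked: not usable
    Cell("GERAN", HOME, -60.0),  # false base station, strongest signal
]
POLICY = {HOME: {"GERAN", "UTRAN"}}  # home operator has decommissioned 2G/3G


def demo():
    """Return (legacy choice, policy choice) as RAT names, None if no cell."""
    legacy = select_cell_legacy(JAMMED_AREA, HOME)
    mitigated = select_cell_policy(JAMMED_AREA, HOME, POLICY)
    return (legacy.rat if legacy else None, mitigated.rat if mitigated else None)


if __name__ == "__main__":
    print(demo())  # ('GERAN', None)
```

The second result shows the trade-off a real mechanism has to manage: with the policy in place the UE loses service while NR/LTE are blocked instead of bidding down, so the policy must be delivered and stored in a way the attacker cannot alter.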
