Content for TR 33.926 Word version: 19.1.0

1… 4… 5… 6… A… B… C… D… E… F… G… H… I… J… K… L… M… N… O… P… Q… R… S… T… U… V… W… X… Y…

A.1 Network product class description for the MME A.2 Assets and threats specific to the MME A.2.1 Critical assets A.2.2 Threats related to AKA procedures A.2.3 Threats related to security mode command procedure A.2.4 Threats related to security in Intra-RAT mobility A.2.5 Threats related to security in Inter-RAT mobility A.2.6 Threats related to release of non-emergency bearer
...

A Aspects specific to the network product class MME p. 33

A.1 Network product class description for the MME p. 33

A.1.1 Introduction p. 33

The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while Annexes cover the aspects specific to one network product class.

A.1.2 Minimum set of functions defining the MME network product class p. 33

According to TR 33.916, a network product class is a class of products that all implement a common set of 3GPP-defined functionalities. Therefore, in order to define the MME network product class it is necessary to define the common set of 3GPP-defined functionalities that is constitutive for an MME. As part of the MME network product, it is expected that the MME contains MME application, a set of running processes (typically more than one) executing the software package for the MME functions and OAM functions that are specific to the MME network product model. Functionalities specific to the MME network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.116.

A.2 Assets and threats specific to the MME p. 33

A.2.1 Critical assets p. 33

In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the MME to be protected are:

MME Application;
Mobility Management data: e.g. subscriber's identities (e.g. IMSI), subscriber keys (I.e. KNASenc, KNASint, NH), authentication parameters, address of serving eNB, APN name, data related to mobility management like UE status, UE's IP address, etc., session management like PDN type, QoS and so on, or node selection and routing selection, e.g. IP address of UE related S/P-GW, selected routing connection based on UE's identity, etc.
The interfaces of MME to be protected and which are within SECAM scope: for example
- Console interface, for local access: local interface on MME
- OAM interface, for remote access: interface between MME and OAM system
NOTE 1:
The detailed interfaces of the MME class are described in clause 4, Network Product Class Description of the present document.
MME Software: binary code or executable code

NOTE 2:
MME files may be any file owned by a user (root user as well as non root uses), including User account data and credentials, Log data, configuration data, OS files, MME application, Mobility Management data or MME Software.

A.2.2 Threats related to AKA procedures p. 34

A.2.2.1 Access to 2G p. 34

Threat name: Access to 2G
Threat Category: Tampering of Data, Repudiation, Information Disclosure, Denial of Service
Threat Description: If access to 2G is allowed, an attacker can force the system into 2G mode and use smaller key size, weaker algorithm, etc. to make the system easily attacked and/or compromised.
Threatened Asset: User account data and credentials

A.2.2.2 Resynchronization p. 34

Threat name: Resynchronization
Threat Reference: Denial of Service
Threat Description: If RAND and AUTS are not included when synchronization fails, the resynchronization procedure does not work correctly. This can result in waste of system resources and deny a legitimate user access to the system.
Threatened Asset: Sufficient Processing Capacity

A.2.2.3 Failed Integrity check of Attach message p. 34

Threat name: Failed integrity check of Attach message
Threat Category: Denial of Service
Threat Description: If integrity check of attach message fails, a user identity cannot be verified. This can result in waste of system resources and deny a legitimate user access to the system.
Threatened Asset: Sufficient Processing Capacity

A.2.2.4 Forwarding EPS authentication data to SGSN p. 34

Threat name: Forwarding EPS authentication data to SGSN
Threat Category: Denial of Service
Threat Description: If EPS authentication data is forwarded to SGSN, the SGSN is not expecting the data and does not know how to handle this data. This can cause processing error on the SGSN and negatively impact system performance.
Threatened Asset: Sufficient Processing Capacity

A.2.2.5 Forwarding unused EPS authentication data between different security domains p. 34

Threat name: Forwarding unused EPS authentication data between different security domains
Threat Category: Denial of Service
Threat Description: If unused EPS authentication data is forwarded between security domains, system resources will be wasted thus requiring HSS to regenerate new EPS authentication data. This can result in waste of system resources for the receiving system to store the data as well as wasting resources in sending the data.
Threatened Asset: Sufficient Processing Capacity

A.2.3 Threats related to security mode command procedure p. 35

A.2.3.1 Bidding Down p. 35

Threat name: Bidding down
Threat Category: Tampering of Data, Information Disclosure, Denial of Service
Threat Description: If SMC does not include replayed UE security capabilities of the UE, the UE can force the system to reduce the security level by using weaker security algorithms or turning security off, making the system easily attacked and/or compromised.
Threatened Asset: User account data and credentials

A.2.3.2 NAS integrity selection and use p. 35

Threat name: NAS integrity selection and use
Threat Category: Tampering of data, Information Disclosure, Denial of Service
Threat Description: If NAS does not use the highest priority algorithm to protect SMC, SMC risks being exposed and/or modified. This can cause the system to turn off security, making the system easily attacked and/or compromised.
Threatened Asset: Sufficient Processing Capacity

A.2.3.3 NAS NULL integrity protection p. 35

Threat name: NAS NULL integrity protection
Threat Category: Elevation of Privilege
Threat Description: If NAS NULL integrity protection is not used correctly, an attacker can initiated unauthenticated non-emergency calls.
Threatened Asset: Sufficient Processing Capacity

A.2.3.4 NAS confidentiality protection p. 35

Threat name: NAS confidentiality protection
Threat Category: Tampering of Data, Information Disclosure, Denial of Service
Threat Description: If security mode complete message is not confidentiality protected, the MME cannot be certain that the SMC is executed correctly. This can result in waste of system resources and deny a legitimate user access to the system.
Threatened Asset: Sufficient Processing Capacity

A.2.4 Threats related to security in Intra-RAT mobility p. 35

A.2.4.1 Bidding down on X2-Handover p. 35

Threat name: Bidding down on X2-Handover
Threat Category: Tampering of Data, Information Disclosure
Threat Description: If MME cannot verify EPS security capabilities received from eNB are the same as the UE security capabilities that the MME has stored, the UE may force the system to accept a weaker security algorithm than the system is allowed forcing the system into a lowered security level making the system easily attacked and/or compromised.
Threatened Asset: User account data and credentials

A.2.4.2 NAS integrity protection algorithm selection in MME change p. 36

Threat name: NAS integrity protection algorithm selection in MME change
Threat Category: Tampering of Data, Information Disclosure
Threat Description: If the highest priority NAS integrity protection is not able to be selected by the new MME in MME change, the new MME could end up using a weaker algorithm forcing the system into a lowered security level making the system easily attacked and/or compromised.
Threatened Asset: User account data and credential

A.2.5 Threats related to security in Inter-RAT mobility p. 36

A.2.5.1 2G SIM access via idle mode mobility p. 36

Threat name: 2G SIM access via idle mode mobility
Threat Category: Tampering of Data, Information Disclosure
Threat Description: If access to 2G is allowed during idle mode mobility, an attacker can force the system into 2G mode and use smaller key size, weaker algorithm, etc. to make the system easily attacked and/or compromised. The attacker can also illegally obtain LTE service via 2G SIM
Threatened Asset: User account data and credentials

A.2.5.2 2G SIM access via handover p. 36

Threat name: 2G SIM access via handover
Threat Category: Tampering of Data, Information Disclosure
Threat Description: If access to 2G is allowed during handover, an attacker can force the system into 2G mode and use smaller key size, weaker algorithm, etc. to make the system easily attacked and/or compromised. The attacker can also illegally obtain LTE service via 2G SIM.
Threatened Asset: User account data and credentials

A.2.5.3 2G SIM access via SRVCC p. 36

Threat name: 2G SIM access via handover
Threat Category: Tampering of Data, Information Disclosure
Threat Description: If access to 2G is allowed during SRVCC, an attacker can force the system into 2G mode and use smaller key size, weaker algorithm, etc. to make the system easily attacked and/or compromised. The attacker can also illegally obtain LTE service via 2G SIM.
Threatened Asset: User account data and credential

A.2.6 Threats related to release of non-emergency bearer p. 37

Threat name: Release of non-emergency bearer.
Threat Category: Denial of Service.
Threat Description: If authentication fails in the MME and the non-emergency bearer is not released, the UE can continue receiving unauthorized call, wasting valuable system resources.
Threatened Asset: Sufficient Processing Capacity.