Abstract
In mobile networks, 3G and 4G authentication vectors are completely separate and should not be convertible to each other. P1 Security however discovered that some MNOs distribute over roaming interconnects, for certain subscribers, 3G authentication vectors that can be turned into 4G ones for any PLMN. This enables attackers, when they have access to an SS7 interconnect, to intercept the 4G radio communications of those subscribers.Moreover, we found that some practices in terms of addressing and PLMN identification in Diameter requests for 4G authentication vectors, may be a serious obstacle for MNOs to properly control how they distribute 4G authentication vectors to roaming partners. The report available at the end of this post provides extended information related to this research, which has been acknowledged by the GSMA CVD programme.
Subscriber Authentication
Let’s first have a quick reminder on how subscribers are authenticated in mobile networks. In the course of its evolution from 2G to now 5G, the cellular technology has evolved, together with the security level provided to subscribers and the way they are authenticated. A big improvement happened when 3G was developed: a mutual authentication procedure, relying on a new protocol, was introduced. It brought mutual authentication between the subscriber and the network. It required the introduction of new SIM cards too, in order to support this protocol and algorithm (Milenage being often chosen). The rollout spread over several years.
Situation with 4G
When 4G was designed, the subscriber authentication procedure has evolved again. It was still built upon the USIM application, its authentication algorithm (e.g. Milenage), and the inputs and outputs of the 3G authentication protocol: {RAND, SQN} and {SRES, AUTN, CK, IK}. In this way, no new SIM cards were required to be rolled out again. An enhancement was however introduced in 4G handsets and networks: the master key to be used by the serving network for protecting the subscriber traffic (i.e. Kasme) is derived from CK, IK and the serving network PLMN-ID (i.e. the MCC-MNC code broadcasted by its base-stations). The serving network hence receives from the home network the following authentication vector: {RAND, SRES, AUTN, Kasme}. That means that a 4G authentication vector is produced for a specific serving network, and cannot be used to attach a 4G subscriber on a network whose base-stations broadcast a different PLMN-ID.
This enhancement has been introduced in order to provide a way for MNOs to gain more control on the distribution of 4G authentication vectors, with the increasing number of roaming partners all over the world. It enables them to control (and eventually enforce) which roaming partners request 4G authentication vectors for which PLMN-ID. Would it sound legitimate that a roaming partner requests an authentication vector for the MCC-MNC of the home network ? Certainly not ! This enhancement was also introduced to avoid certain kind of attacks which combine an IMSI-catcher with an access to a roaming hub, as illustrated in the figure below.
P1 Security Research
Back in early 2019, P1 Security started to investigate how authentication vectors are distributed across roaming interfaces. Installation, integration and support of our P1 Telecom Monitor at our customer premises allowed us to develop new detection routines for SS7 and Diameter, in order to inspect TCAP-MAP and Diameter signaling messages with which roaming partners request authentication vectors, them being for 2G, 3G or 4G. In the course of checking how diverse and sometimes confusing the situation is with the distribution of 4G authentication vectors over Diameter, P1 Security also uncovered a security issue in the distribution of 3G authentication vectors over TCAP-MAP.
P1 wanted at first to discuss this research during the Telco Security Day of Troopers in March 2020. The event was however cancelled because of the CoVid pandemic. We then decided to submit our study in February 2021 to the GSMA in order to raise awareness in the MNO ecosystem. We are now finally publishing this study through our blog, so that it can be freely and easily accessed. This report reminds the different protocols and security levels that are defined for 2G, 3G and 4G subscriber’s authentication; and how potential attackers can leverage roaming interconnects for intercepting cellular communications at the radio interface. Then, it dives deeper into the analysis of authentication vectors distributed over TCAP-MAP and Diameter, and potential issues and weaknesses that can exist in certain situations, or at some MNOs (all published results are anonymized). Finally, a short description on how P1’s products integrate specific test cases related to those is given.
By providing your email address below, you accept to be contacted by P1 Security, and will directly receive the technical report by email (18 pages, 1.2 MB):
[contact-form-7 id=”1924″ title=”contact form Mobile-AV-roaming”]
In case you are interested in more information on this topic, do not hesitate to contact us.
