Article

A man-in-the-middle attack on UMTS

Authors:

Ulrike Meyer,

Susanne WetzelAuthors Info & Claims

WiSe '04: Proceedings of the 3rd ACM workshop on Wireless security

Pages 90 - 97

https://doi.org/10.1145/1023646.1023662

Published: 01 October 2004 Publication History

Get Access

Abstract

In this paper we present a man-in-the-middle attack on the Universal Mobile Telecommunication Standard (UMTS), one of the newly emerging 3G mobile technologies. The attack allows an intruder to impersonate a valid GSM base station to a UMTS subscriber regardless of the fact that UMTS authentication and key agreement are used. As a result, an intruder can eavesdrop on all mobile-station-initiated traffic.Since the UMTS standard requires mutual authentication between the mobile station and the network, so far UMTS networks were considered to be secure against man-in-the-middle attacks. The network authentication defined in the UMTS standard depends on both the validity of the authentication token and the integrity protection of the subsequent security mode command.We show that both of these mechanisms are necessary in order to prevent a man-in-the middle attack. As a consequence we show that an attacker can mount an impersonation attack since GSM base stations do not support integrity protection. Possible victims to our attack are all mobile stations that support the UTRAN and the GSM air interface simultaneously. In particular, this is the case for most of the equipment used during the transition phase from 2G (GSM) to 3G (UMTS) technology.

References

[1]

E. Barkan, E. Biham, and N. Keller. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. In Advances in Cryptology -CRYPTO 2003 LNCS 2729, August 2003.

Google Scholar

[2]

Deutsche Bank Research. Mobile Banking's Banana Problem: Too Little Business in Sight. E-Banking snapshot 2002. http://www.dbresearch.com.

Google Scholar

[3]

ETSI Technical Specification. ETSI TS 100.929, V8.0.0, Digital Cellular Telecommunications System (phase 2+) (GSM); Security Related Network Functions. 2000.

Google Scholar

[4]

D. Fox. Der IMSI Catcher. DuD, Datenschutz und Datensicherheit 2002.

Google Scholar

[5]

G. Horn and P. Howard.Review of Third Generation Mobile System Security Architecture. In ISSE 2000 September 2000.

Google Scholar

[6]

C. J. Mitchell. The Security of the GSM Air Interface Protocol.Technical Report RHUL MA 2001-3, RoyalHolloway University of London, 2001.

Google Scholar

[7]

D. Wagner and B. Schneier. Analysis of the SSL 3.0 Protocol. In 2nd USENIX Workshop on Electronic Commerce November 1996.

Digital Library

Google Scholar

[8]

3GPP. S3-030651: Further Development of the Special RAND Mechanism. http://www.3gpp.org/TB/SA/SA3/SA3.htm

Google Scholar

[9]

3GPP. S3-99206: Response to "CR to TS 25.301 Integrity Control Mechanism". http://www.3gpp.org/TB/SA/SA3/SA3.htm.

Google Scholar

[10]

3GPP Technical Report. 3GPP TR 33.909 V1.0.0, Third Generation Partnership Project; Technical Specification Group Services and System Aspects; Report on the evaluation of 3GPP Standard Confidentiality and Integrity Algorithms. December 2000.

Google Scholar

[11]

3GPP Technical Specification. 3GPP TS 21.133, V4.1.0, Third Generation Partnership Project; 3G Security; Security Threats and Requirements. December 2001.

Google Scholar

[12]

3GPP Technical Specification. 3GPP TS 23.009, V5.6.0, Third Generation Partnership Project; Handover Procedures. October 2003.

Google Scholar

[13]

3GPP Technical Specification. 3GPP TS 33.102, V5.3.0, Third Generation Partnership Project; Technical Specifications Group Services and System Aspects; 3G Security; Security Architecture. September 2003.

Google Scholar

[14]

3GPP Technical Report. 3GPP TR 31.900, V5.3.0., Third Generation Partnership Project; SIM/USIM Internal and External Interworking Aspects. 2003.

Google Scholar

Cited By

View all

Zhao XRoy ABanerjee ASrinivasan KKim YKim JKoushanfar FRasmussen K(2024)Fewer Demands, More Chances: Active Eavesdropping in MU-MIMO SystemsProceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3643833.3656136(162-173)Online publication date: 27-May-2024
https://dl.acm.org/doi/10.1145/3643833.3656136
Dong SLi YChen LZhang X(2024)Optimal Stealthy Attack With Side Information Under the Energy Constraint on Remote State EstimationInternational Journal of Control, Automation and Systems10.1007/s12555-023-0702-222:9(2723-2733)Online publication date: 2-Sep-2024
https://doi.org/10.1007/s12555-023-0702-2
Cui ZCui BSu LDu HXu JFu J(2024)A formal security analysis of the fast authentication procedure based on the security context in 5G networksSoft Computing10.1007/s00500-023-09486-x28:3(1865-1881)Online publication date: 10-Jan-2024
https://doi.org/10.1007/s00500-023-09486-x
Show More Cited By

Index Terms

A man-in-the-middle attack on UMTS
1. Networks
  1. Network types
    1. Mobile networks
    2. Wireless access networks

Recommendations

Security enhancements against UMTS-GSM interworking attacks

In this paper we first present three new attacks on Universal Mobile Telecommunication System (UMTS) in access domain. We exploit the interoperation of UMTS network with its predecessor, Global System for Mobile communications (GSMs). Two attacks result ...
New attacks on UMTS network access
WTS'09: Proceedings of the 2009 conference on Wireless Telecommunications Symposium

In this paper we propose two new attacks on UMTS network. Both attacks exploit the UMTS-GSM interworking and are possible in the GSM access area of UMTS network. The first attack allows the attacker to eavesdrop on the entire traffic of the victim UMTS ...
Research on Verification Method of Mutual Authentication in GSM/UMTS Inter-System Based on Finite State Machine
IMCCC '11: Proceedings of the 2011 First International Conference on Instrumentation, Measurement, Computer, Communication and Control

GSM and UMTS radio network will coexist for a long time. Interoperation of GSM and UMTS network will be a more important issue in the future. The authentication mechanism is key problem in GSM/UMTS inter-system. The verification method based on finite ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

WiSe '04: Proceedings of the 3rd ACM workshop on Wireless security

October 2004

104 pages

ISBN:158113925X

DOI:10.1145/1023646

General Chairs:
Markus Jakobsson
RSA Laboratories & Indiana University at Bloomington
,
Adrian Perrig
Carnegie Mellon University

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 October 2004

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

WiSE04

Sponsor:

WiSE04: 2004 ACM Workshop on Wireless Security ( co-located with Mobicom 2004 Conference )

October 1, 2004

PA, Philadelphia, USA

Acceptance Rates

Overall Acceptance Rate 10 of 41 submissions, 24%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

136
Total Citations
View Citations
3,689
Total Downloads

Downloads (Last 12 months)124
Downloads (Last 6 weeks)18

Reflects downloads up to 16 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Zhao XRoy ABanerjee ASrinivasan KKim YKim JKoushanfar FRasmussen K(2024)Fewer Demands, More Chances: Active Eavesdropping in MU-MIMO SystemsProceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3643833.3656136(162-173)Online publication date: 27-May-2024
https://dl.acm.org/doi/10.1145/3643833.3656136
Dong SLi YChen LZhang X(2024)Optimal Stealthy Attack With Side Information Under the Energy Constraint on Remote State EstimationInternational Journal of Control, Automation and Systems10.1007/s12555-023-0702-222:9(2723-2733)Online publication date: 2-Sep-2024
https://doi.org/10.1007/s12555-023-0702-2
Cui ZCui BSu LDu HXu JFu J(2024)A formal security analysis of the fast authentication procedure based on the security context in 5G networksSoft Computing10.1007/s00500-023-09486-x28:3(1865-1881)Online publication date: 10-Jan-2024
https://doi.org/10.1007/s00500-023-09486-x
Awan MDalveren YCatak FKara A(2023)Deployment and Implementation Aspects of Radio Frequency Fingerprinting in Cybersecurity of Smart GridsElectronics10.3390/electronics1224491412:24(4914)Online publication date: 6-Dec-2023
https://doi.org/10.3390/electronics12244914
Bashi OJameel SKubaisi YHameed HSabry A(2023)Threat Detection Model for WLAN of Simulated Data Using Deep Convolutional Neural NetworkApplied Sciences10.3390/app13201159213:20(11592)Online publication date: 23-Oct-2023
https://doi.org/10.3390/app132011592
Peeters CTucker TJain AButler KTraynor PHui PAmiri Sani ANurmi PLiu Y(2023)LeopardSeal: Detecting Call Interception via Audio Rogue Base StationsProceedings of the 21st Annual International Conference on Mobile Systems, Applications and Services10.1145/3581791.3596846(410-422)Online publication date: 18-Jun-2023
https://dl.acm.org/doi/10.1145/3581791.3596846
Sharma PMartin MSwanlund D(2023) MapSafe : A complete tool for achieving geospatial data sovereignty Transactions in GIS10.1111/tgis.1309427:6(1680-1698)Online publication date: 4-Sep-2023
https://doi.org/10.1111/tgis.13094
Zhdanova MUrbansky JHagemeier AZelle DHerrmann IHöffner D(2022)Local Power Grids at Risk – An Experimental and Simulation-based Analysis of Attacks on Vehicle-To-Grid CommunicationProceedings of the 38th Annual Computer Security Applications Conference10.1145/3564625.3568136(42-55)Online publication date: 5-Dec-2022
https://dl.acm.org/doi/10.1145/3564625.3568136
Park SYou IPark HKim D(2022)Analyzing RRC Replay Attack and Securing Base Station with Practical MethodProceedings of the 17th International Conference on Availability, Reliability and Security10.1145/3538969.3544448(1-8)Online publication date: 23-Aug-2022
https://dl.acm.org/doi/10.1145/3538969.3544448
Shaikhanov ZHassan FGuerboukha HMittleman DKnightly EJadliwala MKim YDmitrienko A(2022)Metasurface-in-the-Middle AttackProceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3507657.3528549(257-267)Online publication date: 16-May-2022
https://dl.acm.org/doi/10.1145/3507657.3528549
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Security enhancements against UMTS-GSM interworking attacks

New attacks on UMTS network access

Research on Verification Method of Mutual Authentication in GSM/UMTS Inter-System Based on Finite State Machine