Article

A man-in-the-middle attack on UMTS

Authors:
Ulrike Meyer

Darmstadt University of Technology, Darmstadt, Germany

Darmstadt University of Technology, Darmstadt, Germany
View Profile

,
Susanne Wetzel

Stevens Institute of Technology, Hoboken, NJ

Stevens Institute of Technology, Hoboken, NJ
View Profile

WiSe '04: Proceedings of the 3rd ACM workshop on Wireless securityOctober 2004Pages 90–97https://doi.org/10.1145/1023646.1023662

Published:01 October 2004Publication History

WiSe '04: Proceedings of the 3rd ACM workshop on Wireless security

Pages 90–97

ABSTRACT

In this paper we present a man-in-the-middle attack on the Universal Mobile Telecommunication Standard (UMTS), one of the newly emerging 3G mobile technologies. The attack allows an intruder to impersonate a valid GSM base station to a UMTS subscriber regardless of the fact that UMTS authentication and key agreement are used. As a result, an intruder can eavesdrop on all mobile-station-initiated traffic.Since the UMTS standard requires mutual authentication between the mobile station and the network, so far UMTS networks were considered to be secure against man-in-the-middle attacks. The network authentication defined in the UMTS standard depends on both the validity of the authentication token and the integrity protection of the subsequent security mode command.We show that both of these mechanisms are necessary in order to prevent a man-in-the middle attack. As a consequence we show that an attacker can mount an impersonation attack since GSM base stations do not support integrity protection. Possible victims to our attack are all mobile stations that support the UTRAN and the GSM air interface simultaneously. In particular, this is the case for most of the equipment used during the transition phase from 2G (GSM) to 3G (UMTS) technology.

References

E. Barkan, E. Biham, and N. Keller. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. In Advances in Cryptology -CRYPTO 2003 LNCS 2729, August 2003.Google Scholar
Deutsche Bank Research. Mobile Banking's Banana Problem: Too Little Business in Sight. E-Banking snapshot 2002. http://www.dbresearch.com.Google Scholar
ETSI Technical Specification. ETSI TS 100.929, V8.0.0, Digital Cellular Telecommunications System (phase 2+) (GSM); Security Related Network Functions. 2000.Google Scholar
D. Fox. Der IMSI Catcher. DuD, Datenschutz und Datensicherheit 2002.Google Scholar
G. Horn and P. Howard.Review of Third Generation Mobile System Security Architecture. In ISSE 2000 September 2000.Google Scholar
C. J. Mitchell. The Security of the GSM Air Interface Protocol.Technical Report RHUL MA 2001-3, RoyalHolloway University of London, 2001.Google Scholar
D. Wagner and B. Schneier. Analysis of the SSL 3.0 Protocol. In 2nd USENIX Workshop on Electronic Commerce November 1996. Google ScholarDigital Library
3GPP. S3-030651: Further Development of the Special RAND Mechanism. http://www.3gpp.org/TB/SA/SA3/SA3.htmGoogle Scholar
3GPP. S3-99206: Response to "CR to TS 25.301 Integrity Control Mechanism". http://www.3gpp.org/TB/SA/SA3/SA3.htm.Google Scholar
3GPP Technical Report. 3GPP TR 33.909 V1.0.0, Third Generation Partnership Project; Technical Specification Group Services and System Aspects; Report on the evaluation of 3GPP Standard Confidentiality and Integrity Algorithms. December 2000.Google Scholar
3GPP Technical Specification. 3GPP TS 21.133, V4.1.0, Third Generation Partnership Project; 3G Security; Security Threats and Requirements. December 2001.Google Scholar
3GPP Technical Specification. 3GPP TS 23.009, V5.6.0, Third Generation Partnership Project; Handover Procedures. October 2003.Google Scholar
3GPP Technical Specification. 3GPP TS 33.102, V5.3.0, Third Generation Partnership Project; Technical Specifications Group Services and System Aspects; 3G Security; Security Architecture. September 2003.Google Scholar
3GPP Technical Report. 3GPP TR 31.900, V5.3.0., Third Generation Partnership Project; SIM/USIM Internal and External Interworking Aspects. 2003.Google Scholar

Index Terms

A man-in-the-middle attack on UMTS
1. Networks
  1. Network types
    1. Mobile networks
    2. Wireless access networks

Recommendations

Security enhancements against UMTS-GSM interworking attacks

In this paper we first present three new attacks on Universal Mobile Telecommunication System (UMTS) in access domain. We exploit the interoperation of UMTS network with its predecessor, Global System for Mobile communications (GSMs). Two attacks result ...
Read More
New attacks on UMTS network access
WTS'09: Proceedings of the 2009 conference on Wireless Telecommunications Symposium

In this paper we propose two new attacks on UMTS network. Both attacks exploit the UMTS-GSM interworking and are possible in the GSM access area of UMTS network. The first attack allows the attacker to eavesdrop on the entire traffic of the victim UMTS ...
Read More
Research on Verification Method of Mutual Authentication in GSM/UMTS Inter-System Based on Finite State Machine
IMCCC '11: Proceedings of the 2011 First International Conference on Instrumentation, Measurement, Computer, Communication and Control

GSM and UMTS radio network will coexist for a long time. Interoperation of GSM and UMTS network will be a more important issue in the future. The authentication mechanism is key problem in GSM/UMTS inter-system. The verification method based on finite ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
WiSe '04: Proceedings of the 3rd ACM workshop on Wireless security
October 2004
104 pages
ISBN:158113925X
DOI:10.1145/1023646
General Chairs:
Markus Jakobsson
RSA Laboratories & Indiana University at Bloomington
,
Adrian Perrig
Carnegie Mellon University
Copyright © 2004 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 October 2004
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
GSM
UMTS
authentication
man-in-the-middle attack
mobile communication
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate10of41submissions,24%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 133
  Total Citations
  View Citations
- 3,650
  Total Downloads
- Downloads (Last 12 months)119
- Downloads (Last 6 weeks)21
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

A man-in-the-middle attack on UMTS

WiSe '04: Proceedings of the 3rd ACM workshop on Wireless security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Security enhancements against UMTS-GSM interworking attacks

New attacks on UMTS network access

Research on Verification Method of Mutual Authentication in GSM/UMTS Inter-System Based on Finite State Machine