Shared Flashcard Set

Details

mobile network security
Attacks countered by 3G
58
Computer Science
Undergraduate 4
04/27/2012


Cards

Term
What are the 4 Denial of service attacks countered by 3G?
Definition
De-registration spoofing
Location update spoofing
Camping on a false base station
Camping on a false BTS / MS
Term
What are the two types of attacks on identity catching?
Definition
passive
active
Term
Impersonation of the network has three attacks. What are they?
Definition
Suppressing encryption between target user and intruder

Suppress encryption between target user and true network

Forcing use of compromised key
Term
What are the three attacks for eavesdropping on user data?
Definition
Suppressing encryption between target user and intruder

Suppressing encryption between target user and true network

Force use of a compromised key
Term
Impersonation of the user attacks (4)
Definition
Compromised authentication vector

Eavesdropped authentication response

Hijacking incoming calls (with / without encryption)

Hijacking outgoing calls (with / without encryption)
Term
Name the four variations of attacks which hijack calls
Definition
Incoming encrypted
Outgoing encrypted
Incoming non-encrypted
Outgoing non-encrypted
Term
Two attacks target the authentication vector; what are these?
Definition
User impersonation with compromised authentication vector

User impersonation through eavesdropped authentication response
Term
Between the user and which two places can you suppress encryption?
Definition
user and real network

user and intruder
Term
What two places can you camp on?
Definition
BTS

BTS / MS
Term
What two types of ID catching can you do?
Definition
Passive
Active
Term
What two things can you spoof?
Definition
location update

De-registration spoofing
Term
The network cannot authenticate messages it receives over the radio interface. Three attacks target this, what are they?
Definition
De-registration spoofing

Location update spoofing

Suppressing encryption between target user and true network
Term
What exploits the fact that the network can ask a user to send its ID in clear text?
Definition
Passive ID catching
Term
What exploits the fact that the MS can send its permanent ID in clear text?
Definition
Active ID catching
Term
The fact that a user has no control over a compromised key means what?
Definition
A user can be forced to use a compromised cipher key and then eavesdropped on
Term
A user can use an authentication vector several times; what exploits this?
Definition
User impersonation with eavesdropped authentication response
Term
Spoofing attacks (both of them) can be prevented in 3G using which measure?
Definition
Integrity protection
Term
Both catching attacks can be protected by which 3G security measure?
Definition
Mandatory cipher mode
Term
A combination of mandatory cipher mode, message authentication and replay inhibition can be used to stop which attack?
Definition
Suppressing encryption between the target user and the intruder
Term
Message authentication and replay inhibition can be used to stop which attack?
Definition
Suppressing encryption between the target user and the true network
Term
Integrity protection alone is a protection against which two types of attacks?
Definition
Spoofing attacks

Hijacking attacks
Term
Mandatory cipher mode alone is enough to counter which attack?
Definition
Catching attacks (active and passive)
Term
Suppressing encryption between the target user and the intruder can be countered by which measures?
Definition
A combination of mandatory cipher mode, message authentication and replay inhibition
Term
Suppressing encryption between the target user and the true network can be countered by which measures?
Definition
Message authentication and replay inhibition
Term
A compromised key can be stopped by?
Definition
The presence of a sequence number
Term
The presence of a sequence number can prevent two types of attacks, what are they?
Definition
Authentication vector attacks

Compromised cipher key based attacks
Term
A user impersonation with compromised authentication vector and user impersonation through authentication response can be countered by which measure?
Definition
A sequence number
Term
Hijacking calls can be prevented by what?
Definition
Integrity protection
Term
How does de-registration spoofing occur?
Definition
The intruder spoofs a de-registration request known as IMSI detach, to the network.
Term
What measure can prevent de-registration spoofing?
Definition
Integrity protection protects against this attack.
Term
What does IMSI stand for?
Definition
International mobile subscriber identity
Term
Location update spoofing is what?
Definition
Spoofing a location update request as if it came from the legitimate user, saying it is in a different location.
Term
Camping on a false BTS works by?
Definition
A user camps on the radio channels of a false base station so it's out of reach
Term
How do you counter de-registration spoofing?
Definition
Integrity protection
Term
The security architecture does not counteract a false BTS, however...
Definition
The DoS only lasts as long as the attacker is active
Term
Camping on a false BTS / MS is different somehow, what is it?
Definition
A false BTS / MS can act as a 'repeater' for some time and relay some requests.
Term
If a false BTS / MS acts as a repeater what can it do to ruin everything?
Definition
Not forward or modify your requests.
Term
Camping on a false BTS / MS isn't protected. The fact that it acts like a repeater (MITM) is not solved by 3G. What can possibly help here?
Definition
Integrity protection of critical message MAY help to prevent some DoS attacks (no specifics)
Term
Passive identity catching is what?
Definition
Doesn't say in the slides, but it's just seeing who the person is.
Term
How can you prevent passive ID catching?
Definition
TMSI (temporary mobile subscriber identity)

If a TMSI is used rather than an IMSI then the user cannot be tracked to the same ID, as it changes
Term
Active identity catching is what?
Definition
The same as passive, but you explicitly ask for the permanent ID.
Term
How is active identity catching prevented in 3G?
Definition
Integrity confidentiality, specifically using an encryption key shared by a group of users to protect the user ID
Term
Suppressing encryption between the target user and the intruder works how?
Definition
The BTS has been modified, and when a service has been initiated the intruder does not enable encryption
Term
What can you do to prevent suppression between the target user and the intruder?
Definition
Mandatory cipher mode, message authentication and replay inhibition
Term
Suppressing encryption between the target user and the true network is done by what?
Definition
Modifying the cipher capabilities of the MS to make it appear there's a compatibility issue
Term
What prevents suppressing encryption between the target user and the true network?
Definition
A mobile station with message authentication and replay inhibition allows the network to verify that encryption has not been suppressed
Term
A compromised cipher key is done how?
Definition
When a call is set-up the user is forced to use a compromised cipher key
Term
What does the presence of a sequence number do to prevent compromised cipher key?
Definition
Allows the USIM to verify the freshness of the cipher key.
Term
What does the presence of a sequence number NOT do to prevent compromised cipher key?
Definition
Does not protect against forced use of compromised authentication vectors which have not yet been used to authenticate the USIM
Term
Describe the attack of eavesdropping on user data by suppressing encryption between the target user and the intruder
Definition
The target user is enticed to camp on a false BTS (big surprise). When the target user or the intruder initiates a call, the network does not enable encryption, because the cipher mode command is spoofed.

The attacker then sets up his own connection with the genuine network using his own subscription. The attacker may then subsequently eavesdrop on the transmitted user data (it implies this is a MITM attack)
Term
How does suppression of encryption between target user and true network work?
Definition
The network can decide to establish an un-enciphered connection if the false BTS / MS modifies the ciphering capabilities of the MS to make it seem like there's a genuine incompatibility issue
Term
How does an intruder eavesdrop forcing the use of a compromised cipher key
Definition
Target user is enticed to camp on the false BTS / MS (oh my god, that's a first). When a service set-up is attempted, the false BTS / MS forces the use of a compromised cipher key on the mobile user while it builds up a connection with the genuine network using its own subscription
Term
How does user impersonation with compromised auth vector work?
Definition
Intruder possesses a compromised auth vector which is intended to be used by the network to auth a legit user. The intruder uses the data to impersonate the target user towards the network and the other party.
Term
How does user impersonation through eavesdropped auth response work?
Definition
The intruder eavesdrops on the auth response and then reuses it later on
Term
If encryption is disabled how do you hijack outgoing calls?
Definition
User initiates the call setup procedure; intruder modifies the signalling elements such that for the serving network it appears as if the target user wants to set up a mobile originated call. After auth, intruder cuts the connection with the target user and uses the connection to make fraudulent use of the target user's subscription.
Term
Hijacking outgoing calls in networks with encryption enabled?
Definition
The user initiates the call setup procedure; intruder modifies the signalling elements such that for the serving network it appears as if the target user wants to set up a mobile originated call. The intruder has to suppress encryption by modification of the message in which the MS informs the network of its ciphering capabilities. After auth, intruder cuts the connection with the target user and uses the connection to make fraudulent use of the target user's subscription.
Term
How does hijacking incoming calls in networks with encryption disabled work?
Definition
Target user on the false base station gets a phone call from the associate of the intruder.

Intruder acts as a relay until auth and call set-up has been done.

Intruder releases target user and subsequently uses the connection to answer the call made by his associate.
Term
How does hijacking incoming calls in networks with encryption enabled work?
Definition
Target user on the false base station gets a phone call from the associate of the intruder.

Intruder acts as a relay until auth and call set-up has been done. Also have to suppress encryption.

Intruder releases target user and subsequently uses the connection to answer the call made by his associate.