Term
| What are the 4 Denial of service attacks countered by 3G? |
|
Definition
De-registration spoofing
Location update spoofing
Camping on a false base station
Camping on a false BTS / MS |
|
|
Term
| What are the two types of attacks on identity catching? |
|
Definition
|
|
Term
| Impersonation of the network has three attacks. What are they? |
|
Definition
Suppressing encryption between target user and intruder
Suppressing encryption between target user and true network
Forcing use of a compromised key |
|
|
Term
| What are the three attacks for eavesdropping on user data? |
|
Definition
Suppressing encryption between target user and intruder
Suppressing encryption between target user and true network
Forcing use of a compromised key |
|
|
Term
| Impersonation of the user attacks (4) |
|
Definition
Compromised authentication vector
Eavesdropped authentication response
Hijacking incoming calls (with / without encryption)
Hijacking outgoing calls (with / without encryption) |
|
|
Term
| Name the four variations of attacks which hijack calls |
|
Definition
Incoming encrypted
Outgoing encrypted
Incoming non-encrypted
Outgoing non-encrypted |
|
|
Term
| Two attacks target the authentication vector, what are these? |
|
Definition
User impersonation with compromised authentication vector
User impersonation through eavesdropped authentication response |
|
|
Term
| Between the user and which two places can encryption be suppressed? |
|
Definition
User and real network
User and intruder |
|
|
Term
| What two places can you camp on? |
|
Definition
|
|
Term
| What two types of ID catching can you do? |
|
Definition
|
|
Term
| What two things can you spoof? |
|
Definition
Location update spoofing
De-registration spoofing |
|
|
Term
| The network cannot authenticate messages it receives over the radio interface. Three attacks target this, what are they? |
|
Definition
De-registration spoofing
Location update spoofing
Suppressing encryption between target user and true network |
|
|
Term
| What exploits the fact that the network can ask a user to send its ID in clear text? |
|
Definition
|
|
Term
| What exploits the fact that the MS can send its permanent ID in clear text? |
|
Definition
|
|
Term
| The fact that a user has no control over a compromised key means what? |
|
Definition
| A user can be forced to use a compromised cipher key and then eavesdropped on |
|
|
Term
| A user can use an authentication vector several times, what exploits this? |
|
Definition
| User impersonation with eavesdropped authentication response |
|
|
Term
| Spoofing attacks (both of them) can be prevented in 3G using which measure? |
|
Definition
|
|
Term
| Both catching attacks can be protected against by which 3G security measure? |
|
Definition
|
|
Term
| A combination of mandatory cipher mode, message authentication and replay inhibition can be used to stop which attack? |
|
Definition
| Suppressing encryption between the target user and the intruder |
|
|
Term
| Message authentication and replay inhibition can be used to stop which attack? |
|
Definition
| Suppressing encryption between the target user and the true network |
|
|
Term
| Integrity protection alone is a protection against which two types of attacks? |
|
Definition
Spoofing attacks
Hijacking attacks |
|
|
Term
| Mandatory cipher mode alone is enough to counter which attack? |
|
Definition
| Catching attacks (active and passive) |
|
|
Term
| Suppressing encryption between the target user and the intruder can be countered by which measures? |
|
Definition
| A combination of mandatory cipher mode, message authentication and replay inhibition |
|
|
Term
| Suppressing encryption between the target user and the true network can be countered by which measures? |
|
Definition
| Message authentication and replay inhibition |
|
|
Term
| A compromised key can be stopped by? |
|
Definition
| The presence of a sequence number |
|
|
Term
| The presence of a sequence number can prevent two types of attacks, what are they? |
|
Definition
Authentication vector attacks
Compromised cipher key based attacks |
|
|
Term
| User impersonation with a compromised authentication vector and user impersonation through an eavesdropped authentication response can be countered by which measure? |
|
Definition
|
|
Term
| Hijacking calls can be prevented by what? |
|
Definition
|
|
Term
| How does de-registration spoofing occur? |
|
Definition
| The intruder spoofs a de-registration request, known as IMSI detach, to the network. |
|
|
Term
| What measure can prevent de-registration spoofing? |
|
Definition
| Integrity protection protects against this attack. |
|
|
Term
| What does IMSI stand for? |
|
Definition
| International mobile subscriber identity |
|
|
Term
| What is location update spoofing? |
|
Definition
| Spoofing a location update request as if it came from the legitimate user, saying it is in a different location. |
|
|
Term
| How does camping on a false BTS work? |
|
Definition
| A user camps on the radio channels of a false base station, so it is out of reach. |
|
|
Term
| How do you counter de-registration spoofing? |
|
Definition
|
|
Term
| The security architecture does not counteract a false BTS, however... |
|
Definition
| The DoS only lasts as long as the attacker is active |
|
|
Term
| Camping on a false BTS /MS is different somehow, what is it? |
|
Definition
| A false BTS/MS can act as a 'repeater' for some time and relay some requests. |
|
|
Term
| If a false BTS / MS acts as a repeater what can it do to ruin everything? |
|
Definition
| Not forward or modify your requests. |
|
|
Term
| Camping on a false BTS / MS isn't protected. The fact that it acts like a repeater (MITM) is not solved by 3G. What can possibly help here? |
|
Definition
| Integrity protection of critical messages MAY help to prevent some DoS attacks (no specifics) |
|
|
Term
| What is passive identity catching? |
|
Definition
| Doesn't say in the slides, but it's just seeing who the person is. |
|
|
Term
| How can you prevent passive ID catching? |
|
Definition
TMSI (temporary mobile subscriber identity)
If a TMSI is used rather than an IMSI, the user cannot be tracked by the same ID, as it changes |
|
|
Term
| What is active identity catching? |
|
Definition
| The same as passive, but you explicitly ask for the permanent ID. |
|
|
Term
| How is active identity catching prevented in 3G? |
|
Definition
| Integrity confidentiality, specifically using an encryption key shared by a group of users to protect the user ID |
|
|
Term
| How does suppressing encryption between the target user and the intruder work? |
|
Definition
| The BTS has been modified, and when a service is initiated the intruder does not enable encryption |
|
|
Term
| What can you do to prevent suppression of encryption between the target user and the intruder? |
|
Definition
| Mandatory cipher mode, message authentication and replay inhibition |
|
|
Term
| How is suppressing encryption between the target user and the true network done? |
|
Definition
| Modifying the cipher capabilities of the MS to make it appear there's a compatibility issue |
|
|
Term
| What prevents suppressing encryption between the target user and the true network? |
|
Definition
| A mobile station with message authentication and replay inhibition allows the network to verify that encryption has not been suppressed |
|
|
Term
| How is a compromised cipher key attack done? |
|
Definition
| When a call is set up, the user is forced to use a compromised cipher key |
|
|
Term
| What does the presence of a sequence number do to prevent a compromised cipher key? |
|
Definition
| Allows the USIM to verify the freshness of the cipher key. |
|
|
Term
| What does the presence of a sequence number NOT do to prevent a compromised cipher key? |
|
Definition
| Does not protect against forced use of compromised authentication vectors which have not yet been used to authenticate the USIM |
|
|
Term
| Describe the attack of eavesdropping on user data by suppressing encryption between the target user and the intruder |
|
Definition
The target user is enticed to camp on a false BTS (big surprise). When the target user or intruder initiates a call, encryption is not enabled because the cipher mode command is spoofed.
The attacker then sets up his own connection with the genuine network using his own subscription. The attacker may then subsequently eavesdrop on the transmitted user data (this implies it is a MITM attack) |
|
|
Term
| How does suppression of encryption between target user and true network work? |
|
Definition
| The network can decide to establish an unenciphered connection if the false BTS / MS modifies the ciphering capabilities of the MS to make it seem like there is a genuine incompatibility issue |
|
|
Term
| How does an intruder eavesdrop by forcing the use of a compromised cipher key? |
|
Definition
| The target user is enticed to camp on the false BTS/MS (oh my god, that's a first). When a service is being set up, the false BTS / MS forces the use of a compromised cipher key on the mobile user while it builds up a connection with the genuine network using its own subscription |
|
|
Term
| How does user impersonation with a compromised auth vector work? |
|
Definition
| The intruder possesses a compromised auth vector which is intended to be used by the network to authenticate a legitimate user. The intruder uses the data to impersonate the target user towards the network and the other party. |
|
|
Term
| How does user impersonation through eavesdropped auth response work? |
|
Definition
| The intruder eavesdrops on the auth response and then reuses it later on |
|
|
Term
| If encryption is disabled how do you hijack outgoing calls? |
|
Definition
| The user initiates the call setup procedure; the intruder modifies the signalling elements such that for the serving network it appears as if the target user wants to set up a mobile originated call. After auth, the intruder cuts the connection with the target user and uses the connection to make fraudulent calls on the target user's subscription. |
|
|
Term
| How does hijacking outgoing calls work in networks with encryption enabled? |
|
Definition
| The user initiates the call setup procedure; the intruder modifies the signalling elements such that for the serving network it appears as if the target user wants to set up a mobile originated call. The intruder has to suppress encryption by modifying the message in which the MS informs the network of its ciphering capabilities. After auth, the intruder cuts the connection with the target user and uses the connection to make fraudulent calls on the target user's subscription. |
|
|
Term
| How does hijacking incoming calls in networks with encryption disabled work? |
|
Definition
The target user on the false base station gets a phone call from the associate of the intruder.
The intruder acts as a relay until auth and call set-up have been done.
The intruder releases the target user and subsequently uses the connection to answer the call made by his associate. |
|
|
Term
| How does hijacking incoming calls in networks with encryption enabled work? |
|
Definition
The target user on the false base station gets a phone call from the associate of the intruder.
The intruder acts as a relay until auth and call set-up have been done. The intruder also has to suppress encryption.
The intruder releases the target user and subsequently uses the connection to answer the call made by his associate. |
|
|