
Network security issues in 3G, 4G and 5G: a literature roundup


Detection of malicious base station attacks through the carrier analysis (fake base stations, downgrade attacks)

Abstract: In 2G and 3G mobile standards there are vulnerabilities caused by the use of false Base Station (BS). The 3G security architecture offers protection against BS attacks; however, when the User Equipment (UE) is configured in automatic GSM/3G mode, this UE can accept connections coming from GSM/GPRS BSs that are configured as an attacker, finally establishing a connection with such malicious BTS located within the UE's coverage area. Even without the use of a frequency jammer, potential attack danger exists because the connection between a UE and the fake BTS can be achieved if the BS is transmitting with more power than the real base station, and the UE enters in the handover process imposed by the 2G standard.

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems (note: this one is about 4G)

https://arxiv.org/pdf/1510.07563.pdf

We carefully analyzed LTE access network protocol specifications and uncovered several vulnerabilities. Using commercial LTE mobile devices in real LTE networks, we demonstrate inexpensive, and practical attacks exploiting these vulnerabilities. Our first class of attacks consists of three different ways of making an LTE device leak its location: In our experiments, a semi-passive attacker can locate an LTE device within a 2 km² area in a city whereas an active attacker can precisely locate an LTE device using GPS co-ordinates or trilateration via cell-tower signal strength information. Our second class of attacks can persistently deny some or all services to a target LTE device. To the best of our knowledge, our work constitutes the first publicly reported practical attacks against LTE access network protocols.

The practical attack types include:

LOCATION LEAK ATTACKS OVER AIR INTERFACE
DOS ATTACKS ON LTE AIR INTERFACE

A SURVEY ON THREATS, VULNERABILITIES AND SECURITY SOLUTIONS FOR CELLULAR NETWORK

Cellular networks generations have suffered many threats such as eavesdropping and phone cloning, impersonation of a user, Man
in the middle, compromising authentication vectors in the network, spoofing, camping on a false
BTS, Denial of Service (DoS), passive identity caching, encryption suppression, suppressing
encryption between the target user and the intruder, eavesdropping on user data by suppressing
encryption, hijacking outgoing calls in networks with encryption disabled.
UMTS systems suffer from Eavesdropping signaling or control data, Masquerading as a user,
Masquerading as a serving network, jamming the user’s traffic and Denial of Service (DoS).
The common attacks in LTE are Distributed Denial of Service (DDoS) and Denial of Service (DoS)
attacks. Other threats are spam over VoIP, spoofing and misdirection, SIP registration hijacking and
interception and cryptanalysis of IP traffic.
2. SECURITY AND PRIVACY SERVICES
The most critical issue in cellular network is personal privacy requirements which would involve
security and privacy services. Due to the increasing number of m-business, security services will get
more critical in the future cellular system. Such services include entity authentication of the
principal entities, data confidentiality, data integrity, message origin and destination authentication,
anonymity, location confidentiality and identity confidentiality, untraceability, transaction
confidentiality and privacy.
Principal entities have identity structures to be authenticated. The main entities may have multiple
identities. Some of these identities may be public while others may be unknown. The identities may
be long lived or they may be short lived.
Data confidentiality protects the data against eavesdrop attack. Data integrity protects the data
against unlawful modification. Message origin and destination authentication provide corroboration
of the transmitter/receiver identities or more the associated routing addresses. These services are
provided by symmetric and asymmetric cryptographic methods.
The subscriber may not want to publish his/her identity. The subscriber identity that it may be the
system identity and international mobile subscriber identity (IMSI) is known for both the home
operator and the serving network. So it should be protected against eavesdropping on the radio
interface by any third party. The home operator is required to know the legal identity of the
subscriber.
Location confidentiality and identity confidentiality are provided by the existing systems but no
authoritative solution is yet provided for the current 2G/3G/4G systems. The issue is tied to identity
management to solve the problem of the mobile cellular and network identity management with
authentication at the link layer level.
The intruder may not be able to derive the name or network address of the subscriber, but could
successfully trace the subscriber based on radio transmission properties. This gives rise to the concepts of
untraceability and transaction confidentiality privacy.
3. THREATS/ INTRUDERS
Two main motivations for attackers are theft of service and interception of data. Theft of service
comes in many forms, but the most technically interesting is the cloning of a phone. When
“cloning” a phone, attackers steal the identifying information from a legitimate phone and load it
to another phone.
Data interception of mobile phone networks is a similar threat to other wireless networks. Using
relatively unsophisticated tools can listen to the transmissions of the phone and the base station in
an effort to eavesdrop on the voice and data transmissions occurring. The largest defense to this
type of attack is encryption of the data in the air.
An intruder may attempt to eavesdrop on user traffic, signaling data and control data, or
disappear in many forms such as a legitimate party in the use and saving or management of cellular
network services.
The role of the intruders attempts to violate the confidentiality, integrity, availability of Cellular
network, their services or fraud users, home environments or serving networks or any other party.

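It roughly makes the following key points:

Cellular network generations (1G, 2G, 3G, ...) have suffered many threats, such as eavesdropping and phone cloning, impersonation of a user, man in the middle, compromising authentication vectors in the network, spoofing, camping on a false BTS, denial of service (DoS), passive identity caching, encryption suppression, suppressing encryption between the target user and the intruder, eavesdropping on user data by suppressing encryption, and hijacking outgoing calls in networks with encryption disabled.
UMTS systems suffer from eavesdropping on signaling or control data, masquerading as a user, masquerading as a serving network, jamming the user's traffic and denial of service (DoS).
The common attacks in LTE are distributed denial of service (DDoS) and denial of service (DoS) attacks. Other threats include spam over VoIP, spoofing and misdirection, SIP registration hijacking, and interception and cryptanalysis of IP traffic.

The most critical issue in cellular networks is the personal privacy requirements, which involve security and privacy services. Because the amount of mobile business keeps growing, security services will become more critical in future cellular systems. These services include entity authentication of the principal entities, data confidentiality, data integrity, message origin and destination authentication, anonymity, location confidentiality and identity confidentiality, untraceability, transaction confidentiality and privacy.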

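On the threats to 3G, it says:

Threats to security can be classified into several categories. The following section describes the classification of threats to security.

Unauthorized access to sensitive data:
· Eavesdropping: an intruder intercepts messages without detection.
· Masquerading: an intruder tricks an authorized user into believing that they are the legitimate system, to obtain confidential information from the user.
· Traffic analysis: an intruder observes the time, rate, length, source and destination of messages to determine a user's location.
· Browsing: an intruder searches data storage for sensitive information.
· Leakage: an intruder obtains sensitive information by exploiting processes with legitimate access to the data.
· Inference: an intruder observes a reaction from a system by sending a query or signal to the system.

Unauthorized manipulation of sensitive data: an intruder may modify, insert, replay or delete messages.

Disturbing or misusing network services includes the following threats:
· Intervention: an intruder may prevent an authorized user from using a service by jamming the user's traffic, signaling or control data.
· Resource exhaustion: an intruder may prevent an authorized user from using a service by overloading the service.
· Misuse of privileges: a user or a serving network exploits their privileges to obtain unauthorized services or information.
· Abuse of services: an intruder may abuse some special service to gain an advantage or to cause disruption to the network.
· Repudiation: a user or a network denies actions that have taken place.

Unauthorized access to services: services are exposed to intruders, who can obtain access by masquerading as users or network entities; users or network entities may also get unauthorized access to services by misusing their access rights.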

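Threats on the air-interface side include:

The radio interface is subject to different attacks, for example:
Eavesdropping on user traffic: an intruder eavesdrops on user traffic.
Eavesdropping on signaling or control data: an intruder eavesdrops on signaling data or control data in order to access security management data or other information, and passes it on for active attacks on the system.
Masquerading as a communications participant: an intruder masquerades as a network element to intercept user traffic, signaling data or control data.
Passive traffic analysis: an intruder observes the time, rate, length, sources or destinations of messages to obtain access to information.
There are several types of denial of service (DoS) attack, for example:
· Physical intervention: an intruder may prevent user traffic, signaling data and control data from being transmitted on the radio interface by physical means.
· Protocol intervention: an intruder may prevent user traffic, signaling data or control data from being transmitted on the radio interface by inducing specific protocol failures.
· Denial of service (DoS) by masquerading as a communications participant: an intruder may deny service to a legitimate user by preventing user traffic, signaling data or control data from being transmitted on the radio interface by masquerading as a network element.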
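The false-base-station scenario in the first abstract (a GSM BTS transmitting with more power than the real cell, so that a UE in automatic GSM/3G mode reselects to it) is one form of the "masquerading as a network element" threat, and it suggests a simple detection check. The following is an added example, not code from the cited papers and not their carrier-analysis method; the observation format, the known-cell allowlist and the 20 dB margin are assumptions, and the measurements are constructed.

```python
from dataclasses import dataclass

@dataclass
class CellObs:
    t: int         # seconds since start of capture
    rat: str       # "GSM" or "UMTS"
    lac: int       # location area code
    cid: int       # cell identity
    dbm: int       # received signal level in dBm
    serving: bool  # True if the UE is camped on this cell

# Constructed sample data (hypothetical identifiers, not from a real network).
KNOWN_CELLS = {("UMTS", 1201, 40011), ("UMTS", 1201, 40012), ("GSM", 1201, 2101)}
SAMPLE = [
    CellObs(0, "UMTS", 1201, 40011, -85, True),
    CellObs(0, "GSM", 1201, 2101, -92, False),
    CellObs(10, "UMTS", 1201, 40011, -86, True),
    CellObs(10, "GSM", 9999, 7, -51, False),   # unknown cell appears, very strong
    CellObs(20, "GSM", 9999, 7, -49, True),    # UE has left 3G for it
    CellObs(20, "UMTS", 1201, 40011, -86, False),
]

def suspicious_cells(obs, known, margin_db=20):
    """Return {(rat, lac, cid): [reasons]} for unknown cells matching the false-BS pattern."""
    known_levels = [o.dbm for o in obs if (o.rat, o.lac, o.cid) in known]
    if not known_levels:
        return {}  # no baseline of legitimate cells to compare against
    threshold = max(known_levels) + margin_db
    findings = {}
    prev_serving_rat = None
    for o in sorted(obs, key=lambda o: o.t):
        key = (o.rat, o.lac, o.cid)
        if key not in known:
            reasons = findings.get(key, set())
            if o.dbm >= threshold:
                reasons.add("stronger_than_known_cells")
            if o.serving and o.rat == "GSM" and prev_serving_rat == "UMTS":
                reasons.add("3g_to_gsm_downgrade")
            if reasons:
                findings[key] = reasons
        if o.serving:
            prev_serving_rat = o.rat
    return {k: sorted(v) for k, v in findings.items()}
```

Either reason alone is weak evidence (a newly deployed cell is also unknown); the two together on the same cell are what the abstract describes.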

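4G security issues: the core problem is still DoS attacks

4G system (LTE) security
Modern LTE cellular networks provide advanced services for billions of users, beyond traditional voice and short-message traffic. The upcoming attacks on LTE are distributed denial of service (DDoS) attacks. The availability of communication systems explains the importance of enhancing the resilience of mobile networks against denial of service (DoS) and DDoS threats, to ensure LTE network availability against security attacks.
Examples of threats include spam over VoIP, spoofing and misdirection, SIP registration hijacking, and interception and cryptanalysis of IP traffic.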

A figure in the paper illustrates this well:

[Figure not preserved in this copy]
