1. bookVolume 2019 (2019): Issue 3 (July 2019)
Journal Details
First Published
16 Apr 2015
Publication timeframe
4 times per year
access type Open Access

New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols

Published Online: 12 Jul 2019
Page range: 108 - 127
Received: 30 Nov 2018
Accepted: 16 Mar 2019
Journal Details
First Published
16 Apr 2015
Publication timeframe
4 times per year

Mobile communications are used by more than two-thirds of the world population who expect security and privacy guarantees. The 3rd Generation Partnership Project (3GPP) responsible for the worldwide standardization of mobile communication has designed and mandated the use of the AKA protocol to protect the subscribers’ mobile services. Even though privacy was a requirement, numerous subscriber location attacks have been demonstrated against AKA, some of which have been fixed or mitigated in the enhanced AKA protocol designed for 5G.

[1] Tamarin tool code.Search in Google Scholar

[2] 3GPP. 3G Security; Formal Analysis of the 3G Authentication Protocol. TS 33.902, (3GPP).Search in Google Scholar

[3] 3GPP. 3G security; Security architecture. TS 33.102, (3GPP).Search in Google Scholar

[4] 3GPP. 3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm specification. Technical Specification (TS) 35.206, (3GPP).Search in Google Scholar

[5] 3GPP. 3GPP System Architecture Evolution (SAE); Security architecture. TR 33.401, (3GPP).Search in Google Scholar

[6] 3GPP. AT command set for User Equipment (UE). TS 27.007, (3GPP).Search in Google Scholar

[7] 3GPP. SA3 - Security.Search in Google Scholar

[8] 3GPP. Security architecture and procedures for 5G System. TS 33.501, (3GPP).Search in Google Scholar

[9] 3GPP. Service requirements for the Evolved Packet System (EPS). TS 122.278, (3GPP).Search in Google Scholar

[10] 3GPP. Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: Algorithm specification. Technical Specification (TS) 35.231, (3GPP).Search in Google Scholar

[11] 3GPP. Study on subscriber privacy impact in 3GPP. TR 33.849, (3GPP).Search in Google Scholar

[12] 3GPP. Study on the security aspects of the next generation system. TR 33.899, (3GPP).Search in Google Scholar

[13] Advanced Card Systems Holdings Limited. ACR38 Smart Card Reader.Search in Google Scholar

[14] Anand R. Prasad, Alf Zugenmaier, Adrian Escott and Mirko Cano Soveri. 3GPP 5G Security.Search in Google Scholar

[15] Myrto Arapinis, Tom Chothia, Eike Ritter, and Mark Ryan. Analysing unlinkability and anonymity using the applied pi calculus. In 2010 23rd IEEE Computer Security Foundations Symposium, pages 107–121. IEEE, 2010.Search in Google Scholar

[16] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: fix and verification. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 205–216. ACM, 2012.Search in Google Scholar

[17] Jari Arkko. Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAPAKA). RFC 4187.Search in Google Scholar

[18] D. Basin, C. Cremers, K. Miyazaki, S. Radomirovic, and D. Watanabe. Improving the Security of Cryptographic Protocol Standards. IEEE Security Privacy, 13(3):24–31, May 2015.Search in Google Scholar

[19] David Basin, Jannik Dreier, Lucca Hirschi, Saša Radomirovic, Ralf Sasse, and Vincent Stettler. A Formal Analysis of 5G Authentication. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 1383–1396. ACM, 2018.Search in Google Scholar

[20] A. N. Bikos and N. Sklavos. LTE/SAE Security Issues on 4G Wireless Networks. IEEE Security Privacy, 11(2):55–62, March 2013.Search in Google Scholar

[21] B. Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In Proceedings of CSFW’01, pages 82–96. IEEE Comp. Soc. Press, 2001.Search in Google Scholar

[22] Vincent Cheval and Bruno Blanchet. Proving more observational equivalences with ProVerif. In Principles of Security and Trust, pages 226–246. Springer, 2013.Search in Google Scholar

[23] Stephanie Clifford and Quentin Hardy. Attention Shoppers: Store is Tracking Your Cell. New York Times, 14, 2013.Search in Google Scholar

[24] S. Delaune and L. Hirschi. A survey of symbolic methods for establishing equivalence-based properties in cryptographic protocols. ArXiv e-prints, October 2016.Search in Google Scholar

[25] Jannik Dreier, Lucca Hirschi, Sasa Radomirovic, and Ralf Sasse. Automated Unbounded Verification of Stateful Cryptographic Protocols with Exclusive OR. In 31st IEEE Computer Security Foundations Symposium (CSF’2018), 2018.Search in Google Scholar

[26] Tobias Engel. Locating Mobile Phones using Signalling System 7. https://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf.Search in Google Scholar

[27] Ettus Research. USRP B210.Search in Google Scholar

[28] Dan Forsberg, Gnther Horn, Wolf-Dietrich Moeller, and Valtteri Niemi. LTE Security. Wiley Publishing, 2nd edition, 2012.Search in Google Scholar

[29] Gamry Instrumens. Faraday Cage: What Is It? How Does It Work?Search in Google Scholar

[30] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Douglas J. Leith. srsLTE: An Open-Source Platform for LTE Evolution and Experimentation. CoRR, abs/1602.04629, 2016.Search in Google Scholar

[31] GSMA. Definitive data and analysis for the mobile industry. https://www.gsmaintelligence.com/.Search in Google Scholar

[32] Changhee Hahn, Hyunsoo Kwon, Daeyoung Kim, Kyungtae Kang, and Junbeom Hur. A Privacy Threat in 4th Generation Mobile Telephony and Its Countermeasure. The 9th International Conference on Wireless Algorithms, Systems, and Applications, pages 624–635, 2014.Search in Google Scholar

[33] Lucca Hirschi, David Baelde, and Stéphanie Delaune. A method for verifying privacy-type properties: the unbounded case. In Michael Locasto, Vitaly Shmatikov, and Ulfar Erlingsson, editors, Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P’16).Search in Google Scholar

[34] M. Khan, A. Ahmed, and A. R. Cheema. Vulnerabilities of UMTS Access Domain Security Architecture. In Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2008. SNPD ’08. Ninth ACIS International Conference on, pages 350–355, Aug 2008.Search in Google Scholar

[35] Mohammed Shafiul Alam Khan and Chris J Mitchell. Another look at privacy threats in 3G mobile telephony. In Australasian Conference on Information Security and Privacy, pages 386–396. Springer, 2014.Search in Google Scholar

[36] F. Y. Leu, I. You, Y. L. Huang, K. Yim, and C. R. Dai. Improving security level of LTE authentication and key agreement procedure. In 2012 IEEE Globecom Workshops, pages 1032–1036, Dec 2012.Search in Google Scholar

[37] X. Li and Y. Wang. Security Enhanced Authentication and Key Agreement Protocol for LTE/SAE Network. In Wireless Communications, Networking and Mobile Computing (WiCOM), 2011 7th International Conference on, pages 1–4, Sept 2011.Search in Google Scholar

[38] S. Meier, B. Schmidt, C. Cremers, and D. Basin. The Tamarin Prover for the Symbolic Analysis of Security Protocols. In Proc. 25th International Conference on Computer Aided Verification (CAV’13), volume 8044 of LNCS, pages 696–701. Springer, 2013.Search in Google Scholar

[39] ABM Musa and Jakob Eriksson. Tracking unmodified smart-phones using Wi-Fi monitors. In Proceedings of the 10th ACM conference on embedded network sensor systems, pages 281–294. ACM, 2012.Search in Google Scholar

[40] Piers O’Hanlon, Ravishankar Borgaonkar, and Lucca Hirschi. Mobile subscriber WiFi privacy. In Proceedings of Mobile Security Technologies (MoST’17), held as part of the IEEE Computer Society Security and Privacy Workshops (SPW’17), 2017. To appear.Search in Google Scholar

[41] Open5GCore. Open5GCore – The Next Mobile Core Network Testbed Platform.Search in Google Scholar

[42] OpenAirInterface. History.Search in Google Scholar

[43] Osmocom Project. pySIM: A python tool to program magic SIMs. http://cgit.osmocom.org/pysim/.Search in Google Scholar

[44] PC/SC Workgroup. PC/SC Workgroup Specifications.Search in Google Scholar

[45] Peter Howard. AKA usage in 3GPP.Search in Google Scholar

[46] SecT- TU Berlin. SCAT: Signaling Collection and Analysis Tool.Search in Google Scholar

[47] Altaf Shaik, Jean-Pierre Seifert, Ravishankar Borgaonkar, N. Asokan, and Valtteri Niemi. Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. In 23nd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21-24, 2016.Search in Google Scholar

[48] Sysmocom. sysmoUSIM-SJS1.Search in Google Scholar

[49] Telegraphy. TeliaSonera launches world’s first commercial LTE networks in Sweden and Norway.Search in Google Scholar

[50] Swapnil Udar and Ravishankar Borgaonkar. Understanding IMSI Privacy. https://www.isti.tu-berlin.de/fileadmin/fg214/ravi/Darshak-bh14.pdf.Search in Google Scholar

[51] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI Catchers. Proceedings of the 2015 ACM Conference on Computer and Communications Security -CCS ’15, 2015.Search in Google Scholar

[52] Venturebeat. DEMO: Range Networks rings in cell-phone service for USD 2 a month.Search in Google Scholar

[53] Ben Wojtowicz. OpenLTE. https://sourceforge.net/projects/openlte/.Search in Google Scholar

[54] Muxiang Zhang and Yuguang Fang. Security analysis and enhancements of 3GPP authentication and key agreement protocol. IEEE Transactions on Wireless Communications, 4(2):734–742, March 2005.Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo