Distribution of 3G and 4G authentication vectors across roaming interfaces

In this talk, we explain how 3G and 4G authentication vectors are distributed over roaming interfaces. Authentication vectors are generated by the HLR / HSS and distributed to serving networks, so that these can authenticate the subscribers attaching to them. Not all authentication vectors are equal, however: a 4G vector is bound to, and valid only in, the visited PLMN, whereas a 3G vector can be used to attach the corresponding subscriber to any PLMN. In principle, this PLMN binding was defined in the LTE specifications to make the delivery of 4G authentication vectors more secure, giving operators more control over where vectors distributed over roaming interfaces can be used. We will see that this is unfortunately not the case in practice, with concrete examples of how 3G and 4G authentication vectors are commonly distributed without much security consideration.

When UMTS (3G) networks were specified by the 3GPP in the late 1990s, the authentication procedure evolved to provide mutual authentication between the subscriber and the serving network. This, together with the mandatory integrity protection of signaling, was a great security improvement. It made interception and man-in-the-middle attacks (e.g. with a fake base station) much harder in 3G than in 2G: to mount such an attack in 3G, an attacker must obtain genuine authentication vectors from the home PLMN of the targeted subscriber, and therefore needs access to a roaming hub or roaming service. With the way mobile networks have evolved since, it has become easier and easier for many kinds of businesses and services to get access to such roaming interfaces: mobile operators, MVNOs, roaming service providers, carriers… and IMSI-catcher providers too. This “interconnect jungle” has become a known weakness, enabling top-of-the-line IMSI-catcher operators to perform 3G interception thanks to their access to roaming services.

When LTE was specified, the authentication procedure was slightly enhanced to bind the authentication vector to the serving network’s PLMN, so that a vector delivered by the HSS for a subscriber can only be used in that PLMN. This is done by deriving Kasme, the LTE master session key, from the keys {Ck, Ik} produced by the authentication algorithm (typically Milenage), with the PLMN code of the visited network fed into the derivation. In addition, the most significant bit of the AMF field of the AUTN value within the authentication vector (the “separation bit”) is set to 1, whereas it must be 0 for a standard 3G authentication vector. When a handset attaches to an LTE network, it checks that this MSB of the AMF is set to 1 (otherwise it rejects the authentication with an AUTHENTICATION FAILURE) and derives Kasme from {Ck, Ik} using the PLMN code broadcast by the eNodeB and used in the NAS signaling. In this way, the PLMN binding is enforced on the subscriber side: a vector derived for one PLMN yields a different Kasme at the handset if it is replayed in a cell broadcasting another PLMN, and the NAS security mode procedure fails. This enhancement was meant to give each home operator more control over how it delivers 4G authentication vectors to its roaming partners, and thereby to protect subscribers against 4G interception and fake base-station attacks. In principle, a home operator should be able to check, for each Diameter AIR request reaching its HSS, that the MCC/MNC code of the requesting network (from the originating host and realm and the IP source address of the request) is consistent with the PLMN code for which the authentication vector is requested. In principle…
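The derivation and the handset-side check described above, as an added example (this is not code from the talk): a Python sketch of the Kasme derivation of TS 33.401 Annex A.2 and of the AMF separation-bit check, followed by the replay scenario a rogue cell faces. All key material (CK, IK, SQN xor AK, MAC) is constructed for the demo; RAND, XRES and the Milenage MAC verification are left out, so the example starts from the point where Milenage has already produced {Ck, Ik}. The function names are hypothetical.

```python
"""PLMN binding of 4G (EPS) authentication vectors, after TS 33.401 Annex A.2.

Added illustration: all key material below is constructed for the demo, not real.
"""
import hashlib
import hmac

FC_KASME = b"\x10"  # function code of the KASME derivation (TS 33.401 A.2)

# Constructed sample material (what Milenage would have produced for one RAND).
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SQN_XOR_AK = bytes.fromhex("0123456789ab")
MAC = bytes.fromhex("deadbeefcafef00d")
AUTN_3G = SQN_XOR_AK + b"\x00\x00" + MAC  # AMF separation bit = 0: a UMTS vector


def encode_plmn(mcc, mnc):
    """3-octet SN id: MCC2|MCC1, MNC3|MCC3, MNC2|MNC1 (MNC3 nibble = 0xF for 2-digit MNC)."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("PLMN is 3 MCC digits plus 2 or 3 MNC digits")
    d = [int(c) for c in mcc + mnc]
    mnc3 = d[5] if len(mnc) == 3 else 0xF
    return bytes([(d[1] << 4) | d[0], (mnc3 << 4) | d[2], (d[4] << 4) | d[3]])


def derive_kasme(ck, ik, sqn_xor_ak, mcc, mnc):
    """KASME = HMAC-SHA-256(CK||IK, FC || SN id || 0x0003 || SQN xor AK || 0x0006)."""
    if len(ck) != 16 or len(ik) != 16 or len(sqn_xor_ak) != 6:
        raise ValueError("CK and IK are 16 bytes, SQN xor AK is 6 bytes")
    s = FC_KASME + encode_plmn(mcc, mnc) + b"\x00\x03" + sqn_xor_ak + b"\x00\x06"
    return hmac.new(ck + ik, s, hashlib.sha256).digest()


def split_autn(autn):
    """AUTN = (SQN xor AK)[6 octets] || AMF[2 octets] || MAC[8 octets]."""
    if len(autn) != 16:
        raise ValueError("AUTN is 16 octets")
    return autn[:6], autn[6:8], autn[8:]


def separation_bit(amf):
    """The AMF 'separation bit' is bit 0 in 3GPP numbering, i.e. the MSB of the first octet."""
    return amf[0] >> 7


def hss_build_eps_av(ck, ik, sqn_xor_ak, mac, visited_mcc, visited_mnc):
    """HSS side: the AUTN and KASME of an EPS AV for the PLMN named in the AIR.
    RAND, XRES and the Milenage MAC computation are outside this example (MAC is given)."""
    autn = sqn_xor_ak + b"\x80\x00" + mac  # AMF with the separation bit set
    return {"autn": autn, "kasme": derive_kasme(ck, ik, sqn_xor_ak, visited_mcc, visited_mnc)}


def ue_eps_aka(ck, ik, autn, serving_mcc, serving_mnc):
    """UE side once Milenage has yielded CK/IK (MAC and SQN checks assumed to have passed).
    Returns KASME, or None where a real UE answers AUTHENTICATION FAILURE with cause #26
    'non-EPS authentication unacceptable' because the separation bit is 0."""
    sqn_xor_ak, amf, _mac = split_autn(autn)
    if separation_bit(amf) != 1:
        return None
    return derive_kasme(ck, ik, sqn_xor_ak, serving_mcc, serving_mnc)


def rogue_cell_gets_matching_keys(av, ck, ik, broadcast_mcc, broadcast_mnc):
    """A rogue eNodeB/MME replays an AV obtained over a roaming interface. NAS security mode
    can only complete if the KASME the HSS derived equals the one the UE derives from the
    PLMN the rogue cell broadcasts (the UE's CK/IK are passed in to stand for its own run)."""
    kasme_ue = ue_eps_aka(ck, ik, av["autn"], broadcast_mcc, broadcast_mnc)
    return kasme_ue is not None and hmac.compare_digest(kasme_ue, av["kasme"])


if __name__ == "__main__":
    av = hss_build_eps_av(CK, IK, SQN_XOR_AK, MAC, "234", "30")  # AV bound to PLMN 234/30
    print("AV for 234/30 replayed under 234/15:", rogue_cell_gets_matching_keys(av, CK, IK, "234", "15"))
    print("AV for 234/30 replayed under 234/30:", rogue_cell_gets_matching_keys(av, CK, IK, "234", "30"))
    print("UMTS vector accepted by an LTE UE:", ue_eps_aka(CK, IK, AUTN_3G, "234", "30") is not None)
```

The last function is the whole point of the binding: a vector the HSS derived for 234/30 is useless in a cell that broadcasts 234/15, so the attacker needs a vector requested for the very PLMN its rogue cell impersonates, which is exactly what the next paragraph shows is obtainable over roaming interfaces.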

Real-world roaming interconnect data shows that those nice principles are really hard to enforce! The way 3G and 4G authentication vectors are distributed is much rougher than one would expect. For instance, when observing SS7 interconnect traffic and authentication vector delivery, 1 to 5% of the 3G vectors have the MSB of their AMF set to 1, which should never be the case according to the 3GPP specifications. On the other hand, the MAP extensions defined to transport 4G authentication vectors properly are almost never used. On the Diameter interconnect side, one often observes mismatches between the Diameter originating host and realm and the PLMN for which an authentication vector is requested. Certain roaming scenarios and business cases even foster this situation. The consequences are real in terms of security: over roaming interfaces, attackers can get 4G authentication vectors for almost any PLMN, which lets them run 4G interception and fake base stations in the same way as they already do for 3G.

Mobile operators can still take some actions to protect their subscribers against 4G fake base-station attacks, such as:

  • never sending a 3G authentication vector with the MSB of the AMF set to 1
  • never sending a 4G authentication vector for their own PLMN over a roaming interface

More generally, operators should monitor the origin of SS7 and Diameter authentication vector requests and correlate it with their subscribers’ current location; this is, however, much more complex than the first two actions!
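The observations above (3G vectors with the separation bit set, Diameter origin/PLMN mismatches) and the two simple actions just listed can be turned into checks on a home operator’s own roaming traffic. As an added example, not code from the talk, here is a Python audit over constructed records: a simplified view of Diameter S6a AIR requests (Origin-Realm, Visited-PLMN-Id) and of authentication vectors returned in MAP SendAuthenticationInfo results. The home PLMN 234/15, the record layout and the alert names are assumptions for the demo, not any vendor’s log format.

```python
"""Operator-side checks on authentication-vector traffic over roaming interfaces.

Added illustration over constructed records: a simplified view of Diameter S6a AIR
requests (Origin-Realm, Visited-PLMN-Id) and of vectors returned in MAP
SendAuthenticationInfo results, not any vendor's log format.
"""
import re

HOME_PLMN = ("234", "15")  # hypothetical home operator for the demo

# EPC roaming realm layout from TS 23.003: epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org,
# where MNC is always written with three digits (2-digit MNCs get a leading 0).
REALM_RE = re.compile(r"^epc\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


def decode_plmn(b):
    """Decode a 3-octet PLMN id (Visited-PLMN-Id AVP): MCC2|MCC1, MNC3|MCC3, MNC2|MNC1."""
    if len(b) != 3:
        raise ValueError("PLMN id is 3 octets")
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}"
    if (b[1] >> 4) != 0xF:  # an MNC3 nibble of 0xF means a 2-digit MNC
        mnc += str(b[1] >> 4)
    return mcc, mnc


def same_plmn(a, b):
    """Compare (mcc, mnc) pairs numerically, since realm MNCs are zero-padded to 3 digits.
    Caveat: MNC '15' and a true 3-digit MNC '015' collide, as they do in the realm itself."""
    return a[0] == b[0] and int(a[1]) == int(b[1])


def audit_air(req):
    """Checks on one AIR as seen at the home HSS or Diameter edge agent."""
    alerts = []
    visited = decode_plmn(bytes.fromhex(req["visited_plmn_id"]))
    m = REALM_RE.match(req["origin_realm"])
    if m is None:
        alerts.append("ORIGIN_REALM_NOT_3GPP_EPC")
    elif not same_plmn((m.group(2), m.group(1)), visited):
        alerts.append("ORIGIN_REALM_VISITED_PLMN_MISMATCH")
    if same_plmn(visited, HOME_PLMN):  # a partner never needs an EPS AV for our own PLMN
        alerts.append("EPS_AV_FOR_HOME_PLMN_OVER_ROAMING")
    return alerts


def audit_map_av(av):
    """Separation-bit consistency of one vector in a MAP SendAuthenticationInfo result.
    A UMTS vector must carry AMF separation bit 0; an EPS vector must carry 1."""
    amf = bytes.fromhex(av["autn"])[6:8]  # AUTN = SQN^AK[6] || AMF[2] || MAC[8]
    sep = amf[0] >> 7
    if av["kind"] == "3G" and sep == 1:
        return ["UMTS_AV_WITH_SEPARATION_BIT_SET"]
    if av["kind"] == "4G" and sep == 0:
        return ["EPS_AV_WITHOUT_SEPARATION_BIT"]
    return []


def run_audit(airs, avs):
    """Run both audits; also report the share of UMTS vectors wrongly marked as EPS."""
    air_alerts = [audit_air(r) for r in airs]
    av_alerts = [audit_map_av(a) for a in avs]
    n_3g = sum(1 for a in avs if a["kind"] == "3G")
    bad_3g = sum(1 for a, al in zip(avs, av_alerts) if a["kind"] == "3G" and al)
    return {"air": air_alerts, "map": av_alerts,
            "umts_av_sep_bit_ratio": bad_3g / n_3g if n_3g else 0.0}


# Constructed sample records.
SAMPLE_AIRS = [
    {"origin_realm": "epc.mnc030.mcc234.3gppnetwork.org", "visited_plmn_id": "32f403"},  # consistent
    {"origin_realm": "epc.mnc030.mcc234.3gppnetwork.org", "visited_plmn_id": "32f451"},  # asks for home PLMN
    {"origin_realm": "epc.mnc410.mcc310.3gppnetwork.org", "visited_plmn_id": "130014"},  # 3-digit MNC, consistent
    {"origin_realm": "epc.mnc410.mcc310.3gppnetwork.org", "visited_plmn_id": "32f403"},  # realm/PLMN mismatch
    {"origin_realm": "hub.example", "visited_plmn_id": "32f403"},                          # non-PLMN realm
]
SAMPLE_MAP_AVS = [
    {"kind": "3G", "autn": "0123456789ab" "0000" "deadbeefcafef00d"},
    {"kind": "3G", "autn": "0123456789ab" "8000" "deadbeefcafef00d"},  # UMTS AV with separation bit set
    {"kind": "4G", "autn": "0123456789ab" "8000" "deadbeefcafef00d"},
    {"kind": "3G", "autn": "0123456789ab" "0000" "deadbeefcafef00d"},
]

if __name__ == "__main__":
    for k, v in run_audit(SAMPLE_AIRS, SAMPLE_MAP_AVS).items():
        print(k, v)
```

Run on real traffic, these two audits only use what a single request or result carries; the third action from the talk, correlating the request origin with the subscriber’s current location, additionally needs the HLR/HSS location state joined in, which is what makes it the harder one.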

About the Speaker