T.3 Threat Scenarios
3GPP TS 33.203: 3G Security; Access security for IP-based services
T.3.0 General
To understand what controls are needed to address the security requirements, it is useful to describe some of the threat scenarios.
NOTE: There are many other threats, which are outside the scope of this Annex.
T.3.1 Impersonation on IMS level using the identity of an innocent user
The scenario proceeds as follows:
– Attacker A attaches to GPRS, GGSN allocates IP address, IPA
– Attacker A registers in the IMS using his IMS identity, IDA
– Attacker A sends SIP invite using his own source IP address (IPA) but with the IMS identity of B (IDB).
If the binding between the IP address on the bearer level, and the public and private user identities is not checked then the attacker will succeed, i.e. A pays for IP connectivity but IMS service is fraudulently charged to B. The fraud situation is made worse if IP flow based charging is used to ‘zero rate’ the IP connectivity.
The major problem, however, is that without this binding multiple users within a group "of friends" could sequentially (or possibly simultaneously) share B’s private/public user identities, and thus all get (say) the push-to-talk service with just one of the group paying a monthly subscription. Without protection against this attack, operators could be restricted to IP connectivity based tariffs and, in particular, would be unable to offer bundled tariffs. This is unlikely to provide sufficient flexibility in today’s market place.
T.3.2 IP spoofing
The scenario proceeds as follows:
– User B attaches to GPRS, GGSN allocates IP address, IPB
– User B registers in the IMS using his IMS identity, IDB
– Attacker A sends SIP messages using his own IMS identity (IDA) but with the source IP address of B (IPB)
If the binding between the IP address that the GGSN allocated the UE in the PDP context activation and the source IP address in subsequent packets is not checked then the attacker will succeed, i.e. A pays for IMS service but IP connectivity is fraudulently charged to B. Note that this attack only makes sense for IMS services with outgoing traffic only because the attacker will not receive any incoming packets addressed to the IMS identity that he is impersonating.
T.3.3 Combined threat scenario
The scenario proceeds as follows:
– User B attaches to GPRS, GGSN allocates IP address, IPB
– User B registers in the IMS using his IMS identity, IDB
– Attacker A sends SIP messages using IMS identity (IDB) and source IP address (IPB)
If the bindings mentioned in the scenarios in clauses T.3.1 and T.3.2 are not checked then the attacker will succeed, i.e. A fraudulently charges both IP connectivity and the IMS service to B. Note that this attack only makes sense for IMS services with outgoing traffic only because the attacker will not receive any incoming packets addressed to the IMS identity that he is impersonating.
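The following added example (not part of the specification) models the two binding checks named in T.3.1 and T.3.2 and runs the three scenarios through them, showing that T.3.1 is caught only by the IMS-level binding and T.3.3 only by the bearer-level binding. The class and function names, the PDP context labels, the addresses and the identities are all constructed assumptions, as is the premise that the checker can see which bearer a packet arrived on.

```python
# Added illustration: names, addresses and identities are constructed, not from the specification.
from dataclasses import dataclass

@dataclass(frozen=True)
class SipMessage:
    pdp_context: str   # bearer the packet actually arrived on (assumed visible to the checker)
    src_ip: str        # source IP address claimed in the packet
    ims_identity: str  # IMS identity claimed in the SIP message

class BindingChecker:
    def __init__(self):
        self.allocated = {}   # PDP context -> IP address allocated at PDP context activation
        self.registered = {}  # IMS identity -> IP address seen at IMS registration

    def attach(self, pdp_context, ip):
        self.allocated[pdp_context] = ip

    def register(self, ims_identity, ip):
        self.registered[ims_identity] = ip

    def failed_bindings(self, msg):
        """Return the set of bindings the message violates; empty means accept."""
        failed = set()
        # Bearer-level binding (T.3.2): source IP must be the one allocated to this bearer.
        if self.allocated.get(msg.pdp_context) != msg.src_ip:
            failed.add("bearer")
        # IMS-level binding (T.3.1): claimed identity must be registered from this source IP.
        if self.registered.get(msg.ims_identity) != msg.src_ip:
            failed.add("ims")
        return failed

def run_scenarios():
    IPA, IPB = "192.0.2.10", "192.0.2.20"                # constructed documentation addresses
    IDA, IDB = "sip:a@example.com", "sip:b@example.com"  # constructed identities
    c = BindingChecker()
    c.attach("ctx-A", IPA); c.register(IDA, IPA)
    c.attach("ctx-B", IPB); c.register(IDB, IPB)
    return {
        "legitimate B": c.failed_bindings(SipMessage("ctx-B", IPB, IDB)),
        "T.3.1": c.failed_bindings(SipMessage("ctx-A", IPA, IDB)),
        # T.3.2 also fails the IMS check here only because this model registered IDA from IPA.
        "T.3.2": c.failed_bindings(SipMessage("ctx-A", IPB, IDA)),
        "T.3.3": c.failed_bindings(SipMessage("ctx-A", IPB, IDB)),
    }

if __name__ == "__main__":
    for name, failed in run_scenarios().items():
        print(f"{name}: {'reject ' + str(sorted(failed)) if failed else 'accept'}")
```

Removing either check from `failed_bindings` lets one of the scenarios through: without the IMS-level check T.3.1 is accepted, and without the bearer-level check T.3.3 is accepted.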