L.1 Impersonation of the UE to the BSF during the run of the Ub protocol

3GPP TS 33.220: Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)

This is the main threat to the 2G GBA solution.

1) An attacker (in possession of 2G GBA equipment) could try to perform a man-in-the-middle attack, impersonating a genuine GSM user to the BSF. In this scenario the attacker would be at the client end of the TLS tunnel to the BSF and would send the challenge RAND to the target GSM user in order to obtain SRES and Kc. However, for the attack to be successful, the attacker would also have to find Kc within the runtime allowed for steps 3 to 5 of the protocol over Ub, as specified in Annex I.5.2.
This may be feasible when the terminal of the target GSM user still runs A5/2. A5/2 will be removed from networks by the end of 2006, and will not be present in any 2G GBA enabled terminals. A vulnerability caused by A5/2 would only exist in the case where a GSM user has subscribed to the 2G GBA feature, but uses his SIM in an old terminal with A5/2 enabled while being targeted by the attacker. The practical implications of this remaining vulnerability are expected to be limited, as a user subscribed to 2G GBA will own a Release 7 terminal (2G GBA will be a Release 7 feature), and the likelihood of him inserting his SIM in an old terminal, and of an attacker obtaining this information and exploiting it for a man-in-the-middle attack, may be low in practice. Furthermore, old terminals will gradually disappear.
The attack may also be feasible when the attacker, using a false base station, forces the use of A5/1 on the ME. The attacker may then be able to determine Kc from the (encrypted) CIPHERING MODE COMPLETE message, especially when the fillbits are not random. Note that the fillbits are required to be random from Rel-8 onwards, according to TS 44.006 [46].
The attack may also be feasible when the attacker, using a false base station, forces the use of GEA1 on the ME and is able to determine Kc. Note that the implementation of GEA1 in MEs is forbidden from Rel-12 onwards, according to TS 43.020 [47].

2) SIM cloning: an attacker who is able to find the long-term key Ki of a genuine GSM user is able to fully impersonate him in all contexts, including the 2G GBA one (if this has been subscribed to by the genuine user). The attacker could do this by exploiting weaknesses of A3/A8 as they were found for COMP128, while in possession of the SIM, i.e. the attacker tries to find the long term key K. Even if 2G GBA does not increase the risk of possible A3/A8 breakages, it has to be noted that the COMP128-related issue disappears when more secure A3/A8 algorithms are used. These are available today, cf. "GSM MILENAGE", as specified in TS 55.205 v610. Operators are advised in general to discontinue the use of COMP128.

3) Unauthorized access to SIM needs to be countered by platform security methods. The impacts of a compromised SIM/ME or UICC/ME interface on GAA security are similar in 2G GBA and 3G GBA.