C.2 Threats

3GPP TS 33.222, Release 17: Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)

The usage scenarios described in clause A.1 are susceptible to five serious threats:

Threat 1: The ME downloads a web page from an attacker, and the page contains JavaScript which requests all NAF-specific keys that the attacker is interested in.

Threat 2: The ME uses a public access point that is controlled by the attacker, i.e., a classic man-in-the-middle attack. When the ME requests the login page from the service provider, the attacker, who controls the DNS, sends back a rogue login web page. This rogue login page has JavaScript that is able to extract any NAF-specific authentication token of the service provider and send it back to the attacker.

Threat 3: It is possible for any third party on the internet connection to eavesdrop on the B-TID and the NAF-specific authentication token, and impersonate the user as long as the B-TID has not expired.

Threat 4: If an attacker gets hold of the authentication token Ks_js_NAF, then he can utilize it to attack the communication between the web browser and the NAF.

Threat 5: ME downloads a web page from an attacker that has JavaScript which repeatedly triggers GBA re-bootstrapping to be performed. This can have the effect that the malicious web page can coordinate a distributed DoS attack against the BSF/HSS.
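The checks that Threats 1 to 3 and Threat 5 call for on the ME side can be sketched as follows. This is an added example, not text or code from TS 33.222; `GbaKeyGate`, its methods, the host names and the rate limits are hypothetical, and the browser is assumed to have validated the page's TLS certificate before the gate runs.

```javascript
// Added illustration, not from TS 33.222. GbaKeyGate and its methods are
// hypothetical names; limits and host names are constructed values.
class GbaKeyGate {
  constructor({ perOrigin = 2, perDevice = 5, windowMs = 60000, now = Date.now } = {}) {
    Object.assign(this, { perOrigin, perDevice, windowMs, now });
    this.grants = []; // { origin, ts } for each re-bootstrap that was allowed
  }

  // Threats 1 and 2: release a NAF-specific key only to a page whose host
  // is the NAF the key is derived for. Threat 3: refuse plaintext pages so
  // the token is not exposed on the connection.
  checkKeyRequest(pageUrl, nafFqdn) {
    let url;
    try { url = new URL(pageUrl); } catch { return "deny:invalid-url"; }
    if (url.protocol !== "https:") return "deny:not-https";
    if (url.hostname !== String(nafFqdn).toLowerCase()) return "deny:naf-mismatch";
    return "allow";
  }

  // Threat 5: bound re-bootstrapping per origin and per device within a
  // sliding window, so a page cannot make this ME flood the BSF/HSS.
  checkRebootstrap(pageUrl) {
    let origin;
    try { origin = new URL(pageUrl).origin; } catch { return "deny:invalid-url"; }
    const t = this.now();
    this.grants = this.grants.filter((g) => t - g.ts < this.windowMs);
    const fromOrigin = this.grants.filter((g) => g.origin === origin).length;
    if (fromOrigin >= this.perOrigin) return "deny:origin-rate";
    if (this.grants.length >= this.perDevice) return "deny:device-rate";
    this.grants.push({ origin, ts: t });
    return "allow";
  }
}

// Constructed sample requests.
const gate = new GbaKeyGate();
for (const [page, naf] of [
  ["https://naf.operator.example/login", "naf.operator.example"],
  ["https://other.example/page", "naf.operator.example"],
  ["http://naf.operator.example/login", "naf.operator.example"],
]) {
  console.log(page, "->", gate.checkKeyRequest(page, naf));
}
```

The per-device limit matters because a page can spread its requests over many origins; a denied request should be logged with its origin so that repeated triggers are visible.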