3GPP Release 15: An end to the battle against false base stations?
The fight against false base stations recently took a game-changing turn with 3GPP's Release 15, which delivers several security features that detect and protect against false base stations. Could this be the end of the battle? Read below to find out.
False base station. IMSI catcher. Stingray. Rogue base station. Cell site simulator. All these names describe the same thing: a device that intentionally impersonates a genuine base station, very often as part of some wrongdoing, ranging from unauthorized surveillance to communication sabotage and unsolicited advertising.
The battle against false base stations in 3GPP standardization
The phenomenon has received attention not only at hacker conferences and in the media, but also from network operators and government officials. The threat from false base stations is often overstated. Nevertheless, it needs to be addressed seriously: a trustworthy communication platform must protect subscriber privacy and availability and resist fraud.
Security against false base stations has been developed alongside each generation of mobile networks, and the effort picked up notably for 5G. Now, as the first version of the 5G specification work draws to a close, we examine the adequacy of the measures and assess whether further security enhancements in this area can be expected.
An introduction to false base stations and the security work done on this topic in 3GPP can be found in our earlier blog posts on protecting 5G against IMSI catchers and detecting false base stations in mobile networks.
3GPP is the de facto standards organization for mobile networks. It develops technical specifications and publishes them as so-called 'releases'. Each release provides a set of functionalities that is stable at a given point in time and can be implemented; new functionality and updates are added in later releases.
3GPP Release 15, 3GPP's most recent standard published in 2018, delivered the first set of 5G technical specifications (the first 4G/LTE technical specifications were delivered as 3GPP Release 8 in 2009).
Selected inherited security features of 3GPP Release 15
Release 15 comes with several security features that significantly improve resistance against false base stations. Some of them are new, while others are inherited from earlier generations. Selected security features inherited from earlier generations are:
- Mutual authentication between devices and network: Not only does the network authenticate devices, but devices also authenticate the network. Therefore, it is infeasible for a false base station to impersonate a genuine base station in security-protected messages with devices. Note that this protection starts only once security has been activated: broadcast system information and the first messages of a connection are exchanged before any authentication has taken place.
- Secure algorithm negotiation: The security algorithms used for encryption and integrity protection are negotiated securely (the device's security capabilities are echoed back to it in an integrity-protected message, so tampering in transit is detected). It is therefore infeasible for a false base station to trick the network or devices into using a different security algorithm than intended.
- Integrity-protected signalling: Signalling (control plane) messages between devices and the network are integrity protected once security is activated. This provides protection against rogue or tampered signalling messages from false base stations.
- Retry timers: Various timers are specified for different scenarios in which devices wait and then retry connecting to the network. This mitigates the risk of a false base station keeping devices locked out of the network.
Selected new security features of 3GPP Release 15
3GPP Release 15 is the first release to contain technical specifications for 5G, and it introduces several security features aimed specifically at false base stations. Some of the primary ones are:
- Concealment of the permanent identifier: This feature lets a home operator conceal the Subscription Permanent Identifier (SUPI), whether the subscriber is roaming or not. The device encrypts the SUPI with the home network's public key into a Subscription Concealed Identifier (SUCI), which only the home network can decrypt. When enabled, this makes it infeasible for false base stations to identify or trace subscribers in a 5G-only system. The qualifier matters: a device that falls back to an earlier generation can still be asked for its IMSI there.
- Strict refresh of the temporary identifier: It is mandatory to refresh the 5G Globally Unique Temporary Identifier (5G-GUTI) at initial registration, at mobility registration update and after a network-triggered Service Request (that is, after the device has responded to paging). This makes identifying or tracing subscribers based on the 5G-GUTI impractical.
- Decoupling of the permanent identifier from the paging mechanism: First, there is no longer a paging option based on the SUPI. Second, the calculation of the paging frame index and paging occasions is no longer based on the permanent identifier (in LTE it is derived from the IMSI) and is instead based on the 5G-GUTI. Therefore, it is infeasible for false base stations to use paging messages for identifying or tracing subscribers.
- Integrity protection of user plane traffic: This feature provides a mechanism for the network to require integrity protection of user plane traffic, so that data modification attacks are detected. It is a valuable feature for small data transmissions, particularly from constrained IoT devices.
- Secure radio redirections: It is mandatory to integrity protect the radio resource control (RRC) messages that redirect devices. This makes it infeasible for false base stations to perform rogue redirections.
- False base station detection: A general framework for detecting false base stations has been described. It is based on radio condition information (such as measurement reports) that the network receives from devices. It could be used to make it significantly harder for false base stations to remain stealthy.
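To make the concealment feature concrete, here is an added example (not code from the original post, from Ericsson or from any 3GPP specification) in the shape of the ECIES-based scheme that 5G uses to turn a SUPI into a SUCI, following the structure of Profile A in Annex C of TS 33.501: a fresh X25519 ephemeral key per SUCI, an X9.63 key derivation with SHA-256 giving an AES-128 key, a counter block and a MAC key, AES counter mode over the MSIN digits, and an HMAC-SHA-256 tag truncated to 8 bytes. It is an illustration of the mechanism, not a conformance implementation: the cleartext parts of a real SUCI (MCC/MNC, routing indicator, protection scheme and home network key identifiers) are left out, the MSIN digits and the home network key pair are constructed on the spot, and all function names are the example's own. It needs Go 1.20 or later for crypto/ecdh.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// x963KDF is ANSI X9.63 KDF with SHA-256: SHA-256(Z || counter || sharedInfo) for
// counter = 1, 2, ... concatenated. Z is the X25519 shared secret, sharedInfo the ephemeral public key.
func x963KDF(z, sharedInfo []byte, length int) []byte {
	var out []byte
	for ctr := uint32(1); len(out) < length; ctr++ {
		msg := append(append([]byte{}, z...), byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
		sum := sha256.Sum256(append(msg, sharedInfo...))
		out = append(out, sum[:]...)
	}
	return out[:length]
}

// aesCTR encrypts or decrypts in with AES-128 in counter mode starting at icb.
func aesCTR(key, icb, in []byte) []byte {
	block, _ := aes.NewCipher(key) // 16-byte key: cannot fail
	out := make([]byte, len(in))
	cipher.NewCTR(block, icb).XORKeyStream(out, in)
	return out
}

func tag8(macKey, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(nil)[:8] // HMAC-SHA-256 truncated to 8 bytes
}

// ConcealSUPI runs on the device. The fresh ephemeral key per SUCI is what makes
// two SUCIs of one subscriber unlinkable over the air. Output: ephPub(32) || ct || tag(8).
func ConcealSUPI(hnPub *ecdh.PublicKey, msin []byte) ([]byte, error) {
	ephPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := ephPriv.ECDH(hnPub)
	if err != nil {
		return nil, err
	}
	ephPub := ephPriv.PublicKey().Bytes()
	kd := x963KDF(shared, ephPub, 64) // AES key(16) | ICB(16) | MAC key(32)
	ct := aesCTR(kd[:16], kd[16:32], msin)
	return append(append(ephPub, ct...), tag8(kd[32:], ct)...), nil
}

// DeconcealSUCI runs in the home network, the only holder of the private key; the tag is checked first.
func DeconcealSUCI(hnPriv *ecdh.PrivateKey, suci []byte) ([]byte, error) {
	if len(suci) < 32+8 {
		return nil, fmt.Errorf("SUCI too short: %d bytes", len(suci))
	}
	ephPubBytes, ct, t := suci[:32], suci[32:len(suci)-8], suci[len(suci)-8:]
	ephPub, err := ecdh.X25519().NewPublicKey(ephPubBytes)
	if err != nil {
		return nil, err
	}
	shared, err := hnPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	kd := x963KDF(shared, ephPubBytes, 64)
	if !hmac.Equal(tag8(kd[32:], ct), t) {
		return nil, fmt.Errorf("SUCI integrity check failed")
	}
	return aesCTR(kd[:16], kd[16:32], ct), nil
}

// SelfTest checks the round trip, that two SUCIs of one SUPI differ, and that tampering is caught.
func SelfTest() error {
	hnPriv, err := ecdh.X25519().GenerateKey(rand.Reader) // home network key pair
	if err != nil {
		return err
	}
	msin := []byte("0123456789") // constructed MSIN digits, not a real subscriber
	s1, _ := ConcealSUPI(hnPriv.PublicKey(), msin)
	s2, _ := ConcealSUPI(hnPriv.PublicKey(), msin)
	got, err := DeconcealSUCI(hnPriv, s1)
	if err != nil || string(got) != string(msin) || string(s1) == string(s2) {
		return fmt.Errorf("round trip failed or two SUCIs are linkable: %v", err)
	}
	s1[32] ^= 0x01 // flip one ciphertext bit
	if _, err := DeconcealSUCI(hnPriv, s1); err == nil {
		return fmt.Errorf("tampered SUCI was accepted")
	}
	return nil
}

func main() {
	fmt.Println("SUCI self-test error:", SelfTest())
}
```

Two points the code makes that the bullet only states: every SUCI carries a fresh ephemeral public key, so two registrations of the same subscriber look unrelated to anyone listening on the radio link, and only the home network's private key can undo the concealment, so neither a false base station nor a visited network sees the SUPI in the clear. If the operator configures the null scheme instead of Profile A or B, the SUCI carries the MSIN unencrypted and this protection is gone.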
Networks or devices may, of course, have other security and privacy features that are proprietary and offered in addition to the 3GPP standards.
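The second and third new features in the list above (GUTI refresh and the decoupling of paging from the permanent identifier) are easiest to see in numbers. As an added example, not part of the original post or of any 3GPP specification, the program below applies the paging frame and paging occasion rule from TS 38.304 clause 7.1 (TS 36.304 for LTE has the same shape, without the frame offset) to two kinds of device identity: an IMSI, which never changes, and a 5G-S-TMSI, whose low bits come from the 5G-TMSI part of the 5G-GUTI and change with every refresh. The cell parameters (T, N, Ns), the IMSI and the 5G-TMSI values are constructed for illustration, and the function names are the example's own.

```go
package main

import (
	"fmt"
	"strconv"
)

// PagingConfig holds a cell's paging parameters. The values used below are
// assumed for illustration; a real cell broadcasts them in system information.
type PagingConfig struct {
	T        uint32 // DRX cycle length in radio frames
	N        uint32 // paging frames per DRX cycle (assumed to divide T)
	Ns       uint32 // paging occasions per paging frame
	PFOffset uint32 // paging frame offset (NR only; 0 in LTE)
}

// Slot is where a device listens for paging within the DRX cycle.
type Slot struct {
	PF uint32 // SFN mod T of the paging frame
	Is uint32 // paging occasion index i_s within that frame
}

// PagingSlot applies the TS 38.304 clause 7.1 rule
//   (SFN + PF_offset) mod T = (T div N) * (UE_ID mod N)
//   i_s = floor(UE_ID / N) mod Ns
func PagingSlot(cfg PagingConfig, ueID uint32) Slot {
	base := (cfg.T / cfg.N) * (ueID % cfg.N)
	pf := (base + cfg.T - cfg.PFOffset%cfg.T) % cfg.T
	return Slot{PF: pf, Is: (ueID / cfg.N) % cfg.Ns}
}

// UEIDFromIMSI is the LTE rule (TS 36.304): UE_ID = IMSI mod 1024, the IMSI
// read as a decimal number. The IMSI never changes, so neither does the slot.
func UEIDFromIMSI(imsi string) (uint32, error) {
	v, err := strconv.ParseUint(imsi, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("bad IMSI %q: %w", imsi, err)
	}
	return uint32(v % 1024), nil
}

// Make5GSTMSI assembles the 48-bit 5G-S-TMSI: AMF Set ID (10 bits) |
// AMF Pointer (6 bits) | 5G-TMSI (32 bits), all taken from the 5G-GUTI.
func Make5GSTMSI(amfSetID uint16, amfPointer uint8, tmsi uint32) uint64 {
	return uint64(amfSetID&0x3ff)<<38 | uint64(amfPointer&0x3f)<<32 | uint64(tmsi)
}

// UEIDFrom5GSTMSI is the NR rule (TS 38.304): UE_ID = 5G-S-TMSI mod 1024.
// The low 10 bits come from the 5G-TMSI, which changes with every GUTI refresh.
func UEIDFrom5GSTMSI(s uint64) uint32 {
	return uint32(s % 1024)
}

// DistinctSlots is a passive observer's view: how many different paging slots
// a series of pages for one subscriber used. A single slot across many pages
// is a persistent fingerprint of that subscriber in the cell.
func DistinctSlots(cfg PagingConfig, ueIDs []uint32) int {
	seen := map[Slot]bool{}
	for _, id := range ueIDs {
		seen[PagingSlot(cfg, id)] = true
	}
	return len(seen)
}

func main() {
	cfg := PagingConfig{T: 128, N: 16, Ns: 2} // assumed cell parameters
	// LTE-style: a constructed IMSI (not a real subscriber) paged five times.
	id, err := UEIDFromIMSI("262011234567890")
	if err != nil {
		panic(err)
	}
	fmt.Println("LTE slot", PagingSlot(cfg, id), "distinct over 5 pages:", DistinctSlots(cfg, []uint32{id, id, id, id, id}))
	// 5G: three constructed 5G-TMSIs, one GUTI refresh between each page.
	var ids []uint32
	for _, tmsi := range []uint32{0x1a2b3c4d, 0x5e6f7081, 0x92a3b4c5} {
		ids = append(ids, UEIDFrom5GSTMSI(Make5GSTMSI(1, 2, tmsi)))
	}
	for _, id := range ids {
		fmt.Println("5G slot", PagingSlot(cfg, id))
	}
	fmt.Println("distinct over 3 pages:", DistinctSlots(cfg, ids))
}
```

With a fixed identifier, every page for the subscriber lands in the same slot, so an observer watching the paging channel while pages for that subscriber are delivered obtains a persistent fingerprint even without reading the identifier itself; with a refreshed 5G-GUTI the slot moves along with the identifier. The slot carries only 10 bits, so it never identifies a subscriber by itself, which is why the refresh rules and the removal of SUPI-based paging belong together.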
3GPP Release 16 – an outlook on the topic of false base stations
So, is the battle against false base stations over with Release 15? Release 15 is a great win, but a good warrior never lets their guard down, and therefore 3GPP has continued to look at what could still be improved.
For Release 16, 3GPP has initiated a new study (which you can read here) that aims to proactively investigate the topic of false base stations even further. It should be appreciated that this study by itself does not mean that new security or privacy enhancements are deemed compulsory. It rather means that 3GPP will continue to work on the topic to investigate if, and how, any new enhancement could be introduced.
The study essentially analyzes 'key issues' and 'candidate solutions' in order to reach a conclusion.
A 'key issue' is a potential security or privacy problem related to the topic. It contains a description of the problem, the associated threats, and the corresponding requirements to mitigate those threats. Key issues can be considered sub-studies; by themselves, they do not mean that the problems are substantial, nor that the threats are feasible. Similarly, the requirements proposed for each key issue are potential ones and do not imply that they apply to any technical specification. What key issues provide is an opportunity for interested companies to investigate a particular security or privacy aspect.
A 'candidate solution' addresses one or more key issues and proposes potential security or privacy mechanisms. As with key issues, the term does not mean that the proposed solutions are endorsed or adopted. Candidate solutions are the options that companies consider if and when they develop potential solutions.
Several companies, including Ericsson, contributed initial proposals for this study (read them here). For example, Ericsson made numerous proposals for potential key issues, such as integrity protection and replay protection of System Information (SI), minimizing the effects of rogue REJECT messages, and minimizing the effects of Self-Organizing Networks (SON) poisoning attempts. We also proposed key issues on enhancing the false base station detection framework and on further improving protection against unauthorized traceability attempts. Our proposals also included key issues on support for privacy visibility and service delivery visibility. In order to facilitate a risk-based analysis and to weigh the security and privacy benefits against the complexity, we proposed that key issues and candidate solutions address one or more of the following areas: Denial of Service (DoS) attacks on devices, DoS attacks on the network, rogue services, and attacks on subscriber privacy.
3GPP held the first discussion on the initial proposals from various companies in November 2018. Some proposals were agreed, and the discussion will continue in future meetings. Until it is concluded, this study is continuously documented in the technical report TR 33.809 (read it here).
As the study progresses, the feasibility and impact of the threats, the need for protection mechanisms and the feasibility of those mechanisms will be investigated. This involves exploring and analyzing the proposed key issues and candidate solutions while taking into account security and privacy effects, technical complexity, and commercial considerations. If the technical report concludes that new security and privacy mechanisms are needed and feasible, those mechanisms could result in updates to future versions of the main 5G security technical specification, TS 33.501 (available here).
Ericsson will continue to be active in the study and collaborate with other companies participating in 3GPP.
The battle continues, for now.
Visit our 5G standardization page to read more about the work Ericsson is doing to standardize security of tomorrow's networks.