Long Term Evolution (LTE) is a communication network technology currently under development by the 3rd Generation Partnership Project (3GPP). LTE requires a new radio access technique termed Evolved Universal Terrestrial Radio Access Network (E-UTRAN), which is designed to improve network capacity, reduce latency in the network, and consequently improve the end-user's experience. System Architecture Evolution (SAE) is the core network architecture for LTE communication networks.
Referring to FIG. 1, the LTE/SAE architecture includes a Mobility Management Entity (MME) 1, which is responsible for control signalling. An SAE Gateway (SAE-GW) 2 is responsible for the user data. The SAE-GW 2 consists of two different parts, namely a Serving Gateway that routes user data packets, and a PDN Gateway that provides connectivity between a user device and an external data network. These nodes are described in detail in 3GPP Technical Specification (TS) 23.401. All these nodes are interconnected by an IP network. Further nodes are the eNodeBs (eNBs) 3, 4, which act as base stations in the network and communicate with terminals (UEs) 5, 6. There are three major protocols and interfaces between these node types. These are S1-MME (between the eNBs 3, 4 and the MME 1), S1-U (between the eNBs 3, 4 and the SAE-GW 2, or more correctly between the eNBs 3, 4 and the Serving Gateway), and X2 (between eNBs 3, 4). The corresponding protocols used in these interfaces are S1AP (S1 Application Protocol) and X2AP (X2 Application Protocol). All these protocols and interfaces are IP-based. In addition, the network may contain other nodes that are part of the above interface, for example a Home eNodeB Gateway (HeNB GW) between a HeNB and rest of the nodes in the network. The MME is often located in the core network and the eNBs are often located in the radio access network.
The LTE system provides confidentiality and integrity protection for data transmitted between the network and a terminal. These security services are provided by the use of ciphering and integrity protection algorithms. Such algorithms are jointly described hereinafter as security algorithms. For ciphering and integrity protection to work in LTE, the network and the terminal must use the same security algorithms to process the data. The processing using the security algorithms is carried out by the MMEs and the eNBs.
WO 2009/120122 describes a system for enabling the LTE network and a terminal to negotiate security algorithms to use for protecting their communication. This idea was later adopted by the LTE specifications and is included in TS 33.401.
FIG. 2 illustrates part of the security algorithm negotiation described in more detail in TS 33.401. The network elements correspond to those shown in FIG. 1.
The terminal, or the User Equipment (UE) 5 as it is called in TS 33.401, supports a particular set of security algorithms, which can be referred as the UE security capabilities. When the UE 5 registers with an MME 1, for example as part of an Attach procedure or a Tracking Area Update procedure, the UE informs the MME about its UE security capabilities. This is done in a secure fashion so that the MME can be sure that the UE security capabilities it has received are correct. The MME can thus trust the received information. In FIG. 2 the first Attach message S201 represents this step.
When the UE 5 connects to a source eNB3, the MME 1 informs the source eNB 3 about the UE security capabilities for the UE 5. This is done using a UE CONTEXT SETUP message S202. The source eNB 3 uses this information to select, in step S203, which security algorithms to use when it communicates with the UE 5. For example, the source eNB would of course only select a security algorithm if it is present in the UE security capabilities. Once the source eNB has made its choice, it informs the UE about the selection using a Security Mode Command S204. After this, the UE and the source eNB can communicate securely using the selected security algorithms.
If the UE 5 is handed over from the source eNB 3 to a target eNB 4 using an X2-handover procedure, the source eNB 3 forwards the UE security capabilities it received from the MME to the target eNB 4 in a HANDOVER REQUEST message S205. The target eNB 4 then selects, in step S206, which security algorithms to use when communicating with the UE based on the received UE security capabilities. The target eNB 4 sends a HANDOVER COMMAND message S207 to the UE 5, which includes details of the security algorithms selected. The UE 5 activates the selected security algorithms in step S208 based on the information provided in the HANDOVER COMMAND message, and the same security algorithms are activated by the target eNB 4 in step S209.
After this, the target eNB 4 sends a PATH SWITCH REQUEST message S210 to the MME 1, which returns an acknowledgement message S211. The PATH SWITCH REQUEST message S210 includes details of the UE security capabilities received by the target eNB 4 from the source eNB 3. This enables the MME 1 to compare the UE security capabilities received in the PATH SWITCH REQUEST S210 with the UE security capabilities received in the Attach message S201 when the UE 5 first registered with the MME 1. Any difference raises the possibility that a security downgrade attack has taken place, and it may then be appropriate for the MME 1 to raise an alarm.
One example of a security downgrade attack, as envisaged when the mechanism described above was designed, is that an attacker could break into the source eNB 3. The source eNB 3 could then remove the strongest security algorithms (or even all security algorithms) from the UE security capabilities after they have been received from the MME 1 in step S22. When the X2 handover S25 occurs, the target eNB 4 would receive the modified UE security capabilities from the source eNB 3, but since the UE security capabilities no longer include any strong security algorithms, the target eNB 4 is forced to make a less secure choice in identifying the strongest security algorithm it has in common with the UE 5.
The negotiation described above (and specified in TS 33.401) has a shortcoming. Even though the MME 1 will detect the downgrading attack, the system does not recover from the attack until the UE 5 goes to IDLE state or until the UE 5 carries out an S1 handover. A UE that stays connected for a longer period will therefore be a victim of the attack at the source eNB 3 even after an X2 handover to the target eNB 4. Even though the network has detected the attack, the effect remains despite the fact that the UE is now connected to an honest and non-compromised eNB.
Examples of such situations when a UE stays connected for long periods include a user listening to streaming internet radio or watching streaming video. This can be quite common. Furthermore, the user may have other data sessions, in addition to the streaming video or radio, which could be eavesdropped on by the attacker.
In addition, current discussions in 3GPP involve the use of direct X2 interfaces between two Home eNBs and between Home eNBs and regular macro eNBs. The problem described may therefore become more widespread.
It is commonly known that customer premises equipment are broken into by hackers and security hobbyists. There are examples of hackers breaking into UMTS home base stations. It is quite probable that similar attacks will be possible against particular implementations of home base stations in LTE (Home eNBs).
If a Home eNB that is connected with a direct interface to a macro eNB is compromised, (e.g. by its hosting party using similar techniques used against UMTS home base stations), then the attacker could easily carry out the downgrade attack described above for any UE connected to his Home eNB. When the subscriber then moves into the macro network via a direct interface handover, the attacker can listen to the radio of the victim, and the downgrade attack results in the transmission of all the data in clear text or encrypted with a weak security algorithm that the attacker can break.
This is the same type of attack as described above, but the home eNB aspect shows that a compromise of a base station is more likely here. The attacker can also work uninterrupted in his own home.
In addition to the security implications described above, a further problem with the existing arrangements relates to upgrading of security algorithms in nodes of the network. When a new security algorithm is introduced in the specifications, it cannot always be assumed that it will be implemented in all nodes in the network at once. For example, the MME 1 may implement the new algorithms whereas the source eNB 3 to which the UE 5 connects does not. This is not a problem. The MME 1 informs the source eNB 3 in step S22 of the security capabilities of the UE 5. If these are better than those supported by the eNB 3, the source eNB 3 will just ignore the extra algorithms.
The problem arises when the source eNB 3 forwards the UE security capabilities to the target eNB 4. Even though the source eNB 3 is not compromised, in step S203 it re-codes the UE security capability information (received from the MME in step S202) to a different format. This is necessary because the protocol used between the MME 1 and eNB 3 is different to that used between two eNBs. As a result, the source eNB 3 ignores the information that the UE supports the new security algorithm, and does not include this information when sending the UE security capability information to the target eNB 4 in step S205. So, even if the target eNB 4 has been upgraded and supports the new security algorithm, it will not receive the information that the UE 5 also supports the new algorithm, and the new algorithm will not be used by the target eNB 4.
So just as described above when an attack has taken place, the system will not self heal until an S1 handover occurs or the UE goes to IDLE state. And, as previously discussed, this may take a considerable time.
This also leads to a further problem. After each X2-handover the target eNB 4 reports the UE security capability information to the MME 1 in step S210, and the MME 1 will find that it does not match the UE security capability information received from the UE 5 at registration (step S201). The MME 1 will take some action, for example raising an alarm, and continue repeating the action specified every time the report is received from a target eNB. In other words, the fact that a target eNB 4 has been upgraded but a source eNB 3 has not will result in the alarm being raised every time a handover of this type takes place, whether or not there has been a security breach.
Effectively, therefore, eNBs that have not been upgraded with the new algorithm will prevent eNBs that have been upgraded from using the best possible algorithm.