Field of Invention
The disclosed invention generally relates to a system and method for detecting a malicious man-in-the-middle attack in a 3G cellular network, an attack that is typically used to listen in on a cellular phone call. The system of the invention is deployed within the mobile operator's 3G cellular core network together with a network probe, and can therefore detect many such attacks simultaneously. The system does not require any special application on the user's mobile device.
Discussion of Related Art
A base-station-like apparatus can be used for man-in-the-middle attacks in cellular networks to capture the identities of mobile stations, to locate them, and to listen to and record their communications. In 2G networks (such as GSM networks), such an attack is possible simply because base stations (BS) are not required to authenticate themselves towards the cell phones to which they provide service; authentication is one-way, from the mobile station to the network. While networks migrate from 2G to 3G (such as the Universal Mobile Telecommunications System, UMTS), the two technologies co-exist and interoperate. In order to facilitate a smooth transition to 3G, cellular networks allow subscribers to roam from 3G to 2G, and vice versa, depending on the availability of 3G in their vicinity. In this way subscribers stay connected independent of which technology is available.
In both 2G and 3G networks, authentication is carried out between the mobile station and the Mobile Switching Center (MSC). In 2G networks, encryption is carried out between the mobile station and the base station (BS), while in 3G networks encryption reaches further into the backbone network, up to the Radio Network Controller (RNC), which is located between the BS and the MSC. Note that on the network side, all BSs are connected to MSCs. 2G MSCs support only 2G authentication methods, while 3G MSCs support both 2G and 3G authentication methods to provide interoperability. Similarly, 2G base stations support 2G encryption methods, and 3G base stations support 3G encryption, as defined by the standards organizations. Only 2G base stations can connect to 2G MSCs, whereas both 2G and 3G base stations can connect to 3G MSCs. The different combinations of mobile station, BS and MSC with 2G or 3G support lead to different authentication and encryption scenarios, all intended to keep mobile stations connected while they roam across networks with different technology support.
2G networks are vulnerable to a man-in-the-middle attack because they allow an attacker to pose as a base station towards a victim mobile station and, at the same time, as a mobile station towards a real BS. To mount this attack, the attacker forces the victim mobile station to re-connect to the fake 2G base station by broadcasting the Cell Number (or cell ID) of the subscriber's home network. A mobile station in stand-by mode always connects to the base station from which it receives the strongest signal, and hence to the fake base station when that signal is the strongest. The attacker can thus make the mobile station connect to itself, bypassing any real base stations that are present. After setting up the connection to the victim mobile station, the fake base station poses as a mobile station towards the network by re-sending the identity information it obtained from the victim. In the subsequent authentication process, the attacker simply forwards the authentication traffic between the victim mobile station and the real network; since the network authenticates only the mobile station and never the base station, this relay goes unnoticed. By sending false information about its encryption capabilities to the network, the attacker (fake base station) can disable encryption between itself and the network. By simply instructing the mobile station to turn off encryption, the attacker can also disable encryption between the mobile station and the fake base station. This attack not only allows the attacker to eavesdrop on the communications between the mobile station and the network but also to insert and modify traffic. In the rest of this document we call the fake base station an International Mobile Subscriber Identity catcher, or simply ‘IMSI-catcher’.
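To make the message flow above concrete, the following Python model is an added example constructed for this edit; it is not code from the patent or from any operator equipment. It reduces the 2G exchange to three steps (identity, challenge-response authentication, cipher mode selection), replaces the GSM A3 algorithm with an HMAC stand-in, and carries messages as plain dictionaries. The IMSI, the key Ki, and all class and function names are assumptions made for the illustration; A5/0 (no ciphering) and A5/1 are real GSM algorithm identifiers.

```python
import hashlib
import hmac
import os

A5_0 = "A5/0"  # GSM algorithm identifier meaning "no ciphering"
A5_1 = "A5/1"  # a real GSM stream cipher


def sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for GSM A3 (assumption): 32-bit SRES derived from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


class MobileStation:
    """Victim phone: it proves its own identity but never authenticates the BS."""

    def __init__(self, imsi: str, ki: bytes, ciphers: list):
        self.imsi, self.ki, self.ciphers = imsi, ki, list(ciphers)
        self.cipher_in_use = None

    def identity_response(self) -> dict:
        # Sent to whichever BS the phone camped on, real or fake.
        return {"imsi": self.imsi, "classmark": list(self.ciphers)}

    def authentication_response(self, rand: bytes) -> dict:
        return {"sres": sres(self.ki, rand)}

    def cipher_mode_command(self, algo: str) -> None:
        # 2G: the phone cannot tell who chose the algorithm, and A5/0 is always accepted.
        if algo != A5_0 and algo not in self.ciphers:
            raise ValueError(f"unsupported cipher {algo}")
        self.cipher_in_use = algo


class Network:
    """MSC side: challenge-response authentication, then cipher selection."""

    def __init__(self, subscribers: dict):
        self.subscribers = subscribers      # IMSI -> Ki, as held by the HLR/AuC
        self.sessions = {}

    def handle_identity(self, msg: dict) -> bytes:
        rand = os.urandom(16)
        self.sessions[msg["imsi"]] = {
            "rand": rand, "classmark": list(msg["classmark"]),
            "authenticated": False, "cipher": None,
        }
        return rand                         # AUTHENTICATION REQUEST carries RAND

    def handle_authentication(self, imsi: str, msg: dict) -> str:
        s = self.sessions[imsi]
        expected = sres(self.subscribers[imsi], s["rand"])
        if not hmac.compare_digest(expected, msg["sres"]):
            raise PermissionError("authentication failed")
        s["authenticated"] = True
        # The classmark is not authenticated: the MSC trusts whatever it received.
        s["cipher"] = A5_1 if A5_1 in s["classmark"] else A5_0
        return s["cipher"]                  # CIPHER MODE COMMAND


def legitimate_attach(ms: MobileStation, net: Network) -> dict:
    """Normal case: a real BS relays messages unchanged and A5/1 ends up in use."""
    rand = net.handle_identity(ms.identity_response())
    algo = net.handle_authentication(ms.imsi, ms.authentication_response(rand))
    ms.cipher_mode_command(algo)
    return {"authenticated": net.sessions[ms.imsi]["authenticated"],
            "network_leg": algo, "phone_leg": ms.cipher_in_use}


def imsi_catcher_attach(ms: MobileStation, net: Network) -> dict:
    """Attacker relays the authentication and turns ciphering off on both legs."""
    ident = ms.identity_response()           # fake BS: identity caught here
    caught = ident["imsi"]
    ident["classmark"] = [A5_0]              # fake MS: claim no ciphering support
    rand = net.handle_identity(ident)        # real network challenges the "MS"
    auth = ms.authentication_response(rand)  # victim answers the forwarded RAND
    net_algo = net.handle_authentication(caught, auth)  # passes; A5/0 selected
    ms.cipher_mode_command(A5_0)             # fake BS orders the victim to stop ciphering
    return {
        "caught_imsi": caught,
        "authenticated": net.sessions[caught]["authenticated"],
        "network_leg": net_algo,
        "phone_leg": ms.cipher_in_use,
        "classmark_seen_by_network": net.sessions[caught]["classmark"],
    }


# Constructed test subscriber (assumed values, not real credentials).
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
IMSI = "001010123456789"


def demo() -> tuple:
    normal = legitimate_attach(MobileStation(IMSI, KI, [A5_1]), Network({IMSI: KI}))
    attacked = imsi_catcher_attach(MobileStation(IMSI, KI, [A5_1]), Network({IMSI: KI}))
    return normal, attacked


if __name__ == "__main__":
    print(demo())
```

In the attacked run the network's authentication succeeds, because the victim's own SRES is relayed, yet both radio legs end up on A5/0 while the phone believes it is talking to its home network. The downgraded classmark and the resulting A5/0 selection are part of the signalling the MSC itself processes, which is what makes this kind of attack observable from the network side at all.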
Embodiments of the present invention are an improvement over prior art systems and methods.