In unlicensed mobile access architecture, a mobile station uses unlicensed radio technology, such as wireless LAN (WLAN) or Bluetooth, to communicate with an unlicensed mobile access network. In such an arrangement, the unlicensed mobile access network replaces the Global System for Mobile Communication Base Station Subsystem (GSM BSS) used in the conventional Global System for Mobile Communication (GSM) arrangement. The interface between the mobile station and the unlicensed mobile access network uses Internet Protocol, at least partly run over unlicensed radio technology, and a new unlicensed radio resource protocol.
In a typical unlicensed mobile access deployment, the mobile station communicates with a WLAN access point that is connected to a broadband Internet connection. Since untrusted networks may be used in the connection between the mobile station and the unlicensed mobile access network, sufficient security features must be provided.
Therefore, in the unlicensed mobile access architecture, the unlicensed mobile access network authenticates the subscriber before any unlicensed radio resources signaling or higher-layer messages, such as Mobility Management, can be sent from the mobile station to the unlicensed mobile access network. The unlicensed mobile access network may authenticate a subscriber on a mobile station by using preexisting authentication methods, such as passwords, certificates or SIM cards. The signaling traffic between the mobile station and the unlicensed mobile access network is encrypted and integrity protected using, for example, IPsec or Transport Layer Security protocols. Optionally, user plane traffic may also be protected using either IPsec or Secure Real-time Transport Protocol.
After the subscriber is authenticated with the unlicensed mobile access network, the subscriber is then authenticated to the Core Network in the unlicensed mobile access architecture. To ensure that the Core Network is authenticating the right subscriber, the Core Network sends a challenge (RAND) to the mobile station. The mobile station uses a subscriber identity module (SIM) card to calculate a response (SRES) and an encryption key (Kc). The mobile station sends the response to the Core Network and if the response is correct, the Core Network activates encryption by sending a “BSSMAP Cipher Mode Command” message to the unlicensed mobile access network. The Cipher Mode Command message includes a list of permitted algorithms and the encryption key. Unlike the GSM arrangement where the BSS selects a suitable algorithm form the Cipher Mode Command message and commands the mobile station to start encryption by sending the selected algorithm to the mobile station, in the unlicensed mobile access architecture, the connection between the mobile station and the unlicensed mobile access network is already encrypted and the algorithms contained in the BSSMAP Cipher Mode Command message are not suitable for IPsec or TLS encryption used between the Mobile Station and the unlicensed mobile access network. Therefore, the unlicensed mobile access network uses neither the algorithm nor the key from the BSSMAP Cipher Mode Command message. Nevertheless, the unlicensed mobile access network forwards the list of algorithms in the Cipher Mode Command to the mobile station and the mobile station stores the parameters and key for later use when performing handover to a GSM network.
The authentication procedure used in the unlicensed mobile access architecture does not ensure that the identity that is authenticated to the unlicensed mobile access network is the same identity that is authenticated to the Core Network. This permits “a man-in-the-middle” attack wherein an attacker who has a valid subscription can, for instance, make calls that get billed to other subscribers.
FIG. 1 illustrates how a subscriber with a valid subscription can perform a man-in-the-middle attack. In Step 1010, the subscriber connects to the unlicensed mobile access network and the unlicensed mobile access network authenticates the subscriber and establishes a secure channel. In Step 1020, unlicensed radio resources signaling is established between the mobile station and the unlicensed mobile access network. In Step 1030, the subscriber requests service with a message that contains the International Mobile Subscribe Identity (IMSI) or the Temporary Mobile Subscriber Identity (TMSI) identifying the subscriber to the Core Network. However, in this step, the subscriber performing the man-in-the-middle attack includes an IMSI or TMSI of another unsuspecting subscriber. In Step 1040, the unlicensed mobile access network forwards the request message to the Core Network without examining the contents of the request message. In Step 1050, in response to the request message, the Core Network sends an authentication request to the mobile station. In Step 1060, when the subscriber receives the request message, instead of calculating the response to the authentication request by using the subscriber's SIM or USIM, the subscriber pretends to be a BSS in a GSM network and forwards the authentication request to the other unsuspecting subscriber. The other unsuspecting subscriber uses its SIM card to calculate a response to the authentication request and sends the response to the subscriber that is pretending to be a BSS. If UMTS protocols are used, an additional “AUTN” parameter is sent by the Core Network and verified by the other unsuspecting subscriber. However, the AUTN parameter does not prevent the man-in-the-middle attack. Upon receiving the response from the other unsuspecting subscriber, the subscriber performing the man-in-the-middle attack forwards the response with the other subscriber's SIM to the unlicensed mobile access network, in Step 1070. In Step 1080, the unlicensed mobile access network forwards the response to the Core Network without examining the contents of the response. In Step 1090, the Core Network verifies the response, which is correct because the other unsuspecting subscriber is a valid subscriber, and sends the BSSMAP Cipher Mode Command message to the unlicensed mobile access network. Since the unlicensed mobile access network does not use the algorithms or key supplied by the Core Network in the Cipher Mode Command message, the unlicensed mobile access network simply forwards the list of permitted algorithms to the subscriber. In Steps 1100, URR Ciphering Mode is completed between the mobile station and the unlicensed mobile access network. In Step 1010, BSSMAP Cipher Mode Command is completed between the unlicensed mobile access network and the Core Network.
After the Cipher Mode setting has been completed with the other subscriber's information, the subscriber is then able to perform normal Mobility Management and Call Control signaling when setting up a call. This causes the Core Network to use the other subscriber's IMSI or TMSI for billing purposes.