Questioning the Feasibility of UMTS-GSM Interworking Attacks

Recently, Ahmadian and Salimi [1] presented and analyzed three different attacks that can be performed in UMTS-GSM interworking networks: (i) a real-time eavesdropping attack, (ii) an offline eavesdropping attack, and (iii) an impersonation attack. In this letter we question the feasibility of these attacks. In particular, we pinpoint and analyze that these attacks are based on some erroneous and misleading assumptions that the authors have made regarding the security functionality of the UMTS-GSM interworking networks. Based on this analysis, we deduce that these three attacks cannot be performed. Overall, three different attacks, which exploit new identified security weaknesses are presented in [1] targeting UMTS-GSM interworking networks. All attacks are performed in two steps. For the better understanding of the presented notions in this letter, we briefly outline these attacks highlighting the specific erroneous and misleading assumptions. ATTACK 1: Real time eavesdropping (see Figure 1) In step 1 of this attack, the adversary performs a man in the middle attack in the GSM-AKA procedure to obtain the session key Kc of GSM-AKA. In step 2, MS executes a UMTS-AKA with a valid 3G VLR/SGSN via a BTS of GSM. STEP 1: The adversary mounts a man in the middle attack in GSM-AKA PHASE 1: IMSI catching (the adversary impersonates a BTS of GMS) 1. The victim MS connects and sends its security capabilities to a false BTS of GSM (ASSUMPTION 3). The false BTS is under the adversary's control. 2. The adversary sends a user identity request message to the victim MS. 3. MS responses with its permanent identity (IMSI) and the adversary disconnects from MS. PHASE 2: Obtaining RAND and AUTN (in this phase the adversary impersonates the victim MS)