Vulnerabilities of UMTS Access Domain Security Architecture

Abstract

This paper presents vulnerabilities of UMTS access domain security architecture. The security architecture of UMTS offers some protection against known threats including false base station attacks, man-in-the-middle attacks and replay attacks. The system also successfully ensures user data confidentiality and signaling data integrity. However, a few novel vulnerabilities have been identified in this paper. It has been shown that modification of unprotected initial messages prior to the security mode command may result in DoS and man-in-the-middle attacks. Non-integrity protection of rrcConnectionReject message can also be exploited to launch DoS attack. Clear transmission of IMSI on some occasions is a violation of user identity/location confidentiality and user traceability. This exposed IMSI can be exploited for new attacks.