CAPEC-606: Weakening of Cellular Encryption
An attacker, with control of a Cellular Rogue Base Station or through cooperation with a Malicious Mobile Network Operator can force the mobile device (e.g., the retransmission device) to use no encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode).
Last updated
Overview
CAPEC-606 (Weakening of Cellular Encryption) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- Cellular devices that allow negotiating security modes to facilitate backwards compatibility and roaming on legacy networks.
Skills required
- Medium skill: Adversaries can purchase and implement rogue BTS stations at a cost effective rate, and can push a mobile device to downgrade to a non-secure cellular protocol like 2G over GSM or CDMA.
Consequences
What a successful CAPEC-606 attack can achieve.
Other
Affects: Confidentiality
Tracking, Network Reconnaissance
How to mitigate it
Defenses that reduce the risk of CAPEC-606.
- Use of hardened baseband firmware on retransmission device to detect and prevent the use of weak cellular encryption.
- Monitor cellular RF interface to detect the usage of weaker-than-expected cellular encryption.