The UMTS/LTE/3G Project

This wiki is writeable for everyone. Add what you know. Delete what is wrong.

This JUST started! It is in the information-gathering phase. Enjoy.

1. About

The goal is to gather information on how UMTS/3G works. The focus is on receiving/sending UMTS/3G traffic and on assessing (and maybe cracking) the security implemented in UMTS.

2. TODO

  1. Documentation of how UMTS works (encoding, modulation, encryption, security)
  2. Documentation of how Ki keys are generated. How does the PRNG work? How is it seeded?
  3. Documentation/manuals for base stations
  4. Documentation of how LTE works

3. Receiver

  1. USRP might be possible.
  2. Reference boards / Target boards from Texas Instruments? Are they available to the public? Can we get a partnership with them? Anyone who has a contact there?

3.1. Wireless 3g 4 free

Software based demodulation and decoding exists: http://www.wireless3g4free.com/. Can we use the USRP with this software?

Wireless3g4free Source code:

3.2. Tektronix

Link: Tektronix K1297-G35 Protocol Analyzer

Test equipment. It can analyze and script protocols. Is this a NodeB or a UE?
We need more documentation on how to script/modify the protocol.

4. Various Ideas (security)

4.1. UMTS encoding and modulation

Uses CDMA technology, not TDMA like GSM.
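The code-division idea in one runnable piece: every user spreads each data bit with its own orthogonal code, all users transmit at the same time on the same carrier, and the receiver recovers one user by correlating with that user's code. This is an added example written for this page, not project code; the Hadamard (Walsh) construction is the standard one, while the sample bit streams and the spreading factor of 4 are constructed for illustration.

```python
def walsh_codes(n):
    """Hadamard matrix of order n (a power of two). Each row is an orthogonal
    spreading code of spreading factor n, the kind UMTS uses as channelisation codes."""
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


def spread(bits, code):
    """Multiply every data bit (+1/-1) by the whole code: one bit becomes SF chips."""
    return [b * c for b in bits for c in code]


def shared_channel(users, codes):
    """Sum the chip streams of all users. In CDMA they are on the air at the same
    time on the same frequency, unlike the GSM time-slot schedule."""
    streams = [spread(bits, codes[idx]) for idx, bits in users.items()]
    return [sum(chips) for chips in zip(*streams)]


def despread(chips, code):
    """Correlate the received chip stream with one code, one symbol at a time.
    Returns the normalised correlation per symbol: +1/-1 for the code that was
    used, 0 for a code that nobody transmitted with (orthogonality)."""
    sf = len(code)
    out = []
    for i in range(0, len(chips), sf):
        corr = sum(ch * c for ch, c in zip(chips[i:i + sf], code))
        out.append(corr // sf)  # exact because the codes are orthogonal
    return out


if __name__ == "__main__":
    codes = walsh_codes(4)
    # Constructed sample data: two users, three bits each, codes 1 and 2.
    users = {1: [1, -1, 1], 2: [-1, -1, 1]}
    air = shared_channel(users, codes)
    for idx in (1, 2, 3):
        print("code", idx, "->", despread(air, codes[idx]))
```

With spreading factor 4 the two users' chip streams add to a single stream of values in -2..2; despreading with code 1 or 2 returns that user's bits exactly, and despreading with the unused code 3 returns zeros.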

4.2. UMTS security

Authentication is done using Milenage (which uses AES at its core).

- The network sends additional data to authenticate itself -> it is not possible to fake a base station unless an operator key and the Ki of the connecting SIM card are known.

Encryption is done using the Kasumi block cipher (also called A5/3).

Each signalling packet carries a signature from the phone that travels with the packet all the way to the MSC inside the operator network. This makes man-in-the-middle attacks harder.
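The two points above (the network authenticating itself to the phone, and the per-message signature keyed from the same run) in one runnable model of the UMTS AKA exchange from TS 33.102. This is an added example, not code from the wiki or from 3GPP: the real f1..f5 are the AES-based Milenage functions and the real signalling MAC (f9) is Kasumi-based, so here each is replaced by a labelled HMAC-SHA256 stand-in so the block runs with the standard library only; the field widths and the order of checks follow the spec, while K, RAND, AMF and the FRESH value are constructed sample values.

```python
import hashlib
import hmac

# Field widths from TS 33.102: SQN 48 bit, AMF 16 bit, MAC-A 64 bit, AK 48 bit,
# RES 64 bit (32..128 allowed), CK and IK 128 bit each.
AMF = b"\x80\x00"  # constructed AMF value, not an operator setting


def _f(tag, k, *parts, n):
    """Stand-in for the Milenage functions: a domain-separated HMAC-SHA256
    truncated to n bytes. The real f1..f5 are AES-based (TS 35.206)."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf):  # MAC-A: authenticates the network to the USIM
    return _f(b"f1", k, rand, sqn, amf, n=8)


def f2(k, rand):  # RES / XRES: authenticates the USIM to the network
    return _f(b"f2", k, rand, n=8)


def f3(k, rand):  # CK: cipher key (fed to f8 / Kasumi in the real system)
    return _f(b"f3", k, rand, n=16)


def f4(k, rand):  # IK: integrity key (fed to f9 in the real system)
    return _f(b"f4", k, rand, n=16)


def f5(k, rand):  # AK: anonymity key that hides SQN on the air interface
    return _f(b"f5", k, rand, n=6)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def generate_auth_vector(k, sqn_he, rand):
    """HLR/AuC side: one authentication vector for the challenge RAND."""
    mac_a = f1(k, rand, sqn_he, AMF)
    autn = xor(sqn_he, f5(k, rand)) + AMF + mac_a  # AUTN = SQN^AK || AMF || MAC-A
    return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
            "IK": f4(k, rand), "AUTN": autn}


class USIM:
    """UE side: holds the shared key K and the highest SQN accepted so far."""

    def __init__(self, k, sqn_ms=0):
        self.k = k
        self.sqn_ms = sqn_ms

    def authenticate(self, rand, autn):
        sqn_xor_ak, amf, mac_a = autn[:6], autn[6:8], autn[8:16]
        sqn = xor(sqn_xor_ak, f5(self.k, rand))
        # Step 1: network authentication. A base station that does not hold K
        # cannot produce a MAC-A that verifies, so the USIM rejects it here.
        if not hmac.compare_digest(mac_a, f1(self.k, rand, sqn, amf)):
            return None, "MAC failure"
        # Step 2: freshness. A replayed (RAND, AUTN) carries an old SQN and is
        # rejected; the real USIM answers with an AUTS resynchronisation token.
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_ms:
            return None, "synchronisation failure"
        self.sqn_ms = sqn_int
        return {"RES": f2(self.k, rand), "CK": f3(self.k, rand),
                "IK": f4(self.k, rand)}, "ok"


def run_aka(usim, k_net, sqn_he, rand):
    """Full exchange: AuC builds the vector, USIM checks AUTN, network checks RES."""
    av = generate_auth_vector(k_net, sqn_he, rand)
    result, status = usim.authenticate(av["RAND"], av["AUTN"])
    if result is None:
        return status
    return "ok" if hmac.compare_digest(result["RES"], av["XRES"]) else "RES mismatch"


def mac_i(ik, count_i, fresh, direction, message):
    """Stand-in for f9 (Kasumi-based UIA1 in the real system): the 32-bit MAC-I
    carried on each signalling message, keyed with IK from the AKA run."""
    data = count_i.to_bytes(4, "big") + fresh + bytes([direction]) + message
    return hmac.new(ik, b"f9" + data, hashlib.sha256).digest()[:4]


if __name__ == "__main__":
    # Constructed sample values, not real SIM material.
    K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    RAND = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")
    usim = USIM(K)
    print(run_aka(usim, K, (1).to_bytes(6, "big"), RAND))          # ok
    print(run_aka(usim, K, (1).to_bytes(6, "big"), RAND))          # synchronisation failure
    print(run_aka(usim, bytes(16), (2).to_bytes(6, "big"), RAND))  # MAC failure
```

The order of the checks is the security-relevant part: the USIM verifies MAC-A before it answers anything, so a network that cannot compute f1 under the subscriber's K never gets a RES, and the SQN comparison stops an eavesdropper from replaying an old, genuine challenge. The MAC-I at the end is computed from IK, which only exists on both sides after a successful run, which is why a relay in the middle cannot re-sign modified signalling.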

4.3. Attacking the PRNG

Obvious attack vector, but no information is available yet on how the PRNG works.

4.4. Fallback attacks

Would require an active attack: trick the handset into connecting only to a GSM network, i.e. somehow scramble the existing 3G network or attack where there is no 3G coverage. Fallback to 2G GSM happens. Vulnerable.

4.5. 64-bit key

http://www.mail-archive.com/cryptography@wasabisystems.com/msg02841.html mentions that the A5/3 key is 64 bits for the foreseeable future. Can anyone confirm this?

5. LTE

LTE is Enhanced UMTS.

Download: LTE.pdf
Download: LTE Technical Overview.pdf

6. Links

  1. UMTS-Security Mechanisms

  2. Info on UMTS Algorithms