1. 1 On 3GPP2 Femto Security Anand Palanigounder Qualcomm Inc. apg@qualcomm.com Notice: Contributors grant a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include portions of the contribution; and at the Organization Partner’s sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner’s standards publication. Contributors are also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution. This document has been prepared by the contributors to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on the contributors. Contributors specifically reserve the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of the contributors other than provided in the copyright statement above. ABSTRACT: This contribution provides threat analysis of 3GPP2 femto systems and proposes to create a WG4 Femto security Framework document to address the agreed threats RECOMMENDATION: Review and adopt. S40-20080512-003 3GPP2 TSG-S WG4

2. 2 Background Femto stage 2 architecture work underway in other 3GPP2 WGs (e.g. PDS) WG4 had discussed in the past some –security threats & solutions –security requirements With this contribution, we –identify further security threats in femto systems –propose a way forward to document these threats and consider requirements and measures to mitigate those threats

3. 3 Femto Security reference model ATFemto AP SeGW insecure link Operator’s core network Assumptions: Legacy ATs need to be supported Femto security reference model need to be reusable for any cdma2000 systems (access independent) –e.g. 1xRTT, HRPD, UMB, etc

4. 4 Threat Analysis: Assets & Owners Femto AP –Primarily operator’s asset (similar to macro BS in terms of functionalities) –May be deployed in environments (physically) uncontrolled by operator –Implication: Sensitive information (e.g., any security credentials, etc) at the femto needs protection Operator’s Service Assets (including network infrastructure assets) –Owned by the operator/service provider –Femto APs opens up an access channel to operators secure domain (e.g., core network) –Implication: Access channel needs protection against abuse by attackers User’s data/Identities –Owned by the user –Protection needs to be at least at the same level as in case of macro

5. 5 Threat Analysis: Attackers Femto AP and Operator’s Service Assets –Anyone with physical access to the femto AP or the backhaul link Can be a hacker motivated for fun, service theft or to launch attack on operator’s infrastructure –E.g. denial-of-service, hack into nodes inside operator’s secure domain using a compromised femto AP User’s data and identities A motivated attacker wanting to eavesdrop on user’s traffic Compromise user’s identity/location privacy

6. 6 Threats due to Femto APs (1/2) Compromise of Femto AP credentials –Compromise by physical intrusion to obtain credentials –Moving credentials from one femto AP to another –Cloning of credentials Threats against a Femto APs –Tampering or hacking into it –Loading fraudulent firmware –Femto configuration and management operations vulnerabilities –Femto facilitating masquerading of one user as another user (user plane) –DoS attacks on Femto Software simulation of Femto AP

7. 7 Threats due to Femto APs (2/2) DOS attacks on the core network –Through hacked or simulated Femto APs Service Theft –By manipulating any access control lists –Unauthorized content distribution –Attacks against location or network locking User Data and identity privacy attacks Attacks on Radio resources and management

8. 8 1xRTT-specific Femto threats CAVE Authentication: Global RAND must not be generated by FAP (already agreed by TSG-S WG4) –An attacker listening to the Global RAND OTA can use his hacked femto to obtain the CAVE keys (e.g., SMEKEY, etc) –Mitigation: Global RAND generation should be controlled/verified by a core network entity SSD Update Vulnerabilities –Attack: A compromised SSD used by an attacker to break CAVE authentication –Mitigation: SSDs must not be shared with Femto APs False 1x network (masquerading) attacks –CAVE (CS) /CHAP (PS) are not a mutually authenticating protocol –Mitigation: Does not seem feasible to protect without legacy UE impact neeed replacement of CAVE/CHAP with a mutually authenticating protocol e.g, AKA (legacy UE impact) NOTE: Whether any of the above threats are applicable to agreed 1xRTT femto architecture is FFS

9. 9 HRPD-specific Threats HRPD AN authentication –HRPD AN CHAP Shared Secret must not be shared with Femto AP – i.e., local AAA (if any) at the Femto AP –Mitigation: AN-AAA must be in the operator’s secure domain PDSN Authentication –If PPP Authentication terminates at the Femto AP, then PPP CHAP Secret must not be shared with Femto AP –Similar requirements also apply to any Mobile IP/Simple IP authentication False HRPD network (masquerading) attacks –CHAP is not mutually authenticating protocol –Mitigation: Not feasible to protect without legacy UE impact NOTE: Whether any of the above threats are applicable to agreed HRPD femto architecture is FFS

10. 10 Proposal Start a Femto Security Framework document in WG4 to capture: –Agreed security threats & their related requirements –Study and document security architecture and mechanism(s) to mitigate them – such as, –Femto authentication –Tunnel establishment procedures –etc WG4 agrees on a reference architecture model – that is independent of access system for Security Framework specification purposes WG4 Discuss the threats identified in this contribution and decide on the validity of the threats –agreed threats needs to be captured so as to not loose them (e.g., in an informative Annex)