On the (In)Security of 4G - Part VII: Understanding the Initial Attachment Procedure
LTE Security - UE Attach Procedure
Having gone (again) through the architectural properties of the Long Term Evolution (LTE) infrastructure, we can now take a first look at security, beginning with the attach procedure.
Every User Equipment (UE) has to go through this procedure to identify itself to the LTE network. First we show a picture of the entire process and then discuss it in depth (in TS 23.401 this process is described on pages 130 - 146).
There are still a few entities we have not described before, so we start there:
- Serving GPRS Support Node (SGSN): Part of the GPRS core network, allowing 2G, 3G mobile networks to transmit IP packets to the Internet.
- General Packet Radio Service (GPRS): Packet oriented mobile data standard on 2G and 3G based GSM cellular network communication.
- Equipment Identity Register (EIR): Responsible for checking whether an International Mobile Equipment Identity (IMEI) is blacklisted.
Initial Attach Procedure - Step 1
“If the UE can proceed to attach, it initiates the Attach procedure by the transmission, to the eNodeB, of an Attach Request […] message together with Radio Resource Control (RRC) parameters indicating the Selected Network and the old Globally Unique Mobility Management Entity (MME) Identifier (GUMMEI).” [Source] In other words: The ATTACH REQUEST is carried in a Non Access Stratum (NAS) message and contains, among other information about the UE, the International Mobile Subscriber Identity (IMSI) and cryptographic parameters.
Initial Attach Procedure - Step 2
“The eNodeB derives the MME address from the RRC parameters carrying the old GUMMEI, the indicated Selected Network and the Radio Access Technology (RAT). If that MME is not associated with the eNodeB or the old GUMMEI is not available, the eNodeB selects an MME as described in clause 4.3.8.3 on “MME selection function”. The eNodeB forwards the Attach Request message in a S1-MME control message (Initial UE message)” [Source] In other words: The eNB forwards the ATTACH REQUEST to the MME, together with information about the cell to which the UE has connected.
Initial Attach Procedure - Step 3
“If the UE identifies itself with Globally Unique Temporary Identity (GUTI) and the MME has changed since detach, the new MME determines the type of the old node, i.e. MME or SGSN, as specified in clause 4.3.19, uses the GUTI received from the UE to derive the old MME/SGSN address, and sends an Identification Request (old GUTI, complete Attach Request message) to the old MME/SGSN to request the IMSI. If the request is sent to an old MME, the old MME first verifies the Attach Request message by NAS MAC and then responds with Identification Response (IMSI, MM Context).” [Source] In other words: If the UE has moved from an old MME to a new one, the new MME asks the old node for the UE's identity.
Initial Attach Procedure - Step 4
“If the UE is unknown in both the old MME/SGSN and new MME, the new MME sends an Identity Request to the UE to request the IMSI. The UE responds with Identity Response (IMSI).” [Source] In other words: If no MME knows the identity of the UE, the IMSI has to be requested from the UE itself, which could be problematic for security, since at this point no NAS security has been set up yet.
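Whether an attach exposes the permanent subscriber identity comes down to which identity the UE puts on the air, so as an added example (not code from the original post) here is a small decoder for the EPS Mobile Identity information element carried in an Attach Request or Identity Response. It follows the octet layout of TS 24.301 (which reuses the TS 24.008 Mobile Identity) and classifies the identity as IMSI or GUTI; the sample byte strings are constructed values for the test PLMN 001/01, not captured traffic.

```python
"""Decode the EPS Mobile Identity IE (TS 24.301 9.9.3.12, same octet layout as
the TS 24.008 Mobile Identity) to see which identity a UE presents at attach.
Added example, not code from the original post. The byte strings in the demo
are constructed values (test PLMN 001/01), not captured traffic."""

IDENTITY_TYPES = {0b001: "IMSI", 0b110: "GUTI"}


def decode_eps_mobile_identity(ie: bytes) -> dict:
    """ie = length octet followed by the identity octets (LV format)."""
    if len(ie) < 2:
        raise ValueError("IE too short")
    length = ie[0]
    body = ie[1:1 + length]
    if len(body) != length:
        raise ValueError("length octet does not match IE payload")
    # Octet 2: bits 8-5 = first digit (or 1111), bit 4 = odd/even, bits 3-1 = type
    id_type = body[0] & 0x07
    odd_digits = bool(body[0] & 0x08)
    kind = IDENTITY_TYPES.get(id_type)
    if kind == "IMSI":
        # BCD digits: first digit in the high nibble of octet 2, then each
        # following octet carries two digits, low nibble first.
        digits = [body[0] >> 4]
        for octet in body[1:]:
            digits.append(octet & 0x0F)
            digits.append(octet >> 4)
        if not odd_digits:
            digits.pop()  # even digit count: the last high nibble is filler 1111
        return {"type": "IMSI", "imsi": "".join(str(d) for d in digits)}
    if kind == "GUTI":
        if length != 11:
            raise ValueError("GUTI identity must be 11 octets")
        # Octets 3-5: MCC digit2|digit1, MNC digit3|MCC digit3, MNC digit2|digit1
        mcc = f"{body[1] & 0x0F}{body[1] >> 4}{body[2] & 0x0F}"
        mnc = f"{body[3] & 0x0F}{body[3] >> 4}"
        if (body[2] >> 4) != 0xF:          # three-digit MNC
            mnc += str(body[2] >> 4)
        return {
            "type": "GUTI",
            "mcc": mcc,
            "mnc": mnc,
            "mme_group_id": int.from_bytes(body[4:6], "big"),
            "mme_code": body[6],
            "m_tmsi": int.from_bytes(body[7:11], "big"),
        }
    return {"type": f"unknown({id_type:03b})"}


def exposes_permanent_identity(ie: bytes) -> bool:
    """True when the IE carries the IMSI, i.e. the permanent subscriber identity
    is on the air; at attach time that happens before NAS security exists."""
    return decode_eps_mobile_identity(ie)["type"] == "IMSI"


# Constructed samples: IMSI 001010123456789 and a GUTI for PLMN 001/01,
# MME group 1, MME code 2, M-TMSI 0xC0FFEE01.
SAMPLE_IMSI_IE = bytes([8, 0x09, 0x10, 0x10, 0x10, 0x32, 0x54, 0x76, 0x98])
SAMPLE_GUTI_IE = bytes([11, 0xF6, 0x00, 0xF1, 0x10, 0x00, 0x01, 0x02,
                        0xC0, 0xFF, 0xEE, 0x01])

if __name__ == "__main__":
    for name, ie in (("IMSI", SAMPLE_IMSI_IE), ("GUTI", SAMPLE_GUTI_IE)):
        print(name, decode_eps_mobile_identity(ie),
              "permanent identity exposed:", exposes_permanent_identity(ie))
```

A monitoring setup that sees the S1-MME link can count how often `exposes_permanent_identity` is true per cell; a rate well above the expected share of first attaches is worth investigating.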
Initial Attach Procedure - Step 5
a) “If no UE context for the UE exists anywhere in the network, if the Attach Request (sent in step 1) was not integrity protected, or if the check of the integrity failed, then authentication and NAS security setup to activate integrity protection and NAS ciphering are mandatory. Otherwise it is optional.” [Source] Important: “After step 5a, all NAS messages shall be protected by the NAS security functions (integrity and ciphering) indicated by the MME” [Source] In other words: This is the juice!!! We will describe step 5a) in depth later!
b) 1. “The IMEI Software Version (IMEISV) shall be retrieved from the UE. The ME identity shall be transferred encrypted unless the UE performs Emergency Attach or Random Line-Of-Sight (RLOS) Attach and cannot be authenticated.” [Source] In other words: An ID is asked for from the UE by the network. And Emergency Attach or RLOS seem to be juicy things!
b) 2. “The MME may send the ME Identity Check Request (ME Identity, IMSI) to the EIR. The EIR shall respond with ME Identity Check Ack (Result). Dependent upon the Result, the MME decides whether to continue with this Attach procedure or to reject the UE.” [Source] In other words: The identity of the UE is checked by the EIR and here the MME can either proceed or tear down the connection. (Denial of Service seems possible by forcing the ME ID check to fail all the time? How about blacklisting your best friend on the EIR here? That seems like fun!)
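To make the branching in steps 3 to 5 concrete, here is an added example (not code from the original post or from any 3GPP implementation) that models the decisions the MME takes when an Attach Request arrives: when the old node is asked for the IMSI, when the IMSI has to cross the air unprotected, when authentication and NAS security setup are mandatory rather than optional, and when the EIR result ends the attach. The `AttachSituation` fields are assumptions summarising what the MME knows at that moment, and the four sample situations are constructed.

```python
"""Model of the MME decisions in steps 3 to 5b of the Initial Attach procedure
(TS 23.401 5.3.2.1), written as an added example for this post, not code from
the original or from any 3GPP implementation. The AttachSituation fields are
assumptions that summarise what the MME knows when the Attach Request arrives."""
from dataclasses import dataclass, field


@dataclass
class AttachSituation:
    identity_type: str            # "IMSI" or "GUTI" in the Attach Request
    mme_changed: bool             # old GUTI points at a different MME/SGSN
    old_node_knows_ue: bool       # step 3: Identification Response succeeds
    new_mme_knows_ue: bool        # UE context already present in this MME
    integrity_protected: bool     # Attach Request carried a NAS-MAC
    integrity_ok: bool            # ... and that NAS-MAC verified
    eir_result: str = "ok"        # constructed EIR Result: "ok" or "blacklisted"


@dataclass
class AttachDecision:
    actions: list = field(default_factory=list)
    imsi_sent_unprotected: bool = False   # permanent identity crossed the air
    auth_and_nas_smc_mandatory: bool = False
    rejected: bool = False


def mme_steps_3_to_5(s: AttachSituation) -> AttachDecision:
    d = AttachDecision()
    context_somewhere = s.new_mme_knows_ue

    # Step 3: GUTI from a different MME -> ask the old node for the IMSI.
    if s.identity_type == "GUTI" and s.mme_changed:
        d.actions.append("Identification Request -> old MME/SGSN")
        context_somewhere = context_somewhere or s.old_node_knows_ue

    # Step 1 / step 4: the IMSI travels in the clear either because the UE
    # put it in the Attach Request or because nobody can resolve the GUTI.
    if s.identity_type == "IMSI":
        d.imsi_sent_unprotected = True
    elif not context_somewhere:
        d.actions.append("Identity Request -> UE (IMSI)")
        d.imsi_sent_unprotected = True

    # Step 5a: authentication + NAS security setup is mandatory unless a
    # context exists AND the request was integrity protected AND verified.
    d.auth_and_nas_smc_mandatory = (
        not context_somewhere or not s.integrity_protected or not s.integrity_ok
    )
    d.actions.append("Authentication + NAS SMC (mandatory)"
                     if d.auth_and_nas_smc_mandatory
                     else "Authentication + NAS SMC (optional)")

    # Step 5b: ME identity check; a blacklisted IMEI ends the attach here.
    d.actions.append("ME Identity Check Request -> EIR")
    if s.eir_result == "blacklisted":
        d.actions.append("Attach Reject (ME identity blacklisted)")
        d.rejected = True
    return d


# Constructed situations covering the branches the post highlights.
FIRST_ATTACH = AttachSituation("IMSI", False, False, False, False, False)
KNOWN_UE_SAME_MME = AttachSituation("GUTI", False, False, True, True, True)
UNRESOLVABLE_GUTI = AttachSituation("GUTI", True, False, False, True, False)
BLACKLISTED_IMEI = AttachSituation("GUTI", False, False, True, True, True, "blacklisted")

if __name__ == "__main__":
    for name in ("FIRST_ATTACH", "KNOWN_UE_SAME_MME",
                 "UNRESOLVABLE_GUTI", "BLACKLISTED_IMEI"):
        print(name, mme_steps_3_to_5(globals()[name]))
```

The point to take from the model: only the `KNOWN_UE_SAME_MME` path keeps the IMSI off the air and lets the MME skip re-authentication; every path on which the GUTI cannot be resolved falls back to the permanent identity before any NAS protection exists.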
Initial Attach Procedure - Step 6
Optional: “Ciphered Options i.e. Protocol Configuration Options (PCO) or Access Point Name (APN) or both, [can] now be retrieved from the UE.” [Source]
Initial Attach Procedure - Step 7
“If there are active bearer contexts in the new MME for this particular UE, the new MME deletes these bearer contexts by sending Delete Session Request (Link Bearer Identity (LBI)) messages to the Gateway (GW)s involved.” [Source] In other words: Stale sessions are deleted (e.g. when a previous connection to that MME was not completed and its bearer contexts are still cached).
Initial Attach Procedure - Step 8
“If the MME has changed since the last detach, or if there is no valid subscription context for the UE in the MME, or if the UE provides an IMSI or the UE provides an old GUTI which doesn’t refer to a valid context in the MME, or for some network sharing scenario (e.g. Gateway Core Network (GWCN)) if the Public Land Mobile Network (PLMN)-ID of the Temporary Tracking Area Identity (TAI) supplied by the eNodeB is different from that of the GUTI in the UE’s context, the MME sends an Update Location Request […] message to the HSS.” [Source]
Initial Attach Procedure - Step 9
“The HSS sends Cancel Location (IMSI, Cancellation Type) to the old MME. The old MME acknowledges with Cancel Location Ack (IMSI) and removes the Mobility Management (MM) and bearer contexts.” [Source]
Initial Attach Procedure - Step 10
“If there are active bearer contexts in the old MME/SGSN for this particular UE, the old MME/SGSN deletes these bearer contexts by sending Delete Session Request (LBI) messages to the GWs involved.” [Source]
Initial Attach Procedure - Step 11
“The HSS acknowledges the Update Location message by sending an Update Location Ack (IMSI, Subscription data) message to the new MME.” [Source]
Initial Attach Procedure - Step 12
“If a subscribed Packet Data Network (PDN) address is allocated for the UE for this APN, the PDN subscription context contains the UE’s IPv4 address and/or the IPv6 prefix and optionally the PDN GW identity. If the PDN subscription context contains a subscribed IPv4 address and/or IPv6 prefix, the MME indicates it in the PDN address. For Request Type indicating “Initial request”, if the UE does not provide an APN, the MME shall use the PDN GW corresponding to the default APN for default bearer activation. If the UE provides an APN, this APN shall be employed for default bearer activation. For Request Type indicating “Handover”, if the UE provides an APN, the MME shall use the PDN GW corresponding to the provided APN for default bearer activation, If the UE does not provide an APN, and the subscription context from HSS contains a PDN GW identity corresponding to the default APN, the MME shall use the PDN GW corresponding to the default APN for default bearer activation.” [Source] In other words: The MME selects the PDN GW (and, if subscribed, the UE's IP address) based on the APN provided by the UE or the default APN from the subscription.
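The selection rules in step 12 read more easily as a function, so here is an added example (not code from the original post or from any network vendor) that picks the APN, the PDN GW identity and the subscribed PDN address for the default bearer from the Request Type, the APN the UE supplied and the HSS subscription data. The subscription dictionary and its PDN GW names are constructed.

```python
"""Step 12 of Initial Attach: which PDN GW (and PDN address) the MME uses for
the default bearer, from the Request Type, the APN the UE supplied and the
HSS subscription data. Added example for this post, not code from the original
or from any network vendor; the subscription dictionary below is constructed."""


def select_pdn_gw_for_default_bearer(request_type, ue_apn, subscription):
    """subscription = {"default_apn": str, "pdn_contexts": {apn: {...}}}.
    Each PDN context may carry 'pdn_gw', 'ipv4' and/or 'ipv6_prefix'.
    Returns (apn, pdn_gw_or_None, pdn_address dict)."""
    contexts = subscription["pdn_contexts"]
    default_apn = subscription["default_apn"]

    if request_type == "Initial request":
        # No APN from the UE -> PDN GW of the default APN; else the UE's APN.
        apn = ue_apn if ue_apn else default_apn
    elif request_type == "Handover":
        if ue_apn:
            apn = ue_apn
        elif "pdn_gw" in contexts.get(default_apn, {}):
            apn = default_apn
        else:
            raise ValueError("Handover without APN and no PDN GW for default APN")
    else:
        raise ValueError(f"unknown Request Type {request_type!r}")

    ctx = contexts.get(apn)
    if ctx is None:
        raise ValueError(f"APN {apn!r} not in subscription")
    # Subscribed static address(es) are signalled in the PDN address field.
    pdn_address = {k: ctx[k] for k in ("ipv4", "ipv6_prefix") if k in ctx}
    # The PDN GW identity is optional in the context; None means the MME has
    # to select one by other means (not covered by the post).
    return apn, ctx.get("pdn_gw"), pdn_address


# Constructed subscription for the examples.
SUBSCRIPTION = {
    "default_apn": "internet",
    "pdn_contexts": {
        "internet": {"pdn_gw": "pgw1.example.net", "ipv4": "10.45.0.7"},
        "ims": {"ipv6_prefix": "2001:db8:45::/64"},
    },
}

if __name__ == "__main__":
    for rt, apn in (("Initial request", None), ("Initial request", "ims"),
                    ("Handover", None)):
        print(rt, apn, "->", select_pdn_gw_for_default_bearer(rt, apn, SUBSCRIPTION))
```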
Initial Attach Procedure - Step 13
“The Serving GW creates a new entry in its Evolved Packet System (EPS) Bearer table and sends a Create Session Request […] message to the PDN GW indicated by the PDN GW address received in the previous step. After this step, the Serving GW buffers any downlink packets it may receive from the PDN GW without sending a Downlink Data Notification message to the MME until it receives the Modify Bearer Request message […] below.” [Source] In other words: The S-GW creates a new EPS bearer entry for that UE, asks the PDN GW to set up the session, and buffers any downlink packets arriving from the PDN GW until the attach procedure is complete.
Initial Attach Procedure - Step 14
“The IMSI, APN, UE IP address, User Location Information (E-UTRAN Cell Global Identifier (ECGI)), UE Time Zone, Serving Network, RAT type, Access Point Name Aggregate Maximum Bit Rate (APN-AMBR), Default EPS Bearer QoS, […] are provided to the PCRF by the PDN GW if received by the previous message.” [Source] In other words: PCRF is informed about the new UE.
Initial Attach Procedure - Step 15
“The P-GW creates a new entry in its EPS bearer context table and generates a Charging Id for the Default Bearer. The new entry allows the P-GW to route user plane PDUs between the S GW and the packet data network, and to start charging.” [Source] In other words: The mobile network provider can now start making money by charging for the user data it carries.
Initial Attach Procedure - Step 16
“The Serving GW returns a Create Session Response […] message to the new MME.” [Source] In other words: The S-GW confirms to the MME that the session for that UE has been created.
Initial Attach Procedure - Step 17
“The new MME sends an Attach Accept […] message to the eNodeB. GUTI is included if the new MME allocates a new GUTI.” [Source] In other words: The MME tells the eNB to accept the UE with that GUTI.
Initial Attach Procedure - Step 18
“If the eNodeB received an S1-AP Initial Context Setup Request the eNodeB sends the RRC Connection Reconfiguration message including the EPS Radio Bearer Identity to the UE, and the Attach Accept message will be sent along to the UE.” [Source] In other words: EPS Radio Bearer Identity and Attach Accept message can be passed from the eNB to the UE.
Initial Attach Procedure - Step 19
“UE sends the RRC Connection Reconfiguration Complete message to the eNodeB” [Source] In other words: Possible RRC reconfiguration is done.
Initial Attach Procedure - Step 20
“The eNodeB sends the Initial Context Response message to the new MME. This Initial Context Response message includes the Tunnel Endpoint Identifier (TEID) of the eNodeB and the address of the eNodeB used for downlink traffic on the S1_U reference point.” [Source] In other words: The MME knows now the eNB and downlink reference point for that specific UE.
Initial Attach Procedure - Step 21
“The UE sends a Direct Transfer message to the eNodeB, which includes the Attach Complete (EPS Bearer Identity, NAS sequence number, NAS-MAC) message.” [Source] In other words: Either in step 19 or now, the attachment procedure is done for the UE.
Initial Attach Procedure - Step 22
“The eNodeB forwards the Attach Complete message to the new MME in an Uplink NAS Transport message.” [Source] In other words: Now the MME also knows that the UE has finished attaching.
Initial Attach Procedure - We can send Uplink Data
OK! Now the first User Plane Uplink data can flow!
Initial Attach Procedure - Step 23
“Upon reception of both, the Initial Context Response message in step 20 and the Attach Complete message in step 22, the new MME sends a Modify Bearer Request […] message to the Serving GW. If […] the MME does not need to report a change of UE presence in Presence Reporting Area, sending of Modify Bearer Request and steps 23a, 23b and 24 are skipped; […] If the MME has been requested to report a change of UE presence in Presence Reporting Area, the MME includes in this message […] whether the UE is inside or outside the area(s). When receiving the request for reporting change of UE presence in Presence Reporting Area, and the MME decides not to activate reporting UE presence in one or more of the received Presence Reporting Area(s), the MME reports also the inactive Presence Reporting Area(s) in this message.” [Source] In other words: The UE might have changed its area and might now need other bearers.
a) “If the Handover Indication is included in step 23, the Serving GW sends a Modify Bearer Request (Handover Indication) message to the PDN GW to prompt the PDN GW to tunnel packets from non 3GPP IP access to 3GPP access system and immediately start routing packets to the Serving GW for the default and any dedicated EPS bearers established.” [Source] In other words: Allow the UE to receive data from the PDN outside the previous bearer scope, by adjusting accordingly.
b) “The PDN GW acknowledges by sending Modify Bearer Response to the Serving GW.” [Source]
Initial Attach Procedure - Step 24
“The Serving GW acknowledges by sending Modify Bearer Response (EPS Bearer Identity) message to the new MME. The Serving GW can then send its buffered downlink packets.” [Source] In other words: If no bearer modification was required (steps 23-24 may be skipped), we arrive here as well. Now the buffered downlink user data can finally flow.
Initial Attach Procedure - We can send Downlink Data
OK! Either after step 22 or now the first User Plane Downlink data can flow!
Initial Attach Procedure - Step 25
“After the MME receives Modify Bearer Response (EPS Bearer Identity) message, if Request Type does not indicate handover and an EPS bearer was established and the subscription data indicates that the user is allowed to perform handover to non-3GPP accesses, and if the MME selected a PDN GW that is different from the PDN GW identity which was indicated by the HSS in the PDN subscription context, the MME shall send a Notify Request including the APN and PDN GW identity to the HSS for mobility with non-3GPP accesses. The message shall include information that identifies the PLMN in which the PDN GW is located. If the ME identity of the UE has changed and step 8 has not been performed, the MME sends a Notify Request (ME Identity) message to inform the HSS of the updated ME identity.” [Source] In other words: The MME and HSS record what is needed to enable mobility to non-3GPP accesses.
Initial Attach Procedure - Step 26
“HSS stores the APN and PDN GW identity pair” [Source] In other words: APN and PDN GW are correlated now in the HSS for that particular UE.
LTE Security - Alright: UE Attached. What now?
The initial attach procedure, along with the passing of identifying information and key establishment, is one of the most vulnerable and important security procedures in the overall LTE security architecture.
Following step 5a), we now need to understand in detail how the exchange of identities and cryptographic material works. What we have not covered at all is the handling of control channel information: is that secured?
Some of those questions will be answered in the next blog post.
Summary
Hooray, you worked through a crazy complicated diagram and 26 steps until your smartphone has connected to the cell. Hey, it is hard for your phone, too, and it has to execute these steps several times per day! We described the Initial Attach Procedure, the protocol by which a UE connects to a network. We went over each step, explained what it does and why it is relevant. Now we only need to understand the security in some of those initial attachment steps. We will do that in the next post.
Here you can read Part VI and Part VIII.
See you soon! :)
Abbreviations
- Access Point Name (APN)
- Access Point Name Aggregate Maximum Bit Rate (APN-AMBR)
- Equipment Identity Register (EIR)
- Evolved Universal Terrestrial Radio Access Network (E-UTRAN)
- E-UTRAN Cell Global Identifier (ECGI)
- Evolved Packet System (EPS)
- Gateway Core Network (GWCN)
- General Packet Radio Service (GPRS)
- Globally Unique MME Identifier (GUMMEI)
- Globally Unique Temporary Identity (GUTI)
- Gateway (GW)
- Home Subscriber System (HSS)
- International Mobile Equipment Identity (IMEI)
- IMEI Software Version (IMEISV)
- International Mobile Subscriber Identity (IMSI)
- Link Bearer Identity (LBI)
- Medium Access Control (MAC)
- Mobility Management (MM)
- Mobility Management Entity (MME)
- Non Access Stratum (NAS)
- Packet Data Network (PDN)
- Protocol Configuration Options (PCO)
- Public Land Mobile Network (PLMN)
- Radio Access Technology (RAT)
- Random Line-Of-Sight (RLOS)
- Radio Resource Control (RRC)
- Serving GPRS Support Node (SGSN)
- Tracking Area Identity (TAI)
- Tunnel Endpoint Identifier (TEID)