
WO2019047943A1 - Pseudo base station identification and defense method, and terminal - Google Patents


Info

Publication number
WO2019047943A1
WO2019047943A1 PCT/CN2018/104749 CN2018104749W WO2019047943A1 WO 2019047943 A1 WO2019047943 A1 WO 2019047943A1 CN 2018104749 W CN2018104749 W CN 2018104749W WO 2019047943 A1 WO2019047943 A1 WO 2019047943A1
Authority
WO
WIPO (PCT)
Prior art keywords
base station
cell
pseudo base
terminal
side device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2018/104749
Other languages
English (en)
Chinese (zh)
Inventor
梁云侠
张志勇
韩磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN201811044950.9A (CN109474932A)
Application filed by Huawei Technologies Co Ltd
Publication of WO2019047943A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12: Detection or prevention of fraud

Definitions

  • the present application relates to the field of communications technologies, and in particular, to a pseudo base station identification and defense method and terminal.
  • a pseudo base station generally refers to a set of illegal radio communication devices composed of a notebook computer, a host, etc., for performing functions of a base station in a normal network and some other network side devices (such as a core network device).
  • the pseudo base station user can perform various illegal activities through the pseudo base station, including collecting user information (for example, collecting an IMSI (International Mobile Subscriber Identity) or an IMEI (International Mobile Equipment Identity)), sending fraudulent or spam messages, monitoring communications, etc., which has a serious impact on users' privacy and property security.
  • the pseudo base station exploits the one-way authentication design flaw in the GSM protocol (i.e., the network authenticates the terminal (UE), but the terminal does not authenticate the network): by setting a larger transmission power, it makes the terminal attach to the 2G pseudo base station (i.e., the pseudo base station for the 2G network), and after the attachment succeeds it can be used for various illegal activities.
  • the 3/4G pseudo base station (i.e., the pseudo base station for the 3/4G network) cannot be authenticated, and therefore cannot be used directly to send spam messages or spoofed text messages.
  • it is possible to use the 3/4G pseudo base station as a springboard (transfer station) to make the terminal attach to the 2G pseudo base station, thereby performing illegal activities.
  • an attacker can use a high-power 4G pseudo base station (a pseudo base station for a 4G network) to first make the terminal attach to the 4G pseudo base station, and then set the reselection priority on the 4G pseudo base station (for example, the frequency of the 2G pseudo base station is configured as a high priority), so that the UE reselects to the 2G pseudo base station.
  • in this way the pseudo base station can achieve the purpose of illegal activities. Therefore, a method is needed to identify the pseudo base station so that targeted defensive action can be taken to protect users' privacy and property security.
  • the present application provides a pseudo base station identification and defense method, which is executed by a terminal, including: when performing cell reselection or cell selection, acquiring, according to the system message sent by the network side device, a system message configuration for cell reselection or cell selection; when the system message configuration is an abnormal configuration, determining that the network side device is a candidate pseudo base station; after camping on the cell where the candidate pseudo base station is located, initiating a security verification process to the candidate pseudo base station; and confirming, according to the security verification process, that the candidate pseudo base station is a true pseudo base station.
  • the candidate pseudo base station is determined from the system message configuration used for cell reselection or cell selection, so the determination is more targeted. At the same time, after the candidate pseudo base station is determined, it is further confirmed through the security verification process, so that there are fewer false positives and the user experience is better.
  • determining that the network side device is a candidate pseudo base station includes: when the system message configuration is an abnormal configuration used to make the terminal camp on the current cell as much as possible, without cell reselection or cell selection to another cell, determining that the network side device is the candidate pseudo base station.
  • the system message configuration being an abnormal configuration includes any one or more of the following situations:
    1) the value of cellReselectionPriority in SIB3 is configured to be smaller than the value of cellReselectionPriority in SIB7;
    2) the system message is configured not to send SIB5 to the terminal;
    3) the value of dl-CarrierFreq in the SIB5 sent by a network side device to the terminal is not a frequency commonly used by the operator;
    4) ThreshX-High and ThreshX-Low are configured with higher values;
    5) qHyst is larger, or Qoffset is larger, or both are larger;
    6) when access layer security is not activated, the base station sends an RRCConnectionRelease message to redirect the terminal to the GSM cell.
  • this aspect gives a variety of practical parameters that can be used to make the judgment of the candidate pseudo base station, which is easy to implement.
  • confirming that the candidate pseudo base station is a true pseudo base station according to the security verification process includes: when the network side device fails the security verification and/or does not want to perform the security verification, confirming that the candidate pseudo base station is a true pseudo base station. Judging by this condition, the network side device exists.
  • the tracking area code (TAC) that the terminal received from the network side device in the process of camping on the previous cell is different from the TAC received from the network side device in the process of camping on the current cell; correspondingly, initiating the security verification process to the candidate pseudo base station after camping on the cell where the candidate pseudo base station is located, and confirming according to the security verification process that the candidate pseudo base station is a true pseudo base station, includes: sending a TAU Request message to the network side device after camping on the cell where the candidate pseudo base station is located; receiving an Identity Request message, replied by the network side device, for requesting the terminal to report an International Mobile Subscriber Identity (IMSI); sending, to the network side device, a message in reply to the Identity Request message, carrying the IMSI of the terminal; the network side device sends a TAU Accept or TAU Reject; when the TAU reject is received, and the TAU Reject and the Identity Reque received The st
  • the tracking area code (TAC) that the terminal received from the network side device in the process of camping on the previous cell is the same as the TAC received from the network side device in the process of camping on the current cell; correspondingly, initiating the security verification process to the candidate pseudo base station after camping on the cell where the candidate pseudo base station is located, and confirming according to the security verification process that the candidate pseudo base station is a true pseudo base station, includes: after camping on the cell where the candidate pseudo base station is located, sending a Service Request message to the network side device to initiate a SERVICE process; and, after receiving the SecurityModeCommand or receiving the SecurityModeCommand but failing the integrity protection check, confirming that the candidate pseudo base station is a true pseudo base station.
  • the candidate pseudo base station can be confirmed as a true pseudo base station by the security verification procedure when the TAC is different.
  • the tracking area code (TAC) that the terminal received from the network side device in the process of camping on the previous cell is the same as the TAC received from the network side device in the process of camping on the current cell; correspondingly, initiating the security verification process to the candidate pseudo base station after camping on the cell where the candidate pseudo base station is located, and confirming according to the security verification process that the candidate pseudo base station is a true pseudo base station, includes: after camping on the cell where the candidate pseudo base station is located, sending a TAU Request message to the network side device without carrying the key, and starting the T3430 timer.
  • the security and integrity protection check fails, and the candidate pseudo base station is confirmed to be a true pseudo base station.
  • the method further includes: performing defense processing on the true pseudo base station to reduce the harm caused by the true pseudo base station to the user of the terminal. By performing defense, the loss caused by the pseudo base station to the user can be reduced.
  • performing defense processing on the true pseudo base station includes any one or a combination of the following methods:
  • the search process is started to return to the normal cell, where, in the search process, the frequency of the cell that was camped on before the connection was released is searched preferentially; this method disturbs the user less and is suitable for users who do not want to be disturbed.
  • after returning to the normal cell, the method further includes: starting neighbor cell measurement and adding the cell of the true pseudo base station to a blacklist, to avoid reselecting to the cell of the true pseudo base station again.
  • the method can further strengthen the shielding of the pseudo base station, and the protection effect is better.
  • the present application discloses a terminal including one or more processors and a memory, where the memory is used to store instructions, and the one or more processors are configured to read the instructions stored in the memory to perform the method of the first aspect and of any of the various implementations of the first aspect.
  • the present disclosure discloses a pseudo base station defense method, which is executed by a terminal, and includes: when performing cell reselection or cell selection, acquiring, according to a system message sent by a network side device, a system message configuration for cell reselection or cell selection; determining that the network side device is a candidate pseudo base station when the system message configuration is an abnormal configuration; and performing defense processing on the candidate pseudo base station to reduce the harm caused by the true pseudo base station to the user of the terminal.
  • the performing defense processing on the candidate pseudo base station includes any one or a combination of the following methods:
  • determining that the network side device is a candidate pseudo base station includes: determining that the network side device is the candidate pseudo base station when the system message is configured to make the terminal camp on the current cell as much as possible, without cell reselection or cell selection to other cells.
  • the system message configuration being an abnormal configuration includes any one or more of the following situations:
  • the value of cellReselectionPriority in SIB3 is configured to be smaller than the value of cellReselectionPriority in SIB7;
  • the system message is configured not to send the SIB5 to the terminal;
  • the base station sends an RRCConnectionRelease message to redirect the terminal to the GSM cell.
  • the third aspect and various implementation manners of the present application can directly prompt the user without performing the security verification process, so that the user is warned of the pseudo base station threat promptly and learns of the potential high threat in time.
  • the third aspect and its various implementations and the first aspect and its various implementations may be two configurable schemes, both of which may be implemented in the terminal, with the user allowed to select which one to use during operation; alternatively, the terminal may have only one of them.
  • the security verification process in the first aspect may be added to further confirm whether it is a true pseudo base station, and then corresponding defense measures are taken; that is, in this implementation, defense measures are taken twice.
  • the first time may not be particularly accurate, but it gives a prompt warning, and the second time is more accurate, so that the user can know more promptly and accurately whether the base station connected to the terminal is a pseudo base station and take corresponding measures to reduce the user's losses.
  • the first defense measure cannot adopt the first type of defense measure in the first implementation manner of the third aspect (because the terminal may access the normal cell at this time, and performing the security verification process to confirm whether it is a true or false base station would no longer make sense), but defense measures 2) and 3) can be used.
  • the present application discloses a terminal including one or more processors and a memory, where the memory is used to store instructions, and the one or more processors are configured to read the instructions stored in the memory to perform the method of the third aspect and of any of the various implementations of the third aspect.
  • Embodiment 2 is a method for identifying a pseudo base station according to Embodiment 1 of the present invention
  • Embodiment 3 is a security verification method according to Embodiment 3 of the present invention.
  • FIG. 5 is another security verification method according to Embodiment 3 of the present invention.
  • FIG. 6 is a structural diagram of a terminal according to Embodiment 5 of the present invention.
  • a first embodiment of the present invention provides a pseudo base station defense method, which is performed by a terminal.
  • the terminal or terminal device, user equipment
  • the terminal herein refers to a device corresponding to the network side device, and may include various devices, such as mobile phones, tablet computers, and PCs, that support mobile communication services (such as 2G, 3G, and 4G).
  • the "network side device" refers to a device provided by an operator to cooperate with a terminal to complete wireless communication, and may include a base station and various core network side devices.
  • a "pseudo base station" also belongs to the network side devices and is provided by a criminal.
  • the terminal does not care about the specific software and hardware implementation of the network side device; the terminal is only responsible for processing the received wireless signal. That is, the network side device is a black box for the terminal: as long as these devices can send signals that conform to the communication protocol and can be processed by the terminal, the terminal will process them.
  • although the "pseudo base station" is referred to as a "base station", in practice it also has the functions of some non-"base station" devices in a normal network, for example, those of a core network device.
  • the embodiments of the present invention do not strictly describe the functions of each part of the "pseudo base station" separately, but describe the use of the pseudo base station as a whole.
  • a typical terminal such as a mobile phone
  • a component such as a memory, an input/output device (such as a display, a touch screen), wherein the processor may be a chip integrated with a baseband module (for modem, communication protocol processing, etc.).
  • the baseband module can also be separated from the integrated processor chip, that is, the baseband module is a separate baseband chip and the processor, with the baseband function removed, is another separate chip; the hardware architecture and the specific implementation methods are all prior art and are not described here.
  • the terminal first searches for the network provided by the network side device, and then camps on a cell. In the idle state, the terminal initiates a reselection procedure, and if there is a more suitable cell, it will camp on the new cell through the cell reselection procedure. If the pseudo base station now provides the same frequency as the normal base station and, at the same time, a higher transmit power is used, the terminal will camp on the pseudo base station.
  • a pseudo base station defense method provided by this embodiment includes:
  • when the terminal is performing cell reselection (i.e., reselection from one resident cell to another cell) or cell selection (e.g., first selection after power-on, or entering an area with signal coverage from a blind zone without signal), it interacts with the network side device in the standard-defined interaction mode and obtains some system messages (such as the MasterInformationBlock message and various SystemInformationBlockType messages).
  • the system message configuration determines what strategy the terminal adopts for cell reselection or cell selection.
  • the system message configuration may refer to the configuration of some parameters in the system message, or may refer to the presence or absence of a specific system message.
  • the specific implementation of the cell system message is a prior art.
  • the system first needs to obtain the SystemInformationBlockType1 and SystemInformationBlockType2 messages, and then obtains SystemInformationBlockType3 (SIB3), SystemInformationBlockType5 (SIB5), and the like after camping.
  • the "system message is configured for priority cell reselection or abnormal configuration of cell selection" means that the network side device does not want the terminal to be preferentially reselected or selected to a certain cell, and at the same time, its system message configuration is not a normal configuration.
  • since the pseudo base station generally does not want the terminal to return to the normal cell through reselection or cell selection, it will find a way to keep the terminal in the cell provided by the pseudo base station. So if the system message configuration is an abnormal configuration used to make the terminal stay in the current cell as much as possible, it indicates that the network side device has a high probability of being an abnormal device with an illegal purpose (although it may also be a normal device), so it is first judged as a "candidate pseudo base station".
  • the qualifier "candidate" indicates that a pseudo base station judged by this scheme in this embodiment is not yet determined to be a true pseudo base station, but serves as a "candidate"; a more accurate judgment result needs to be obtained through a subsequent process.
  • the system message used to determine whether it is a candidate pseudo base station may be one or more, and the system message configuration may be a value of one or more parameters (ie, values of some fields) in the system message, or whether some parameters are carried;
  • the system message configuration can also refer to whether some system messages are sent.
  • it may be judged based on the specific value of one or more parameters (such as determining whether each value satisfies a certain limit, such as whether it is greater than a certain value); it is also possible to compare the relative values of the parameters in some system messages (such as whether the value of one parameter is greater than the value of another parameter), which is not limited in this application.
  • the security verification process in this embodiment refers to a process in which the terminal and the network side device perform mutual security verification, including but not limited to the processes related to encryption and integrity protection.
  • the security verification process can be performed based on a NAS (Non-access stratum) process.
  • through the security verification process, it can be determined whether the network side device can pass the security verification and/or whether it wants to perform security verification.
  • when the network side device fails the security verification and/or does not want to perform the security verification, the network side device can be confirmed as a true pseudo base station.
  • the candidate pseudo base station is first determined by the system message configuration, and then further confirmed by the security verification process, so that it is more effective to detect whether the pseudo base station is true, false positives are prevented, and the user experience is better.
  • this embodiment introduces the system message configuration.
  • in order to make the terminal reselect or select the pseudo base station itself when performing cell reselection (hereinafter referred to as "reselection") or cell selection (hereinafter referred to as "selection"), the pseudo base station intentionally configures values in the system message configuration for priority reselection or selection, and these values are outside the normal value range, i.e., they are abnormal values. Therefore, when such an abnormal configuration is detected, the device is with high probability a pseudo base station and can be initially determined as a pseudo base station (referred to as "candidate pseudo base station" in the present invention). The following is a detailed description by way of various examples. For convenience of description, only the case of "reselection" is described below; the criterion for "selection" may be the same as for "reselection" and is not described again.
  • the system message configuration may include any one or a combination of the following:
  • SIBx SystemInformationBlockTypex (x represents a positive integer), for example, SystemInformationBlockType 3 is referred to as SIB3, and SystemInformationBlockType 7 is referred to as SIB7 or the like.
  • one of the "system message configuration” refers to the configuration of the cellReselectionPriority parameter among the two system messages SIB3 and SIB7.
  • This parameter is a parameter used to configure the cell reselection priority.
  • the range that can be configured is 8 integer values from 0-7.
  • the normal value is that the value of the cellReselectionPriority in the SIB3 is configured to be greater than the value of the cellReselectionPriority in the SIB7.
  • the cellReselectionPriority of the serving cell in the SIB3 is configured as 4-7, and then in the SIB7.
  • the cellReselectionPriority of the GERAN (GSM EDGE Radio Access Network)
  • the value of the cellReselectionPriority in the SIB3 is configured to be smaller than the value of the cellReselectionPriority in the SIB7.
  • the cellReselectionPriority of the serving cell in the SIB3 is configured to be 4-6, and then the cellReselectionPriority of the GERAN neighbor cell in the SIB7 is configured to 7.
  • the SIB5 system message determines the state in which the terminal performs the inter-frequency reselection after the cell resides.
  • the configuration related to the SIB5 system message may include the following situations:
  • the SIB5 is sent to the terminal. If the system message is configured not to send the SIB5 to the terminal, it is abnormally configured.
  • the system message is configured to not send the SIB5 by using the SIB1.
  • the specific implementation method is prior art, and is not described here.
  • the value of dl-CarrierFreq in SIB5 is normally set to a frequency used by the legal operator; if it is not a frequency used by the legal operator, it is abnormal.
  • the frequencies frequently used by the operator China Mobile are 38400, 37900, 38100, 38350, 38950, 38098, 39350, 39150, etc. If the value of dl-CarrierFreq in the SIB5 sent by a network side device to the terminal is not one of the above frequencies frequently used by China Mobile, the value of dl-CarrierFreq in SIB5 is abnormal.
  • the value of the reselection priority cellReselectionPriority parameter (for inter-frequency neighbor reselection) of the inter-frequency point in the SIB5 is normally configured as 4-7. If this value is configured to 0, the configuration is abnormal. Likewise, if the cellReselectionPriority parameter is not configured (this parameter is optional in SIB5 and may be omitted; if it is not configured, no reselection takes place), this is also an abnormal configuration.
  • threshX-High and threshX-Low are high-priority inter-frequency reselection thresholds and low-priority inter-frequency reselection thresholds, respectively, and the configurable range is an integer from 0-31.
  • the typical configuration of the two values is generally around 11.
  • q-RxLevMin reference signal Receiving Power
  • the RSRP Reference Signal Receiving Power
  • the configuration of threshX-Low is similar to that of threshX-High. If threshX-Low is configured to 31, a neighboring cell must also be higher than -62 dB to be likely to satisfy the reselection.
  • "higher" can be understood as a value close to "highest"; the specific value can be set in combination with actual conditions, and can usually be within 1-3 levels.
  • "larger" below has the same meaning, that is, a value close to "maximum".
  • the same frequency reselection is also performed.
  • the value of the reselection priority cellReselectionPriority parameter in SIB3 is the same as that of the serving cell (ie, the cell in which the terminal resides).
  • the R value of the serving cell (ie Rs) is calculated from the measured value plus q-Hyst, ie:
  • the R value of the same frequency neighbor (ie, Rn) is obtained by subtracting Qoffset from the measured value, namely:
  • q-Hyst and Qoffset are located in SIB3.
  • whether the SIB3 is an abnormal configuration is determined according to the value of at least one of the qHyst and Qoffset parameters in the SIB3. If qHyst is large, or Qoffset is large, or both are large, it is considered to be an abnormal configuration.
  • the qHyst of a normal base station is generally set to about 0-3 dB, and the Qoffset is generally not set/configured (this parameter is optional and may or may not be present) or, if set, is about -3 dB to 3 dB.
  • if the value of qHyst is configured to be 24 dB, then even if Qoffset is not set, an intra-frequency neighboring cell must be 24 dB higher than the pseudo base station cell's energy before it is reselected. This indicates that the network side device in this case makes the terminal camp on the cell it provides as much as possible, without reselecting to other cells, so it is highly probable that the network side device is a pseudo base station (the pseudo base station does not want the user to camp on other normal cells, but always wants the user to camp on the cell provided by the pseudo base station).
  • the above embodiments all use the expressions "larger" and "higher".
  • the comparative form indicates that the value is different from the normal configuration.
  • the specific value can be determined according to the empirical value in each application scenario. If it is higher than the empirical value, it can be considered higher.
  • the empirical value is not completely consistent among the various operators and network environments. It is therefore possible that the empirical value of one area A is higher than that of another area B, so that a normal value in area A is an abnormal value compared to area B.
  • the RRCConnectionRelease is a 4G air interface message.
  • the message is sent by the network after the connection is established (that is, the connection that the terminal needs to establish with the cell after camping on it), and it releases the terminal to the idle state or instructs the terminal to redirect.
  • the redirection process refers to the Redirect process defined in the protocol, that is, the following cell is carried in the RRCConnectionRelease message.
  • after receiving the RRCConnectionRelease message, the terminal re-searches and camps on another 4G, 3G or 2G cell according to the cell carried in the message.
  • under normal circumstances, when the redirection process is performed, because the security of GSM itself is insufficient, the base station will not issue an RRCConnectionRelease message to redirect the terminal to the GSM cell if access layer security is not activated. If the base station does send an RRCConnectionRelease message to redirect the terminal to the GSM cell while access layer security is not activated, this is considered an abnormal configuration.
  • Each of the above conditions may be used alone or in combination with any of a plurality of them to determine whether it is an abnormal configuration.
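The abnormal-configuration conditions listed above can be evaluated mechanically once a cell's system messages have been decoded. The following Python is an added example, not code from the patent or from any terminal implementation; the `SysInfo` and `InterFreq` structures, the finding names and the numeric cut-offs for "higher"/"larger" are assumptions, and the frequency list is the China Mobile example given above.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# dl-CarrierFreq values the page lists as commonly used by China Mobile.
OPERATOR_FREQS = {38400, 37900, 38100, 38350, 38950, 38098, 39350, 39150}

# Assumed, tunable cut-offs: the page only says "higher"/"larger" means close
# to the maximum and depends on empirical values per operator and region.
THRESH_X_ABNORMAL = 28     # threshX range is 0-31, typical value about 11
Q_HYST_ABNORMAL_DB = 18    # normal qHyst is about 0-3 dB, page example is 24 dB
Q_OFFSET_ABNORMAL_DB = 18  # normal Qoffset is unset or about -3 dB to 3 dB


@dataclass
class InterFreq:
    """One inter-frequency entry of SIB5 (hypothetical decoded form)."""
    dl_carrier_freq: int
    thresh_x_high: int
    thresh_x_low: int
    priority: Optional[int] = None  # cellReselectionPriority, optional in SIB5


@dataclass
class SysInfo:
    """What one cell told the terminal (hypothetical decoded form)."""
    sib3_priority: int                   # cellReselectionPriority in SIB3
    q_hyst_db: int = 0
    q_offset_db: Optional[int] = None    # optional parameter
    sib5_scheduled: bool = True          # False: SIB1 does not schedule SIB5
    sib5: List[InterFreq] = field(default_factory=list)
    sib7_priority: Optional[int] = None  # GERAN cellReselectionPriority
    as_security_active: bool = False
    redirected_to_gsm: bool = False      # RRCConnectionRelease redirect to GSM


def abnormal_findings(si: SysInfo) -> List[str]:
    """Return the abnormal-configuration conditions that this cell matches."""
    found: List[str] = []

    def flag(name: str) -> None:
        if name not in found:
            found.append(name)

    if si.sib7_priority is not None and si.sib3_priority < si.sib7_priority:
        flag("sib3-priority-below-sib7")
    if not si.sib5_scheduled:
        flag("sib5-not-sent")
    for f in si.sib5:
        if f.dl_carrier_freq not in OPERATOR_FREQS:
            flag("unusual-dl-CarrierFreq")
        if f.priority is None or f.priority == 0:
            flag("sib5-priority-zero-or-absent")
        if max(f.thresh_x_high, f.thresh_x_low) >= THRESH_X_ABNORMAL:
            flag("high-threshX")
    if (si.q_hyst_db >= Q_HYST_ABNORMAL_DB
            or (si.q_offset_db or 0) >= Q_OFFSET_ABNORMAL_DB):
        flag("large-qHyst-or-Qoffset")
    if si.redirected_to_gsm and not si.as_security_active:
        flag("gsm-redirect-without-as-security")
    return found


def is_candidate_pseudo_base_station(si: SysInfo) -> bool:
    """Any single condition is enough to mark the cell as a candidate."""
    return bool(abnormal_findings(si))


def intra_freq_margin_db(si: SysInfo) -> int:
    """dB by which an intra-frequency neighbour must beat the serving cell.

    Rs = serving measurement + q-Hyst and Rn = neighbour measurement - Qoffset,
    so Rn > Rs needs the neighbour to be stronger by q-Hyst + Qoffset.
    """
    return si.q_hyst_db + (si.q_offset_db or 0)


# Constructed sample inputs (not captured from a real network).
NORMAL_CELL = SysInfo(sib3_priority=6, q_hyst_db=2, sib7_priority=1,
                      sib5=[InterFreq(38400, 11, 11, priority=5)],
                      as_security_active=True)
SUSPECT_CELL = SysInfo(sib3_priority=5, q_hyst_db=24, sib7_priority=7,
                       sib5_scheduled=False, redirected_to_gsm=True)
ODD_SIB5_CELL = SysInfo(sib3_priority=6, sib7_priority=1,
                        sib5=[InterFreq(40000, 31, 31)])

if __name__ == "__main__":
    for name, cell in [("normal", NORMAL_CELL), ("suspect", SUSPECT_CELL),
                       ("odd-sib5", ODD_SIB5_CELL)]:
        print(name, abnormal_findings(cell), intra_freq_margin_db(cell))
```

A cell flagged here is only a candidate; confirmation as a true pseudo base station still depends on the security verification process.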
  • an implementation manner is to directly consider the candidate pseudo base station as a true pseudo base station, and then start various defense measures in the fourth embodiment.
  • the various defense measures in Embodiment 4 are not executed directly; instead, a security verification process is further initiated, and according to the security verification process it is further confirmed whether the candidate pseudo base station is a pseudo base station, and defense measures are taken only after it is confirmed to be a pseudo base station.
  • This embodiment describes the NAS process in detail.
  • the network side device (in this embodiment, also referred to as "network") that interacts with the terminal is a candidate pseudo base station.
  • the terminal may choose to first camp on the cell provided by the candidate pseudo base station (i.e., even if it is known to be a pseudo base station, the terminal still camps on this "pseudo base station"), and then use the NAS process to further determine whether the candidate pseudo base station is a true pseudo base station.
  • when the terminal reselects from one cell A to another cell B, it checks whether the TAC (tracking area code, located in SIB1) received from the network side device in the process of camping on the previous cell A is the same as the TAC received from the network side device in the process of camping on the current cell B; depending on whether the two TACs are the same, there may be several different methods to determine whether it is a pseudo base station. How to detect and compare whether the TACs are the same is prior art (for example, save the previous TAC and then compare it with the currently saved TAC), which is not described here.
  • the following describes specifically how to determine whether the device is a pseudo base station in the case where the TAC is different and in the case where it is the same.
  • the initiating TAU does not carry the security key.
  • a possible interaction between the terminal and the network side device (which may be a device in a real wireless network or a pseudo base station) is as follows:
  • the UE selects or reselects a cell, and receives a system message of the cell.
  • From the system message, it may be initially determined to be a pseudo base station (i.e., judged to be a candidate pseudo base station), and the TAC is changed.
  • the UE sends a TAU Request message to the network side device.
  • the terminal sends a TAU Request message to the network side device. Specifically, the terminal initiates a link establishment process and sends an RRCConnectionSetupComplete message during the connection establishment completion phase; the TAU Request message is carried in this message.
  • the network side device receives the TAU Request, and replies to the terminal with an Identity Request message for querying the terminal IMSI (International Mobile Subscriber Identity).
  • After receiving the TAU Request, the network side device replies with the Identity Request message, which carries the information for querying the terminal's identity. According to the protocol, the network side device can send the Identity Request message in plain text to request the terminal to report the IMSI, or deliver the Identity Request message with encryption/integrity protection.
  • After receiving the Identity Request message, the terminal replies with the Identity Response message carrying the IMSI of the terminal.
  • the Identity Response message can be sent in plain text.
  • the network side device sends a TAU Accept or TAU Reject.
  • the network side device can be determined to be a pseudo base station, and the currently accessed cell is a cell provided by the pseudo base station. This is because the primary purpose of the pseudo base station is to obtain the IMSI of the user.
  • the pseudo base station does not know the security parameters used by the terminal and cannot pass the integrity protection check. Therefore, in order to obtain the IMSI, it sends the Identity Request message in plaintext, requiring the UE to report the IMSI, and at the same time it can only reply with a TAU Reject because it cannot pass the integrity protection check. Based on the above analysis, when the terminal determines that the received Identity Request message for querying the terminal IMSI is in plaintext and the TAU Reject is received, it can determine that the network side device is a pseudo base station.
  • the corresponding defense measures can then be performed. For example, the terminal can return to the original normal cell by reselection through steps 7-9.
  • the camping cell is a pseudo base station cell, and the UE actively initiates release of the connection. That is, the connection to the cell provided by the candidate pseudo base station is no longer maintained.
  • the UE restarts the network search and preferentially searches other frequency points, so as to return to the normal network with greater probability; it searches this frequency point again only when no cells are found at the other frequency points.
  • when neighboring cell measurement is started, the previously determined pseudo base station cell is added to the blacklist to avoid reselecting to the pseudo base station cell.
  • the interaction between the UE and the network side device in the case where the TAC is the same.
  • the interaction process is as follows:
  • the UE selects or reselects a cell, and receives a system message of the cell.
  • From the system message, it may be determined that it is a pseudo base station (i.e., it is judged to be a candidate pseudo base station), and the TAC is not changed.
  • When the terminal determines that the TAC is different, the terminal actively initiates the SERVICE process by sending a Service Request message.
  • the network performs the UE capability query and UE capability reporting process. This process may or may not be performed, depending on whether the network already has the UE capability information of the UE.
  • the normal network activates security verification (including encryption and integrity protection check) for the UE by issuing the SecurityModeCommand, and the SecurityModeCommand is integrity protected.
  • After receiving the SecurityModeCommand, the UE needs to perform the integrity protection check. Under normal circumstances, the terminal and the network side device both store the key (K_RRCint) required for the integrity protection check, so the verification can pass; the terminal then replies to the network with the SecurityModeComplete message and starts integrity protection. Because the SERVICE process is initiated by the terminal, there may be no data transmission. Therefore, after the network inactivity timer expires, the RRC connection of the terminal is released, and the process ends.
  • the pseudo base station does not know the K_RRCint of the UE, so it cannot deliver an integrity-protected SecurityModeCommand to the UE: if it delivered one, the UE's integrity protection check would fail. That is, the pseudo base station cannot activate the security and integrity protection of the AS, and so the DRB cannot be established (the protocol specifies that the DRB must be established after AS security activation). The protection timer (T3417) of the NAS SERVICE process then times out, and the RRC connection is released.
  • If the SecurityModeCommand is not received within a certain period of time, or the SecurityModeCommand is received but the integrity protection check fails, the network side device can be considered a pseudo base station, and the corresponding defense measures can be performed, as shown in steps 9-10.
  • the UE restarts the network search and preferentially searches other frequency points, so as to return to the normal network with greater probability; it searches this frequency point again only when no cells are found at the other frequency points.
  • when neighboring cell measurement is started, the previously determined pseudo base station cell is added to the blacklist to avoid reselecting to the pseudo base station cell.
  • another implementation method in this case includes:
  • the UE selects or reselects a cell, and receives a system message of the cell.
  • From the system message, it may be determined that it is a pseudo base station (i.e., it is judged to be a candidate pseudo base station), and the TAC is not changed.
  • the terminal actively sends a TAU Request message to the network side device, but does not carry the security key and starts the T3430 timer.
  • Under the standard procedure, the TAU Request sent by the terminal carries a key. In this embodiment, the key is not carried in the TAU Request.
  • A normal base station sends the TAU Accept and carries the security parameters, whereas the pseudo base station does not send the TAU Accept. Therefore, if the TAU Accept is received normally and the security parameters are carried, the base station is treated as a normal base station and the normal process continues.
  • If the TAU Accept has not been received when T3430 times out, or if the TAU Reject is received, the cell is identified as a pseudo base station cell, and the defense is started by actively releasing the connection.
  • the UE restarts the network search and preferentially searches other frequency points, so as to return to the normal network with greater probability; it searches this frequency point again only when no cells are found at the other frequency points.
  • when neighboring cell measurement is started, the previously determined pseudo base station cell is added to the blacklist to avoid reselecting to the pseudo base station cell.
  • the present embodiment provides some defense measures that can be performed after determining that the candidate pseudo base station is a pseudo base station.
  • a defense measure is mentioned in the third embodiment: the terminal actively releases the connection and restarts the network search (preferring other frequency points); after camping on the normal network again, neighboring cell measurement can also be started and the previously determined pseudo base station cell added to the blacklist to avoid reselecting to the pseudo base station cell again. For details, see, for example, steps 7-9 in case 1).
  • a terminal 61 which may be a device that can connect to a network and can be attacked by a pseudo base station, such as a smart phone, a tablet, a notebook, an e-reader, and a smart watch.
  • the terminal includes one or more processors 611 and a memory 612 (generally including a relatively fast access memory and other non-volatile memories such as a flash/hard disk having a relatively slow access speed but a relatively large capacity).
  • the processor is operative to read the code stored in the memory to perform the processes in the various embodiments described above.
  • it is not excluded that some hardware circuits, such as an ASIC or FPGA, perform some or all of the functions.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
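
The three security verification procedures and the release/blacklist defense described above, written as terminal-side checks over a recorded downlink message trace. This is an added example, not code from the patent; the `Msg` record, the function names, the timer lengths, the (frequency, cell id) cell key and the sample traces are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Msg(NamedTuple):
    t: float                 # seconds after the terminal sent its request
    name: str                # downlink message, named as on the page
    protected: bool = False  # delivered with integrity protection?
    mac_ok: bool = True      # result of the terminal's integrity check

# Timer lengths are assumptions for this example; the page gives no values.
T3417_S, T3430_S = 5.0, 15.0

def first(trace, name, deadline=float("inf")):
    """First message called `name` that arrived no later than `deadline`."""
    return next((m for m in trace if m.name == name and m.t <= deadline), None)

def tau_identity_check(trace):
    """TAU Request: pseudo if the IMSI is queried in plaintext and the TAU is rejected."""
    ident = first(trace, "IdentityRequest")
    return bool(ident and not ident.protected and first(trace, "TAUReject"))

def service_request_check(trace):
    """Service Request: pseudo if no SecurityModeCommand arrives before T3417
    expires, or one arrives but fails the integrity protection check."""
    smc = first(trace, "SecurityModeCommand", T3417_S)
    return smc is None or not (smc.protected and smc.mac_ok)

def tau_without_key_check(trace):
    """TAU Request without key: pseudo on TAU Reject, or when T3430 expires
    without a TAU Accept having been received."""
    if first(trace, "TAUReject", T3430_S):
        return True
    return first(trace, "TAUAccept", T3430_S) is None

def defend(pseudo_cell, blacklist, frequencies):
    """Blacklist the cell; return a search order that tries its frequency last."""
    blacklist.add(pseudo_cell)
    freq = pseudo_cell[0]  # cell key is (frequency, cell id), an assumption
    return [f for f in frequencies if f != freq] + [f for f in frequencies if f == freq]

# Constructed traces for illustration (not captures from any network).
ROGUE_TAU = [Msg(0.2, "IdentityRequest"), Msg(0.6, "TAUReject")]
REAL_TAU = [Msg(0.2, "IdentityRequest", True), Msg(0.7, "TAUAccept", True)]
NO_SMC = [Msg(0.3, "UECapabilityEnquiry")]
BAD_SMC = [Msg(0.3, "SecurityModeCommand", True, mac_ok=False)]
GOOD_SMC = [Msg(0.3, "SecurityModeCommand", True)]

if __name__ == "__main__":
    blacklist = set()
    if tau_identity_check(ROGUE_TAU):
        print("pseudo base station; search order:",
              defend((1850, 301), blacklist, [1300, 1850, 3050]))
    print("blacklist:", blacklist)
```

A SecurityModeCommand that arrives after the timer, or arrives without integrity protection, is treated the same as one that never arrived.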

Abstract

Disclosed is a pseudo base station defense method executed by a terminal. The method comprises the following steps: during cell reselection or cell selection, acquiring a system message configuration for the cell reselection or cell selection according to a system message sent by a network side device; when the system message configuration is an abnormal configuration, determining that the network side device is a candidate pseudo base station; when camping on a cell where the candidate pseudo base station is located, initiating a security verification process with the candidate pseudo base station; and determining, according to the security verification process, whether the candidate pseudo base station is a real or pseudo base station.
PCT/CN2018/104749 2017-09-08 2018-09-10 Pseudo base station identification and defense method, and terminal Ceased WO2019047943A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201710803036.7 2017-09-08
CN201710803036 2017-09-08
CN201811044950.9 2018-09-07
CN201811044950.9A CN109474932A (zh) 2017-09-08 2018-09-07 Pseudo base station identification and defense method, and terminal

Publications (1)

Publication Number Publication Date
WO2019047943A1 true WO2019047943A1 (fr) 2019-03-14

Family

ID=65633523

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/104749 Ceased WO2019047943A1 (fr) 2017-09-08 2018-09-10 Pseudo base station identification and defense method, and terminal

Country Status (1)

Country Link
WO (1) WO2019047943A1 (fr)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18854279

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18854279

Country of ref document: EP

Kind code of ref document: A1