SIM Cloning Threat - HLR Security


I have an HLR security question in terms of risk assessment, which is broadly beyond my areas of expertise.

If an HLR was potentially hacked, would that create a risk of SIM card cloning (among other risks obviously)?

In other words, does accessing the HLR command line reveal information about the SIM cards aside from the IMSI, MSISDN, etc. (namely the Ki key) that would enable hackers to produce cloned SIM cards for select subscribers? My understanding is that having the IMSI and Ki is sufficient for SIM card cloning.

If that is indeed a risk, would changing the transport keys of all SIM cards in the HLR(s) solve the problem by preventing a cloned SIM card from attaching to the network? Or is that irrelevant?

My understanding is that changing the transport keys won't matter for existing SIM cards, but it would protect new SIM cards from having the Ki key revealed in the network. But I just want to verify.

Thanks!


There are 2 best solutions below

0

Yes, it definitely should happen (statistically, and given the overall level of security negligence). There should be a reason we never hear about that. No, transport keys are irrelevant once the HLR is compromised.

0

The authentication process is actually quite complex and also differs between mobile standards versions (2G, 3G, etc., although these are not precise terms). In general, the HLR does not keep or transmit the secret key associated with a SIM. In UMTS there is an AUC component which does keep the secret info.

It's worth remembering that it is the SIM that is verifying itself to the network. At a 10,000 meter level it does this by applying some crypto algorithms to a random value the network sends it and returning a result. The network also has a copy of the expected result (for that random value), and if they match it concludes the SIM is valid.

Ultimately, any secret keys that allow the network to calculate the expected result must be stored somewhere, and if that store is compromised then there is definitely a problem. However, accessing an HLR should not provide access to these keys, although it may enable some attacks.

There is a really nice overview here (at the time of writing) which helps show the flow: https://steemit.com/mobilenetworks/@irelandscape/introduction-to-mobile-networks-3g-umts-authentication
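As an added illustration of the split this answer describes (example code written for this page, not code from the answer or from any operator's HLR), a toy Python model: the AuC holds Ki, the HLR holds only subscriber profiles and the authentication triplets (RAND, SRES, Kc) it fetched, and a SIM provisioned from HLR contents alone (IMSI and MSISDN, no Ki) cannot answer the challenge. The A3/A8 stand-in (HMAC-SHA256), the IMSI, MSISDN and Ki values are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8 (real SIMs use COMP128 or MILENAGE).
    Returns (SRES, Kc): a 32-bit signed response and a 64-bit cipher key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


@dataclass
class AuC:
    """Authentication Centre: the only element that stores Ki per IMSI."""
    ki_by_imsi: dict[str, bytes]

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)                      # fresh 128-bit challenge
        sres, kc = a3_a8(self.ki_by_imsi[imsi], rand)
        return rand, sres, kc                      # Ki itself never leaves the AuC


@dataclass
class HLR:
    """HLR: subscriber profile plus triplets obtained from the AuC. No Ki here."""
    msisdn_by_imsi: dict[str, str]
    auc: AuC
    cached: dict[str, list] = field(default_factory=dict)  # what a dump exposes

    def fetch_triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        trip = self.auc.triplet(imsi)
        self.cached.setdefault(imsi, []).append(trip)
        return trip


@dataclass
class SIM:
    imsi: str
    ki: bytes

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        return a3_a8(self.ki, rand)[0]             # SIM returns SRES only


def authenticate(hlr: HLR, sim: SIM) -> bool:
    """Network side: compare the SIM's SRES with the expected one from the triplet."""
    rand, expected_sres, _kc = hlr.fetch_triplet(sim.imsi)
    return hmac.compare_digest(sim.run_gsm_algorithm(rand), expected_sres)


def hlr_exposes_ki(hlr: HLR, ki: bytes) -> bool:
    """True if Ki appears among the byte values an HLR dump would contain."""
    values = [v for trips in hlr.cached.values() for t in trips for v in t]
    return any(ki in v for v in values)
```

Changing transport keys in this model would only affect how a new Ki is delivered to the AuC; it does not alter what the HLR holds or what a SIM must prove.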