A Survey on the Security Vulnerabilities of Cellular Communication Systems (GSM-UMTS-LTE)


  • Vasileios Gkioulos, Norwegian University of Science and Technology
  • Stephen D. Wolthusen, Norwegian University of Science and Technology
  • Athanasios Iossifides, Alexander Technological Educational Institute of Thessaloniki


The development of mobile communication systems started immediately after the end of World War Two, with increasingly significant and global impact. The available systems faced various challenges, which forced the development of new practices and the introduction of emerging technologies. Security is an important aspect of these systems, owing to their widespread use, the significance of the transmitted information and the possibility of service abuse. This study examines the identified security vulnerabilities of digital mobile communication systems in parallel with the emerging threats. This will provide a valuable understanding of the historical efficiency of the deployed security mechanisms, as well as guidelines for the security requirements of future generation systems.

Author Biographies

Vasileios Gkioulos, Norwegian University of Science and Technology

Norwegian Information Security Laboratory

Stephen D. Wolthusen, Norwegian University of Science and Technology

Norwegian Information Security Laboratory

Athanasios Iossifides, Alexander Technological Educational Institute of Thessaloniki

Department of Electronics Engineering







Norsk Informasjonssikkerhetskonferanse 2016