Understanding the 3GPP LTE/NR NAS Security Mode Command and its impact on user privacy.
Introduction:
The securityModeCommand is set by the network and is the final security algorithm configuration selection made during RRC configuration after attaching to the network.
Various algorithms are available in the LTE and NR standards. Which algorithms and security capabilities (EPS encryption, integrity protection) are chosen depends on the UE capability that is reported to the network in the ueCapabilityInquiry.
This has a direct impact on the privacy of the user in their interaction with the network. Once established after the first plaintext negotiation between the UE and the network (ueCapabilityInquiry and ueCapabilityInformation), all communication is then ciphered and integrity protected with end-to-end encryption. This uses a key exchange process that is unique to each session, or unique to each bearer. When adding or removing component carriers, adding or removing a bearer, or switching from one site to another during mobility, the integrity protection can be refreshed and reestablished. This integrity protection applies to and encompasses all communication within the bearers, including the IMS bearer, which is used to transport VoLTE/VoNR voice, video, and SMS.
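As an added example (not from the original page or from any vendor tool), the Python below decodes the selected-algorithms octet of an LTE NAS Security Mode Command and checks it against the EEA/EIA bitmaps the UE advertised, flagging null or unadvertised algorithms. The bit layout assumed is the EPS NAS encoding in 3GPP TS 24.301; the function names and sample bytes are constructed for illustration.

```python
# Added example: decode EPS NAS security fields (layout assumed per 3GPP TS 24.301).
# Sample bytes below are constructed for illustration, not taken from a capture.

EEA = {0: "EEA0 (null)", 1: "128-EEA1 (SNOW 3G)", 2: "128-EEA2 (AES)", 3: "128-EEA3 (ZUC)"}
EIA = {0: "EIA0 (null)", 1: "128-EIA1 (SNOW 3G)", 2: "128-EIA2 (AES)", 3: "128-EIA3 (ZUC)"}


def decode_selected(octet):
    """Selected NAS security algorithms: bits 7-5 ciphering, bits 3-1 integrity."""
    return (octet >> 4) & 0x7, octet & 0x7


def decode_capability(octet):
    """Capability bitmap: bit 8 (MSB) is algorithm 0, bit 1 (LSB) is algorithm 7."""
    return {n for n in range(8) if octet & (0x80 >> n)}


def audit_smc(selected_octet, ue_eea_octet, ue_eia_octet, emergency=False):
    """Return (ciphering name, integrity name, list of findings) for one SMC."""
    cipher, integ = decode_selected(selected_octet)
    findings = []
    if selected_octet & 0x88:
        findings.append("spare bits set in selected-algorithms octet")
    if cipher not in decode_capability(ue_eea_octet):
        findings.append("ciphering algorithm was not advertised by the UE")
    if integ not in decode_capability(ue_eia_octet):
        findings.append("integrity algorithm was not advertised by the UE")
    if cipher == 0:
        findings.append("null ciphering: NAS signalling is sent in the clear")
    if integ == 0 and not emergency:
        findings.append("null integrity outside an emergency session")
    return (EEA.get(cipher, f"EEA{cipher}"), EIA.get(integ, f"EIA{integ}"), findings)


if __name__ == "__main__":
    # Constructed UE capability: EEA0-EEA3 (0xF0), EIA1-EIA3 only (0x70).
    for selected in (0x22, 0x02, 0x00):
        print(hex(selected), audit_smc(selected, 0xF0, 0x70))
```
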
Resulting entry in LTE RRC packet:
Resulting entry in NR RRC packet:
How to enable additional NAS Security Capabilities:
Step 1: Launch EFS explorer
Launch QPST with your device in diag mode. Then, open the EFS explorer.
Step 2: Upload the NV item files setting additional security algorithms
Navigate to /nv/item_files/modem/nas/
Right-click and choose “Copy item file from PC”; do not drag and drop.
List of NV item files:
lte_nas_ue_sec_capability set to TBD
lte_nas_ue_additional_sec_capability set to TBD
nas_config_feature set to TBD
dos_mitigation_feature_config set to 0x01
avoid_guti_nas_security_check set to 0x00
For dual SIM devices also add:
lte_nas_ue_sec_capability_Subscription01 set to TBD
nas_config_feature_Subscription01 set to TBD
dos_mitigation_feature_config_Subscription01 set to 0x01
avoid_guti_nas_security_check_Subscription01 set to 0x00
Download from coming soon