guti reallocation demystified: cellular location tracking ... · 160 paging / sec success rate of...
TRANSCRIPT
GUTIReallocationDemystified:CellularLocationTrackingwithChanging
TemporaryIdentifier
ByeongdoHong,SangwookBae,YongdaeKimKAISTSysSecFeb.19,2018
SysSec System Security Lab.
PagingAreainCellularNetwork
2
TrackingArea(radius<10km)
Paging:AmethodtofindspecificsubscriberHow?Byusingsubscriber’sidentifier
Yongdae
PagingAreainCellularNetwork
3
TrackingArea(radius<10km) PagingRequest
Paging:AmethodtofindspecificsubscriberHow?Byusingsubscriber’sidentifier
Yongdae
PagingAreainCellularNetwork
4
TrackingArea(radius<10km) PagingRequest
PagingResponse
Paging:AmethodtofindspecificsubscriberHow?Byusingsubscriber’sidentifier
Yongdae
IdentifiersinCellularNetworks v Permanent/Uniqueidentifier
– IMSI(InternationalMobileSubscriberIdentity)§ ProvisionedintheSIMcard
v Temporaryidentifier– Usedtohidesubscriber
§ TMSI(TemporaryMobileSubscriberIdentity)• Usedin2G/3G
§ GUTI(GloballyUniqueTemporaryIdentity)• UsedinLTE
5
LocationTrackinginCellularNetwork
6
LocationArea1
LocationArea2 VictimYongdae
UserB
TMSI:0xDEADBEEF
UserC
0xDEADBEEF
Attacker
Kuneetal.NDSS2012
0xDEADBEEF=Yongdae?
LocationTrackinginCellularNetwork
7
LocationArea1
LocationArea2 VictimA
UserBUserC
12345
Attacker
Repeatdialing
0xff123456=AIfoundA!!
TemporaryIDIssue:UnchangedIdentifierGSM:NDSS’12,LTE:NDSS’16
TMSI:0xff123456
Phonenumber-TemporaryIDmappingv TrafficanalysistofindthesameTMSI(Kuneetal.NDSS’12)
– Findintersectsofidentifier’ssets
v Using“SilentCall”– Terminatingcallbeforeringing
v SamevulnerabilityinLTE-unchangedGUTI(Shaiketal.NDSS’16)
8
Attacker
PagingChannel Time
dt
Calltrigger Observation Calltrigger Calltrigger
dt dt
DefenseofLocationTracking v TemporaryIdentifierReallocation
– GUTIReallocationinLTE– TopreventbetweensubscriberandIDmapping
9
Q.IsGUTIReallocationthesolutiontoexistingattacks?
A.ItisYes
Butsimplychangingisnotasolution!
ExperimentSetup
10
DiagnosticMonitor
USRPB210Antenna
BroadcastChannelReceiver
DeviceAnalysis
SignalingCollectionandAnalysisTool(SCAT)[1]
BroadcastChannelAnalysis
srsLTE(Opensource)
[1]B.Hong,S.Park,H.Kim,D.Kim,H.Hong,H.Choi,J.P.Seifert,S.Lee,Y.Kim,PeekingovertheCellularWalledGardens-AMethodforClosedNetworkDiagnosis-,IEEETransactionsonMobileComputing.
WorldwideDataCollection Country #of
OP. #ofUSIM
#ofsignalings
Country #ofOP.
#ofUSIM
#ofsignalings
U.S.A 3 22 763K U.K. 1 1 41K Austria 3 3 807K Spain 2 2 51K Belgium 3 3 372K Netherlands 3 3 946K Switzerland 3 3 559K Japan 1 2 37K Germany 4 19 841K SouthKorea 3 14 1.7M France 2 6 305K
11
※ OP: operator, USIM: Universal Subscriber Identity Module, Signaling: control plane message
DatasummaryCollectionPeriod:2014.11.~2017.7.#ofcountries:11#ofoperators:28#ofUSIMs:78#ofvoicecalls:58K#ofsignalings:6.4M
Samevs.FingerprintableIDs
12
NDSS’12,‘16:SameIDàLocationTracking!!
Thiswork:IDFingerprintingàLocationTracking!!
FixedBytesinGUTIReallocation
AllocationPattern Operators AssigningthesameGUTI BE-III,DE-II,FR-II,JP-I Threebytesfixed CH-II,DE-III,NL-I,NL-II Twobytesfixed BE-II,CH-I,CH-III,ES-I,FR-I,NL-III Onebytesfixed AT-I,AT-II,AT-III,BE-I,DE-I
13
v 19operatorshavefixedbytes
AT:Austria,BE:Belgium,CH:Switzerland,DE:Germany,ES:Spain,FR:France,JP:Japan,NL:Netherlands
CaseI:Netherlands(NL-I)
14
0
64
128
192
0 10 20 30
Hex
adec
imal
val
ue
# of call
0
64
128
192
0 10 20 30
Hex
adec
imal
val
ue
# of call
0
64
128
192
0 10 20 30 H
exad
ecim
al v
alue
# of call
0
4
8
12
0 10 20 30
Hex
adec
imal
val
ue
# of call (a) 1st byte (b) 2nd byte
(c) 3rd byte (d) 4th byte
FF
40
80
C0
FF
40
80
C0
FF
40
80
C0
F
4
8
C
CaseI:Netherlands(NL-I)
15
0
64
128
192
0 10 20 30
Hex
adec
imal
val
ue
# of call
0
64
128
192
0 10 20 30
Hex
adec
imal
val
ue
# of call
0
64
128
192
0 10 20 30 H
exad
ecim
al v
alue
# of call
0
4
8
12
0 10 20 30
Hex
adec
imal
val
ue
# of call (a) 1st byte (b) 2nd byte
(c) 3rd byte (d) 4th byte
FF
40
80
C0
FF
40
80
C0
FF
40
80
C0
F
4
8
C
CaseII:Belgium(BE-II)
16
0
64
128
192
0 10 20 30
Hex
adec
imal
val
ue
# of call
48
50
52
54
56
58
0 10 20 30
Hex
adec
imal
val
ue
# of call
0
64
128
192
0 10 20 30
Hex
adec
imal
val
ue
# of call
0
64
128
192
0 10 20 30 H
exad
ecim
al v
alue
# of call
(a) 1st byte (b) 2nd byte
(c) 3rd byte (d) 4th byte
40
80
C0
FF
40
80
C0
FF
40
80
C0
30
32 34
36 38
CaseII:Belgium(BE-II)
17
0
64
128
192
0 10 20 30
Hex
adec
imal
val
ue
# of call
48
50
52
54
56
58
0 10 20 30
Hex
adec
imal
val
ue
# of call
0
64
128
192
0 10 20 30
Hex
adec
imal
val
ue
# of call
0
64
128
192
0 10 20 30 H
exad
ecim
al v
alue
# of call
(a) 1st byte (b) 2nd byte
(c) 3rd byte (d) 4th byte
40
80
C0
FF
40
80
C0
FF
40
80
C0
30
32 34
36 38
FixedBytesinGUTIReallocation
AllocationPattern Operators AssigningthesameGUTI BE-III,DE-II,FR-II,JP-I Threebytesfixed CH-II,DE-III,NL-I,NL-II Twobytesfixed BE-II,CH-I,CH-III,ES-I,FR-I,NL-III Onebytesfixed AT-I,AT-II,AT-III,BE-I,DE-I
18
v 19operatorshavefixedbytes
AT:Austria,BE:Belgium,CH:Switzerland,DE:Germany,ES:Spain,FR:France,JP:Japan,NL:Netherlands
StressTesting v NonoticeableruleofGUTIReallocationforsomeoperators
v Invokingvoicecallcontinuouslywithashorttime– Twotypesoftest
§ Weakstresstesting§ Hardstresstesting
• Callsatshorterintervalsthanweakstresstest
19
StressTestingResult v ForcethenetworktoskiptheGUTIreallocation
– PerformexperimentsonUSandKoreanoperators§ TwoUSandtwoKoreanoperators
20
Operator WeakStressTesting
HardStressTesting
KR-I O O KR-II X O US-I X O US-II O O
O:ReuseGUTIX:Nonoticeablechange
0
64
128
192
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29
Hex
adec
imal
val
ue
# of call 1st Byte 2nd Byte 3rd Byte 4th Byte
Network skips GUTI Reallocation
End weak stress testing
FF
40
80
C0
0
5
10
15
20
1 byte fixed 2 bytes fixed 3 bytes fixed
CallTrial
5 paging / sec 88 paging / sec 160 paging / sec
SuccessRateofourAttack v Requirednumberofcallscovering99%successrate
LocationTrackingwithGUTI v Observationofbroadcastchannelsaftercallinvocation
– Patternmatching(fixedbytes,assigningsameGUTI)– Locationtracking(TrackingArea,Cell)
22
OpenSignal(atKAIST)
Defenses+Requirements v Frequentrefreshingoftemporaryidentifier
– Perservicerequestv Unpredictableidentityallocation
– Cryptographicallysecurepseudorandomnumbergeneration§ Hash_DRBGcanbeused
v Collisionavoidancev Stress-testingresistancev Lowcostimplementation
23
Conclusion v Predictablereallocationlogic
– GUTIreallocationpattern§ Fixedbytes(19operators)
– SameGUTI§ Bystresstest(4testcases)§ AssigningsameGUTI
v Locationtrackingisstillpossibleincellularnetwork!v SecureGUTIreallocationmechanismisrequired
24
Q&A Thankyou
25
BACKUPSLIDES
GUTIFormat
27
DatasetRelease?v Ourdatasetincludessomewhatsensitiveinformation.
– NameoftelcosèVulnerabilitiescanbelinkedtotelcos.– SomeIMSIs
v Notclearifreleasingthisdatasetmaycauseanylegalissues.
v B.Hong,et.al,“PeekingovertheCellularWalledGardens-AMethodforClosedNetworkDiagnosis-,IEEETransactionsonMobileComputing.– Findingperformancebugsbycomparativeanalysisofcallflows
v Shouldwebuildopen-sourcedatasetusingcrowdsourcing?– Mayhelpcustomerstopushtelcostobuildsecureandbettercellularnetwork!
28
StressTestingResult:US-I
29
ProbabilitywithFixedBytes
AttackFlow
31
Obtaintargetinformation(Phonenumber,carrier)
PerformGUTIReallocation?
AttackFlow
32
PerformGUTIReallocation?
AnalysisofrulesforIDreallocation
Yes No
Findthetarget(MMEarea,Trackingarea,Cell)
AttackFlow
33
AnalysisofrulesforIDreallocation
Havefixedbytes?
Yes
Stresstest
No
Findthetarget(MMEarea,Trackingarea,Cell)
PagingDistributioninKorea(KR-I)
34
0 10 20 30 40 50 60 70 80 90
100
19:10 22:50 2:30 6:10 9:50 13:30
# of
pag
ing
/ sec
Time of day
Max:88pagings/sec
Min:5pagings/sec