Mobile Telephony Systems Security

Loretta Ilaria Mancini

School of Computer Science, University of Birmingham

November 2015

L. I. Mancini Mobile Telephony Systems Security

Motivation and Scope

What:
- Security of the over-the-air interface in Mobile Telephony Systems

Why:
- wireless communications
- mobile phones:
  - are always on and emitting their identity
  - answer without the agreement of their bearers
  - are pervasive
  - can collect personal data through a variety of sensors

Motivation and Scope

Enemies of Security and Privacy by Design:
- Low cost
- Computational limitations
- Limited storage
- Battery life
- Functionality
- Market competition

Summary

- Introduction to Mobile Telephony Systems
- Basic protocols
- 2G Security Features
- 2G Security Weaknesses
- 3G Security Features
- 3G Security Weaknesses
- 4G Security Features
- 4G Security Weaknesses
- Emerging and Future Generations
- Conclusions

Introduction to Mobile Telephony Systems

Cellular (Mobile Telephony) network: radio network covering wide geographic areas divided into cells.

Each cell is served by at least one base station.

A cellular network enables a large number of radio transceivers (e.g. mobile phones) to communicate with each other and with fixed transceivers (e.g. fixed telephones) via the base station.

Generations

Cellular communication is developed in generations:

- 0G (1970s): analog, did not support handover (i.e. user could not move from one cell to another while calling), devices built in car/truck or in a briefcase.
- 1G (1980s): mainly for voice services, no international roaming.
- 2G (1990) introduces: BSC to lighten MSC workload, encryption, mobile assisted handoff, data services, SMS, Internet, fax, picture sharing, international roaming.
- 3G (1995) offers: improved voice and data services including video call, higher speed internet access (up to 1Mbps), improved security.
- 4G (2006): aimed at boosting data services with increased data rate from 100Mbps to 1Gbps, based on IPv6.
- 5G (???)

Mobile Telephony Systems Architecture

Note: this architecture is simplified and uses 2G-like terminology. Similar network elements with similar functions are found in 3G networks.

Protocol Stack

Identity Management

- IMSI is the long-term identity stored on the SIM card
- TMSI is a short-term identity reallocated periodically
- According to the standard at least at each change of location
- New TMSI should not be linkable with old one

Basic Protocols

Basic Protocols: Identification Procedure

MS (K_IMSI, IMSI)                     Network (K_IMSI, IMSI)

  Network -> MS:  IDENTITY_REQ, ID_TYPE
  MS -> Network:  IDENTITY_RES, IMSI

- initiated by the network on a dedicated channel, usually when the MS first attaches
- trivially breaches anonymity

Basic Protocols: TMSI Reallocation Procedure

MS (K_IMSI, IMSI, TMSI, CK)           Network (K_IMSI, IMSI, TMSI, CK)

  Network:        new newTMSI
  MS -> Network:  L3_MSG, TMSI
  MS <-> Network: Management of means for ciphering: CK established
  Network -> MS:  {TMSI_REALL_CMD, newTMSI, LAI}^r_CK
  MS -> Network:  {TMSI_REALL_COMPLETE}^r_CK

- initiated by the network on a dedicated channel
- re-allocation message is encrypted
- should be periodically executed and should be executed at least at each change of location

Basic Protocols: Paging Procedure

MS (K_IMSI, IMSI, TMSI)               Network (K_IMSI, IMSI)

  Network -> MS:  PAGING_REQ, IMSI
  MS -> Network:  PAGING_RES, ID

- the paging request is sent on a broadcast channel by the network in order to deliver a service to a MS
- the paging request is sent in all the most recently visited location areas
- the paging response is sent on a dedicated channel
- ID is IMSI in 2G, TMSI in 3G

2G Security

2G Security Features

2G networks aim to provide:
- User Identity Confidentiality: to ensure privacy of the subscriber from third parties
- User Identity Authentication: to ensure that the subscriber is a legitimate one
- User Data Confidentiality

2G Authentication Protocol

2G Authentication Protocol:
- is always initiated by the network
- allows the network to establish that the subscriber is a legitimate one
- does not authenticate the network to the user
- is always executed after a dedicated channel is established and the MS has sent its identity

2G Authentication Protocol

MS (K_IMSI, IMSI)                     Network (K_IMSI, IMSI)

  Network:        generate RAND_i
                  compute XSRES_i = A3(RAND_i, K_IMSI)
                          CK_i = A8(RAND_i, K_IMSI)
                          AV_i = (RAND_i, XSRES_i, CK_i)
  Network -> MS:  RAND_i
  MS:             compute SRES_i = A3(RAND_i, K_IMSI)
                  compute and store CK_i = A8(RAND_i, K_IMSI)
  MS -> Network:  SRES_i
  Network:        if SRES_i <> XSRES_i then abort

2G Encryption

- A5 (enc) / A3 (auth) / A8 (key gen) algos are proprietary
- A5 has 3 variants:
  - A5/1 is the most used
  - A5/2 (weaker version of A5/1) is being phased out
  - A5/3 (KASUMI) stronger but not yet widespread in 2G networks
- algos can be negotiated
- network can enforce no encryption
- often no indication is given to the user about the use of encryption

2G Security Weaknesses

- lack of network authentication
- user identity secrecy breached by identification procedure
- no integrity protection
- no protection against replay attacks
- traffic encrypted only between MS and BTS, not in the core network
- security through obscurity (A3, A5, A8 based on proprietary algos)

2G Offline attack

Threat: SIM Cloning
Exploit: weaknesses in COMP128/COMP128-1
- used by key gen (A8) and auth (A3)
- allow retrieval of the long term key K_IMSI
Requirements:
- physical access to original SIM card
- card reader/writer
- blank SIM card
- cracking software
Effects: identity theft, available credit/allowance theft, DOS
Mitigations:
- cloning can be detected
- SIM using COMP128-2/3 cannot be cloned

Fake BS-based Attacks (rely on lack of network authentication)

Threat: IMSI Catcher
Exploit: lack of network authentication
Requirements:
- Fake BS (BS-like device)
- MS attaches to the BS with the stronger signal
- the Fake BS sends an identification request message asking for the long term identity IMSI
Effects: tracking the presence of a user in a given area
Mitigations:
- IMSI Catcher-Catcher
- Fake BS considered too expensive until advent of USRP and short range BSs (femtocells)
- Protect the identification procedure using PKI

demo performed at DefCon18

Fake BS-based Attacks (rely on lack of network authentication)

- IMSI Catcher: Fake BS can induce MS to attach using stronger signal than legitimate BS and then trigger the identification procedure to breach user privacy.
- Over-the-air SIM cloning: due to weaknesses in COMP128, K_IMSI can be retrieved over the air by sending selected challenges, but it can take several hours. SIM cloning can be detected by the network.
- Fake BS can deactivate ciphering and force MS to send data in clear (most MS do not alert the user when no encryption is used).
- Services can be delivered either by using a MS connected to the real network or by routing the data through a VOIP connection.

MS-based Attacks

Threat: Session key retrieval (one of many, live demo and cracking tool available)
Exploit: weaknesses in A5/1, A5/2
Requirements:
- 64 bits of known plaintext, e.g. control messages
- uses brute force-like attack based on rainbow tables (implemented in the Kraken tool)
- way of locating target user (e.g. silent SMS/silent call locating attack)
- device to sniff traffic on dedicated channel (modified Motorola phone)
Effects: breach of phone call/SMS message confidentiality
Mitigations: use stronger encryption algorithm

demo performed at CCC

MS-based Attacks

Threat: Network DOS attack
Exploit: channel request message, limited resources of BSC
Requirements: MS-like device capable of sending channel request messages
Effects:
- saturation of BSC resources
- service unavailability

MS-based Attacks

Threat: User De-registration DOS attack
Exploit: lack of authentication of signalling messages
Requirements: MS-like device programmed to send IMSI detach messages to the network
Effects: user unreachable for mobile terminated services

MS-based Attacks

Threat: Paging response DOS attack
Exploit: lack of authentication of signalling messages
Requirements:
- MS-like device programmed to send paging response messages to the network
- answer paging request faster than the victim phone
Effects:
- incoming call dropped
- incoming call hijacked if attack performed in unencrypted network
Mitigations: use of encryption, indication of no encryption on MS

MS-based Attacks

Threat: User tracking
Exploit: silent phone call/SMS, TMSI not updated often
Requirements: MS-like device programmed to sniff signalling messages over dedicated channels
Effects: breach of user privacy
Mitigations: frequent change of TMSI

demo performed at CCC

GSM Experimental Analysis and Hacking

- Osmocom-bb
- OpenBSC (uses commercial BTS)
- OpenBTS (implements BTS using USRP and GNU Radio)
- Wireshark
- BladeRF
- HackRF

Any Questions?

3G Security

3G Security Features

3G security mainly relies on the Authentication and Key Agreement (AKA) Protocol to provide:
- Mutual Authentication
- User Data Confidentiality
- User Identity Confidentiality (Anonymity)
- User Untraceability (Unlinkability)

3G Security Features: AKA Protocol

Initiated by the network to:
- Authenticate a MS identity
- Authenticate the network identity
- Establish a ciphering key
- Establish an integrity key


3G Security Features: AKA Protocol

MS (K, SQN_MS)                        SN/HN (K, SQN_HN)

SN/HN builds the Authentication Vector:
  AV = [RAND, XRES, CK, IK, AUTN]
  AUTN = (SQN_HN ⊕ AK) || MAC
  MAC = f1_K(SQN_HN || RAND)
  XRES = f2_K(RAND)
  CK = f3_K(RAND)
  IK = f4_K(RAND)
  AK = f5_K(RAND)

SN/HN -> MS: AUTH_REQ(RAND, AUTN)

MS computes:
  AK = f5_K(RAND)
  SQN_HN = (SQN_HN ⊕ AK) ⊕ AK
  XMAC = f1_K(SQN_HN || RAND)

MS checks:
  MAC == XMAC; on failure, MS -> SN/HN: AUTH_FAILURE(MAC)
  SQN_HN >= SQN_MS; on failure, MS -> SN/HN: AUTH_FAILURE(AUTS), followed by Resynch

MS calculates:
  RES = f2_K(RAND)
  CK = f3_K(RAND)
  IK = f4_K(RAND)

MS -> SN/HN: AUTH_RES(RES)

SN/HN checks:
  XRES == RES

3G Security Features: 3G AKA Protocol

3G crypto functions:
- are open to public scrutiny
- no practical attacks found so far

but 3G protocols have weaknesses

3G Attacks

Threat: 2G downgrade attack
Exploit: lack of authentication of serving network
Requirements: Fake BS
Effects: Fake BS forces downgrade to 2G
Mitigations: set network connection on 3G only in MS settings

3G Attacks

Threat: Redirection attack
Exploit: lack of authentication of serving network
Requirements: Fake BS and a MS connected to a real BS
Effects: redirection of the communication to a chosen network, perhaps one charging a higher rate or using weaker encryption

3G Attacks

Threat: AKA linkability attack
Exploit: AKA error messages
Requirements: Fake BS-like device
Effects: user tracking
Mitigations:
- conceal the error message
- send generic error message
- no error handling


3G Attacks

MS (K, SQN_MS)          Attacker (RAND, AUTN)          Network (K, SQN_HN)

  Network -> MS:   AUTH_REQ(RAND, AUTN)
  MS -> Network:   AUTH_RES(RES)

  Attacker -> MS:  AUTH_REQ(RAND, AUTN)
  MS -> Attacker:  AUTH_RES(RES)
                   if RES = SYNCH_FAIL || RES = f2_K_IMSI(RAND) then I know this MS!

  Attacker -> MS:  AUTH_REQ(RAND, AUTN)
  MS -> Attacker:  AUTH_RES(RES)
                   if RES = MAC_FAIL then this is another MS
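The MS-side AKA checks and the error-message leak described above, as an added example that is not part of the original slides: a small model showing that a replayed AUTH_REQ gets a synchronisation failure from the MS it was issued for and a MAC failure from any other MS, and that the "send generic error message" mitigation makes the two answers identical. Assumptions: f1..f5 are HMAC-SHA256 stand-ins rather than the real functions, the MS stores SQN_HN + 1 after a successful run, the AUTS contents are omitted, and the `GENERIC` cause and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os


def _f(tag, k, data, n):
    # Stand-in keyed function (HMAC-SHA256 truncated to n bytes).
    # Assumption for illustration only: NOT the real f1..f5.
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def f1(k, sqn, rand): return _f(b"f1", k, sqn + rand, 8)   # MAC / XMAC
def f2(k, rand): return _f(b"f2", k, rand, 8)              # RES / XRES
def f3(k, rand): return _f(b"f3", k, rand, 16)             # CK
def f4(k, rand): return _f(b"f4", k, rand, 16)             # IK
def f5(k, rand): return _f(b"f5", k, rand, 6)              # AK


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    def __init__(self, k):
        self.k, self.sqn = k, 0

    def auth_vector(self):
        """AV = [RAND, XRES, CK, IK, AUTN], AUTN = (SQN_HN xor AK) || MAC."""
        self.sqn += 1
        rand = os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        autn = xor(sqn, f5(self.k, rand)) + f1(self.k, sqn, rand)
        return {"RAND": rand, "XRES": f2(self.k, rand), "CK": f3(self.k, rand),
                "IK": f4(self.k, rand), "AUTN": autn}


class MobileStation:
    def __init__(self, k, generic_errors=False):
        self.k, self.sqn = k, 0
        self.generic_errors = generic_errors
        self.ck = self.ik = None

    def _fail(self, cause):
        # Mitigation from the slides: one generic error instead of the cause.
        return ("AUTH_FAILURE", "GENERIC" if self.generic_errors else cause)

    def on_auth_req(self, rand, autn):
        ak = f5(self.k, rand)
        sqn = xor(autn[:6], ak)                     # recover SQN_HN
        xmac = f1(self.k, sqn, rand)
        if not hmac.compare_digest(autn[6:], xmac):
            return self._fail("MAC")                # AUTH_FAILURE(MAC)
        sqn_hn = int.from_bytes(sqn, "big")
        if not sqn_hn >= self.sqn:
            return self._fail("SYNCH")              # AUTH_FAILURE(AUTS), AUTS body omitted
        # Assumption: the MS stores the next acceptable value, so a replay fails.
        self.sqn = sqn_hn + 1
        self.ck, self.ik = f3(self.k, rand), f4(self.k, rand)
        return ("AUTH_RES", f2(self.k, rand))


def replayed_request_responses(generic_errors):
    """Answers of the original MS and of another MS to a replayed AUTH_REQ."""
    k_a = bytes(range(16))        # constructed sample keys
    k_b = bytes(range(16, 32))
    hn = HomeNetwork(k_a)
    ms_a = MobileStation(k_a, generic_errors)
    ms_b = MobileStation(k_b, generic_errors)
    av = hn.auth_vector()
    first = ms_a.on_auth_req(av["RAND"], av["AUTN"])
    if first != ("AUTH_RES", av["XRES"]):
        raise RuntimeError("legitimate AKA run failed")
    return (ms_a.on_auth_req(av["RAND"], av["AUTN"]),
            ms_b.on_auth_req(av["RAND"], av["AUTN"]))


if __name__ == "__main__":
    for generic in (False, True):
        same, other = replayed_request_responses(generic)
        print("generic_errors=%s  original MS: %s  other MS: %s"
              % (generic, same[1], other[1]))
```

With a single generic cause the MS can no longer tell the network that a resynchronisation is needed, which is the cost of that mitigation in this model.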

3G Attacks

Threat: Femtocell rooting
Exploit: weaknesses in femtocell software/firmware
Requirements: Femtocell
Effects:
- breach of user confidentiality
- call/SMS interception
- breach of user privacy

4G Architecture

- simplified architecture (fewer elements with more complex functions)
- all IP network
- interworking with non-3GPP networks

4G Security aims

- user identity confidentiality
- mutual authentication (including SN to MS)
- data confidentiality
- data integrity

4G security features

- Re-use of UMTS Authentication and Key Agreement (AKA)
- Use of USIM required (GSM SIM excluded)
- 128 bit keys used but 256 bit keys could be used as well
- Interworking security for non-3GPP networks
- Extended key hierarchy

4G AKA and keys hierarchy

- establishes local master key between MME and MS
- hierarchy of keys derived
- different keys used to protect user data and signalling data
- fresh session keys can be generated without executing AKA
- integrity protection is compulsory
- ciphering is optional
- ciphering and integrity based on SNOW 3G and AES

Key hierarchy (levels labelled UE/MME and UE/eNB in the figure):

  K_IMSI
    CK, IK
      K_ASME
        K_NASenc, K_NASint
        K_eNB
          K_UPenc, K_RRCenc, K_RRCint
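The key hierarchy above, worked through as an added example that is not part of the original slides: each key is derived from its parent with HMAC-SHA-256, and a new K_eNB (with its user-plane and RRC keys) is derived from the same K_ASME without a new AKA run. Assumptions: the FC values, algorithm type distinguishers and parameter layout follow 3GPP TS 33.401 Annex A and the TS 33.220 KDF as recalled here and should be checked against the specification; CK, IK, the serving network identity and SQN xor AK are constructed sample values; function names are hypothetical.

```python
import hashlib
import hmac

# KDF inputs per 3GPP TS 33.401 Annex A (see the assumptions in the lead-in).
FC_KASME, FC_KENB, FC_ALG = 0x10, 0x11, 0x15
ALG_TYPE = {"NASenc": 0x01, "NASint": 0x02, "RRCenc": 0x03,
            "RRCint": 0x04, "UPenc": 0x05}
SNOW3G, AES = 1, 2   # algorithm identities for 128-EEA1/EIA1 and 128-EEA2/EIA2

# Constructed sample inputs (not real subscriber data).
SAMPLE_CK = bytes(range(16))
SAMPLE_IK = bytes(range(16, 32))
SAMPLE_SN_ID = bytes.fromhex("00f110")        # constructed 3-byte network identity
SAMPLE_SQN_XOR_AK = bytes.fromhex("0a0b0c0d0e0f")


def kdf(key, fc, *params):
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... ."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kasme(ck, ik, sn_id, sqn_xor_ak):
    # Local master key shared by UE and MME, bound to the serving network.
    return kdf(ck + ik, FC_KASME, sn_id, sqn_xor_ak)


def derive_kenb(kasme, uplink_nas_count):
    # Fresh per uplink NAS COUNT, so it can change without a new AKA run.
    return kdf(kasme, FC_KENB, uplink_nas_count.to_bytes(4, "big"))


def derive_alg_key(parent, usage, alg_id):
    # 256-bit output truncated to its 128 least significant bits.
    out = kdf(parent, FC_ALG, bytes([ALG_TYPE[usage]]), bytes([alg_id]))
    return out[16:]


def key_hierarchy(ck, ik, sn_id, sqn_xor_ak, uplink_nas_count,
                  enc_alg=AES, int_alg=AES):
    kasme = derive_kasme(ck, ik, sn_id, sqn_xor_ak)
    kenb = derive_kenb(kasme, uplink_nas_count)
    return {
        "K_ASME": kasme,
        "K_NASenc": derive_alg_key(kasme, "NASenc", enc_alg),
        "K_NASint": derive_alg_key(kasme, "NASint", int_alg),
        "K_eNB": kenb,
        "K_UPenc": derive_alg_key(kenb, "UPenc", enc_alg),
        "K_RRCenc": derive_alg_key(kenb, "RRCenc", enc_alg),
        "K_RRCint": derive_alg_key(kenb, "RRCint", int_alg),
    }


def sample_hierarchy(uplink_nas_count):
    return key_hierarchy(SAMPLE_CK, SAMPLE_IK, SAMPLE_SN_ID,
                         SAMPLE_SQN_XOR_AK, uplink_nas_count)


if __name__ == "__main__":
    for count in (0, 1):
        print("uplink NAS COUNT =", count)
        for name, key in sample_hierarchy(count).items():
            print("  %-9s %s" % (name, key.hex()))
```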

Beyond 4G

Cellular IoT (4.5G):
- aims at providing IoT services
- focuses on M2M communication
- deep coverage at lower speed

5G:
- Aimed at even better data services with increased speed

Conclusions

- Mobile systems have been deployed for a few decades
- security analysis has only recently opened to wider public scrutiny
- plenty of room for formal and experimental analysis
- technology in constant evolution
- reluctance towards PKI adoption for economical and historical reasons
- next generations will benefit from building on the strengths and avoiding the mistakes of past generations.

Thank You!