on low-cost privacy exposure attacks in lte mobile...
TRANSCRIPT
![Page 1: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/1.jpg)
ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE COMMUNICATION
Ruxandra F. Olimid*,** and Stig F. Mjølsnes** Dept. of Information Security and Communication Technology, NTNU, Norway** Dept. of Computer Science, University of Bucharest, Romania
RCD2017Bucharest, September18
![Page 2: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/2.jpg)
2
[https://www.statista.com/statistics/206615/forecast-of-the-number-of-global-hspa-lte-subscriptions-up-to-2014]
Motivation
![Page 3: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/3.jpg)
3
LTE - Architecture
![Page 4: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/4.jpg)
4
LTE - Identification
User side (UE):• SIM (2G), USIM(3G/4G)• Stores subscriber permanent ID (IMSI)
and private keys
IMSI (InternationalMobileSubscriberIdentity)
MCC(MobileCountryCode)
MNC(MobileNetworkCode)
MSIN(MobileSubscriberIdentificationNumber)
Network side (HSS):• Stores identification and authentication
parameters of the subscribers
![Page 5: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/5.jpg)
5
Identifiers & ParametersU
ser E
quip
men
t IMSI InternationalMobileSubscriberIdentity
IMEI InternationalMobileEquipmentIdentifier
IMEISV IMEISoftwareVersion
TMSIGUTIGUMMEI
TemporaryMobileSubscriberIdentityGloballyUniqueTemporaryIdentityGloballyUniqueMobilityManagementEntityIdentifier
K Thesharedcryptographickey
Net
wor
k O
pera
tor MCC MobileCountryCode
MNC MobileNetworkCode
TAC TrackingAreaCode
EARFCN EUTRAAbsoluteRadio-FrequencyChannelNumber
![Page 6: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/6.jpg)
6
Motivation
Subscriber Provider
IdentityRequest(IMSI)
IdentityResponse(IMSI)
[. . . ] requests the user to send its permanent identity. The user's response contains the IMSI in cleartext. This represents a breach in the provision of user identity confidentiality.
[ETSITS133401V10.3.0(2012-07)]
![Page 7: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/7.jpg)
7
Our contribution
Question: What is the effect of identities and parameters leakage in LTE mobile communication systems w.r.t. security
and privacy of the subscribers?
2 scenarios:
1. Physical access to the user equipment• apps, built-in codes
2. Attack the radio link• passive & active attacks
![Page 8: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/8.jpg)
8
Tools: Hardware
• Software radio peripherals (USRPs)– Ettus B200mini + antennas– HackRF One + antenna
• Computers - Standard desktops or laptops: Intel NUC D54250WYK (i5-4250U
CPU@1,30GHz), Lenovo ThinkPad T460s (i7-6600U CPU@2,30GHz)
• Mobile phones: – LG Nexus 5 Android v6.0.1– LG Nexus 5X Android v7.0
• SIM cards: – mobile operators in Norway and Romania
[https://www.ettus.com/product/details/USRP-B200mini]
[https://greatscottgadgets.com/hackrf/]
![Page 9: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/9.jpg)
9
Tools: Software• LTE Emulators and tools:
– Open Air Interface (OAI), an open source software that provides a (partially) standard compliant implementation of LTE
[http://www.openairinterface.org/]
– LTE Cell Scanner and Tracker[https://github.com/0x90/sdr-arsenal/tree/master/LTE-Cell-Scanner]
• Mobile phones:– Service Mode, built-in codes for mobile devices– Apps
![Page 10: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/10.jpg)
10
Physical Access to the UE
![Page 11: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/11.jpg)
11
Passive Attacks
Interception and decoding of SIB messages
![Page 12: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/12.jpg)
12
Active Attacks
LTE IMSI Catchers
![Page 13: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/13.jpg)
13
Our LTE IMSI Catcher• We have built an IMSI Catcher:
– Low-cost (< 3000 EUR)– ”Commercial of the shelf” hardware and readily available
software only– No (or basic) changes in the source code– Different implementations: DoS, downgrade to non-LTE
networks, immediate reconnection to the commercialnetwork
* Results published in 2 previous papers: MMM-ACNS’17 and Secrypt’17
![Page 14: ON LOW-COST PRIVACY EXPOSURE ATTACKS IN LTE MOBILE ...ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/rcd_2017.pdf · LTE -Identification User side(UE): • SIM (2G), USIM(3G/4G)](https://reader035.vdocuments.site/reader035/viewer/2022063009/5fc0bd0320072518a14b8b60/html5/thumbnails/14.jpg)
14
Thank you!
A!
Q?