New Adventures in Spying 3G & 4G Users: Locate, Track, Monitor

Ravishankar Borgaonkar, Lucca Hirshi, Shinjo Park, AltafShaik, Andrew Martin and Jean-Pierre Seifert

BLACKHAT USA 2017Las Vegas26 July 2017

ResearchTeam

Discoveryofattacks:

RavishankarBorgaonkar

LuccaHirschi

CarriedoutPOCwith:Shinjo Park&Altaf Shaik

Page 2

Outline

Background

Newprivacyattacks

Attacksinpractice exploitationmethodsanddemo

Impactagainstmobileusers

Countermeasures

Conclusions

Page 3

Generalcellulararchitecture

RadioAccessNetwork CoreNetwork

Emergingthreats

Page 4

Trackingmobileusers stateoftheart

Note:pictureprovidesanabstractviewonly

Page 5

BaseStationMNO Internet

Compromisemobile(Pegasus) Stingray

CompromiseMNO(GreekScandal)

SS7services(HLRLookup)

Mobile

TrackingusingStingray/fakebasestation

Page 6

FakeBaseStationMobilewithSIM

IMEIIMSI

2G3G/4G

AuthenticationProtocol

IMEI InternationalMobileEquipmentIdentity IMSI InternationalMobileSubscriberIdentitySIM SubscriberIdentityModule

AuthenticationandKeyAgreement(AKA)Protocol

Deployedinevery3G/4Gterminalssince2002 Mutualauthenticationbetweennetworkandmobiletoestablishasecurelink

Improvedin4G keysizes,keyseparationetc. Oftentermedasoneofthemostsuccessfulwidelydeployedcryptoprotocol

Page 7

Features Symmetrickeysharedbetweenmobile(USIM)andnetwork(HLR) Sequencenumberforavoidingreplayattacks

AKA:Stateoftheart

Page 8

Knownsecurityissues IMSIleakage Linkability attacks

Availabilityoflow-costhardwareandsoftwaretoolsNewattacks??

AKA:Bigpicture

Page 9

UserIdentification

AuthenticationMaterial

Challenge

Re-Synchronization

Mobile BaseStation Network

IMSICatchers

FailureMessages

Partofnewattackvector

Mobile RNC MSC/VLR AuC

authenticationrequestIMSI

XRES=f2(K,RAND)CK=f3(K,RAND)IK=f4(K,RAND)AK=f5(K,RAND)MAC=f1(K,RAND,SQN,AMF)

(RAND,AUTN(SQN AK,AMF,MAC),XRES,CK,IK)

(RAND,AUTN(SQNAK,AMF,MAC))

XRES=f2(K,RAND)CK=f3(K,RAND)IK=f4(K,RAND)AK=f5(K,RAND)MAC=f1(K,RAND,SQN,AMF)

verifyAUTNandcomputeRES RES

ifRES==XRES

sessionwithencryptionandIntegritykeys

ifRESisdifferentfromXRES,re-synchronizationprocedure

identityrequest:IMSI

AKAprotocol

K,SQN K,SQN

RoleofSequenceNumber(SQN)inAKA

SQNforprovidingfreshnesstomobile(preventreplayattacks) HelpsinsavingoneroundtripmessagetoAuC AuC storesSQNandincrementitforeachauthentication MaskedwithanonymitykeyAKtoprotectprivacyofmobiles USIMstoreshighestreceivedSQNfromthenetwork Incaseoffailure,resynchronisationofSQNwithAuC

USIMmustsendcurrentSQNtoAuC MaskedwithanonymitykeyAK*

Page 11

Page 12

Mobile BaseStation Network

SQNtoohighorlow

SendcurrentSQNtonetwork

SequenceNumberSQNpolicies

SQNcountermaybeupdatedby1 SQNmaybetime-based

Page 13

Accordingtoguidelinesfrom3GPPTS133.102,differentpoliciesforSQNanditsupdate:

Mostofourattacksworkforanypoliciesthatarenottime-based.OtherLocationattacksworkindependentofpolicy.

Newvulnerabilitiesandattacks

Page 14

FirstAttackVector

Requestofchallengesarenotauthenticated Designchoiceofsymmetrickeymechanism SeemsnocheckatAuC (HLR)forsuchqueries

Privacyimpact BuildafakeUSIMbyreprogrammingIMSI CollectRAND,AUTNpairs Re-usethemtolocateaparticularmobileusers

Page 15

UserIdentification

AuthenticationMaterial

Challenge

Re-Synchronization

Exploitingfirstattackvector

Page 16

HLRLookupservices phonenumber IMSI

HowtofindIMSIofatarget

ReprogramIMSI Nootherkeysrequired CollectRAND,AUTNpairs

BuildafakeUSIMcard

Locationattacksagainst3G/4Gdevices

Locationattacks Locateatargetedphone(rangeof2km) TrackfurtherusingGPSortriangulationmethod

RAND,AUTN

Page 17

Our Attacks

LearnnleastsignificantbitsofSQN(andIND) Learnwhethermobileattachedtocertainnetworkinacertaintimewindow

Page 18

Activitymonitoringattacks

Locationattacks

Track/traceamobileintheradiusoffakebasestation

Serviceusage(calls/SMS) numberofauthentications increaseSQN

Mobilesactivity newtypeofthreat

Proof of concept

Page 20

Mobile Stingray Network

Attacks&Demo

Page 20

Experimentalsetup

Hardware USRPB210 Anysmartcardreader ProgrammableUSIM

Software pySIM OpenLTE

Hardwaresetupcostsabout1400$

Page 21

Puttingattacksintopractice

Practicalconfirmationofallattacksinrealnetworks

(Available)hardwaresetupcost:1400$(100$forPOConly)

Monitoringattack:10bitsofSQNquickly(12injections+64eavesdrops)

Monitoringattackcanbeimprovedwithmoreefficientsignallingsetup

Page 22

Observationsindeployed3G/4Gnetworks1

NoclearrequirementsinTS33.102(onlyguidelines)

DifferentpoliciesaboutacceptingunusedAUTN,RANDpair

RisktomutualauthenticationpropertyofAKA

Page 23

Issuewithawindowofacceptablesequencenumbervaluestorecoverfromlossorreordering

Observationsindeployed3G/4Gnetworks..2

TestedinfewEuropeanmobileoperators

AssistinrevealingSQN,bypassmutualauthentication,andlocateamobilephone

Protectionneeded?

Page 24

NoratelimitatwhichAKAtokenscanberequestedfromHLR

Impactsagainstusers&operators

Page 25

Newthreatonprivacy(activitymonitoringattack) Newlocationattack,hardertodetect,hardertofix Affectall3Gand4Gdevices Likelytoaffectin5G??

EndUsers:

CellularOperators: NewattackinterfacetoinjectpacketstoHLR(heartofthenetwork) PoorSQNpoliciesmayintroducedenialofserviceattacks ProblemsindetectingmodernIMSIcatchers

Countermeasures

Page 26

Evaluate SQNacceptancepolicy RatelimitauthenticationrequestatAuC/HLR?

MobileOperators:

EndUsers: Unfortunately,nothingmuchbesideuseWiFi serviceswithoutUSIM

Vendors: Hopefullyfakebasestationswillnolongerworkin5G Supportforlegacynetwork(2G/3G/4G)challenging MoreeffortsinmobileOStotacklefakebasestationproblem

Conclusions..1

Page 27

Trade-offsarestillvalid- almost25years Mobiledevicesarestilldumbterminalsinthearchitecture Therearealmostinfinitewaystobuildsmart4GIMSIcatchers

Lessons:

OurFindings: Newattackvectorleadingtovariousprivacybreaches Activitymonitoringattackleakingnewtypeofinformationtoattacker AffectdifferentvariantsofAKA:{EAP,EPS}AKA,HTTPdigestAKA Countermeasuresrequirenon-trivialdedicatedmodifications(for5G) ImprovedpoliciesonSQNmayassistinminimizingimpact

Conclusions..2

Page 28

From3GPPTR33.899V1.1.0(2017-03):

Study on the security aspects of the next generation system (5G)

ThankYou.

Questions?

Page 29

Thisworkwaspartlysupportedby5G-Ensure(grantagreementNo.671562www.5Gensure.eu).