New Adventures in Spying 3G & 4G Users: Locate, Track, Monitor
Ravishankar Borgaonkar, Lucca Hirschi, Shinjo Park, Altaf Shaik, Andrew Martin and Jean-Pierre Seifert
Black Hat USA 2017, Las Vegas, 26 July 2017

Research team
Discovery of attacks: Ravishankar Borgaonkar, Lucca Hirschi
Carried out POC with: Shinjo Park & Altaf Shaik
Outline
- Background
- New privacy attacks
- Attacks in practice: exploitation methods and demo
- Impact against mobile users
- Countermeasures
- Conclusions
General cellular architecture
(Figure: Radio Access Network and Core Network, with emerging threats marked)

Tracking mobile users: state of the art
Note: picture provides an abstract view only
(Figure: Mobile, Base Station, MNO, Internet; known tracking points:)
- Compromise the mobile (Pegasus)
- Stingray / fake base station
- Compromise the MNO (Greek scandal)
- SS7 services (HLR lookup)
Tracking using Stingray / fake base station
(Figure: fake base station facing a mobile with SIM; identifiers IMEI and IMSI; 2G versus 3G/4G authentication protocol)
IMEI: International Mobile Equipment Identity. IMSI: International Mobile Subscriber Identity. SIM: Subscriber Identity Module.

Authentication and Key Agreement (AKA) protocol
- Deployed in every 3G/4G terminal since 2002
- Mutual authentication between network and mobile to establish a secure link
- Improved in 4G: key sizes, key separation, etc.
- Often termed one of the most successful widely deployed crypto protocols
AKA: state of the art
Features:
- Symmetric key shared between mobile (USIM) and network (HLR)
- Sequence number for avoiding replay attacks
Known security issues:
- IMSI leakage
- Linkability attacks
Availability of low-cost hardware and software tools: new attacks??

AKA: big picture
(Figure: Mobile, Base Station, Network; four phases: User Identification, Authentication Material, Challenge, Re-Synchronization. IMSI catchers exploit User Identification; the Failure Messages of the Re-Synchronization phase are part of the new attack vector.)
AKA protocol
Parties: Mobile (USIM holding K, SQN), RNC, MSC/VLR, AuC (holding K, SQN)
1. Network -> Mobile: identity request; Mobile -> Network: IMSI
2. MSC/VLR -> AuC: authentication request (IMSI)
3. AuC picks RAND and computes XRES = f2(K, RAND), CK = f3(K, RAND), IK = f4(K, RAND), AK = f5(K, RAND), MAC = f1(K, RAND, SQN, AMF)
4. AuC -> MSC/VLR: (RAND, AUTN = (SQN ⊕ AK, AMF, MAC), XRES, CK, IK)
5. MSC/VLR -> Mobile: (RAND, AUTN = (SQN ⊕ AK, AMF, MAC))
6. Mobile computes RES = f2(K, RAND), CK = f3(K, RAND), IK = f4(K, RAND), AK = f5(K, RAND), MAC = f1(K, RAND, SQN, AMF), verifies AUTN (MAC and SQN freshness) and returns RES
7. If RES == XRES: session with the encryption and integrity keys CK, IK
   If the mobile's SQN check on AUTN fails: re-synchronisation procedure (the mobile answers with AUTS instead of RES); if RES differs from XRES, the network rejects the authentication
Role of the Sequence Number (SQN) in AKA
- SQN provides freshness to the mobile (prevents replay attacks)
- Helps in saving one round-trip message to the AuC
- The AuC stores SQN and increments it for each authentication
- Masked with the anonymity key AK to protect the privacy of mobiles
- The USIM stores the highest SQN received from the network
- In case of failure, re-synchronisation of SQN with the AuC: the USIM must send its current SQN to the AuC, masked with the anonymity key AK* (= f5*(K, RAND))
(Figure: re-synchronisation. Mobile, Base Station, Network: if the SQN in AUTN is too high or too low, the mobile sends its current SQN to the network.)

Sequence Number (SQN) policies
According to the guidelines in 3GPP TS 33.102 (published by ETSI as TS 133 102), there are different policies for SQN and its update:
- the SQN counter may be updated by 1
- the SQN may be time-based
Most of our attacks work for any policy that is not time-based. The other location attacks work independently of the policy.
New vulnerabilities and attacks

First attack vector
- Requests for challenges are not authenticated: a design choice of the symmetric-key mechanism
- There seems to be no check at the AuC (HLR) for such queries
Privacy impact:
- Build a fake USIM by reprogramming the IMSI
- Collect (RAND, AUTN) pairs
- Re-use them to locate a particular mobile user
Exploiting the first attack vector
(Figure: User Identification, Authentication Material, Challenge, Re-Synchronization)

How to find the IMSI of a target: HLR lookup services map a phone number to an IMSI

Build a fake USIM card
- Reprogram the IMSI; no other keys required
- Collect (RAND, AUTN) pairs

Location attacks against 3G/4G devices
- Locate a targeted phone (range of 2 km) by replaying a collected (RAND, AUTN) pair
- Track further using GPS or triangulation methods
Our attacks
- Learn the n least significant bits of SQN (and IND)
- Learn whether a mobile was attached to a certain network in a certain time window

Location attacks: track/trace a mobile within the radius of the fake base station
Activity monitoring attacks: service usage (calls/SMS) means authentications, and every authentication increases SQN
Monitoring a mobile's activity is a new type of threat
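The AKA exchange from the protocol slides and the SQN-inference attack described above, as an added example that is not the authors' code or proof of concept. It models an AuC that hands out (RAND, AUTN) vectors for an IMSI without authenticating the request, a USIM that answers a non-fresh challenge with AUTS, and an attacker who replays one collected pair and XORs the CONC fields of the answers. Assumptions: MILENAGE f1..f5, f1* and f5* are replaced by HMAC-SHA256 stand-ins, the USIM accepts any SQN strictly larger than the stored one (no re-ordering window, no IND array), the key K, the initial counter and the number of increments are constructed values, and the bit-recovery solver is a generic brute force over the low n bits rather than the 12-injection procedure from the talk.

```python
"""Toy model of 3G/4G AKA sequence numbers and of the SQN leak through the
re-synchronisation message.  Added example, not the authors' code: MILENAGE
f1..f5, f1*, f5* are HMAC-SHA256 stand-ins (assumption), and the USIM accepts
any SQN strictly greater than the one it stores (simplified TS 33.102 check)."""
import hashlib
import hmac
import os

SQN_LEN = 6               # SQN, AK and AK* are 48 bits
AMF = b"\x80\x00"         # AMF carried in AUTN
AMF_RESYNC = b"\x00\x00"  # AMF used when computing MAC-S for AUTS

def _prf(k, tag, data, n):  # keyed PRF standing in for one MILENAGE function
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def f1(k, rand, sqn, amf):     return _prf(k, b"f1", rand + sqn + amf, 8)   # MAC-A
def f1star(k, rand, sqn, amf): return _prf(k, b"f1*", rand + sqn + amf, 8)  # MAC-S
def f2(k, rand):               return _prf(k, b"f2", rand, 8)               # RES/XRES
def f5(k, rand):               return _prf(k, b"f5", rand, SQN_LEN)         # AK
def f5star(k, rand):           return _prf(k, b"f5*", rand, SQN_LEN)        # AK*

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def sqn_bytes(sqn): return sqn.to_bytes(SQN_LEN, "big")

class AuC:
    """Home network: shares K and SQN with the USIM; issues vectors to anyone."""
    def __init__(self, k, sqn):
        self.k, self.sqn = k, sqn

    def vector(self):
        self.sqn += 1                                   # policy: SQN += 1 per vector
        rand = os.urandom(16)
        mac = f1(self.k, rand, sqn_bytes(self.sqn), AMF)
        autn = xor(sqn_bytes(self.sqn), f5(self.k, rand)) + AMF + mac
        return rand, autn, f2(self.k, rand)             # (RAND, AUTN, XRES)

    def resync(self, rand, auts):                       # unmask SQN_MS, check MAC-S
        conc_ms, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
        sqn_ms = xor(conc_ms, f5star(self.k, rand))
        if not hmac.compare_digest(mac_s, f1star(self.k, rand, sqn_ms, AMF_RESYNC)):
            raise ValueError("bad MAC-S")
        self.sqn = int.from_bytes(sqn_ms, "big")

class USIM:
    def __init__(self, k, sqn):
        self.k, self.sqn = k, sqn

    def challenge(self, rand, autn):
        conc_hn, amf, mac = autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + 2], autn[SQN_LEN + 2:]
        sqn = xor(conc_hn, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return "MAC_FAILURE", None
        if int.from_bytes(sqn, "big") <= self.sqn:      # replay or out of order
            mine = sqn_bytes(self.sqn)                  # AUTS = (SQN_MS xor AK*) || MAC-S
            auts = xor(mine, f5star(self.k, rand)) + f1star(self.k, rand, mine, AMF_RESYNC)
            return "SYNC_FAILURE", auts
        self.sqn = int.from_bytes(sqn, "big")
        return "RES", f2(self.k, rand)

def run_protocol():  # honest run, the same challenge replayed, re-synchronisation
    k = os.urandom(16)
    auc, ue = AuC(k, sqn=100), USIM(k, sqn=100)
    rand, autn, xres = auc.vector()
    status, res = ue.challenge(rand, autn)
    status2, auts = ue.challenge(rand, autn)            # no longer fresh
    auc.sqn = 7                                         # pretend the AuC fell behind
    auc.resync(rand, auts)
    return status == "RES" and res == xres, status2, auc.sqn == ue.sqn

def conc(auts): return int.from_bytes(auts[:SQN_LEN], "big")

def recover_low_bits(samples, n):
    """samples: (m, delta) with delta = SQN(t0) xor SQN after m more authentications.
    Brute-force the 2^n candidates for the low n bits of SQN(t0); return
    (value, mask) of the bits all survivors agree on.  Generic solver only."""
    mod = 1 << n
    survivors = [c for c in range(mod) if all(
        ((c ^ (c + m)) & (mod - 1)) == (d & (mod - 1)) for m, d in samples)]
    mask = mod - 1
    for c in survivors:
        mask &= ~(c ^ survivors[0]) & (mod - 1)
    return survivors[0] & mask, mask

def simulate(increments=64, n=10):
    """Attacker with a fake USIM for the target IMSI: fetch a vector from the
    HLR, inject it as anchor, then after every authentication it injects or
    eavesdrops replay the anchor.  RAND is fixed, so AK* is fixed and the XOR
    of two CONC values is SQN(t0) xor SQN(t0 + m).  Any reply at all also
    tells the fake cell that the target is present (location attack)."""
    k = bytes(range(16))                                # constructed key
    auc = AuC(k, sqn=0x0123456789 - 1)                  # constructed counter
    ue = USIM(k, sqn=auc.sqn)                           # USIM in sync with the AuC
    rand, autn, _ = auc.vector()                        # anchor: fresh, accepted
    ue.challenge(rand, autn)
    s0 = ue.sqn
    c0 = conc(ue.challenge(rand, autn)[1])              # replay -> SYNC_FAILURE
    samples = []
    for m in range(1, increments + 1):
        r, a, _ = auc.vector()                          # injected or eavesdropped auth
        ue.challenge(r, a)
        samples.append((m, c0 ^ conc(ue.challenge(rand, autn)[1])))
    value, mask = recover_low_bits(samples, n)
    return value, mask, s0 & ((1 << n) - 1)
```

simulate() returns the recovered bit value, the mask of bits that are determined, and the true low bits of the target's counter for comparison. With the constructed counter and 64 increments, one carry through bit 6 falls inside the window, so the eight surviving candidates agree on the low 7 bits; with this generic solver each further bit needs a carry one position higher, i.e. about twice as many observed authentications. Note what the leak does and does not give: the counter itself never leaves the USIM in the clear, only XOR differences between its values, but those differences are enough to count the target's authentications (calls, SMS, attaches) between two visits to the fake cell. A rate limit on vector requests at the HLR, the operator countermeasure later in the deck, shrinks the injection side of that loop but not the eavesdropped one.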
Proof of concept
Attacks & demo
(Figure: Mobile, Stingray, Network)

Experimental setup
- Hardware: USRP B210, any smart card reader, programmable USIM
- Software: pySIM, OpenLTE
- Hardware setup costs about $1400

Putting attacks into practice
- Practical confirmation of all attacks in real networks
- (Available) hardware setup cost: $1400 ($100 for POC only)
- Monitoring attack: 10 bits of SQN quickly (12 injections + 64 eavesdrops)
- Monitoring attack can be improved with a more efficient signalling setup
Observations in deployed 3G/4G networks (1)
- No clear requirements in TS 33.102 (only guidelines)
- Different policies about accepting an unused (AUTN, RAND) pair
- Risk to the mutual authentication property of AKA
- Issue with a window of acceptable sequence number values, meant to recover from loss or reordering

Observations in deployed 3G/4G networks (2)
- Tested in a few European mobile operators
- Findings assist in revealing SQN, bypassing mutual authentication, and locating a mobile phone
- No rate limit at which AKA tokens can be requested from the HLR
Protection needed?
Impacts against users & operators
End users:
- New threat on privacy (activity monitoring attack)
- New location attack, harder to detect, harder to fix
- Affects all 3G and 4G devices; likely to affect 5G??
Cellular operators:
- New attack interface to inject packets into the HLR (heart of the network)
- Poor SQN policies may introduce denial of service attacks
- Problems in detecting modern IMSI catchers
Countermeasures
Mobile operators:
- Evaluate the SQN acceptance policy
- Rate limit authentication requests at the AuC/HLR?
End users: unfortunately, nothing much besides using WiFi services without a USIM
Vendors:
- Hopefully fake base stations will no longer work in 5G
- Support for legacy networks (2G/3G/4G) is challenging
- More effort in mobile OSes to tackle the fake base station problem
Conclusions (1)
Lessons:
- The trade-offs are still valid after almost 25 years
- Mobile devices are still dumb terminals in the architecture
- There are almost infinite ways to build smart 4G IMSI catchers
Our findings:
- New attack vector leading to various privacy breaches
- Activity monitoring attack leaking a new type of information to the attacker
- Affects different variants of AKA: EAP-AKA, EPS-AKA, HTTP Digest AKA
- Countermeasures require non-trivial dedicated modifications (for 5G)
- Improved policies on SQN may assist in minimizing the impact

Conclusions (2)
From 3GPP TR 33.899 V1.1.0 (2017-03): Study on the security aspects of the next generation system (5G)
Thank You.
Questions?

This work was partly supported by 5G-Ensure (grant agreement No. 671562, www.5Gensure.eu).