17

FOS LTE IMSI CATCHER DOMI

fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Download PDF Report

Upload
others
View
22
Download
0

Embed Size (px)

Citation preview

Page 1: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

FOSLTEIMSICATCHERDOMI

Page 2: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

WARNING!ThistalkwillbeaboutclassicIMSIcatchers– do

notexpectMITMcalls,dataetc.

Page 3: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

GSMIMSIcatcher- recap• CreateafakeBTSwith• highreselectionvalue(C1,C2)• randomlocationareacode

• PhoneswillconnectandinitiateLocationUpdate• ReplywithIdentityRequest(requestIMSI)• AftergettingtheIMSIsendLUReject– cause13oranyotherdependingonyourintention

Page 4: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Whycouldwedothis?Nomutualauthentication,thenetworkisalwaystrusted

Rejectmessagesneedtobeunencrypted

(Sh*tty ornullcryptoalsoleadtoMITMetc.)

Page 5: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

LTEArchitecture

EUTRANArchitecturebyCrati underCCBY-SA3.0

INTERNETPSTNPLMN

Page 6: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

ChangesinLTE•Mutualauthentication

• Integrityprotection

• Bettercrypto

Page 7: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Procedureimprovements•MostproceduresrequireASsecurityenabled(integrityprotection)• UEsdropnon-protectedmessagesoncetheyhaveestablishedsecuritycontext

•Shouldbefine,right?

Page 8: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Page 9: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Tinylittleprotocolproblem…

Page 10: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

TrackingAreaUpdateReject• UEsendsaTrackingAreaUpdateRequest• RogueeNodeB rejectsitwithcause9

3GPPTS24.301-5.5.3.2.5

Page 11: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

CatchingtheIMSI• Nomorekey/securitycontextinUE

• UEwillinitiateattach

• ItisallowedtoaskforitsIMSIinanIDENTITYREQUEST

• AftergettingitwesendanATTACHREJECTwithcause#12(TrackingAreanotallowed)

Page 12: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

HWandSW• USRPandlaptop•ManyopensourceLTEprojects(thisisAWESOMEbtw):•openLTE•OpenAirInterface• srsLTE andsrsUE• OwnimplementationofMME/corenetwork(pendingrequesttoopensourceit)

Page 13: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

RogueeNodeB• Needtosomehow‘lure’UEs• InGSMyoujustneededaneighborcell’sfrequency+highreselectionvalue• InLTEalistoffrequenciesarebroadcastedwiththeirpriorities–>youneedtodecodethelist,andselectthefrequencywiththehighestpriority

Page 14: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Page 15: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

ThesePeoplearegreat!*APPLAUSE*• Ravishankar Borgaonkar andAltaf ShaikfordiscoveringtheTAURejectvuln (andmanyotherproblems)inLTE• BenoitMichau forthelibrarymycorenetworkisbasedon• PhilippeLanglois andElvisPfützenreuter forpysctp

•MymentorsduringmyinternshipatQualcomm:KevinRedonandNicoGolde

Page 16: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Q&A

Page 17: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Thankyou!Key-ID:E2712651

Fingerprint:811C3FC3CFCB16E4BAEBF5FB7440DF59E2712651

Catching IMSI-catcher-catchers: An e ectiveness … e ectiveness review of IMSI-catcher-catcher applications Author: ... In our research we take three well known and ... and the network

Catching IMSI-catcher-catchers: An e ectiveness … e ectiveness review of IMSI-catcher-catcher applications Author: ... In our research we take three well known and ... and the network

Documents

White-Stingray: Evaluating IMSI Catchers Detection Applications … · White-Stingray: Evaluating IMSI Catchers Detection Applications Ravishankar Borgaonkar, Andrew Martin Department

White-Stingray: Evaluating IMSI Catchers Detection Applications … · White-Stingray: Evaluating IMSI Catchers Detection Applications Ravishankar Borgaonkar, Andrew Martin Department

Documents

Defeating IMSI Catchers - Institute for Computing and ...fabianbr/Defeating_IMSI_Catchers.pdf · Defeating IMSI Catchers Fabian van den Broek Institute for Computing and Information

Defeating IMSI Catchers - Institute for Computing and ...fabianbr/Defeating_IMSI_Catchers.pdf · Defeating IMSI Catchers Fabian van den Broek Institute for Computing and Information

Documents

ACS IMSI Pool Configuration Mode Commands · ACS IMSI Pool Configuration Mode Commands TheACSIMSIPoolConfigurationModeisusedtodefineapoolofsubscriberInternationalMobileStation Identifier(IMSI

ACS IMSI Pool Configuration Mode Commands · ACS IMSI Pool Configuration Mode Commands TheACSIMSIPoolConfigurationModeisusedtodefineapoolofsubscriberInternationalMobileStation Identifier(IMSI

Documents

Catching IMSI catchers - TA3M.org · PDF fileIMSI catcher catcher? Ways to detect silent text messages Ways to detect SS7 network attacks Ways to detect IMSI catchers Or: battery drain

Catching IMSI catchers - TA3M.org · PDF fileIMSI catcher catcher? Ways to detect silent text messages Ways to detect SS7 network attacks Ways to detect IMSI catchers Or: battery drain

Documents

· PDF file11/17/2017 · posed by IMSI catchers and the steps DHS has taken to respond appropriately. To that end, please respond to the following questions:

· PDF file11/17/2017 · posed by IMSI catchers and the steps DHS has taken to respond appropriately. To that end, please respond to the following questions:

Documents

Trashing IMSI Catchers in Mobile Networks · Trashing IMSI Catchers in Mobile Networks WiSec ’17 , July 18-20, 2017, Boston, MA, USA exclusive-or. The MAC is a message authentication

Trashing IMSI Catchers in Mobile Networks · Trashing IMSI Catchers in Mobile Networks WiSec ’17 , July 18-20, 2017, Boston, MA, USA exclusive-or. The MAC is a message authentication

Documents

Mobile network security - the need to measure security in ... · PDF fileSeminar on IMSI-catchers, Fornebu, 26Aug2015 Mobile network security - the need to measure security in the

Mobile network security - the need to measure security in ... · PDF fileSeminar on IMSI-catchers, Fornebu, 26Aug2015 Mobile network security - the need to measure security in the

Documents

IMSI-Catch Me If You Can: IMSI-Catcher-Catchers · Catcher will produce all of the artifacts described below. 4.1 Choosing a Frequency To increase signal quality, avoid radio interference,

IMSI-Catch Me If You Can: IMSI-Catcher-Catchers · Catcher will produce all of the artifacts described below. 4.1 Choosing a Frequency To increase signal quality, avoid radio interference,

Documents

Documents

IMSI Catchers and Mobile Security...to prevent them from accessing the GSM network. Figure 2: Simplified GSM network architecture [9] 2.4.2 Authentication and Encryption When a Mobile

IMSI Catchers and Mobile Security...to prevent them from accessing the GSM network. Figure 2: Simplified GSM network architecture [9] 2.4.2 Authentication and Encryption When a Mobile

Documents

White-Stingray: Evaluating IMSI Catchers Detection ... · which contains IMSI in plaintext. Also, certain networks request for IMEI from the MS before authentication pro-cedure, however,

White-Stingray: Evaluating IMSI Catchers Detection ... · which contains IMSI in plaintext. Also, certain networks request for IMEI from the MS before authentication pro-cedure, however,

Documents

Trashing IMSI Catchers in Mobile Networks - Chris · PDF fileTrashing IMSI Catchers in Mobile Networks Mohammed Sha ul Alam Khan ISG, Royal Holloway, University of London Egham, Surrey

Trashing IMSI Catchers in Mobile Networks - Chris · PDF fileTrashing IMSI Catchers in Mobile Networks Mohammed Sha ul Alam Khan ISG, Royal Holloway, University of London Egham, Surrey

Documents

Perspectives of Physical Layer Security (Physec) for the ... · hacking systems (such as advanced IMSI catchers for example [2]) that operate at the radio interface of wireless networks,

Perspectives of Physical Layer Security (Physec) for the ... · hacking systems (such as advanced IMSI catchers for example [2]) that operate at the radio interface of wireless networks,

Documents

Catching IMSI-catcher-catchers: An e ectiveness …...Catching IMSI-catcher-catchers: An e ectiveness review of IMSI-catcher-catcher applications Author: Bauke Brenninkmeijer 4366298

Catching IMSI-catcher-catchers: An e ectiveness …...Catching IMSI-catcher-catchers: An e ectiveness review of IMSI-catcher-catcher applications Author: Bauke Brenninkmeijer 4366298

Documents

Polismyndighetens användning av IMSI- catchersuu.diva-portal.org/smash/get/diva2:1342523/FULLTEXT01.pdf2 IMSI-catchers 2.1 Inledning För att klargöra på vilket sätt och i vilken

Polismyndighetens användning av IMSI- catchersuu.diva-portal.org/smash/get/diva2:1342523/FULLTEXT01.pdf2 IMSI-catchers 2.1 Inledning För att klargöra på vilket sätt och i vilken

Documents

IMSI-Catcher-Catchers IMSI-Catch Me If You Can · IMSI-Catch Me If You Can: IMSI-Catcher-Catchers Adrian Dabrowski, Nicola Pianta, Thomas Klepp Martin Mulazzani, Edgar Weippl CS 598

IMSI-Catcher-Catchers IMSI-Catch Me If You Can · IMSI-Catch Me If You Can: IMSI-Catcher-Catchers Adrian Dabrowski, Nicola Pianta, Thomas Klepp Martin Mulazzani, Edgar Weippl CS 598

Documents

White-stingray - NULLCON•We can still fight IMSI catchers –easier compared to life on Mars •Potentially weak detectors –fail to catch •Require more robust and smart detection

White-stingray - NULLCON•We can still fight IMSI catchers –easier compared to life on Mars •Potentially weak detectors –fail to catch •Require more robust and smart detection

Documents

Documents

Peter Ney*, Ian Smith*, Gabriel Cadamuro, and Tadayoshi Kohno … · 2018-07-23 · 1 Introduction Cell-site simulators, also known as IMSI-catchers or stingrays, ... data sets in

Peter Ney*, Ian Smith*, Gabriel Cadamuro, and Tadayoshi Kohno … · 2018-07-23 · 1 Introduction Cell-site simulators, also known as IMSI-catchers or stingrays, ... data sets in

Documents

White-Stingray: Evaluating IMSI Catchers Detection ... · PDF fileWhite-Stingray: Evaluating IMSI Catchers Detection ... and used it for our study. Our results of ﬁve popular Android

White-Stingray: Evaluating IMSI Catchers Detection ... · PDF fileWhite-Stingray: Evaluating IMSI Catchers Detection ... and used it for our study. Our results of ﬁve popular Android

Documents

An investigation into the claims of IMSI catchers use in ... · An investigation into the claims of IMSI catchers use in Oslo in late ... Technical overview Data set Analysis of Delma

An investigation into the claims of IMSI catchers use in ... · An investigation into the claims of IMSI catchers use in Oslo in late ... Technical overview Data set Analysis of Delma

Documents

5G IMSI Catchers Mirage...5G IMSI Catchers -NSA •IMSI is not encrypted -> exposed over-the-air •No manadotry 4G-GUTI reallocation •4G core network, expect GUTI randomness •Let’s

5G IMSI Catchers Mirage...5G IMSI Catchers -NSA •IMSI is not encrypted -> exposed over-the-air •No manadotry 4G-GUTI reallocation •4G core network, expect GUTI randomness •Let’s

Documents

Mobile Subscriber WiFiPrivacy - ieee-security.org •Mobile identifiers •IMSI Catchers/Trackers –Conventional –WiFi-based •WiFiauthentication flaws •EAP-SIM/AKA Formal Analysis

Mobile Subscriber WiFiPrivacy - ieee-security.org •Mobile identifiers •IMSI Catchers/Trackers –Conventional –WiFi-based •WiFiauthentication flaws •EAP-SIM/AKA Formal Analysis

Documents

Documents

Low Cost Stingrays (IMSI-Catchers) - CyberCamp · 2018. 12. 17. · Introducción #CyberCamp18 • An International Mobile Subscriber Identity-catcher, or IMSI-catcher, is a telephone

Low Cost Stingrays (IMSI-Catchers) - CyberCamp · 2018. 12. 17. · Introducción #CyberCamp18 • An International Mobile Subscriber Identity-catcher, or IMSI-catcher, is a telephone

Documents

Spidey: Android-based Stingray Detector - GitHub Pagesjtwarren.github.io/files/spidey.pdf · Spidey: Android-based Stingray Detector ... IMSI catchers, meaning that people whose information

Spidey: Android-based Stingray Detector - GitHub Pagesjtwarren.github.io/files/spidey.pdf · Spidey: Android-based Stingray Detector ... IMSI catchers, meaning that people whose information

Documents

IMSI catcher detection and evolution - Simula · B IMSI catcher detection pitfalls (2/3) False positive causes Femto cells behave very similar to IMSI catchers: a. Query IMSI + IMEI

IMSI catcher detection and evolution - Simula · B IMSI catcher detection pitfalls (2/3) False positive causes Femto cells behave very similar to IMSI catchers: a. Query IMSI + IMEI

Documents

THE PROBLEM OF PRIVATE IDENTIFICATION … · (Mobile Subscriber Identification Number) 4 LTE -Subscriber’s Identification Subscriber IMSI Identification UE eNodeB ... –Run eNodeB_Jammerusing

THE PROBLEM OF PRIVATE IDENTIFICATION … · (Mobile Subscriber Identification Number) 4 LTE -Subscriber’s Identification Subscriber IMSI Identification UE eNodeB ... –Run eNodeB_Jammerusing

Documents

5G security – ensuring trusted business...Secure algorithms Authentication w/wo SIM Secure subscriber identification IMSI encryption and 5G-GUTI protection against IMSI catchers

5G security – ensuring trusted business...Secure algorithms Authentication w/wo SIM Secure subscriber identification IMSI encryption and 5G-GUTI protection against IMSI catchers

Documents