Loretta Ilaria Mancini [email protected] › ~mdr › teaching › dss15 › 07-MobileTelephonySecurity.pdfCellular (Mobile Telephony) network: Radio network covering wide geographic

Mobile Telephony Systems Security

Loretta Ilaria Mancini

[email protected]

School of Computer ScienceUniversity of Birmingham

November 2015

L. I. Mancini Mobile Telephony Systems Security

Motivation and Scope

What:

Security of the over-the-air interface in Mobile Telephony Systems

Why:wireless communications

mobile phones are always on and emitting their identity

answer without the agreement of their bearers

are pervasive

can collect personal data through a variety of sensors


Motivation and Scope

Enemies of

Security and Privacy by Design

Low cost

Computational limitations

Limited storage

Battery life

Functionality

Market competition


Summary

Introduction to Mobile Telephony SystemsBasic protocols2G Security Features2G Security Weaknesses3G Security Features3G Security Weaknesses4G Security Features4G Security WeaknessesEmerging and Future GenerationsConclusions


Introduction to Mobile Telephony Systems

Cellular (Mobile Telephony) network:Radio network covering wide geographic areas divided in cells.

Each cell is served by at least one base station.

A cellular network enables a large number of radio transceivers (e.g.mobile phones) to communicate with each other and with fixedtransceivers (e.g. fixed telephones) via the base station.


Generations

Cellular communication is developed in generations:

0G (1970s) analog, did not support handover (i.e. user could notmove from one cell to another while calling, devices built incar/truck or in a briefcase.

1G (1980s) mainly for voice services, no international roaming.2G (1990) introduces: BSC to lighten MSC workload, encryption,

mobile assisted handoff, data services, SMS, Internet, fax,picture sharing, international roaming.

3G (1995) offers: improved voice and data services including videocall, higher speed internet access (up to 1Mbps), improvedsecurity.

4G (2006) aimed at boosting data services with increased data ratefrom 100Mbps to 1Gbps, based on IPv6.

5G (???)


Mobile Telephony Systems Architecture

Note: this architecture is simplified and uses a 2G like terminology.Similar network elements with similar functions are found in 3Gnetworks


Protocol Stack


Identity Management

IMSI is the long-termidentity stored on the SIMcardTMSI is a short-termidentity reallocatedperiodicallyAccording to the standardat least at each change oflocationNew TMSI should not belinkable with old one


Basic Protocols


Basic Protocols: Identification Procedure

KIMSI , IMSI KIMSI , IMSI

IDENTITY_REQ, ID_TYPE

IDENTITY_RES, IMSI

initiated by the network on a dedicated channel usually when theMS first attachestrivially breaches anonymity


Basic Protocols: TMSI Reallocation Procedure

KIMSI , IMSI, TMSI, CK KIMSI , IMSI, TMSI, CK

new newTMSI

L3_MSG, TMSI

Management of means for ciphering: CK established

{ TMSI_REALL_CMD, newTMSI, LAI}rCK

{TMSI_REALL_COMPLETE}rCK

initiated by the network on a dedicated channelre-allocation message is encryptedshould be periodically executed and should be executed at least at eachchange of location


Basic Protocols: Paging Procedure

KIMSI , IMSI,TMSI KIMSI , IMSI

PAGING_REQ, IMSI

PAGING_RES, ID

the paging request is sent on a broadcast channel by the network inorder to deliver a service to a MS

the paging request is sent in all the most recently visited location areas

the paging response is sent on a dedicated channel

ID is IMSI in 2G, TMSI in 3G


2G Security


2G Security Features

2G networks aim to provideUser Identity Confidentiality:to ensure privacy of the subscriber from third partiesUser Identity Authentication:to ensure that the subscriber is a legitimate oneUser Data Confidentiality


2G Authentication Protocol

2G Authentication Protocol:is always initiated by the networkallows the network to establish that the subscriber is alegitimate onedoes not authenticate the network to the useris always executed after a dedicated channel isestablished and the MS sent its identity


2G Authentication Protocol

KIMSI , IMSI KIMSI , IMSI

generate RANDicomputeXSRESi = A3(RANDi , KIMSI )CKi = A8(RANDi , KIMSI )AVi = (RANDi , XSRESi , CKi )

computeSRESi = A3(RANDi , KIMSI )

Compute and storeCKi = A8(RANDi , KIMSI )

if SRESi XSRESi then abort

RANDi

SRESi


2G Encryption

A5(enc)/A3(auth)/A8(key gen) algos are proprietaryA5 has 3 variants:

A5/1 is the most usedA5/2 (weaker version of A5/1) is being phased outA5/3 (KASUMI) stronger but not yet widespread in 2G networks

algos can be negotiatednetwork can enforce no encryptionoften no indication is given to the user about the use of encryption


2G Security Weaknesses

lack of network authenticationuser identity secrecy breached by identificationprocedureno integrity protectionno protection against replay attackstraffic encrypted only between MS and BTS not in thecore networksecurity through obscurity (A3, A5, A8 based onproprietary algos)


2G Offline attack

Threat: SIM CloningExploit: weaknesses in COMP128/COMP128-1

used by key gen (A8) and auth (A3)allow retrieval of the long term key KIMSI

Requirements: physical access to original SIM cardcard reader/writerblank SIM cardcracking software

Effects: identity theft, available credit/allowance theft, DOSMitigations: cloning can be detected

SIM using COMP128-2/3 cannot be cloned


Fake BS-based Attacks

(rely on lack of network authentication)

Threat: IMSI CatcherExploit: lack of network authentication

Requirements: Fake BS (BS-like device)MS attaches to the BS with stronger signal the Fake BSsends an identification request message asking for thelong term identity IMSI

Effects: tracking the presence of a user in a given areaMitigations: IMSI Catcher-Catcher

Fake BS considered too expensive until advent ofUSRP and short range BSs (femtocells)Protect the identification procedure using PKI

demo performed at DefCon18


Fake BS-based Attacks

(rely on lack of network authentication)IMSI Catcher: Fake BS can induce MS to attach using strongersignal than legitimate BS and then trigger the identificationprocedure to breach user privacyOver-the-air SIM cloning: due to weaknesses in COMP128 KIMSIcan be retrieved over the air by sending selected challenges butit can take several hours. SIM cloning can be detected by thenetwork.Fake BS can deactivate ciphering and force MS to send data inclear (most MS do not alert the user when no encryption is used).Services can be delivered either by using a MS connected to thereal network or by routing the data through a VOIP connection.


MS-based Attacks

Threat: Session key retrieval (one of many, live demo andcracking tool available)

Exploit: weaknesses in A5/1, A5/2Requirements: 64bits of known plaintext, e.g. control messages

uses brute force-like attack based on rainbow tables(implemented in the Kraken tool)way of locating target user (eg. silent SMS/silent calllocating attack)device to sniff traffic on dedicated channel (modifiedmotorola phone)

Effects: breach of phone call/SMS message confidentialityMitigations: use stronger encryption algorithm

demo performed at CCC


MS-based Attacks

Threat: Network DOS attackExploit: channel request message, limited resources of BSC

Requirements: MS-like device capable to send channel requestmessages

Effects: saturation of BSC resourcesservice unavailability


MS-based Attacks

Threat: User De-registration DOS attackExploit: lack of authentication of signalling messages

Requirements: MS-like device programmed to send IMSI detachmessages to the network

Effects: user unreachable for mobile terminated services


MS-based Attacks

Threat: Paging response DOS attackExploit: lack of authentication of signalling messages

Requirements: MS-like device programmed to send paging responsemessages to the networkanswer paging request faster than the victim phone

Effects: incoming call droppedincoming call hijacked if attack performed inunencrypted network

Mitigations: use of encryption, indication of no encryption on MS


MS-based Attacks

Threat: User trackingExploit: silent phone call/SMS, TMSI not updated often

Requirements: MS-like device programmed to sniff signallingmessages over dedicated channels

Effects: breach of user privacyMitigations: frequent change of TMSI

demo performed at CCC


GSM Experimental Analysis and Hacking

Osmocom-bbOpenBSC (uses commercial BTS)OpenBTS (implements BTS using USRP and GNUradio)wiresharkBladeRFHackRF


Any Questions?


3G Security


3G Security Features

3G security mainly relies on the Authenticationand Key Agreement (AKA) Protocol to provide:

Mutual AuthenticationUser Data ConfidentialityUser Identity Confidentiality (Anonymity)User Untraceability (Unlinkability)


3G Security Features: AKA Protocol

Initiated by the network to:Authenticate a MS identityAuthenticate the network identityEstablish a ciphering keyEstablish an integrity key



K ,SQNMS K ,SQNHN

SN/HNMS



K ,SQNMS K ,SQNHN

SN/HNMS

Authentication Vector:AV = [RAND, XRES, CK , IK , AUTN]

AUTN = SQNHN ⊕ AK ||MAC

MAC = f1K (SQNHN ||RAND)

XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)



K ,SQNMS K ,SQNHN

SN/HNMS

AUTH_REQ(RAND, AUTN)




XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)



K ,SQNMS K ,SQNHN

SN/HNMS





XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)

Compute:

AK = f5K (RAND)

SQNHN = (SQNHN ⊕ AK ) ⊕ AK

XMAC = f1K (SQNHN ||RAND)



K ,SQNMS K ,SQNHN

SN/HNMS





XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)

Compute:

AK = f5K (RAND)



Check:MAC == XMAC



K ,SQNMS K ,SQNHN

SN/HNMS





XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)

Compute:

AK = f5K (RAND)



AUTH_FAILURE(MAC)Check:MAC == XMAC



K ,SQNMS K ,SQNHN

SN/HNMS





XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)

Compute:

AK = f5K (RAND)



Check:MAC == XMAC

Check:SQNHN >= SQNMS



K ,SQNMS K ,SQNHN

SN/HNMS





XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)

Compute:

AK = f5K (RAND)



Check:MAC == XMAC

AUTH_FAILURE(AUTS)Check:SQNHN >= SQNMS



K ,SQNMS K ,SQNHN

SN/HNMS





XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)

Compute:

AK = f5K (RAND)



Check:MAC == XMAC


Resynch



K ,SQNMS K ,SQNHN

SN/HNMS





XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)

Compute:

AK = f5K (RAND)



Calculate:RES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

Check:MAC == XMAC




K ,SQNMS K ,SQNHN

SN/HNMS





XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)

Compute:

AK = f5K (RAND)



AUTH_RES(RES)Calculate:RES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

Check:MAC == XMAC




K ,SQNMS K ,SQNHN

SN/HNMS





XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)

Compute:

AK = f5K (RAND)




CK = f3K (RAND)

IK = f4K (RAND)

Check:XRES == RES

Check:MAC == XMAC




K ,SQNMS K ,SQNHN

SN/HNMS





XRES = f2K (RAND)

CK = f3K (RAND)

IK = f4K (RAND)

AK = f5K (RAND)

Compute:

AK = f5K (RAND)




CK = f3K (RAND)

IK = f4K (RAND)

Check:XRES == RES

AUTH_FAILURE(MAC)Check:MAC == XMAC


Resynch


3G Security Features: 3G AKA Protocol

3G crypto functionsare open to public scrutinyno practical attacks found so far


3G Security Features: 3G AKA Protocol

3G crypto functionsare open to public scrutinyno practical attacks found so far

but 3G protocols have weaknesses


3G Attacks

Threat: 2G downgrade attackExploit: lack of authentication of serving network

Requirements: Fake BSEffects: Fake BS forces downgrade to 2G

Mitigations: set network connection on 3G only in MS settings


3G Attacks

Threat: Redirection attackExploit: lack of authentication of serving network

Requirements: Fake BS and a MS connected to a real BSEffects: redirection of the communication to a chosen network

perhaps one charging a higher rate or using weakerencryption


3G Attacks

Threat: AKA linkability attackExploit: AKA error messages

Requirements: Fake BS-like deviceEffects: user tracking

Mitigations: conceal the error messagesend generic error messageno error handling


3G Attacks

K ,SQNMS K ,SQNHN

NetworkAttackerMS



3G Attacks

K ,SQNMS RAND, AUTN K ,SQNHN

NetworkAttackerMS



3G Attacks


NetworkAttackerMS


AUTH_RES(RES)


3G Attacks


NetworkAttackerMS


AUTH_RES(RES)


AUTH_RES(RES) if RES=SYNCH_FAIL||RES = f2KIMSI (RAND) thenI know this MS!


3G Attacks


NetworkAttackerMS


AUTH_RES(RES)





3G Attacks


NetworkAttackerMS


AUTH_RES(RES)




AUTH_RES(RES) if RES=MAC_FAIL thenthis is another MS


3G Attacks

Threat: Femtocell rootingExploit: weaknesses in femtocell software/firmware

Requirements: FemtocellEffects: breach of user confidentiality

call/SMS interceptionbreach of user privacy


4G Architecture

simplified architecture (less elements with more complexfunctions)all IP networkinterworking with non- 3GPP networks


4G Security aims

user identity confidentialitymutual authentication (including SN to MS)data confidentialitydata integrity


4G security features

Re-use of UMTS Authentication and Key Agreement (AKA)Use of USIM required (GSM SIM excluded)128 bit keys used but 256bit keys could be used as wellInterworking security for non-3GPP networksExtended key hierarchy


4G AKA and keys hierarchy

establishes local master keybetween MME and MS

hierarchy of keys derived

different keys used to protectuser data and signalling data

fresh session keys can begenerated without executingAKA

integrity protection iscompulsory

ciphering is optional

ciphering and integrity basedon SNOW 3G and AES

KIMSI

CK,IK

KASME

KNASenc KNASint

KeNB

KUPenc KRRCenc KRRCint

UE/MME

UE/eNB


Beyond 4G

Cellular IoT (4.5G)aims at providing IoT servicesfocuses on M2M communicationdeep coverage at lower speed5GAimed at even better data services with increased speed


Conclusions

Mobile systems have been deployed for few decades

security analysis has only recently opened to wider public scrutiny

plenty of room for formal and experimental analysis

technology in constant evolution

reluctance towards PKI adoption for economical and historicalreasons

next generations will benefit building on the strength and avoidingmistakes of past generations.


Thank You!


Documents

Loretta Ilaria Mancini [email protected] › ~mdr › teaching › dss15 › 07-MobileTelephonySecurity.pdfCellular (Mobile Telephony) network: Radio network covering wide geographic