Understanding IMSI Privacy
Ravishankar Borgaonkar, TU Berlin
Swapnil Udar, Aalto University
Email: [email protected]
Blackhat USA 2014, Las Vegas, 7th August 2014



Overview
• Unresolved Privacy Issues (IMSI catchers and Silent SMS)
• Darshak - Privacy framework
• Use-cases and demos
• Future work


Unresolved Privacy Issues


Mobile Security Status
• Efforts from OS providers, manufacturers, network operators
• Efforts from researchers, startup companies
• Devices are good, but is the cellular network secure?
• Still all fail against targeted attacks
• What are targeted attacks and who carries them out?
  - IMSI catchers
  - Illegal entities?
  - Methods of doing?


Targeted Attacks
• IMSI catchers
  - Often used
  - Exploits cellular weaknesses
  - Location and interception
• Pegasus
  - Compromising with OTA update
  - SIM toolkit? Like ANT

IMSI catcher or compromising phone

Sources: product manuals


Unsolved Security Questions
• Your last call was encrypted/authenticated?
• Is someone tracking you?? No app for that!
• Can someone listen to your calls/SMS?
  - Besides legal entities
  - Last call/SMS was encrypted?
• Are you a victim of an IMSI catcher attack?
• Are your mobile handset and operator using up-to-date encryption standards?


More ecosystem problems
• 3GPP standard for mobile handset features
• No API for Android, iOS, Windows, BB
  - See issue* 5353: Ciphering Indicator (Android)
• Flatrate calling/data/sms rates
  - you getting free calls?

* https://code.google.com/p/android/issues/detail?id=5353

Source: Wikipedia


Darshak Framework

Motivation!

• Research platform to collect GSM & 3G security relevant data
• Easy to use cellular network security indicator


Darshak* Framework
• Display (in)security capabilities of your cellular network operator
• Android based framework
  - Detection
  - Notification
  - Intelligence
  - Collection
• Security features
  - GSM and 3G networks
  - Captures 'silent sms' and notifies user
  - Alerts when operator not doing encryption?
  - Displays suspicious activities

* In ancient Indian language, Darshak means indicator


Technical Details

• Running on Intel baseband devices Samsung S3, S2
• Primarily based on Xgoldmon idea
• Thanks to GSMMAP
• Device needs to be rooted
• Notifies sender's number - Silent SMS
• Classify security capabilities of 2G/3G networks A5/0, A5/1, A5/3 (useful while roaming)
• Current TMSI after every event
• Displays authentication tokens (RAND, AUTN)


Methodology


GSM background


GSM Security Issues
GSM: BTS, MS
• No Mutual Authentication
• Weak algorithms
• A5/2 broken, A5/1 weak
• Fake base station / MiTM
• BTS decides encryption
• Downgrading attacks


GSM Security Issues
GSM: BTS, MS
• Plaintext over-the-air
• No authentication
• IMEI is not authenticated
• IMSI & TMSI
• Local regulations
• No upgrade, weak algorithms


GSM badly broken
• Proven experimentally by various researchers
• Has it been fixed and upgraded by your operator as per GSMA guidelines?
• Authentication
  - Mobile originated – mostly performed
  - Mobile terminated – not often
• Encryption - A5/1 vs A5/3 vs A5/0
• Threat model is not your government (lawful interception) but other illegal entities


Use-cases and Demos


GSM and 3G security indicators
• Invokes at every incoming and outgoing radio event

[Figure label: interception attack]


3G security indicators


Detecting silent SMS
• Type 0 messages
• Standard says mobiles must acknowledge receipt but may discard contents
• Mobiles do not display any notification to end users
• Useful for police or other illegal agencies
• HushSMS tool from @c0rnholio
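
Added example (not from the slides or the Darshak code): a minimal Python check for Type 0 messages, assuming the raw SMS-DELIVER PDU is available as a hex string. Type 0 is signalled by TP-PID 0x40 in 3GPP TS 23.040; the PDUs and numbers are constructed samples, and the names parse_deliver and silent_sms_alert are hypothetical.

```python
from dataclasses import dataclass

TP_PID_TYPE0 = 0x40  # 3GPP TS 23.040, TP-PID value "Short Message Type 0"

@dataclass
class Deliver:
    sender: str
    pid: int
    udl: int  # TP-User-Data-Length

def bcd_number(octets: bytes, digits: int, toa: int) -> str:
    """Decode a swapped-nibble BCD address; '+' marks an international number."""
    if (toa >> 4) & 0x7 == 5:  # alphanumeric sender: report raw octets
        return "alnum:" + octets.hex()
    text = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets)[:digits]
    return ("+" if (toa >> 4) & 0x7 == 1 else "") + text

def parse_deliver(pdu_hex: str) -> Deliver:
    """Parse the header fields of an SMS-DELIVER PDU (SMSC prefix included)."""
    raw = bytes.fromhex(pdu_hex)
    try:
        pos = 1 + raw[0]                      # skip SMSC length + address
        if raw[pos] & 0x03 != 0:              # TP-MTI 00 = SMS-DELIVER
            raise ValueError("not an SMS-DELIVER")
        digits, toa = raw[pos + 1], raw[pos + 2]
        pos += 3
        end = pos + (digits + 1) // 2         # TP-OA length is in semi-octets
        sender = bcd_number(raw[pos:end], digits, toa)
        pid = raw[end]                        # TP-PID; TP-DCS follows at end+1
        udl = raw[end + 2 + 7]                # skip TP-DCS and 7-octet TP-SCTS
    except IndexError:
        raise ValueError("truncated PDU") from None
    return Deliver(sender, pid, udl)

def silent_sms_alert(pdu_hex: str):
    """Return a notification string for a Type 0 message, else None."""
    msg = parse_deliver(pdu_hex)
    if msg.pid == TP_PID_TYPE0:
        return f"Silent SMS (Type 0) from {msg.sender}"
    return None

# Constructed sample PDUs (fictional numbers), not captured traffic.
HEAD = "07915155100000F0" "04" "0B915155100021F3"   # SMSC, first octet, TP-OA
SCTS = "41807021000000"                             # 2014-08-07 12:00:00
SAMPLE_TYPE0 = HEAD + "40" + "00" + SCTS + "00"     # TP-PID 0x40, empty body
SAMPLE_NORMAL = HEAD + "00" + "00" + SCTS + "02E834"  # TP-PID 0x00, text "hi"
```

The check covers Type 0 only; it does not decode the user data, so other message kinds need their own rules.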


Detecting silent SMS - Demo
• HushSMS allows
  - Ping 3 (0-byte WAP Push)
  - Ping 4 (Empty MMSN)
• Detects, alerts with a notification
• Option to turn on airplane mode (not useful until you control the baseband)


IMSI Catcher Detection
• Finding parameters to detect
• Need lots of data from different operators
• LAC or Cell ID not enough

[Figure labels: scanning first, downgrading, jamming]


Finding parameters
• System Information Type 3 messages
  - Layer 3 messages about GSM system configuration


Finding parameters
• Control Channel Description
  - MSCR: shows current GSM network version
  - 0 – MSC release version 98 or older
  - 1 – MSC release version 99 or newer
• Data from various operators and OpenBTS

Operator        MSCR
Telekom         '99 onwards
O2              '99 onwards
Vodafone        '99 onwards
Play Network    '98 or older
BSNL            '99 onwards
Idea            '99 onwards
OpenBTS         '98 or older


Finding parameters
• Radio Link Timeout
  - Counter value to judge downlink failure
  - Counter decreases when there is an error
  - When it reaches 0: radio link failure
• Data from various operators and OpenBTS

Operator        Radio Link Timeout
Telekom         64
O2              24
Vodafone        64
Play Network    64
BSNL            20
Idea            40
OpenBTS         64


Finding parameters
• PWRC - power control indicator
• Data from various operators and OpenBTS

Operator        PWRC
Telekom         False
O2              True
Vodafone        False
Play Network    False
BSNL            True
Idea            False
OpenBTS         False


Building a profile
• Tool collects such parameters
• Very seldom change (no change in a week)
• Build a profile per location: office-work-city
• Work in progress
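
Added example (not the Darshak implementation, which the slides describe as work in progress): one way to keep a per-location profile of the three System Information parameters tabulated above and report which of them changed. The class and function names are hypothetical, and the second and third tables are read as Radio Link Timeout and PWRC values, following their slide titles.

```python
from collections import Counter
from typing import NamedTuple

class CellParams(NamedTuple):
    mscr_r99: bool            # MSCR: True = '99 onwards, False = '98 or older
    radio_link_timeout: int
    pwrc: bool

# Values copied from the three operator tables on the slides above.
SLIDE_VALUES = {
    "Telekom":      CellParams(True, 64, False),
    "O2":           CellParams(True, 24, True),
    "Vodafone":     CellParams(True, 64, False),
    "Play Network": CellParams(False, 64, False),
    "BSNL":         CellParams(True, 20, True),
    "Idea":         CellParams(True, 40, False),
    "OpenBTS":      CellParams(False, 64, False),
}

def changed_fields(baseline: CellParams, observed: CellParams) -> list:
    """Names of the parameters that differ between two observations."""
    return [f for f in CellParams._fields
            if getattr(baseline, f) != getattr(observed, f)]

def same_as(name: str) -> list:
    """Other table entries whose three parameters equal those of `name`."""
    return [n for n, p in SLIDE_VALUES.items()
            if n != name and p == SLIDE_VALUES[name]]

class LocationProfiles:
    """Learn the usual parameters per (location, operator); flag changes."""
    def __init__(self, min_samples: int = 3):
        self.min_samples = min_samples
        self.seen = {}        # (location, operator) -> Counter[CellParams]

    def observe(self, location: str, operator: str, params: CellParams) -> list:
        """Return changed field names, or [] while learning / when consistent."""
        counts = self.seen.setdefault((location, operator), Counter())
        baseline, n = counts.most_common(1)[0] if counts else (None, 0)
        if n >= self.min_samples and params != baseline:
            return changed_fields(baseline, params)   # not added to baseline
        counts[params] += 1
        return []
```

In the tables, Play Network and OpenBTS are identical on these three parameters, which is why the comparison is made against a learned per-location baseline rather than against the OpenBTS values.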


Future work
• Source code will be released (without IMSI catcher)
• Support to other possible devices
• Data upload functionality (anonymous data)
• Building more profiles for IMSI catcher detection
• Collecting and sharing data


Thank you!