Slide 1: Exposing Device Features on 4G and 5G Networks
Altaf Shaik (Technische Universität Berlin, Germany)
Ravishankar Borgaonkar (SINTEF Digital, Norway)
26.09.2019, Hardware.io 2019, Netherlands
KAITIAKI
Slide 2: 5G?
Human Communication
Machine Communication
Slide 3: 5G Sec.?
Source: https://www.informationsecuritybuzz.com/articles/security-challenges-next-generation-5g-mobile-networks/
5G Security Requirements (figure labels):
• LTE Security Requirements + Enhancements
• New Services (Use Cases)
• New Networking Technologies: NFV/SDN
Slide 4: 5G Security Elements
Figure labels, device side: Device identifiers / Credentials / Authentication+ / Encryption / Integrity+ / Privacy+ / Resilience+
Figure labels, network side: Cell / Mobile Edge Computing / Edge Cloud / Network Slicing Security / NFV/SDN Security / Central Cloud
Slide 5: Security Evolution (OTA)
(figure only)
Slide 6: IMSI Catchers in 5G?
Figure labels: IMSI, IMEI
Slide 7: 5G Security?
5G Security >> 4G? (What’s new)
Same protocols, same security algorithms
Attacks in 4G/LTE fixed?
Downgrade attacks, DoS attacks, location tracking
What’s not fixed in 4G is copy-pasted into 5G
Slide 8: Capabilities?
UE Capabilities
Core network capabilities (1): security algorithms, voice calling support, V2V
Radio access capabilities (2): frequency bands, Rx & Tx features, MIMO, CA, category
1. 3GPP TS 24.301, 23.401, 24.008
2. 3GPP TS 36.331
Slide 9: Core Capabilities
(figure only)
Slide 10: Capabilities 5G
• V2X: Connected Cars
• ProSe (D2D): Location services
• CIoT: IoT specific
Slide 11: Radio Capabilities
(figure only)
Slide 12: LTE Registration
Flow (reconstructed from the figure): Registration (core network capabilities) → Get capabilities → Send capabilities (radio access capabilities) → Save all capabilities → Authentication and Security (OTA security) → Registration Success
UE Capabilities
• sent to the network during registration
• stored at the network for long periods
• visible in plain text over the air
• enable passive and active attacks
Slide 13: Issue?
UE Capabilities
• Accessible by rogue base stations
• Sent in plain text over the air
• Standard + implementation bugs
Slide 14: Attacks?
MNmap (active or passive)
Bidding down (MitM)
Battery drain (MitM)
Slide 15: Setup – LTE MitM attacker
Hardware: 2 x (USRP B210 + laptop)
Targets: phones, Quectel modems, cars, IoT devices, trackers, laptops, routers…
Software: srsLTE
Attacks tested with real devices and commercial networks
Slide 17: 1. MNmap
(Mobile Network Mapping), similar to IP Nmap
Maker, Model, OS, Applications, Version
Slide 18: MNmap
Baseband vendor name and model
Device taxonomy (figure):
• Cellular
  • Phone (tablet)
    • Android: Samsung, Huawei, HTC, LG, Nokia
    • iOS: iPhone, iPad (with version)
  • Others: car, railways, router, USB dongle, hotspots, laptops, vending machines, wearables
• Cellular IoT
  • NB-IoT: smart meters, smart grid, sensors
  • LTE-M: asset trackers, agriculture, home automation
Identify any cellular device in the wild: chip maker, device model, operating system, application of device, baseband software version
Slide 19: Identification – How
Baseband vendors implement capabilities differently, e.g., Qualcomm chipsets always disable EIA0
Many capabilities are optional (disabled/enabled)
Each target application requires a different set of UE capabilities:
• V2V for automated cars
• Voice calling and codec support for phones
• GPS capability for trackers
• Data-only support for routers and USB data sticks (SMS only)
Slide 20: DUT
(figure only)
Slide 21: Ref model
Devices: baseband vendor, application, chipset name, 3GPP release
Slide 22: Fingerprints
Implementation differences among baseband vendors

Capability                        Huawei  Samsung  Intel  Mediatek  Qualcomm
CM Service Prompt                 1       0        0      0         1
EIA0                              1       1        1      1         0
Access class control for CSFB     0       1        0      1         1
Extended Measurement Capability   0       0        0      1         0
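The fingerprint rows above come from bits the UE sends in the clear in its Attach Request. The following is an added example, not the authors' MNmap tool: it decodes the LTE "UE network capability" IE (3GPP TS 24.301, section 9.9.3.34) from the raw LV-coded bytes and matches the EIA0 and "Access class control for CSFB" (ACC-CSFB) bits against the table's vendor columns. The bit-position table is the editor's reading of TS 24.301 and should be checked against the spec before a field is relied on; the sample IEs are constructed, not captured traffic.

```python
"""Decode the LTE 'UE network capability' IE (3GPP TS 24.301 section 9.9.3.34),
which a UE sends in clear in its Attach Request, and map the decoded bits onto
the baseband fingerprint rows from the slides (EIA0 and ACC-CSFB).

Bit layout: editor's reading of TS 24.301, verify before relying on a field.
Sample IEs below are constructed, not captured traffic."""

# Value-octet index (1 = first octet after the length) -> names of bit 8 .. bit 1
_OCTET_BITS = {
    1: ("EEA0", "128-EEA1", "128-EEA2", "128-EEA3", "EEA4", "EEA5", "EEA6", "EEA7"),
    2: ("EIA0", "128-EIA1", "128-EIA2", "128-EIA3", "EIA4", "EIA5", "EIA6", "EIA7"),
    3: ("UEA0", "UEA1", "UEA2", "UEA3", "UEA4", "UEA5", "UEA6", "UEA7"),
    4: ("UCS2", "UIA1", "UIA2", "UIA3", "UIA4", "UIA5", "UIA6", "UIA7"),
    5: ("ProSe-dd", "ProSe", "H.245-ASH", "ACC-CSFB", "LPP", "LCS", "1xSRVCC", "NF"),
    6: ("ePCO", "HC-CP CIoT", "ERw/oPDN", "S1-U data", "UP CIoT", "CP CIoT", "ProSe-relay", "ProSe-dc"),
    7: ("15 bearers", "SGC", "N1mode", "DCNR", "CP backoff", "RestrictEC", "V2X PC5", "multipleDRB"),
}


def decode_ue_network_capability(ie: bytes) -> dict:
    """ie is the LV-coded IE as carried in Attach Request: length octet, then value."""
    if not ie:
        raise ValueError("empty IE")
    length = ie[0]
    if length < 2 or len(ie) < 1 + length:
        raise ValueError("malformed UE network capability IE")
    caps = {}
    for idx, octet in enumerate(ie[1:1 + length], start=1):
        names = _OCTET_BITS.get(idx)
        if names is None:
            break  # octets beyond the table are spare/unknown here; ignore them
        for pos, name in enumerate(names):  # pos 0 is bit 8 (the MSB)
            caps[name] = (octet >> (7 - pos)) & 1
    return caps


# Fingerprint rows copied from the slide: capability -> vendor -> observed bit
FINGERPRINTS = {
    "EIA0":     {"Huawei": 1, "Samsung": 1, "Intel": 1, "Mediatek": 1, "Qualcomm": 0},
    "ACC-CSFB": {"Huawei": 0, "Samsung": 1, "Intel": 0, "Mediatek": 1, "Qualcomm": 1},
}


def guess_baseband(caps: dict) -> set:
    """Vendors consistent with every fingerprint bit the decoded IE contains.
    Several vendors is a normal outcome (the slides' 'multiple options')."""
    candidates = set(FINGERPRINTS["EIA0"])
    for name, row in FINGERPRINTS.items():
        if name in caps:
            candidates &= {vendor for vendor, bit in row.items() if bit == caps[name]}
    return candidates


# Constructed samples: EEA0-3 and EIA0-3 (or EIA1-3 only), UEA0/1, UIA1,
# octet 5 with ACC-CSFB and LPP set, octets 6-7 all zero.
SAMPLE_EIA0_ON = bytes([0x07, 0xF0, 0xF0, 0xC0, 0x40, 0x18, 0x00, 0x00])
SAMPLE_EIA0_OFF = bytes([0x07, 0xF0, 0x70, 0xC0, 0x40, 0x18, 0x00, 0x00])

if __name__ == "__main__":
    for label, ie in (("EIA0 on", SAMPLE_EIA0_ON), ("EIA0 off", SAMPLE_EIA0_OFF)):
        caps = decode_ue_network_capability(ie)
        print(f"{label}: EIA0={caps['EIA0']} ACC-CSFB={caps['ACC-CSFB']} -> {sorted(guess_baseband(caps))}")
```

With only the two bits from the table, EIA0=0 already singles out Qualcomm, while EIA0=1 with ACC-CSFB=1 still leaves Samsung and Mediatek, which is why the slides combine these bits with the other rows and with radio capabilities before naming a chipset.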
Slide 23: Chipset info
(figure only)
Slide 24: Half-way
1. Baseband maker
2. Baseband model
3. List of supported devices for the chipset
4. Identify the right device and application
Slide 26: Fingerprints
Difference between phone and other devices:
Capability               Phone                 Others
UE’s usage setting       Voice or Data         Not present
Voice domain preference  CS Voice or PS Voice  Not present
UMTS AMR codec           Present               Not present

Difference between iOS and Android:
Capability                    Android  iOS
MS assisted GPS               1        0
Voice over PS-HS-UTRA-FDD-r9  1        0

Difference between cellular and cellular IoT:
Capability                   Cellular IoT  Cellular
PSM Timer                    1             0
T3412 ext period TAU timer   1             0

Phone and preferred baseband:
Phone    Baseband
Huawei   Huawei
Samsung  Samsung
Apple    Intel or QCT
Slide 27: MNmap issues
SIM card can affect which capabilities are enabled/disabled (operator setting, e.g., bands)
IoT applications: LTE-M vs NB-IoT timer values (low for smart meters, high for asset trackers)
Successes and failures in detection (close to round-off, multiple options)
Slide 29: What next
Passive MNmap also works (active base station not required)
Privacy: link IMSI to device capabilities on 4G (associate device fingerprints with people)
Launch target-specific attacks
Open-source MNmap: share traces and automated tool
Slide 30: 2. Bidding down
Hijacking radio capabilities
MitM relay before OTA security
Network/phone cannot detect
Flow (reconstructed from the figure): Get capabilities → Send capabilities (radio capabilities) → RELAY rewrites radio capabilities → Save all capabilities → OTA security → Registration Success
Slide 31: Bidding down
Radio capabilities are modified:
• UE category changed (Cat 12 -> Cat 1)
• CA and MIMO are disabled
• Frequency bands are removed
• VoLTE mandatory requirements are disabled
• V2V capabilities can be removed
Slide 32: Tests with real networks
LTE service downgrade (with elite USIM)
iPhone 8 and LTE Netgear router (Qualcomm basebands)
Data rate (downlink): 48 Mbps down to 2 Mbps (USA and Europe)
VoLTE calls are denied to the UE (CSFB used instead)
Handovers to 2G/3G due to lack of band support – downgraded
Slide 33: Impact
22 out of 32 tested LTE networks worldwide (Europe, Asia, NA) are affected (USA, Switzerland, France, Japan, Korea, Netherlands, UK, Belgium, Iceland)
Persistent for 7 days: capabilities are cached at the core network; restart the device for normal operation
** Radio is the bottleneck for high-speed data service
Slide 34: Why without/before security?
*** To do early optimization for better service/connectivity
Slide 35: 3. Battery Drain
NB-IoT (Narrow Band): Power Saving Mode (PSM), radio OFF when not in use
Flow (reconstructed from the figure): Registration (capabilities: PSM_enable) → relay rewrites to PSM_disabled → Authentication and Security → Registration Success → PSM_Not_enabled → Battery_Drain
Slide 36: Tests
PSM disabled (UE and network don’t detect)
Continuous activity: neighbour cell measurements drain the battery (10-year battery??)
Experiment with NB-IoT UE (Quectel BC68 modem): reconnects after 310 hours (13 days); battery lifetime reduced by 5 times
Persistent attack: restart required to restore
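The battery-drain attack works because the PSM timers a CIoT device asks for travel in the unprotected registration, so a relay can simply drop them and the network never grants PSM. The following is an added example, not the authors' test harness: it decodes the two timer IEs, models the relay stripping them, and checks on the Accept whether PSM was actually enabled. Assumptions (editor's reading of 3GPP TS 24.301 / TS 24.008, to be checked against the spec): T3324 is carried as a GPRS Timer 2 with IEI 0x6A and T3412 extended as a GPRS Timer 3 with IEI 0x5E, both TLV-coded; the toy core grants exactly what was requested; every byte string is constructed, not captured.

```python
"""Decode the power-saving timers a cellular IoT UE negotiates at registration
and check whether PSM was actually granted: a worked model of the battery
drain attack, not the authors' tooling.

Assumptions (editor's reading of TS 24.301 / TS 24.008, verify against spec):
T3324 = GPRS Timer 2, IEI 0x6A; T3412 extended = GPRS Timer 3, IEI 0x5E;
both TLV-coded in Attach Request / Attach Accept. All bytes are constructed."""

IEI_T3324 = 0x6A       # active time before the UE may enter PSM (GPRS Timer 2)
IEI_T3412_EXT = 0x5E   # extended periodic TAU timer (GPRS Timer 3)
DEACTIVATED = 0b111    # unit code meaning "timer deactivated"

# seconds per 5-bit timer tick, indexed by the 3-bit unit field (bits 8-6)
_TIMER3_UNITS = {0: 600, 1: 3600, 2: 36000, 3: 2, 4: 30, 5: 60, 6: 320 * 3600}
_TIMER2_UNITS = {0: 2, 1: 60, 2: 360}  # other unit codes are treated as 1 minute


def decode_gprs_timer3(octet: int):
    """Seconds, or None when the timer is deactivated."""
    unit, ticks = octet >> 5, octet & 0x1F
    return None if unit == DEACTIVATED else _TIMER3_UNITS[unit] * ticks


def decode_gprs_timer2(octet: int):
    unit, ticks = octet >> 5, octet & 0x1F
    return None if unit == DEACTIVATED else _TIMER2_UNITS.get(unit, 60) * ticks


def parse_tlv_ies(tail: bytes) -> dict:
    """Parse a run of TLV-coded optional IEs (IEI, length, value) into {IEI: value}.
    Real NAS messages also carry T/TV-coded IEs; this toy handles only TLV."""
    ies, i = {}, 0
    while i + 2 <= len(tail):
        iei, length = tail[i], tail[i + 1]
        value = tail[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated IE 0x{iei:02X}")
        ies[iei] = value
        i += 2 + length
    return ies


def psm_timers(tail: bytes):
    """(T3324 seconds, T3412ext seconds); None where absent or deactivated."""
    ies = parse_tlv_ies(tail)
    t3324 = decode_gprs_timer2(ies[IEI_T3324][0]) if IEI_T3324 in ies else None
    t3412 = decode_gprs_timer3(ies[IEI_T3412_EXT][0]) if IEI_T3412_EXT in ies else None
    return t3324, t3412


def psm_enabled(accept_tail: bytes) -> bool:
    """The UE may use PSM only if the Accept carries a non-deactivated T3324."""
    return psm_timers(accept_tail)[0] is not None


def mitm_strip_psm(request_tail: bytes) -> bytes:
    """What the relay does to the unprotected registration: drop the PSM request."""
    ies = parse_tlv_ies(request_tail)
    kept = [(iei, v) for iei, v in ies.items() if iei not in (IEI_T3324, IEI_T3412_EXT)]
    return b"".join(bytes([iei, len(v)]) + v for iei, v in kept)


def network_accept(request_tail: bytes) -> bytes:
    """Toy core: grant exactly the PSM timers that were requested, or none."""
    ies = parse_tlv_ies(request_tail)
    return b"".join(bytes([iei, 1]) + ies[iei][:1]
                    for iei in (IEI_T3324, IEI_T3412_EXT) if iei in ies)


# Constructed Attach Request tail: T3324 = 1 minute (unit 001, 1 tick),
# T3412 ext = 320 hours (unit 110, 1 tick).
UE_REQUEST_TAIL = bytes([IEI_T3324, 0x01, 0x21, IEI_T3412_EXT, 0x01, 0xC1])

if __name__ == "__main__":
    direct = network_accept(UE_REQUEST_TAIL)
    relayed = network_accept(mitm_strip_psm(UE_REQUEST_TAIL))
    print("direct :", psm_timers(direct), "PSM enabled:", psm_enabled(direct))
    print("relayed:", psm_timers(relayed), "PSM enabled:", psm_enabled(relayed))
```

Neither side sees an error on the relayed path: the UE got a valid Accept, the core served a valid request, and the device simply never sleeps, which matches the "UE and network don't detect" observation above.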
Slide 37: Vulnerability Status
Reported to GSMA, 3GPP SA3 and other affected operators and vendors
Positive acknowledgement / could be implementation issues
Thanks to GSMA, SA3: 3GPP to add fixes
Core network capabilities are still unprotected
MNmap still possible on 5G: passive, active
Slide 38: Fixes
• Fixes in LTE Release 14 for NB-IoT will be commercial soon
• UE capabilities should be security protected: accessible only after mutual authentication
• Operators’ eNodeB implementation/configuration should be updated
• Capabilities should be replayed to the UE after NAS security setup for verification (a hash of them): V2V, voice calling features, PSM timers, etc.
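The LTE NAS Security Mode Command already replays the UE security capabilities (the EEA/EIA bits) under integrity protection so the UE can detect algorithm bidding down; the last fix above extends the same idea to everything else sent before security. The following is an added example of that replay-and-verify exchange, not the authors' code or a 3GPP procedure: UE, MitM relay and core are modelled as three parties, HMAC-SHA256 truncated to 32 bits stands in for a NAS integrity algorithm, the NAS integrity key is a constant rather than the output of AKA, and capabilities are encoded as a canonical key=value string rather than ASN.1 or NAS IE coding.

```python
"""Replay-and-verify of UE capabilities after NAS security setup, modelled as
the three-party exchange on the slides (UE, MitM relay, core network).
Added example, not the authors' tooling. Assumptions: HMAC-SHA256 truncated to
32 bits stands in for a NAS integrity algorithm, K_NAS_INT is a constant
instead of an AKA output, and capabilities are a canonical key=value string."""
import hashlib
import hmac

K_NAS_INT = bytes.fromhex("00112233445566778899aabbccddeeff")  # stand-in key
SMC_TAG = b"SMC|"


def encode_caps(caps: dict) -> bytes:
    """Canonical encoding so the UE and the core hash identical bytes."""
    return ";".join(f"{k}={caps[k]}" for k in sorted(caps)).encode()


def cap_hash(caps: dict) -> bytes:
    return hashlib.sha256(encode_caps(caps)).digest()


def nas_mac(body: bytes) -> bytes:
    """32-bit MAC, the size a NAS message carries; HMAC here is a stand-in for EIA."""
    return hmac.new(K_NAS_INT, body, hashlib.sha256).digest()[:4]


class Core:
    """Stores whatever arrived before security, then replays its hash protected."""
    def __init__(self):
        self.stored = None

    def receive_registration(self, caps: dict) -> None:
        self.stored = dict(caps)  # cached for days in the networks the slides tested

    def security_mode_command(self):
        body = SMC_TAG + cap_hash(self.stored)
        return body, nas_mac(body)


class UE:
    def __init__(self, caps: dict):
        self.caps = dict(caps)

    def registration(self) -> dict:
        return dict(self.caps)  # sent in the clear, before any security

    def verify_smc(self, body: bytes, tag: bytes) -> bool:
        """True if the SMC is authentic and the replayed hash matches what we sent."""
        if not hmac.compare_digest(nas_mac(body), tag):
            return False  # relay altered or forged the protected message
        if not body.startswith(SMC_TAG):
            return False
        return hmac.compare_digest(body[len(SMC_TAG):], cap_hash(self.caps))


def relay_bidding_down(caps: dict) -> dict:
    """The relay's edit to the unprotected registration (the downgrade on slide 31)."""
    tampered = dict(caps)
    tampered.update({"ue-Category": 1, "ca": 0, "mimo": 0, "bands": "3"})
    return tampered


# Constructed capability set for the demo, not a real UE's
UE_CAPS = {"ue-Category": 12, "ca": 1, "mimo": 1, "bands": "1,3,7,20", "volte": 1}


def run(relay_present: bool) -> bool:
    """What the UE concludes: True = capabilities intact, False = tampering detected."""
    ue, core = UE(UE_CAPS), Core()
    sent = ue.registration()
    core.receive_registration(relay_bidding_down(sent) if relay_present else sent)
    body, tag = core.security_mode_command()  # relay can forward this but not rewrite it
    return ue.verify_smc(body, tag)


if __name__ == "__main__":
    print("no relay  :", "ok" if run(False) else "mismatch")
    print("with relay:", "ok" if run(True) else "mismatch, UE rejects registration")
```

The check only helps if the UE acts on a mismatch (abort registration, re-send capabilities over the now-protected channel) and if the core hashes the full stored set, including the radio capabilities and PSM timers the slides list; a hash over the security capabilities alone is what LTE does today and is exactly what the relay leaves untouched.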