Department of Computer Science
Mobile Subscriber WiFi Privacy
Piers O’Hanlon
Ravishankar Borgaonkar
Lucca Hirschi (LSV, University Paris-Saclay)
MoST IEEE S&P Workshop 2017
Overview
• Mobile identifiers
• IMSI Catchers/Trackers
  – Conventional
  – WiFi-based
• WiFi authentication flaws
• EAP-SIM/AKA Formal Analysis
• Mitigations
  – User/Mobile OS/Operator
Mobile identifiers
• Subscriber identifiers
  • Mobile subscriber identity
    • International Mobile Subscriber Identity (IMSI)
    • Temporary IMSI (TIMSI)
  • Mobile number
    • Mobile Station International Subscriber Directory Number (MSISDN)
• Device identifiers
  • International Mobile Equipment Identity (IMEI)
  • WiFi MAC address
  • Bluetooth MAC address
  • NFC Address
• Network/OS level identifiers
  • IP addresses, Hostnames, DHCP options, Multicast DNS names, etc
• Application level identifiers
  • Usernames, identifiers, handles, etc
What is an IMSI?
• International Mobile Subscriber Identity
  • 15 digit number (MCountryCode + MNetCode + MSIdNum)
  • e.g. 234123456789012
• Identity for mutual authentication of a device to the network
  • Using SIM’s secret 128-bit authentication Key (Ki) and for 3/4G the Sequence Number (SQN)
• Stored in two places:
  • In the ‘SIM Card’ (USIM/UICC)
    • IMSI is accessible in read only section of SIM
    • Secret key (Ki) and SQN are not directly readable
  • At the Operator
    • IMSI indexes Ki and SQN from HSS/AuC Database
• An identifier that can be used for tracking
Conventional IMSI Catchers
• Typical features
  • Tracking: IMSI/IMEI, Location
  • Interception: Call/SMS/Data
• Operates on licensed Mobile Bands: 2G (GSM)/3G/4G
  • Acts as a fake base station to lure nearby mobile devices
• ‘Passive’ - mainly for tracking (interception when no/weak ciphering)
• Active – interception and tracking
• Cost
  • Commercial solutions expensive
  • Now cheaper options using Laptop + SDR board
• Been around since the early 1990s
  • Patented in Europe in 1993
Conventional IMSI Catchers: 2-4G
2G
• Exploits protocol flaws (no mutual authentication..)
• Tracking & Interception
• Easily available to buy online
• Use of fake base station
3G/4G
• Exploits architecture issues (Base station > UE..)
• Tracking & difficult to intercept traffic w.r.t 2G
• Commercial products usually downgrades
• Use of legitimate base station also possible
http://www.epicos.com/EPCompanyProfileWeb/Content/Ability/EM_GSM.JPG
http://edge.alluremedia.com.au/m/g/2016/05/nokia_ultra_compact_network.jpg
WiFi-Based IMSI Catcher
• Features
  • Tracking: IMSI, Location
  • No interception
• Operates in unlicensed ISM Bands: WiFi
  • Range - few hundred meters – can be extended…
  • Fake Access Points
  • Redirect/Spoofs mobile packet data gateway
  • Exploits protocol & configuration weaknesses
• Based on two separate access techniques [3GPP TS 33.234]
  • WiFi Network Authentication (‘WLAN direct IP access’)
  • WiFi-Calling Authentication (‘WLAN 3GPP IP access’)
• Cost
  • Low: Virtually any WiFi capable computer
Mobile network Architecture
WiFi Network attachment (WLAN direct IP access)
• Unencrypted WiFi access points (APs)
  • Captive Portal approaches
    • Wireless Internet Service Provider roaming (WiSPr) etc
• Encrypted WiFi APs
  • Pre-shared password/credentials
• ‘Auto Connect’ Encrypted WiFi APs (802.1X)
  • WiFi key is negotiated without user intervention
  • Based on credentials in the USIM/UICC (‘SIM Card’)
  • Controlled by operator provided configuration
    • Manual
    • Automatic/pre-installed
Manual Configuration
• Some Android devices require initial manual configuration
  • After which it automatically connects
• Instructions on operator websites
  • Follow simple steps to set up
• Android provides various Carrier controlled mechanisms
  • Lollipop (v5.1 MR1): UICC Carrier Privileges
  • Marshmallow (v6.0): Carrier Configuration
    • “Privileged applications to provide carrier-specific configuration to the platform”
Automatic configuration
• Some Android and Windows phones automatically connect based on SIM
• iOS configures phone based on inserted SIM
  • Activates an operator specific .mobileconfig file
  • Configures a range of operator specific options
    • Including a list of 802.1X supported WiFi SSIDs
• Our analysis of iOS 9 profiles showed
  • More than 60 profiles (44 countries) for 802.1X WiFi
  • Containing 66 unique SSIDs plus other config
• => Phones continuously trying to silently automatically authenticate
Automatic WiFi Authentication
• Port Based Network Access Control [IEEE 802.1X]
  • Uses Extensible Authentication Protocol (EAP) [RFC 3748] over LAN (EAPOL) over WiFi
• Based upon two EAP Methods
  • EAP-SIM [RFC 4186]
    • GSM based security - Currently most widely used
  • EAP-AKA [RFC 4187]
    • 3G based security - Being deployed
• Support in all major Mobile OSes: Android, iOS, Windows Mobile, and Blackberry devices
  • Reported the issue to them all and to operators & GSMA
• Deployed in many countries – adoption growing
EAP-SIM/AKA Identities
• Three basic identity types for authentication
  • Permanent-identity (IMSI)
    • Typically used initially after which temporary ids are used
  • Pseudonym identity
    • A pseudonym for the IMSI has limited lifetime
  • Fast reauthentication-identity
    • Lower overhead re-attachment after initial exchange
• Behaviour affected by peer policy
  • “Liberal” peer - Current default
    • Responds to any requests for permanent identity
  • “Conservative” peer – Future deployment option
    • Only respond to requests for permanent identity when no Pseudonym identity available
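Added example (not from the slides): a small Python model of the two peer policies, following the identity-request handling described in RFC 4186. The class, constant and function names are illustrative assumptions, and the pseudonym value is constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class IdReq(Enum):
    """Identity-request attributes carried in EAP-Request/SIM/Start."""
    ANY = "AT_ANY_ID_REQ"
    FULLAUTH = "AT_FULLAUTH_ID_REQ"
    PERMANENT = "AT_PERMANENT_ID_REQ"

# Refusal a conservative peer sends instead of its IMSI (RFC 4186).
CLIENT_ERROR = "EAP-Response/SIM/Client-Error"

@dataclass
class Peer:
    permanent_id: str                     # "1" + IMSI for EAP-SIM
    pseudonym: Optional[str] = None       # issued during an earlier full auth
    fast_reauth_id: Optional[str] = None
    conservative: bool = False

    def answer(self, req: IdReq) -> str:
        """Return the identity to send, or CLIENT_ERROR when refusing."""
        if req is IdReq.ANY and self.fast_reauth_id:
            return self.fast_reauth_id
        if req in (IdReq.ANY, IdReq.FULLAUTH) and self.pseudonym:
            return self.pseudonym
        if req is IdReq.PERMANENT and self.conservative and self.pseudonym:
            # Conservative peer: a pseudonym exists, so the IMSI stays hidden.
            return CLIENT_ERROR
        # Liberal peer, or no temporary identity available yet.
        return self.permanent_id

IMSI_ID = "1234123456789012"         # "1" + the example IMSI from the slides
PSEUDONYM = "constructed-pseudonym"  # constructed value

def demo():
    """Answers of three peers to a request for the permanent identity."""
    liberal = Peer(IMSI_ID, pseudonym=PSEUDONYM)
    conservative = Peer(IMSI_ID, pseudonym=PSEUDONYM, conservative=True)
    first_use = Peer(IMSI_ID, conservative=True)  # no pseudonym issued yet
    return {
        "liberal": liberal.answer(IdReq.PERMANENT),
        "conservative": conservative.answer(IdReq.PERMANENT),
        "first_use": first_use.answer(IdReq.PERMANENT),
    }

if __name__ == "__main__":
    print(demo())
```

The conservative peer still reveals the IMSI on first use, which is why operator-side pseudonym support has to be deployed for the policy to help.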
EAP-SIM/AKA transport
• Basic EAP protocol is not encrypted
  • Currently EAP-SIM/AKA in EAPOL is unencrypted
  • Thus IMSI is visible (to a passive attacker) when permanent identity used for full authentication 😱
  • Also open to active attacks by requesting full auth 😱
• Problem amplified due to pre-configured profiles
  • Mobile devices are constantly checking for pre-configured SSIDs and attempting authentication
• WiFi Access keys not compromised
  • All content still protected
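Added example (not from the slides): an operator-side check that counts how many EAP identities recorded by the AAA server were permanent ones, without retaining the IMSI. It assumes the RFC 4186/4187 convention of a leading "1" (EAP-SIM) or "0" (EAP-AKA) before the IMSI and a 3GPP-style realm; the User-Name values are constructed.

```python
import re
from collections import Counter, defaultdict

# Permanent usernames: "0" + IMSI (EAP-AKA, RFC 4187) or "1" + IMSI
# (EAP-SIM, RFC 4186). The slides give the IMSI as a 15 digit number.
PERMANENT = re.compile(r"^([01])\d{15}$")
METHOD = {"0": "EAP-AKA", "1": "EAP-SIM"}

def classify(user_name):
    """Return (kind, method, realm); the IMSI itself is never kept."""
    username, _, realm = user_name.partition("@")
    match = PERMANENT.match(username)
    if match:
        return "permanent", METHOD[match.group(1)], realm.lower()
    # Anything else is treated as a pseudonym or fast re-authentication id.
    return "temporary", None, realm.lower()

def audit(user_names):
    """Per-realm counts of permanent and temporary identities."""
    report = defaultdict(Counter)
    for name in user_names:
        kind, method, realm = classify(name)
        report[realm][kind] += 1
        if method:
            report[realm][method] += 1
    return {realm: dict(counts) for realm, counts in report.items()}

def exposure_ratio(counts):
    """Share of logged identities that carried the IMSI."""
    total = counts.get("permanent", 0) + counts.get("temporary", 0)
    return counts.get("permanent", 0) / total if total else 0.0

# Constructed sample User-Name values (IMSI is the example from the slides).
REALM = "wlan.mnc012.mcc234.3gppnetwork.org"
SAMPLE = [
    "1234123456789012@" + REALM,
    "0234123456789012@" + REALM,
    "3constructedPseudonymA@" + REALM,
    "2constructedPseudonymB@" + REALM,
]

if __name__ == "__main__":
    for realm, counts in audit(SAMPLE).items():
        print(realm, counts, f"exposure={exposure_ratio(counts):.0%}")
```

A ratio that stays high after pseudonym support is enabled points at devices or AAA settings that still fall back to the permanent identity.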
WiFi-Calling Operation (WLAN 3GPP IP access)
• Phone connects to Edge Packet Data Gateway (EPDG) over WiFi
  • Voice calls over WiFi
  • Phone connects on low/no signal
    • Also connects in Airplane mode + WiFi …
• Connection to EPDG uses IPsec
  • Authenticates using Internet Key Exchange Protocol (IKEv2)
• Supported on iOS, Android, and Windows devices
• WiFi-Calling available in a number of countries
• The issue also been reported to OS makers and Operators
IPsec brief overview
• Internet Protocol Security
  • Confidentiality, data integrity, access control, and data source authentication
  • Recovery from transmission errors: packet loss, packet replay, and packet forgery
• Authentication
  • Authentication Header (AH) - RFC 4302
• Confidentiality
  • Encapsulating Security Payload (ESP) - RFC 4303
• Key management
  • Internet Key Exchange v2 (IKEv2) - RFC 7296
• Two modes
  • Tunnel - used for connection to Gateway (EPDG)
  • Transport
IKEv2 weakness
• Initiates connection in two phases
  • IKE_SA_INIT
    • Negotiate cryptographic algorithms, exchange nonces, and do a Diffie-Hellman exchange
  • IKE_AUTH
    • Authenticate the previous messages, exchange identities (e.g. IMSI), and certificates, and establish the child Security Association(s) (SA)
• IKE_AUTH uses EAP-AKA to exchange identities
  • DH-encrypted IMSI exchange not protected by a certificate
  • Open to MitM attacks on identity exchange (e.g. IMSI) 😱
• IPsec ESP keys are not compromised
  • Call content still safe
EAP-SIM/AKA Formal Analysis
• Analysed EAP-SIM/AKA in ProVerif security protocol analyser
  • Modelled using a symbolic model based upon applied π-calculus
  • EAP-AKA is stateful, uses XOR, and SQN so it was simplified
• We used the models to formally verify untraceability of the IMSI for two users
  • Attack found when IMSI is unhidden – as expected
  • No attack found when IMSI hidden (encrypted/pseudonym) without additional authentication material
EAP-SIM traceability attack
• When IMSI hidden and attacker knows n (=3) GSM authentication triplets for targeted IMSI
  • GSM Triplet: Signed Response [SRES] (32-bit), Random number [RAND] (128-bit), & Ciphering Key [Kc] (64-bit)
  • Using known GSM triplets, attacker sends challenge request to mobile device (Step 5 – Next Slide)
  • If mobile device accepts challenge
    ==> mobile is the targeted device
EAP-SIM Full Authentication

   Peer                                                 Authenticator
1.  | EAP-Request/Identity                                     |
    |<---------------------------------------------------------|
    |                                                          |
2.  | EAP-Response/Identity (e.g. IMSI)                        |
    |--------------------------------------------------------->|
    |                                                          |
3.  | EAP-Request/SIM/Start (AT_VERSION_LIST)                  |
    |<---------------------------------------------------------|
    |                                                          |
4.  | EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION)|
    |--------------------------------------------------------->|
    |                                                          |
5.  | EAP-Request/SIM/Challenge (AT_RAND, AT_MAC)              |
    |<---------------------------------------------------------|
+-------------------------------------+                        |
| Peer runs GSM algorithms, verifies  |                        |
| AT_MAC and derives session keys     |                        |
+-------------------------------------+                        |
6.  | EAP-Response/SIM/Challenge (AT_MAC)                      |
    |--------------------------------------------------------->|
    |                                                          |
7.  | EAP-Success                                              |
    |<---------------------------------------------------------|
    |                                                          |
Operator/Vendor Mitigations
• Deprecate EAP-SIM in favour of EAP-AKA
  • EAP-SIM is weaker as it only uses GSM triplets
• Deploy EAP-AKA/SIM with conservative peer pseudonym
• Deploy Certificate based approach
  • Deploy certificates on suitable AAA infrastructure
  • Deploy certificate protected tunnelled EAP-AKA for WLAN access
    • E.g. EAP-TTLS + EAP-AKA on 802.1X
  • Deploy certificate protected IPsec/IKEv2 to EPDG
    • E.g. EAP-TTLS + EAP-AKA for IKE_AUTH, or multiple IKEv2 auth exchange
• (Re)investigate other potential solutions
  • IMSI encryption – 5G-ENSURE project has proposed an ‘enabler’
  • E.g. 3GPPPTD S3-030081 – ‘Certificate-Based Protection of IMSI for EAP-SIM/AKA’
• Standards bodies should re-evaluate approaches
Mobile OS Mitigations
• Support conservative peer for EAP-AKA/SIM with pseudonym support
  • Emerging in some OSes (e.g. iOS 10)
  • iOS 10 has conservative peer pseudonym support – due to us 😉
• Certificate based approach
  • Support for EAP-TTLSv0 + EAP-AKA in IKEv2 & EAPOL
• Allow for more user choice with automatic WiFi network access
  • Preferably allow for editing of all stored associations
User Mitigation
• WiFi Network Access Control
  • iOS
    • Turn off ‘Auto-Join’ toggle for Auto-WiFi networks
      • Only possible when network in range
    • iOS 10 will provide better protection (once operators deploy pseudonym support)
  • Android
    • ‘Forget’ Auto-WiFi profiles
      • Depending on version only possible when network in range
• WiFi-Calling
  • Android/iOS: Selectively disable WiFi-Calling
• Switch off WiFi in untrusted environments
Summary
• Large scale IMSI exposure issues
  • Poor privacy mandates in standards
  • Widespread device pre-configuration with no opt out
  • Lack of checking by companies involved
• We’ve been working with Operators/Vendors/OS companies to fix the issue
  • But it’s a complex issue requiring changes by all
  • iOS 10 conservative peer support due to this work
  • EAP-AKA is now starting to replace EAP-SIM
• We need stronger privacy protections
Conclusions & Future Work
• Investigating other uses of EAP-SIM/AKA
  • Exploring use of USIM credentials in other WiFi based protocols
• Continuing work in 5GENSURE.EU Project
  • Security Architecture and enablers
5GENSURE receives funding from the EU Framework Programme for Research and Innovation H2020 under grant agreement No 671562 | Duration November 2015 – October 2017
The 5G Infrastructure Public Private Partnership (5GPPP)
5G Enablers for network and system security and resilience
@5GEnsure
5G-ENSURE: http://www.5gensure.eu
Questions?