Department of Computer Science

MobileSubscriberWiFi Privacy

PiersO’HanlonRavishankar BorgaonkarLuccaHirschi (LSV,UniversityParis-Saclay)

MoST IEEES&PWorkshop2017

Overview

• Mobileidentifiers• IMSICatchers/Trackers– Conventional–WiFi-based

• WiFi authenticationflaws• EAP-SIM/AKAFormalAnalysis• Mitigations– User/MobileOS/Operator

Mobileidentifiers• Subscriberidentifiers

• Mobilesubscriberidentity• InternationalMobileSubscriberIdentity(IMSI)• TemporaryIMSI(TIMSI)

• Mobilenumber• MobileStationInternationalSubscriberDirectoryNumber(MSISDN)

• Deviceidentifiers• InternationalMobileEquipmentIdentity(IMEI)• WiFi MACaddress• BluetoothMACaddress• NFCAddress

• Network/OSlevelidentifiers• IPaddresses,Hostnames,DHCPoptions,MulticastDNSnames,etc

• Applicationlevelidentifiers• Usernames,identifiers,handles,etc

WhatisanIMSI?• InternationalMobileSubscriberIdentity

• 15digitnumber(MCountryCode+MNetCode+MSIdNum)• e.g.234123456789012

• Identityformutualauthenticationofadevicetothenetwork• UsingSIM’ssecret128-bitauthenticationKey(Ki)andfor3/4GtheSequenceNumber(SQN)

• Storedintwoplaces:• Inthe‘SIMCard’(USIM/UICC)

• IMSIisaccessibleinreadonlysectionofSIM• Secretkey(Ki)andSQNarenotdirectlyreadable

• AttheOperator• IMSIindexesKi andSQNfromHSS/AuC Database

• Anidentifierthatcanbeusedfortracking

ConventionalIMSICatchers• Typicalfeatures

• Tracking:IMSI/IMEI,Location• Interception:Call/SMS/Data

• OperatesonlicensedMobileBands:2G(GSM)/3G/4G• Actsasafakebasestationtolurenearbymobiledevices

• ‘Passive’- mainlyfortracking (interceptionwhenno/weakciphering)

• Active– interceptionandtracking• Cost

• Commercialsolutionsexpensive• NowcheaperoptionsusingLaptop+SDR board

• Beenaroundsincetheearly1990s• PatentedinEuropein1993

ConventionalIMSICatchers:2-4G

• Exploitsprotocolflaws(nomutualauthentication..)

• Tracking&Interception

• Easilyavailabletobuyonline

• Useoffakebasestation

• Exploitsarchitectureissues(Basestation>UE..)

• Tracking&difficulttointercepttrafficw.r.t 2G

• Commercialproductsusuallydowngrades

• Useoflegitimatebasestationalsopossible

2G 3G/4G

http://www.epicos.com/EPCompanyProfileWeb/Content/Ability/EM_GSM.JPG http://edge.alluremedia.com.au/m/g/2016/05/nokia_ultra_compact_network.jpg

WiFi-BasedIMSICatcher• Features

• Tracking:IMSI,Location• Nointerception

• OperatesinunlicensedISMBands:WiFi• Range- fewhundredmeters– canbeextended…• FakeAccessPoints• Redirect/Spoofsmobilepacketdatagateway• Exploitsprotocol&configurationweaknesses

• Basedontwoseparateaccesstechniques[3GPPTS33.234]• WiFi NetworkAuthentication(‘WLANdirectIPaccess’)• WiFi-CallingAuthentication(‘WLAN3GPPIPaccess’)

• Cost• Low:VirtuallyanyWiFi capablecomputer

MobilenetworkArchitecture

WiFi Networkattachment(WLANdirectIPaccess)

• UnencryptedWiFi accesspoints(APs)• CaptivePortalapproaches

• WirelessInternetServiceProviderroaming(WiSPr)etc

• EncryptedWiFi APs• Pre-sharedpassword/credentials

• ‘AutoConnect’EncryptedWiFi APs(802.1X)• WiFi keyisnegotiatedwithoutuserintervention• BasedoncredentialsintheUSIM/UICC(‘SIMCard’)• Controlledbyoperatorprovidedconfiguration

• Manual• Automatic/pre-installed

ManualConfiguration

• SomeAndroiddevicesrequireinitialmanualconfiguration• Afterwhichitautomaticallyconnects

• Instructionsonoperatorwebsites• Followsimplestepstosetup

• AndroidprovidesvariousCarriercontrolledmechanisms• Lollipop(v5.1MR1):UICCCarrierPrivileges• Marshmallow(v6.0):CarrierConfiguration

• “Privilegedapplicationstoprovidecarrier-specificconfigurationtotheplatform”

Automaticconfiguration• SomeAndroidandWindowsphonesautomaticallyconnectbasedonSIM• iOSconfiguresphonebasedoninsertedSIM• Activatesanoperatorspecific.mobileconfig file• Configuresarangeofoperatorspecificoptions

• Includingalistof802.1XsupportedWiFi SSIDs

• OuranalysisofiOS9profilesshowed• Morethan60profiles(44countries)for802.1XWiFi• Containing66uniqueSSIDSplusotherconfig

• =>Phonescontinuouslytryingtosilentlyautomaticallyauthenticate

AutomaticWiFi Authentication• PortBasedNetworkAccessControl[IEEE802.1X]

• UsesExtensibleAuthenticationProtocol(EAP)[RFC3748]overLAN(EAPOL)overWiFi

• BasedupontwoEAPMethods• EAP-SIM[RFC4186]

• GSMbasedsecurity- Currentlymostwidelyused• EAP-AKA[RFC4187]

• 3Gbasedsecurity- Beingdeployed

• SupportinallmajorMobileOSes:Android,iOS,WindowsMobile,andBlackberrydevices• Reportedtheissuetothemallandtooperators&GSMA

• Deployedinmanycountries– adoptiongrowing

EAP-SIM/AKAIdentities

• Threebasicidentitytypesforauthentication• Permanent-identity(IMSI)

• Typicallyusedinitiallyafterwhichtemporaryidsareused• Pseudonymidentity

• ApseudonymfortheIMSIhaslimitedlifetime• Fastreauthentication-identity

• Loweroverheadre-attachmentafterinitialexchange

• Behaviouraffectedbypeerpolicy• “Liberal”peer- Currentdefault

• Respondstoanyrequestsforpermanentidentity• “Conservative”peer– Futuredeploymentoption

• OnlyrespondtorequestsforpermanentidentitywhennoPseudonymidentityavailable

EAP-SIM/AKAtransport

• BasicEAPprotocolisnotencrypted• CurrentlyEAP-SIM/AKAinEAPOLisunencrypted• ThusIMSIisvisible(toapassiveattacker)whenpermanentidentityusedforfullauthentication😱• Alsoopentoactiveattacksbyrequestingfullauth😱

• Problemamplifiedduetopre-configuredprofiles• Mobiledevicesareconstantlycheckingforpre-configuredSSIDsandattemptingauthentication

• WiFi Accesskeysnotcompromised• Allcontentstillprotected

WiFi-CallingOperation(WLAN3GPPIPaccess)• PhoneconnectstoEdgePacketDataGateway(EPDG)overWiFi• VoicecallsoverWiFi• Phoneconnectsonlow/nosignal

• AlsoconnectsinAirplanemode+WiFi …

• ConnectiontoEPDGusesIPsec• AuthenticatesusingInternetKeyExchangeProtocol(IKEv2)

• SupportedoniOS,Android,andWindowsdevices• WiFi-Callingavailableinanumberofcountries• TheissuealsobeenreportedtoOSmakersandOperators

IPsecbriefoverview• InternetProtocolSecurity

• Confidentiality,dataintegrity,accesscontrol,anddatasourceauthentication

• Recoveryfromtransmissionerrors:packetloss,packetreplay,andpacketforgery

• Authentication• AuthenticationHeader(AH)- RFC4302

• Confidentiality• EncapsulatingSecurityPayload(ESP)- RFC4303

• Keymanagement• InternetKeyExchangev2(IKEv2)- RFC7296

• Twomodes• Tunnel- usedforconnectiontoGateway(EPDG)• Transport

IKEv2 weakness• Initiatesconnectionintwophases

• IKE_SA_INIT• Negotiatecryptographicalgorithms,exchangenonces,anddoaDiffie-Hellmanexchange

• IKE_AUTH• Authenticatethepreviousmessages,exchangeidentities(e.g.IMSI),andcertificates,andestablishthechildSecurityAssociation(s)(SA)

• IKE_AUTHusesEAP-AKAtoexchangeidentities• DH-encryptedIMSIexchangenotprotectedbyacertificate• OpentoMitM attacksonidentityexchange(e.g.IMSI)😱

• IPsecESPkeysarenotcompromised• Callcontentstillsafe

EAP-SIM/AKAFormalAnalysis

• AnalysedEAP-SIM/AKAinProVerif securityprotocolanalyser• Modelledusingasymbolicmodelbaseduponappliedπ-calculus

• EAP-AKAisstateful,usesXOR,andSQNsoitwassimplified

• Weusedthemodelstoformallyverifyuntraceability oftheIMSIfortwousers• AttackfoundwhenIMSIisunhidden– asexpected• NoattackfoundwhenIMSIhidden(encrypted/pseudonym)withoutadditionalauthenticationmaterial

EAP-SIMtraceabilityattack

• WhenIMSIhiddenandattackerknowsn(=3)GSMauthenticationtripletsfortargetedIMSI• GSMTriplet:SignedResponse[SRES](32-bit),Randomnumber[RAND](128-bit),&CipheringKey[Kc](64-bit)• UsingknownGSMtriplets,attackersendschallengerequesttomobiledevice(Step5– NextSlide)• Ifmobiledeviceacceptschallenge

==>mobileisthetargeteddevice

EAP-SIMFullAuthenticationPeer Authenticator

1. | EAP-Request/Identity ||<---------------------------------------------------------|| |

2. | EAP-Response/Identity (e.g. IMSI) ||--------------------------------------------------------->|| |

3. | EAP-Request/SIM/Start (AT_VERSION_LIST) ||<---------------------------------------------------------|| |

4. | EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION)||--------------------------------------------------------->|| |

5. | EAP-Request/SIM/Challenge (AT_RAND, AT_MAC) ||<---------------------------------------------------------|

+-------------------------------------+ || Peer runs GSM algorithms, verifies | || AT_MAC and derives session keys | |+-------------------------------------+ |6. | EAP-Response/SIM/Challenge (AT_MAC) |

|--------------------------------------------------------->|| |

7. | EAP-Success ||<---------------------------------------------------------|| |

Operator/VendorMitigations• DeprecateEAP-SIMinfavourofEAP-AKA

• EAP-SIMisweakerasitonlyusesGSMtriplets• DeployEAP-AKA/SIMwithconservativepeerpseudonym• DeployCertificatebasedapproach

• DeploycertificatesonsuitableAAAinfrastructure• DeploycertificateprotectedtunnelledEAP-AKAforWLANaccess

• E.g.EAP-TTLS+EAP-AKAon802.1X• DeploycertificateprotectedIPsec/IKEv2toEPDG

• E.g.EAP-TTLS+EAP-AKAforIKE_AUTH,ormultipleIKEv2auth exchange

• (Re)investigateotherpotentialsolutions• IMSIencryption– 5G-ENSUREprojecthasproposedan‘enabler’• E.g.3GPPPTDS3-030081– ‘Certificate-BasedProtectionofIMSIforEAP-SIM/AKA’

• Standardsbodiesshouldre-evaluateapproaches

MobileOSMitigations

• SupportconservativepeerforEAP-AKA/SIMwithpseudonymsupport• EmerginginsomeOSes(e.g.iOS10)• iOS10hasconservativepeerpseudonymsupport–duetous😉

• Certificatebasedapproach• SupportforEAP-TTLSv0+EAP-AKAinIKEv2&EAPOL

• AllowformoreuserchoicewithautomaticWiFinetworkaccess• Preferablyallowforeditingofallstoredassociations

UserMitigation• WiFi NetworkAccessControl

• iOS• Turnoff‘Auto-Join’toggleforAuto-WiFi networks

• Onlypossiblewhennetworkinrange• iOS10willprovidebetterprotection(onceoperatorsdeploypseudonymsupport)

• Android• ‘Forget’Auto-WiFi profiles

• Dependingonversiononlypossiblewhennetworkinrange

• WiFi-Calling• Android/iOS:SelectivelydisableWiFi-Calling

• SwitchoffWiFi inuntrustedenvironments

Summary

• LargescaleIMSIexposureissues• Poorprivacymandatesinstandards• Widespreaddevicepre-configurationwithnooptout• Lackofcheckingbycompaniesinvolved

• We’vebeenworkingwithOperators/Vendors/OScompaniestofixtheissue• Butit’sacomplexissuerequiringchangesbyall• iOS10conservativepeersupportduetothiswork• EAP-AKAisnowstartingtoreplaceEAP-SIM

• Weneedstrongerprivacyprotections

Conclusions&FutureWork

• InvestigatingotherusesofEAP-SIM/AKA• ExploringuseofUSIMcredentialsinotherWiFibasedprotocols• Continuingworkin5GENSURE.EU Project• SecurityArchitectureandenablers

Department of Computer Science

26

5GENSUREreceivesfundingfromtheEUFrameworkProgramme forResearchandInnovationH2020undergrantagreementNo671562|DurationNovember2015– October2017

The5GInfrastructurePublicPrivatePartnership(SGPPP)

5GEnablersfornetworkandsystemsecurityandresilience

@5GEnsure

5G-ENSURE:http://www.5gensure.eu

contact@5gensure.eu

Questions?