practical attacks against privacy and availability in 4g/lte mobile … · 2017-09-06 · all (4)...
TRANSCRIPT
![Page 1: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/1.jpg)
PracticalattacksagainstPrivacyandAvailabilityin4G/LTEMobileCommunicationSystems
Altaf Shaik &JeanPierreSeifert Ravishankar Borgaonkar N.Asokan Valtteri NiemiTUBerlin&T-Labs UniversityofOxford Aalto&Uni.ofHelsinkiUni.ofHelsinki
23February2016NDSS2016SanDiegoUSA
![Page 2: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/2.jpg)
Outline
• Evolutionofsecurityinmobilenetworksü2G/GSM,3G/UMTS,4G/LTE
• Practicalattacksagainst4G/LTEü LocationleaksüDenialofservice
• Potentialreasonsforvulnerabilities
• Impact
2
![Page 3: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/3.jpg)
Fakebase-stations..1
• Usedfor:IMSI/IMEI/locationtracking,call&datainterception
• Exploitweaknessesin2G&3G(partially)
• KnowsasIMSICatchers
• Difficulttodetectonnormalphones(Darshak,Cryptophone orSnoopsnitch)
3
![Page 4: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/4.jpg)
Fakebase-stations..2
4
![Page 5: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/5.jpg)
4G/LTE
• Widelydeployed,1.37billionusersbyendof2015
• Moresecurethanpreviousgenerations
• Bestefforttoavoidpreviousmistakes
5
Fig.source:Wikipedia
![Page 6: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/6.jpg)
4GArchitecture
6
E-UTRAN
eNodeBUE
Cell
S1
Tracking Area
MME
Internet
eNodeB:EvolvedNodeB(“basestation”) UE:UserEquipmentE-UTRAN:EvolvedUniversalTerrestrialAccessNetwork S1:InterfaceMME:MobilityManagementEntity
![Page 7: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/7.jpg)
Securityevolutioninmobilenetworks
7
Base Station
Phone
nomutualauthentication
mutualauthenticationintegrityprotection
mutualauthenticationdeepermandatoryintegrityprotection
2G
3G
4G
decidesencryption/authenticationrequestsIMSI/IMEI
![Page 8: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/8.jpg)
ResearchMotivation
ØAnalysisofaccessnetworkprotocolsandintegrityprotectioninpractice
Ø LTEfakebasestations:thoughttobecomplex*andlesseffective
ØButinpractice:ü Implementation/configurationflaws,specification/protocol
deficiencies?
8
*https://insidersurveillance.com/rayzone-piranha-lte-imsi-catcher/
![Page 9: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/9.jpg)
Evaluating4GSecurity:ExperimentSet-up
• Hardware– USRP,4Gdongle,4Gphones
• Software – OpenLTE &srsLTE
Set-upcost- littleover1000Euros!
9
ThankstoOpenLTE andsrsLTE group!
![Page 10: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/10.jpg)
Results
• Vulnerabilities in 4G specifications and networks
• Demonstrating impact by practical attacks✓ Location leaks✓ Denial-of-service
11
![Page 11: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/11.jpg)
Relevant 4G Features
• (Smart) Paging
• Diagnostic Reports from UE
• Mobility Management
11
![Page 12: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/12.jpg)
Feature:Pagingin4G
12
PagingRequest
{404220522xxxxxx:A000FFFF}
IMSI=404220522xxxxxx
“GUTI”=A000FFFF
Why: locate subscriber to deliver calls/messages
GUTI:GloballyUniqueTemporaryIdentifierIMSI:InternationalMobilesubscriberIdentity
![Page 13: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/13.jpg)
Pagingconfigurationvulnerabilities
13
passiveattacker
Pagingbroadcast
SmartPagingü sentontoasmallcellinsteadofabigtrackingareaü Allowsattackertolocate4Gsubscriberinacell
GUTIpersistenceü MNOsdon’tchangeGUTIsufficiently&frequently
![Page 14: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/14.jpg)
Feature:ReportsfromUEtoeNodeB
14
ListofvisibleeNodeBs,signalstrengths,UE’sGPSco-ordinates
RLFReports(radiolinktroubleshooting)
Measurementreports (handovers)
![Page 15: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/15.jpg)
Vulnerabilitiesinthefeature
15
activeattacker
SendmeMeasurement/RLFreport
Specification
UEmeasurementreportsü Requestsnotauthenticatedü Reportsarenotencrypted
Implementations
RLFreportsü Requestsnotauthenticatedü Reportsarenotencryptedü Allbasebandvendors
![Page 16: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/16.jpg)
Feature:MobilityManagementin4G
16
TrackingAreaUpdate(TAU)procedureü DuringTAU,MME& UEagreeonnetwork
mode(2G/3G/4G)ü “TAUReject”usedtorejectsomeservices
services(e.g.,4G)toUE
Specificationvulnerability:Rejectmessagesarenotintegrityprotected
![Page 17: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/17.jpg)
Feature:MobilityManagementin4G
17
SecurityCapabilitiesSupportedNetworks
AttachRequest(turnON)
Integrityprotected
SecurityCapabilities
Specificationvulnerability:Networkcapabilitiesnotprotected- biddingdownattacks
![Page 18: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/18.jpg)
Discovered Vulnerabilities in 4GSpecification
• UEmeasurementreportsü Requestsnotauthenticated:reportsarenotencrypted
• TrackingAreaUpdate(TAU)procedureü Rejectmessagesarenotintegrityprotected
• Attachprocedureü Networkcapabilitiesarenotprotectedagainstbiddingdownattacks
Implementations:(allbasebandvendors)
• RLFreportsü Requestsnotauthenticated:reportsarenotencrypted
18
22
![Page 19: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/19.jpg)
Attacks:Locationleaks
19
![Page 20: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/20.jpg)
LocationLeaks:trackingcoarselevel
20
Semi-passiveAttacker(TA/cell)
paging
Target
Target
LocationAccuracy:2Sq.Km
MappingGUTItoSocialIdentity
![Page 21: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/21.jpg)
LocationLeaks:trackingpreciselevel
21
Activeattacker
Target
Measurement/RLFreports
LocationAccuracy:50meters(or)GPSco-ordinates
![Page 22: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/22.jpg)
Attacks:Denialofservice
22
![Page 23: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/23.jpg)
DoS Attacks
ExploitingspecificationvulnerabilityinEMMprotocol!
• Downgradetonon-LTEnetworkservices(2G/3G)
• Denyallservices(2G/3G/4G)
• Denyselectedservices(blockincomingcalls)
• PersistentDoS
• Requiresreboot/SIMre-insertion
23
![Page 24: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/24.jpg)
Tradeofbetweensecurityand
• Performanceü Phonerestrictstoconnecttonetwork- savingpowerü savingnetworksignalingresources(avoidunsuccessfulattach)ü Operatordonotrefreshtemporaryidentifiersoften
• Availabilityü operatorsrequireunprotectedreportsfortroubleshooting
• Functionalityü Smartphoneappsongenericplatformsnotmobile-network-friendly
• AttackingcostVsSecuritymeasures(definedin15yearsback)
24
Reasons for vulnerabilities
![Page 25: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/25.jpg)
Impact
All(4)affectedbasebandmanufacturersü Responsibledisclosureofbugs:acknowledgedandpatchesreleasedü ButOEMsdonotyethavesecurityupdatestophones
Networkoperatorsü Configurationissueswereacknowledgedandfixed
Standardsorganizationsü SecurityissuespresentedatSA3(inAnaheim,Nov2015)andGSMAü ChangesintoLTEspecificationsareinprogress
Socialnetworkapplicationsü Facebooknolongersupportscompletelysilentmessages
25
![Page 26: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/26.jpg)
Conclusions• Newvulnerabilitiesin4Gstandards/chipsets• Configurationbyoperatorsdonotfollowbestpractices
• Leadtoattacks:ü Socialapplicationsusedforsilenttracking
ü Locating4Gdevicesusingtrilateration ,GPSco-ordinates!
üDoS attacksarepersistent&silenttousers
• Designtrade-offsmadeadecadeagonolongereffective
26
![Page 27: Practical attacks against Privacy and Availability in 4G/LTE Mobile … · 2017-09-06 · All (4) affected baseband manufacturers üResponsible disclosure of bugs: acknowledged and](https://reader034.vdocuments.net/reader034/viewer/2022042100/5e7c6e157ab80a71f47e4415/html5/thumbnails/27.jpg)
ThankYou.
Questions?
Shoutforademo!
This work was supported in part by the Intel Collaborative Research Institute forSecure Computing, Academy of Finland (“Cloud Security Services” project#283135), Deutsche Telekom Innovation Laboratories (TLabs), and 5G-Ensure(grant agreement No. 671562, www.5Gensure.eu).