WiFi-Based IMSI Catcher
Piers O’Hanlon, Ravishankar Borgaonkar
Department of Computer Science
Black Hat, London, 3rd November 2016
Overview
• What is an IMSI?
• Conventional IMSI Catchers
• WiFi-based IMSI Catcher
• WiFi Network Authentication 💣
• WiFi Calling Authentication 💣
• Operator/Vendor/OS Mitigations
• User Mitigations
• Demo
What is an IMSI?
• International Mobile Subscriber Identity
• 15 digit number, e.g. 234123456789012
• Allows for mutual authentication of a device to the network
  • Using the SIM’s secret authentication Key (Ki) and, for 3G/4G, the Sequence Number (SQN)
• Stored in two places:
  • In the ‘SIM Card’ (USIM/UICC)
    • IMSI is accessible in a read-only section of the SIM
    • Secret key (Ki) and SQN are not directly readable
  • At the Operator
    • IMSI indexes Ki and SQN in the HSS/AuC Database
• An identifier that can be used for tracking
  • One of a few, like WiFi/Bluetooth/NFC hardware address (e.g. MAC), IMEI, MSISDN (phone number), etc.
Conventional IMSI Catchers
• Typical features
  • Tracking: IMSI/IMEI, Location
  • Interception: Call/SMS/Data
• Operates on licensed mobile bands: GSM/3G/4G
• Acts as a fake base station to lure nearby mobile devices
• Operates in two modes
  • ‘Passive’ - mainly for tracking (interception when no/weak ciphering)
  • Active – interception and tracking
• Cost
  • Commercial solutions expensive - but now possible with Laptop + SDR board
• Been around since the early 1990s
  • Patented in Europe in 1993
Techniques in Conventional IMSI Catchers
2G
• Exploits protocol flaws (no mutual authentication..)
• Tracking & Interception
• Easily available to buy online
• Use of fake base station
3G/4G
• Exploits architecture issues (Base station > UE..)
• Tracking & difficult to intercept traffic w.r.t. 2G
• Commercial products usually downgrade
• Use of legitimate base station also possible
Protection against IMSI Catchers
• No protection for commercial non-rooted mobile devices
• Special phones (expensive though) and apps for rooted phones
• Turn off cellular connection or use WiFi platform for secure calls/data??
WiFi-Based IMSI Catcher
• Features
  • Tracking: IMSI, Location
  • No interception (yet)
• Operates in unlicensed ISM bands: WiFi
• Range - few hundred meters – can be extended…
• Fake Access Points
• Redirect/Spoofs mobile packet data gateway
• Exploits protocol & configuration weaknesses
• Based on two separate techniques [3GPP TS 33.234]
  • WiFi Network Authentication (‘WLAN direct IP access’)
  • WiFi-Calling Authentication (‘WLAN 3GPP IP access’)
• Cost
  • Low: Virtually any WiFi capable computer
WiFi Network attachment
• Unencrypted WiFi access points
  • Captive Portal approaches
    • Wireless Internet Service Provider roaming (WISPr) etc.
• Normal Encrypted WiFi access points
  • Pre-shared password/credentials
• ‘Auto Connect’ Encrypted WiFi access points
  • WiFi key is negotiated without user intervention
  • Based on credentials in the USIM/UICC (‘SIM Card’)
  • Controlled by operator provided configuration
    • Manual
    • Automatic/pre-installed
Automatic configuration
• Some Android and Windows phones automatically connect based on SIM
• iOS configures phone based on inserted SIM
  • Activates an operator specific .mobileconfig file
  • Configures a range of operator specific options
    • Including a list of Auto/EAP supported WiFi SSIDs
  • Our analysis of iOS9 profiles showed
    • More than 50 profiles for Auto/EAP WiFi
    • Also other config info
‘Manual’ Configuration
• Some Android devices require initial manual config
  • After which it automatically connects
• Instructions on operator websites
  • Follow simple steps to set up
• Android provides various Carrier controlled mechanisms
  • Lollipop (v5.1 MR1): UICC Carrier Privileges
  • Marshmallow (v6.0): Carrier Configuration
    • “Privileged applications to provide carrier-specific configuration to the platform”
Automatic WiFi Authentication
• Port Based Network Access Control [IEEE 802.1X]
  • Uses Extensible Authentication Protocol (EAP) [RFC 3748] over LAN (EAPOL) over WiFi
• Based upon two EAP Methods
  • EAP-SIM [RFC 4186]
    • GSM based security - Currently most widely used
  • EAP-AKA [RFC 4187]
    • 3G based security - Being deployed
• Support in Android, iOS, Windows Mobile, and Blackberry devices
  • We’ve reported the issue to them all and to operators & GSMA
    • No privacy bounties 😕
    • Apple included ‘conservative peer’ support due to our work
• Deployed in many countries – adoption growing
EAP-SIM/AKA Identities
• Three basic identity types for authentication
  • Permanent identity (IMSI)
    • Typically used initially, after which temporary ids are used
  • Pseudonym identity
    • A pseudonym for the IMSI; has a limited lifetime
  • Fast re-authentication identity
    • Lower overhead re-attachment after the initial exchange
• Behaviour affected by peer policy
  • “Liberal” peer - Current default
    • Responds to any request for the permanent identity
  • “Conservative” peer – Future deployment option
    • Only responds to requests for the permanent identity when no pseudonym identity is available
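The liberal versus conservative peer policy above, modelled as an added example (this is not code from the talk or from any OS implementation). The identity request attribute names come from RFC 4186/4187; the IMSI, realm and pseudonym values are constructed, and the refusal behaviour of the conservative peer is simplified to returning no identity.

```python
# Added example (not from the talk): models the EAP-SIM/AKA identity-selection
# policy of a "liberal" versus "conservative" peer (RFC 4186 / RFC 4187).
# The server's identity request carries one of three attributes; the peer
# answers with the least revealing identity it is allowed to use.
from dataclasses import dataclass
from typing import Optional

AT_ANY_ID_REQ = "AT_ANY_ID_REQ"              # any identity type acceptable
AT_FULLAUTH_ID_REQ = "AT_FULLAUTH_ID_REQ"    # pseudonym or permanent (full auth)
AT_PERMANENT_ID_REQ = "AT_PERMANENT_ID_REQ"  # permanent identity (IMSI) only

@dataclass
class PeerState:
    """Identities the peer currently holds (constructed sample values)."""
    permanent: str                      # "1" + IMSI + "@" + realm (EAP-SIM)
    pseudonym: Optional[str] = None     # temporary id issued by the server
    fast_reauth: Optional[str] = None   # fast re-authentication id

def choose_identity(peer: PeerState, request: str, conservative: bool) -> Optional[str]:
    """Return the identity the peer discloses, or None if it refuses.

    Liberal peer (the current default on the slides): always answers
    AT_PERMANENT_ID_REQ with the IMSI. Conservative peer: answers it only
    when no pseudonym is available, which limits an active attacker that
    simply asks every device for its permanent identity.
    """
    if request == AT_ANY_ID_REQ:
        return peer.fast_reauth or peer.pseudonym or peer.permanent
    if request == AT_FULLAUTH_ID_REQ:
        return peer.pseudonym or peer.permanent
    if request == AT_PERMANENT_ID_REQ:
        if conservative and peer.pseudonym is not None:
            return None  # refuse: a pseudonym exists, so the IMSI stays private
        return peer.permanent
    raise ValueError(f"unknown identity request {request!r}")

def exposes_imsi(peer: PeerState, request: str, conservative: bool) -> bool:
    """True when the chosen identity is the permanent one (IMSI disclosed)."""
    return choose_identity(peer, request, conservative) == peer.permanent

if __name__ == "__main__":
    peer = PeerState(permanent="1234123456789012@wlan.mnc012.mcc234.3gppnetwork.org",
                     pseudonym="3ZGFrZXBzZXVkb255bQ@wlan.mnc012.mcc234.3gppnetwork.org")
    for policy in (False, True):
        print("conservative" if policy else "liberal",
              "discloses IMSI:", exposes_imsi(peer, AT_PERMANENT_ID_REQ, policy))
```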
EAP-SIM/AKA transport
• Basic EAP protocol is not encrypted
• Currently EAP-SIM/AKA in EAPOL is unencrypted
  • Thus IMSI is visible (to a passive attacker) when the permanent identity is used for full authentication 😱
  • Also open to active attacks by requesting full auth 😱
• WiFi Access keys not compromised
  • All content still protected
• There are encrypted tunnel EAP methods
  • EAP-TTLSv0, EAP-TLS…
  • But support required in both mobile OS and operator
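Because the identity travels in clear over EAPOL, a network owner can monitor their own 802.1X ports for permanent-identity responses. The following added example (not from the talk) classifies EAP-SIM/AKA identities by the leading-digit convention of RFC 4186/4187 and the 3GPP WLAN realm form, and reports which ones disclose an IMSI; the sample identities are constructed.

```python
# Added example (not from the talk): classify EAP-SIM/AKA identities seen in
# clear in EAP-Response/Identity over EAPOL and flag those exposing the IMSI.
# Leading digits follow RFC 4186 (EAP-SIM) and RFC 4187 (EAP-AKA).
import re
from typing import Dict, List, Optional

# Identity prefix -> (method, identity type)
PREFIXES = {
    "0": ("EAP-AKA", "permanent"), "2": ("EAP-AKA", "pseudonym"), "4": ("EAP-AKA", "fast-reauth"),
    "1": ("EAP-SIM", "permanent"), "3": ("EAP-SIM", "pseudonym"), "5": ("EAP-SIM", "fast-reauth"),
}
# 3GPP realm used for WLAN access: wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org
REALM_RE = re.compile(r"^wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")

def classify_identity(nai: str) -> Optional[Dict[str, str]]:
    """Parse a NAI; return method/type (+ IMSI, MCC, MNC for permanent ids) or None."""
    if "@" not in nai:
        return None
    user, realm = nai.split("@", 1)
    if not user or user[0] not in PREFIXES:
        return None
    method, kind = PREFIXES[user[0]]
    info = {"method": method, "type": kind}
    if kind == "permanent":
        imsi = user[1:]
        if not re.fullmatch(r"\d{6,15}", imsi):  # an IMSI is at most 15 digits
            return None
        info["imsi"] = imsi
        m = REALM_RE.match(realm)
        if m:
            info["mnc"], info["mcc"] = m.group(1), m.group(2)
    return info

def imsi_exposures(identities: List[str]) -> List[str]:
    """Return the IMSIs disclosed in clear by permanent-identity responses."""
    found = []
    for nai in identities:
        info = classify_identity(nai)
        if info and info["type"] == "permanent":
            found.append(info["imsi"])
    return found

# Constructed sample of identities as a monitor on the 802.1X port would see them.
SAMPLE = [
    "1234123456789012@wlan.mnc012.mcc234.3gppnetwork.org",  # EAP-SIM permanent: IMSI in clear
    "3ZmFrZXBzZXVkbw@wlan.mnc012.mcc234.3gppnetwork.org",    # EAP-SIM pseudonym: no IMSI
    "0234123456789013@wlan.mnc012.mcc234.3gppnetwork.org",  # EAP-AKA permanent: IMSI in clear
    "alice@example.org",                                    # not a SIM/AKA identity
]
```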
WiFi-Calling Connection
• Phone connects to Edge Packet Data Gateway (EPDG) over WiFi
• Voice calls over WiFi
• Phone connects on low/no signal
  • Also connects in Airplane mode + WiFi …
• Connection to EPDG uses IPsec
  • Authenticates using Internet Key Exchange Protocol (IKEv2)
• Supported on iOS, Android, and Windows devices
• WiFi-Calling available in a number of countries
• The issue has also been reported to OS makers and Operators
IPsec brief overview
• Internet Protocol Security
  • Confidentiality, data integrity, access control, and data source authentication
  • Recovery from transmission errors: packet loss, packet replay, and packet forgery
• Authentication
  • Authentication Header (AH) - RFC 4302
• Confidentiality
  • Encapsulating Security Payload (ESP) - RFC 4303
• Key management
  • Internet Key Exchange v2 (IKEv2) - RFC 7296
• Two modes
  • Tunnel - used for connection to Gateway (EPDG)
  • Transport
Internet Key Exchange (IKEv2)
• Initiates connection in two phases
  • IKE_SA_INIT
    • Negotiate cryptographic algorithms, exchange nonces, and do a Diffie-Hellman exchange
  • IKE_AUTH
    • Authenticate the previous messages, exchange identities (e.g. IMSI) and certificates, and establish the child Security Association(s) (SA)
• IKE_AUTH uses EAP-AKA
  • IMSI exchange not protected by a certificate
  • Open to MitM attacks on identity (IMSI) 😱
• IPsec ESP keys are not compromised
  • Call content still safe
Operator/Vendor Mitigations
• Deprecate EAP-SIM in favour of EAP-AKA
  • EAP-SIM is weaker as it only uses GSM triplets
• Deploy EAP-AKA/SIM with conservative peer pseudonym
• Deploy Certificate based approach
  • Deploy certificates on suitable AAA infrastructure
  • Deploy certificate protected tunnelled EAP-AKA for WLAN access
    • E.g. EAP-TTLS + EAP-AKA on 802.1X
  • Deploy certificate protected IPsec/IKEv2 to EPDG
    • E.g. EAP-TTLS + EAP-AKA for IKE_AUTH, or multiple IKEv2 auth exchange
• (Re)investigate other potential solutions
  • IMSI encryption – 5G-ENSURE project has proposed an ‘enabler’
  • E.g. 3GPP TD S3-030081 – ‘Certificate-Based Protection of IMSI for EAP-SIM/AKA’
• Standards bodies should re-evaluate approaches
Mobile OS Mitigations
• Support conservative peer for EAP-AKA/SIM with pseudonym support
  • Emerging in some OSes (e.g. iOS 10)
• Certificate based approach
  • Support for EAP-TTLSv0 + EAP-AKA in IKEv2 & EAPOL
  • Other approaches?
• Allow for more user choice with automatic WiFi network access
  • Preferably allow for editing of all stored associations
User Mitigation
• WiFi Network Access Control
  • iOS
    • Turn off ‘Auto-Join’ toggle for Auto-WiFi networks
      • Only possible when network in range
    • iOS 10 may provide better protection (once operators deploy support)
      • It has conservative peer pseudonym support – due to us 😉
  • Android
    • ‘Forget’ Auto-WiFi profiles
      • Depending on version, only possible when network in range
• WiFi-Calling
  • Android/iOS: Selectively disable WiFi-Calling
• Switch off WiFi in untrusted environments
Summary
• Exposed two new IMSI catching techniques
  • WiFi Network authentication protocols
  • WiFi-Calling authentication protocols
• Most of the world’s smartphones implement these protocols
• Both techniques rely upon installed operator automatic configuration for these popular services
• We’ve been working with Operators/Vendors/OS companies to fix the issue
  • But it’s a complex issue
Conclusions & Future Work
• Investigating other uses of EAP-SIM/AKA
• Exploring use of USIM credentials in other WiFi based protocols
• Continuing work in 5G ENSURE.EU Project
  • Security Architecture and enablers
Demo and Questions…