Post on 19-Mar-2020
Practical attacks against Privacy and Availability in 4G/LTE Mobile Communication Systems
Altaf Shaik & Jean-Pierre Seifert (TU Berlin & T-Labs), Ravishankar Borgaonkar (University of Oxford), N. Asokan (Aalto & Uni. of Helsinki), Valtteri Niemi (Uni. of Helsinki)
23 February 2016, NDSS 2016, San Diego, USA
Outline
• Evolution of security in mobile networks
  ✓ 2G/GSM, 3G/UMTS, 4G/LTE
• Practical attacks against 4G/LTE
  ✓ Location leaks
  ✓ Denial of service
• Potential reasons for vulnerabilities
• Impact
Fake base-stations (1)
• Used for: IMSI/IMEI/location tracking, call & data interception
• Exploit weaknesses in 2G & 3G (partially)
• Known as IMSI Catchers
• Difficult to detect on normal phones (Darshak, Cryptophone or Snoopsnitch)
Fake base-stations (2)
4G/LTE
• Widely deployed, 1.37 billion users by end of 2015
• More secure than previous generations
• Best effort to avoid previous mistakes
Fig. source: Wikipedia
4G Architecture
[Figure: UE, eNodeB, Cell, Tracking Area, E-UTRAN, S1, MME, Internet]
• eNodeB: Evolved NodeB (“base station”)
• UE: User Equipment
• E-UTRAN: Evolved Universal Terrestrial Access Network
• S1: Interface
• MME: Mobility Management Entity
Security evolution in mobile networks
[Figure: Base Station and Phone; label: decides encryption/authentication, requests IMSI/IMEI]
• 2G: no mutual authentication
• 3G: mutual authentication, integrity protection
• 4G: mutual authentication, deeper mandatory integrity protection
Research Motivation
• Analysis of access network protocols and integrity protection in practice
• LTE fake base stations: thought to be complex* and less effective
• But in practice:
  ✓ Implementation/configuration flaws, specification/protocol deficiencies?
* https://insidersurveillance.com/rayzone-piranha-lte-imsi-catcher/
Evaluating 4G Security: Experiment Set-up
• Hardware – USRP, 4G dongle, 4G phones
• Software – OpenLTE & srsLTE
Set-up cost - little over 1000 Euros!
Thanks to OpenLTE and srsLTE group!
Results
• Vulnerabilities in 4G specifications and networks
• Demonstrating impact by practical attacks
  ✓ Location leaks
  ✓ Denial-of-service
Relevant 4G Features
• (Smart) Paging
• Diagnostic Reports from UE
• Mobility Management
Feature: Paging in 4G
Paging Request
{404220522xxxxxx:A000FFFF}
IMSI = 404220522xxxxxx
“GUTI” = A000FFFF
Why: locate subscriber to deliver calls/messages
GUTI: Globally Unique Temporary Identifier
IMSI: International Mobile Subscriber Identity
Paging configuration vulnerabilities
[Figure: passive attacker, paging broadcast]
• Smart Paging
  ✓ sent onto a small cell instead of a big tracking area
  ✓ Allows attacker to locate 4G subscriber in a cell
• GUTI persistence
  ✓ MNOs don’t change GUTI sufficiently & frequently
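An operator-side check for the GUTI persistence issue above, as an added example that is not part of the original slides: it scans MME assignment records and flags subscribers whose GUTI stayed unchanged longer than a policy threshold. The record layout, the subscriber labels, the timestamps and the one-hour threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real network data):
# (timestamp, subscriber label, GUTI in hex, NAS event that was handled)
RECORDS = [
    ("2016-02-23T08:00:00", "sub-A", "A000FFFF", "attach"),
    ("2016-02-23T09:30:00", "sub-A", "A000FFFF", "tau"),
    ("2016-02-23T14:00:00", "sub-A", "A000FFFF", "service_request"),
    ("2016-02-23T08:05:00", "sub-B", "B1110001", "attach"),
    ("2016-02-23T08:40:00", "sub-B", "B1110002", "tau"),
    ("2016-02-23T09:10:00", "sub-B", "B1110003", "service_request"),
]

def guti_lifetimes(records):
    """Return {subscriber: [(guti, first_seen, last_seen, events_served), ...]}."""
    runs = {}
    # ISO-8601 timestamps sort chronologically as plain strings.
    for ts, sub, guti, _event in sorted(records):
        when = datetime.fromisoformat(ts)
        history = runs.setdefault(sub, [])
        if history and history[-1][0] == guti:
            g, first, _last, n = history[-1]
            history[-1] = (g, first, when, n + 1)   # same GUTI still in use
        else:
            history.append((guti, when, when, 1))   # GUTI was reallocated
    return runs

def persistent_gutis(records, max_age=timedelta(hours=1)):
    """Flag GUTIs that stayed assigned to one subscriber longer than max_age."""
    findings = []
    for sub, history in guti_lifetimes(records).items():
        for guti, first, last, n in history:
            age = last - first
            if age > max_age:
                findings.append((sub, guti, age, n))
    return findings

if __name__ == "__main__":
    for sub, guti, age, n in persistent_gutis(RECORDS):
        print(f"{sub}: GUTI {guti} unchanged for {age} across {n} events")
```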
Feature: Reports from UE to eNodeB
List of visible eNodeBs, signal strengths, UE’s GPS co-ordinates
• RLF Reports (radio link troubleshooting)
• Measurement reports (handovers)
Vulnerabilities in the feature
[Figure: active attacker: “Send me Measurement/RLF report”]
Specification
• UE measurement reports
  ✓ Requests not authenticated
  ✓ Reports are not encrypted
Implementations
• RLF reports
  ✓ Requests not authenticated
  ✓ Reports are not encrypted
  ✓ All baseband vendors
Feature: Mobility Management in 4G
Tracking Area Update (TAU) procedure
  ✓ During TAU, MME & UE agree on network mode (2G/3G/4G)
  ✓ “TAU Reject” used to reject some services (e.g., 4G) to UE
Specification vulnerability: Reject messages are not integrity protected
Feature: Mobility Management in 4G
Security Capabilities, Supported Networks
Attach Request (turn ON)
Integrity protected
Security Capabilities
Specification vulnerability: Network capabilities not protected - bidding down attacks
Discovered Vulnerabilities in 4G Specification
• UE measurement reports
  ✓ Requests not authenticated: reports are not encrypted
• Tracking Area Update (TAU) procedure
  ✓ Reject messages are not integrity protected
• Attach procedure
  ✓ Network capabilities are not protected against bidding down attacks
Implementations: (all baseband vendors)
• RLF reports
  ✓ Requests not authenticated: reports are not encrypted
Attacks: Location leaks
Location Leaks: tracking coarse level
[Figure: Semi-passive Attacker (TA/cell), paging, Target]
Location Accuracy: 2 Sq. Km
Mapping GUTI to Social Identity
Location Leaks: tracking precise level
[Figure: Active attacker, Target, Measurement/RLF reports]
Location Accuracy: 50 meters (or) GPS co-ordinates
Attacks: Denial of service
DoS Attacks
Exploiting specification vulnerability in EMM protocol!
• Downgrade to non-LTE network services (2G/3G)
• Deny all services (2G/3G/4G)
• Deny selected services (block incoming calls)
• Persistent DoS
• Requires reboot/SIM re-insertion
Reasons for vulnerabilities
Trade-off between security and
• Performance
  ✓ Phone restricts to connect to network - saving power
  ✓ saving network signaling resources (avoid unsuccessful attach)
  ✓ Operators do not refresh temporary identifiers often
• Availability
  ✓ operators require unprotected reports for troubleshooting
• Functionality
  ✓ Smartphone apps on generic platforms not mobile-network-friendly
• Attacking cost vs. security measures (defined 15 years back)
Impact
• All (4) affected baseband manufacturers
  ✓ Responsible disclosure of bugs: acknowledged and patches released
  ✓ But OEMs do not yet have security updates to phones
• Network operators
  ✓ Configuration issues were acknowledged and fixed
• Standards organizations
  ✓ Security issues presented at SA3 (in Anaheim, Nov 2015) and GSMA
  ✓ Changes into LTE specifications are in progress
• Social network applications
  ✓ Facebook no longer supports completely silent messages
Conclusions
• New vulnerabilities in 4G standards/chipsets
• Configurations by operators do not follow best practices
• Lead to attacks:
  ✓ Social applications used for silent tracking
  ✓ Locating 4G devices using trilateration, GPS co-ordinates!
  ✓ DoS attacks are persistent & silent to users
• Design trade-offs made a decade ago no longer effective
ThankYou.
Questions?
Shout for a demo!
This work was supported in part by the Intel Collaborative Research Institute for Secure Computing, Academy of Finland (“Cloud Security Services” project #283135), Deutsche Telekom Innovation Laboratories (TLabs), and 5G-Ensure (grant agreement No. 671562, www.5Gensure.eu).