Department of Computer Science

WiFi-Based IMSI Catcher

Piers O'Hanlon, Ravishankar Borgaonkar
Black Hat, London, 3rd November 2016
Overview
• What is an IMSI?
• Conventional IMSI Catchers
• WiFi-based IMSI Catcher
  • WiFi Network Authentication 💣
  • WiFi Calling Authentication 💣
• Operator/Vendor/OS Mitigations
• User Mitigations
• Demo
What is an IMSI?
• International Mobile Subscriber Identity
• 15 digit number, e.g. 234123456789012
• Allows for mutual authentication of a device to the network
  • Using the SIM's secret authentication key (Ki) and, for 3G/4G, the Sequence Number (SQN)
• Stored in two places:
  • In the 'SIM card' (USIM/UICC)
    • IMSI is accessible in the read-only section of the SIM
    • Secret key (Ki) and SQN are not directly readable
  • At the operator
    • IMSI indexes Ki and SQN in the HSS/AuC database
• An identifier that can be used for tracking
  • One of a few, like the WiFi/Bluetooth/NFC hardware address (e.g. MAC), IMEI, MSISDN (phone number), etc.
Conventional IMSI Catchers
• Typical features
  • Tracking: IMSI/IMEI, location
  • Interception: call/SMS/data
• Operates on licensed mobile bands: GSM/3G/4G
• Acts as a fake base station to lure nearby mobile devices
• Operates in two modes
  • 'Passive' - mainly for tracking (interception when no/weak ciphering)
  • Active - interception and tracking
• Cost
  • Commercial solutions expensive - but now possible with laptop + SDR board
• Been around since the early 1990s
  • Patented in Europe in 1993
Techniques in Conventional IMSI Catchers
2G:
• Exploits protocol flaws (no mutual authentication, ...)
• Tracking & interception
• Easily available to buy online
• Use of fake base station
3G/4G:
• Exploits architecture issues (base station > UE, ...)
• Tracking; difficult to intercept traffic compared with 2G
• Commercial products usually downgrade
• Use of legitimate base station also possible
(Slide images: http://www.epicos.com/EPCompanyProfileWeb/Content/Ability/EM_GSM.JPG and http://edge.alluremedia.com.au/m/g/2016/05/nokia_ultra_compact_network.jpg)
Protection against IMSI Catchers
• No protection for commercial non-rooted mobile devices
• Special phones (expensive though) and apps for rooted phones
• Turn off cellular connection or use WiFi platform for secure calls/data??
WiFi-Based IMSI Catcher
• Features
  • Tracking: IMSI, location
  • No interception (yet)
• Operates in unlicensed ISM bands: WiFi
• Range - a few hundred meters - can be extended...
• Fake access points
• Redirects/spoofs the mobile packet data gateway
• Exploits protocol & configuration weaknesses
• Based on two separate techniques [3GPP TS 33.234]
  • WiFi Network Authentication ('WLAN direct IP access')
  • WiFi-Calling Authentication ('WLAN 3GPP IP access')
• Cost
  • Low: virtually any WiFi capable computer
WiFi Network Attachment
• Unencrypted WiFi access points
  • Captive portal approaches
  • Wireless Internet Service Provider roaming (WISPr) etc.
• Normal encrypted WiFi access points
  • Pre-shared password/credentials
• 'Auto Connect' encrypted WiFi access points
  • WiFi key is negotiated without user intervention
  • Based on credentials in the USIM/UICC ('SIM card')
  • Controlled by operator provided configuration
    • Manual
    • Automatic/pre-installed
Automatic Configuration
• Some Android and Windows phones automatically connect based on the SIM
• iOS configures the phone based on the inserted SIM
  • Activates an operator specific .mobileconfig file
  • Configures a range of operator specific options
    • Including a list of Auto/EAP supported WiFi SSIDs
• Our analysis of iOS 9 profiles showed
  • More than 50 profiles for Auto/EAP WiFi
  • Also other config info
'Manual' Configuration
• Some Android devices require initial manual config
  • After which it automatically connects
• Instructions on operator websites
  • Follow simple steps to set up
• Android provides various carrier controlled mechanisms
  • Lollipop (v5.1 MR1): UICC Carrier Privileges
  • Marshmallow (v6.0): Carrier Configuration
    • "Privileged applications to provide carrier-specific configuration to the platform"
Automatic WiFi Authentication
• Port Based Network Access Control [IEEE 802.1X]
  • Uses Extensible Authentication Protocol (EAP) [RFC 3748] over LAN (EAPOL) over WiFi
• Based upon two EAP methods
  • EAP-SIM [RFC 4186]
    • GSM based security - currently most widely used
  • EAP-AKA [RFC 4187]
    • 3G based security - being deployed
• Support in Android, iOS, Windows Mobile, and BlackBerry devices
  • We've reported the issue to them all and to operators & GSMA
    • No privacy bounties 😕
    • Apple included 'conservative peer' support due to our work
• Deployed in many countries - adoption growing
EAP-SIM/AKA Identities
• Three basic identity types for authentication
  • Permanent identity (IMSI)
    • Typically used initially, after which temporary ids are used
  • Pseudonym identity
    • A pseudonym for the IMSI; has a limited lifetime
  • Fast re-authentication identity
    • Lower overhead re-attachment after the initial exchange
• Behaviour affected by peer policy
  • "Liberal" peer - current default
    • Responds to any request for the permanent identity
  • "Conservative" peer - future deployment option
    • Only responds to requests for the permanent identity when no pseudonym identity is available
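The peer-side identity selection described on this slide, written out as an added example (not code from the talk or its authors). The identity prefixes follow RFC 4186/4187; the realm format, the `PeerState` type and the pseudonym values are assumptions made for the example.

```python
# Added example, not from the slides: the identity a peer sends in reply to an
# EAP-SIM/AKA identity request, under the "liberal" and "conservative" policies.
from dataclasses import dataclass
from typing import Optional

# Leading character of each identity type (RFC 4187 for EAP-AKA, RFC 4186 for EAP-SIM).
PREFIXES = {
    "aka": {"permanent": "0", "pseudonym": "2", "fast_reauth": "4"},
    "sim": {"permanent": "1", "pseudonym": "3", "fast_reauth": "5"},
}

def identity_type(method: str, nai: str) -> str:
    """Classify a Network Access Identifier (NAI) by its leading character."""
    for kind, prefix in PREFIXES[method].items():
        if nai.startswith(prefix):
            return kind
    return "unknown"

@dataclass
class PeerState:
    method: str                            # "aka" or "sim"
    imsi: str                              # 15 digits from the (U)SIM
    realm: str                             # assumed 3GPP-style realm, see lead-in
    pseudonym: Optional[str] = None        # issued by the server in an earlier full auth
    fast_reauth_id: Optional[str] = None   # likewise, for fast re-authentication

    def permanent_identity(self) -> str:
        return PREFIXES[self.method]["permanent"] + self.imsi + "@" + self.realm

def select_identity(peer: PeerState, request: str, conservative: bool) -> Optional[str]:
    """Identity sent for AT_ANY_ID_REQ / AT_FULLAUTH_ID_REQ / AT_PERMANENT_ID_REQ.
    None means the peer declines and answers with a Client-Error instead."""
    if request == "AT_ANY_ID_REQ":
        return peer.fast_reauth_id or peer.pseudonym or peer.permanent_identity()
    if request == "AT_FULLAUTH_ID_REQ":
        return peer.pseudonym or peer.permanent_identity()
    if request == "AT_PERMANENT_ID_REQ":
        # Liberal peer (today's default): always hands over the IMSI, so any network
        # the phone attaches to can obtain it. Conservative peer: only when it holds
        # no pseudonym, which is what limits the tracking exposure described above.
        if conservative and peer.pseudonym:
            return None
        return peer.permanent_identity()
    raise ValueError(f"unknown identity request {request}")
```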
EAP-SIM/AKA Transport
• Basic EAP protocol is not encrypted
• Currently EAP-SIM/AKA in EAPOL is unencrypted
  • Thus the IMSI is visible (to a passive attacker) when the permanent identity is used for full authentication 😱
  • Also open to active attacks by requesting full auth 😱
• WiFi access keys not compromised
  • All content still protected
• There are encrypted tunnel EAP methods
  • EAP-TTLSv0, EAP-TLS...
  • But support required in both mobile OS and operator
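An added example (not from the talk) of what the unencrypted transport means in practice: an auditor that decodes an EAPOL frame, pulls out the EAP identity, and reports when it is a permanent identity, i.e. an IMSI in the clear. Useful for checking one's own WLAN deployment after enabling pseudonyms. The frame builder and the NAI values are constructed test inputs; the EAPOL/EAP/attribute layouts follow RFC 3748 and RFC 4186/4187.

```python
# Added example, not from the slides: audit EAPOL frames for an EAP-SIM/AKA permanent
# identity (IMSI) sent in the clear, as any passive listener on the WLAN would see it.
import struct

EAP_TYPE_IDENTITY, EAP_TYPE_SIM, EAP_TYPE_AKA = 1, 18, 23
AT_IDENTITY = 14                                     # RFC 4186/4187 attribute holding the NAI
PERMANENT_PREFIX = {"0": "EAP-AKA", "1": "EAP-SIM"}  # leading char of a permanent identity

def eap_identity_from_eapol(frame: bytes):
    """NAI from EAP-Response/Identity or from AT_IDENTITY in an EAP-SIM/AKA response."""
    _version, ptype, elen = struct.unpack("!BBH", frame[:4])
    if ptype != 0:                                   # 0 = EAP-Packet (not Key/Start/Logoff)
        return None
    eap = frame[4:4 + elen]
    code, _eid, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != 2:                                    # 2 = Response; only the peer sends its id
        return None
    if etype == EAP_TYPE_IDENTITY:
        return eap[5:length].decode("ascii", "replace")
    if etype in (EAP_TYPE_SIM, EAP_TYPE_AKA):
        pos = 8                                      # type, subtype, 2 reserved bytes
        while pos + 4 <= length:
            at, alen = eap[pos], eap[pos + 1] * 4    # attribute length is in 4-byte units
            if at == AT_IDENTITY:
                actual = struct.unpack("!H", eap[pos + 2:pos + 4])[0]
                return eap[pos + 4:pos + 4 + actual].decode("ascii", "replace")
            pos += max(alen, 4)
    return None

def audit_identity(nai: str) -> dict:
    """A permanent identity is '0'/'1' + 15 IMSI digits: that is the tracking leak."""
    user = nai.split("@", 1)[0]
    method = PERMANENT_PREFIX.get(user[:1])
    if method and len(user) == 16 and user[1:].isdigit():
        imsi = user[1:]
        return {"exposed": True, "method": method, "mcc": imsi[:3],
                "imsi_masked": imsi[:5] + "*" * 10}  # log a masked value, never the IMSI
    return {"exposed": False, "method": None, "mcc": None, "imsi_masked": None}

def build_frame(nai: str, aka: bool = False) -> bytes:
    """Constructed test frame: EAP-Response/Identity, or (aka=True) AKA-Identity + AT_IDENTITY."""
    body = nai.encode("ascii")
    if aka:
        pad = (-len(body)) % 4
        attr = struct.pack("!BBH", AT_IDENTITY, (4 + len(body) + pad) // 4, len(body))
        payload = struct.pack("!BBH", EAP_TYPE_AKA, 5, 0) + attr + body + b"\0" * pad
    else:
        payload = bytes([EAP_TYPE_IDENTITY]) + body
    eap = struct.pack("!BBH", 2, 1, 4 + len(payload)) + payload
    return struct.pack("!BBH", 2, 0, len(eap)) + eap
```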
WiFi-Calling Connection
• Phone connects to the Edge Packet Data Gateway (EPDG) over WiFi
  • Voice calls over WiFi
  • Phone connects on low/no signal
    • Also connects in Airplane mode + WiFi ...
• Connection to the EPDG uses IPsec
  • Authenticates using the Internet Key Exchange Protocol (IKEv2)
• Supported on iOS, Android, and Windows devices
• WiFi-Calling available in a number of countries
• The issue has also been reported to OS makers and operators
IPsec Brief Overview
• Internet Protocol Security
  • Confidentiality, data integrity, access control, and data source authentication
  • Recovery from transmission errors: packet loss, packet replay, and packet forgery
• Authentication
  • Authentication Header (AH) - RFC 4302
• Confidentiality
  • Encapsulating Security Payload (ESP) - RFC 4303
• Key management
  • Internet Key Exchange v2 (IKEv2) - RFC 7296
• Two modes
  • Tunnel - used for the connection to the gateway (EPDG)
  • Transport
Internet Key Exchange (IKEv2)
• Initiates the connection in two phases
  • IKE_SA_INIT
    • Negotiate cryptographic algorithms, exchange nonces, and do a Diffie-Hellman exchange
  • IKE_AUTH
    • Authenticate the previous messages, exchange identities (e.g. IMSI) and certificates, and establish the child Security Association(s) (SA)
• IKE_AUTH uses EAP-AKA
  • IMSI exchange not protected by a certificate
  • Open to MitM attacks on the identity (IMSI) 😱
• IPsec ESP keys are not compromised
  • Call content still safe
Operator/Vendor Mitigations
• Deprecate EAP-SIM in favour of EAP-AKA
  • EAP-SIM is weaker as it only uses GSM triplets
• Deploy EAP-AKA/SIM with conservative peer pseudonym
• Deploy certificate based approach
  • Deploy certificates on suitable AAA infrastructure
  • Deploy certificate protected tunnelled EAP-AKA for WLAN access
    • E.g. EAP-TTLS + EAP-AKA on 802.1X
  • Deploy certificate protected IPsec/IKEv2 to the EPDG
    • E.g. EAP-TTLS + EAP-AKA for IKE_AUTH, or multiple IKEv2 auth exchanges
• (Re)investigate other potential solutions
  • IMSI encryption - the 5G-ENSURE project has proposed an 'enabler'
  • E.g. 3GPP TD S3-030081 - 'Certificate-Based Protection of IMSI for EAP-SIM/AKA'
• Standards bodies should re-evaluate approaches
Mobile OS Mitigations
• Support conservative peer for EAP-AKA/SIM with pseudonym support
  • Emerging in some OSes (e.g. iOS 10)
• Certificate based approach
  • Support for EAP-TTLSv0 + EAP-AKA in IKEv2 & EAPOL
  • Other approaches?
• Allow for more user choice with automatic WiFi network access
  • Preferably allow for editing of all stored associations
User Mitigation
• WiFi Network Access Control
  • iOS
    • Turn off the 'Auto-Join' toggle for Auto-WiFi networks
      • Only possible when the network is in range
    • iOS 10 may provide better protection (once operators deploy support)
      • It has conservative peer pseudonym support - due to us 😉
  • Android
    • 'Forget' Auto-WiFi profiles
      • Depending on the version, only possible when the network is in range
• WiFi-Calling
  • Android/iOS: selectively disable WiFi-Calling
• Switch off WiFi in untrusted environments
Summary
• Exposed two new IMSI catching techniques
  • WiFi Network authentication protocols
  • WiFi-Calling authentication protocols
• Most of the world's smartphones implement these protocols
• Both techniques rely upon installed operator automatic configuration for these popular services
• We've been working with operators/vendors/OS companies to fix the issue
  • But it's a complex issue
Conclusions & Future Work
• Investigating other uses of EAP-SIM/AKA
• Exploring use of USIM credentials in other WiFi based protocols
• Continuing work in the 5G ENSURE.EU project
  • Security architecture and enablers

Demo and Questions...