mobile security tm.ppt - school of informatics · z a mobile equipment is uniquely identified by...
TRANSCRIPT
![Page 1: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/1.jpg)
Mobile Communication Security
Shahriar Bijani
Informatics School, Edinburgh University
Mar 2012
![Page 2: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/2.jpg)
Outline
Why Security is Important?
Mobile Network Technologies
Security Mechanisms in GSM
GSM Security Vulnerabilities
![Page 3: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/3.jpg)
Mobile Communication Fraud Stats
Sources of the Stats Governments Mobile Operators International Organisations (e.g. CTIA, CFCA, …)
Estimated Communication Fraud Costs
1997: %4-%6 of the operators' revenue 2000: %5 of the operators' revenue ~ $13M 2011: 40 Billion $
Communication fraud gives more income than drug trafficking!
![Page 4: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/4.jpg)
4
New Services 2%
Processes 3%
Revenue Lo$$
Revenue Available
100%
Revenue Realized <100%
Other 1%
Interconnect 2%
$$$$ £££ %%
$$$$ £££ %%
Lost Revenue
Source: Analysis Survey for BT: representative sample of telecom providers around the world.
Fraud 3-5%
Lost CDRs 3%
Average leakage of 1% = $8 million/telco (PWC)
![Page 5: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/5.jpg)
Mobile Communication Fraud Stats
Subscription 36%
Dealer 8%
Prepaid 11%Credit Card
4% Internal 8%
SIM Theft3%
Interconnect 2%
SMS 2%
Social Engineering 1%
Roaming 12%
PRS13%
GSM Mobile Network Fraud Source: Communications Fraud Control Association, www.cfca.org
![Page 6: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/6.jpg)
Mobile Communication Fraud Stats
Geographical Distribution of the Mobile Networks Fraud
Source: Chorleywood Consulting
EMEA (Europe,ME, A)
41%
North America
33%
South America
12%
Asia Pacific 14%
US$24.6 Billion
![Page 7: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/7.jpg)
Outline
Why Security is Important?
Mobile Network Technologies
Security Mechanisms in GSM
GSM Security Vulnerabilities
![Page 8: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/8.jpg)
Mobile Network technologies
2G: GSM (1990-1) (2010: GSM Association estimates that technologies defined in the GSM
standard serve 80% of the global mobile market, encompassing more than 5 billion people)
2.5 G: GPRS, … 3G: UMTS (2001) ( + %15)
4G: LTE Advanced (2011) Services will roll out in 2013 in the UK
![Page 9: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/9.jpg)
cdmaOne cdmaOne
GSM GSM
TDMA TDMA
2G
PDC PDC
CDMA2000 1x
CDMA2000 1x
First Step into 3G
GPRS GPRS 90%
10%
Evolution of Mobile Systems to 3G - drivers are capacity, data speeds, lower cost of delivery for revenue growth
EDGE
EDGE
WCDMA
WCDMA
CDMA2000 1x EV/DV
CDMA2000 1x EV/DV
3G phase 1 Evolved 3G
3GPP Core Network
CDMA2000 1x EV/DO
CDMA2000 1x EV/DO
HSDPA
HSDPA
Expected market share
EDGE Evolution
EDGE Evolution
Source: ICIL
![Page 10: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/10.jpg)
GSM and GPRS Architecture
SIM: Subscriber Identity Module | MSC: Mobile services Switching Center BSC: Base Station Controller | HLR: Home Location Register | EIR: Equipment Identity Register BTS: Base Transceiver Station | VLR: Visitor Location Register | AuC: Authentication Center
![Page 11: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/11.jpg)
GPRS Architecture
![Page 12: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/12.jpg)
12
3G (UMTS) Network Architecture
SD
Mobile Station
MSC/VLR
Base StationSubsystem
GMSC
Network Subsystem
AUCEIR HLR
Other Networks
Note: Interfaces have been omitted for clarity purposes.
GGSNSGSN
BTS BSC
NodeB
RNC
RNS
UTRAN
SIM ME
USIMME
+
PSTN
PLMN
Internet
![Page 13: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/13.jpg)
Outline
Why Security is Important?
Mobile Network Technologies
Security Mechanisms in GSM
GSM Security Vulnerabilities
![Page 14: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/14.jpg)
Security Mechanisms in GSM
Anonymity of the subscriber
Authentication
Confidentiality
![Page 15: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/15.jpg)
Identity in GSM
IMSI (International Mobile Subscriber Identify) :
For unique identification of a subscriber IMEI (International Mobile Equipment Identity):
A mobile equipment is uniquely identified by the manufacturer provided IMEI
Ki: 128bit shared authentication key Stores in AuC (Authentication Centre) and the subscriber’s SIM card. The foundation of GSM security
Kc: The cipher key for encryption between mobile phone and BTS
![Page 16: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/16.jpg)
Anonymity
Location Management:
TMSI (Temporary Mobile Subscriber Identity ) is used for anonymity.
A 4-byte number for local subscriber identification Only valid within the location area of the VLR temporarily TMSI minimize the number of times IMSI is needed to be sent.
![Page 17: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/17.jpg)
Authentication – Ki never leaves the SIM – The A3 (authentication) and A8 (key management) algorithms
– key- dependent one-way hash functions. (similar in functionality) – commonly implemented as a single algorithm called COMP128.
(RAND, SRES, Kc) (RAND, SRES, Kc)
![Page 18: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/18.jpg)
18
Confidentiality
A5 encryption algorithm (between Phone and BTS)
A5 has three types: A5/1, A5/2, A5/3 (for 3G)
![Page 19: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/19.jpg)
Outline
Why Security is Important?
Mobile Network Technologies
Security Mechanisms in GSM
GSM Security Vulnerabilities
![Page 20: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/20.jpg)
Security Vulnerabilities
Security properties in GSM Access control Authentication Non-repudiation Confidentiality Communication security Data integrity Privacy Availability
![Page 21: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/21.jpg)
Security Vulnerabilities
Security properties in GSM Access control Authentication Non-repudiation Confidentiality Communication security Data integrity Privacy Availability
![Page 22: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/22.jpg)
Security Vulnerabilities
The main security shortcoming: Integrity is not considered in the GSM design and implementation No end to end security: limited encryption In GSM encryption algorithms obscurity is used for security! A3/A5/A8 algorithms eventually leaked A5/2 breakable in real-time and A5/1 also breakable in practice. One way authentication is not enough A3/A8 key management algorithms have been broken!
![Page 23: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/23.jpg)
GSM Security Threats
Identity theft using IMEI e.g. stealing of mobile phone
Fake subscription by subscribers’ Identity theft : e.g. SIM cloning
DoS/ DDoS attacks Cellular Phone Jamming De-registration
Interception of voice and data of subscribers Over-the-air interception using fake BTS Cryptanalysis attacks against A5 Hijacking incoming calls Hijacking outgoing calls
Tracking of the subscribers
![Page 24: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/24.jpg)
GSM Security Threats
Commercial Interception devices! Some specifications:
Fake BTS Fake mobile phone/SIM Braking A5 algorithm Direction finder (DF) Jammer …
GSM Interceptor Pro System $420,000.00
GSS-ProA
![Page 25: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/25.jpg)
A GSM Security Threat Analysis
An threat analysis method for the GSM network DREAD :
Damage potential: D Reproducibility: R Exploitability: E Affect Users: A Discoverability: D
![Page 26: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/26.jpg)
A GSM Security Threat Analysis
Threat Discoverability Affect Users Exploitability Reproducibility Damage Potential Risk
Denial of Service
10 9 8 10 5 8.4
Hijacking outgoing calls 10 1 5 10 4 6
Hijacking incoming calls
10 1 5 10 4 6
Fake BTS 10 1 4 10 3 5.6
Passive Identity Caching
10 1 5 8 2 5.2
De-registration 10 1 5 10 3 5.8
Location Update 10 1 5 10 3 5.8
![Page 27: Mobile Security tm.ppt - School of Informatics · z A mobile equipment is uniquely identified by the manufacturer ... z Jammer z … ... Mobile Security tm.ppt [Compatibility Mode]](https://reader031.vdocuments.us/reader031/viewer/2022022510/5adaa7487f8b9afc0f8cc80e/html5/thumbnails/27.jpg)
Any Question?