PracticalattacksagainstPrivacyandAvailabilityin4G/LTEMobileCommunicationSystems

Altaf Shaik &JeanPierreSeifert Ravishankar Borgaonkar N.Asokan Valtteri NiemiTUBerlin&T-Labs UniversityofOxford Aalto&Uni.ofHelsinkiUni.ofHelsinki

23February2016NDSS2016SanDiegoUSA

Outline

• Evolutionofsecurityinmobilenetworksü2G/GSM,3G/UMTS,4G/LTE

• Practicalattacksagainst4G/LTEü LocationleaksüDenialofservice

• Potentialreasonsforvulnerabilities

• Impact

2

Fakebase-stations..1

• Usedfor:IMSI/IMEI/locationtracking,call&datainterception

• Exploitweaknessesin2G&3G(partially)

• KnowsasIMSICatchers

• Difficulttodetectonnormalphones(Darshak,Cryptophone orSnoopsnitch)

3

Fakebase-stations..2

4

4G/LTE

• Widelydeployed,1.37billionusersbyendof2015

• Moresecurethanpreviousgenerations

• Bestefforttoavoidpreviousmistakes

5

Fig.source:Wikipedia

4GArchitecture

6

E-UTRAN

eNodeBUE

Cell

S1

Tracking Area

MME

Internet

eNodeB:EvolvedNodeB(“basestation”) UE:UserEquipmentE-UTRAN:EvolvedUniversalTerrestrialAccessNetwork S1:InterfaceMME:MobilityManagementEntity

Securityevolutioninmobilenetworks

7

Base Station

Phone

nomutualauthentication

mutualauthenticationintegrityprotection

mutualauthenticationdeepermandatoryintegrityprotection

2G

3G

4G

decidesencryption/authenticationrequestsIMSI/IMEI

ResearchMotivation

ØAnalysisofaccessnetworkprotocolsandintegrityprotectioninpractice

Ø LTEfakebasestations:thoughttobecomplex*andlesseffective

ØButinpractice:ü Implementation/configurationflaws,specification/protocol

deficiencies?

8

*https://insidersurveillance.com/rayzone-piranha-lte-imsi-catcher/

Evaluating4GSecurity:ExperimentSet-up

• Hardware– USRP,4Gdongle,4Gphones

• Software – OpenLTE &srsLTE

Set-upcost- littleover1000Euros!

9

ThankstoOpenLTE andsrsLTE group!

Results

• Vulnerabilities in 4G specifications and networks

• Demonstrating impact by practical attacks✓ Location leaks✓ Denial-of-service

11

Relevant 4G Features

• (Smart) Paging

• Diagnostic Reports from UE

• Mobility Management

11

Feature:Pagingin4G

12

PagingRequest

{404220522xxxxxx:A000FFFF}

IMSI=404220522xxxxxx

“GUTI”=A000FFFF

Why: locate subscriber to deliver calls/messages

GUTI:GloballyUniqueTemporaryIdentifierIMSI:InternationalMobilesubscriberIdentity

Pagingconfigurationvulnerabilities

13

passiveattacker

Pagingbroadcast

SmartPagingü sentontoasmallcellinsteadofabigtrackingareaü Allowsattackertolocate4Gsubscriberinacell

GUTIpersistenceü MNOsdon’tchangeGUTIsufficiently&frequently

Feature:ReportsfromUEtoeNodeB

14

ListofvisibleeNodeBs,signalstrengths,UE’sGPSco-ordinates

RLFReports(radiolinktroubleshooting)

Measurementreports (handovers)

Vulnerabilitiesinthefeature

15

activeattacker

SendmeMeasurement/RLFreport

Specification

UEmeasurementreportsü Requestsnotauthenticatedü Reportsarenotencrypted

Implementations

RLFreportsü Requestsnotauthenticatedü Reportsarenotencryptedü Allbasebandvendors

Feature:MobilityManagementin4G

16

TrackingAreaUpdate(TAU)procedureü DuringTAU,MME& UEagreeonnetwork

mode(2G/3G/4G)ü “TAUReject”usedtorejectsomeservices

services(e.g.,4G)toUE

Specificationvulnerability:Rejectmessagesarenotintegrityprotected

Feature:MobilityManagementin4G

17

SecurityCapabilitiesSupportedNetworks

AttachRequest(turnON)

Integrityprotected

SecurityCapabilities

Specificationvulnerability:Networkcapabilitiesnotprotected- biddingdownattacks

Discovered Vulnerabilities in 4GSpecification

• UEmeasurementreportsü Requestsnotauthenticated:reportsarenotencrypted

• TrackingAreaUpdate(TAU)procedureü Rejectmessagesarenotintegrityprotected

• Attachprocedureü Networkcapabilitiesarenotprotectedagainstbiddingdownattacks

Implementations:(allbasebandvendors)

• RLFreportsü Requestsnotauthenticated:reportsarenotencrypted

18

22

Attacks:Locationleaks

19

LocationLeaks:trackingcoarselevel

20

Semi-passiveAttacker(TA/cell)

paging

Target

Target

LocationAccuracy:2Sq.Km

MappingGUTItoSocialIdentity

LocationLeaks:trackingpreciselevel

21

Activeattacker

Target

Measurement/RLFreports

LocationAccuracy:50meters(or)GPSco-ordinates

Attacks:Denialofservice

22

DoS Attacks

ExploitingspecificationvulnerabilityinEMMprotocol!

• Downgradetonon-LTEnetworkservices(2G/3G)

• Denyallservices(2G/3G/4G)

• Denyselectedservices(blockincomingcalls)

• PersistentDoS

• Requiresreboot/SIMre-insertion

23

Tradeofbetweensecurityand

• Performanceü Phonerestrictstoconnecttonetwork- savingpowerü savingnetworksignalingresources(avoidunsuccessfulattach)ü Operatordonotrefreshtemporaryidentifiersoften

• Availabilityü operatorsrequireunprotectedreportsfortroubleshooting

• Functionalityü Smartphoneappsongenericplatformsnotmobile-network-friendly

• AttackingcostVsSecuritymeasures(definedin15yearsback)

24

Reasons for vulnerabilities

Impact

All(4)affectedbasebandmanufacturersü Responsibledisclosureofbugs:acknowledgedandpatchesreleasedü ButOEMsdonotyethavesecurityupdatestophones

Networkoperatorsü Configurationissueswereacknowledgedandfixed

Standardsorganizationsü SecurityissuespresentedatSA3(inAnaheim,Nov2015)andGSMAü ChangesintoLTEspecificationsareinprogress

Socialnetworkapplicationsü Facebooknolongersupportscompletelysilentmessages

25

Conclusions• Newvulnerabilitiesin4Gstandards/chipsets• Configurationbyoperatorsdonotfollowbestpractices

• Leadtoattacks:ü Socialapplicationsusedforsilenttracking

ü Locating4Gdevicesusingtrilateration ,GPSco-ordinates!

üDoS attacksarepersistent&silenttousers

• Designtrade-offsmadeadecadeagonolongereffective

26

ThankYou.

Questions?

Shoutforademo!

This work was supported in part by the Intel Collaborative Research Institute forSecure Computing, Academy of Finland (“Cloud Security Services” project#283135), Deutsche Telekom Innovation Laboratories (TLabs), and 5G-Ensure(grant agreement No. 671562, www.5Gensure.eu).